A FISMA audit found problems with both phishing and data exfiltration at the Social Security Administration (SSA), according to two report summaries released December 4 by the agency’s inspector general.
The reports, both withheld from the public because of potential cybersecurity threats, detail weaknesses found by auditor Grant Thornton during its assessment of SSA’s cybersecurity posture. Both found that while the agency had controls in place, they were not being fully implemented.
On the phishing side, the summary noted that SSA had deficiencies that could allow for data exfiltration. While the agency’s policies met requirements from the National Institute of Standards and Technology (NIST), the Office of Management and Budget, and FISMA, implementation gaps existed, which put systems and personally identifiable information at risk.
“SSA should continue implementing additional corrective actions that address the root causes of findings documented in this report as well as similar previous reports and assessments provided to the agency,” the report noted.
The auditors made an unspecified number of recommendations, all of which SSA agreed to implement.
For malicious software and data exfiltration, the issues at SSA concerned the FISMA controls for detecting, preventing, and responding to malicious activity.
“While policies, procedures, and practices were in place, we noted instances where controls were not designed or operating as intended, which could lead to security weaknesses on the Agency network and/or devices resulting in the loss of sensitive data,” the summary states.
While the specific recommendations were not included in the report summary, Grant Thornton auditors noted the usefulness of tabletop cybersecurity exercises in remedying potential issues. SSA agreed to seven of the audit’s nine recommendations and disagreed with the other two.