The Social Security Administration did not remediate multiple known vulnerabilities for over one year, according to a summary of a report from SSA’s inspector general, released October 24.
The summary noted that the inspector general found a lack of progress on some vulnerabilities in SSA’s systems, along with unauthorized software on the agency’s systems. The initial audits of SSA’s system occurred from April to June 2018, and follow-up audits on scans from April to June 2019 revealed the need for improvements.
“Many critical vulnerabilities we found in 2018 were also identified on SSA’s network one year later. Further, we are concerned that other high-risk vulnerabilities may not be addressed for years,” the summary states.
The summary noted the difficulties in managing vulnerabilities with limited resources, but emphasized the importance of securing the agency’s network.
“Although timely vulnerability management poses challenges, SSA must overcome these challenges to protect its systems and its ability to serve the public,” the inspector general said.
The report recommended that SSA improve its vulnerability remediation program and address unauthorized software on its systems. SSA agreed to implement both recommendations.