What GAO Found
Governmentwide initiatives aimed at eliminating the unnecessary collection, use, and display of Social Security Numbers (SSN) have been underway in response to recommendations that the presidentially appointed Identity Theft Task Force made in 2007 to the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), and the Social Security Administration (SSA). However, these initiatives have had limited success. In 2008, OPM proposed a regulation requiring the use of an alternate federal employee identifier but withdrew it in 2010 because no such identifier was available. OMB required agencies to develop SSN reduction plans and requires annual reporting on agency SSN reduction efforts. SSA developed an online clearinghouse of best practices for reducing SSN use; however, it is no longer available online. Based on responses to GAO's questionnaire, the 24 agencies covered by the Chief Financial Officers (CFO) Act use SSNs for various purposes (see figure).
Figure: Agency Use of Social Security Numbers
All 24 CFO Act agencies developed SSN reduction plans and reported taking actions to curtail the use and display of SSNs. For example, the Department of Defense replaced SSNs, which previously appeared on its identification cards, with new identification numbers. Nevertheless, the agencies cited impediments to further reductions, including (1) statutes and regulations mandating SSN collection, (2) use of SSNs in necessary interactions with other federal entities, and (3) technological constraints of agency systems and processes.
Further, poor planning by agencies and ineffective monitoring by OMB have also limited efforts to reduce SSN use. Lacking direction from OMB, many agencies' SSN reduction plans did not include key elements, such as time frames and performance indicators, calling into question their utility. In addition, OMB has not required agencies to maintain up-to-date inventories of their SSN holdings or provided criteria for determining "unnecessary use and display," limiting agencies' ability to gauge progress. OMB also has not ensured that agencies update their progress in annual reports or established performance metrics to monitor agency efforts. Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall governmentwide reduction efforts will likely remain limited and difficult to measure.
Why GAO Did This Study
The federal government uses SSNs as unique identifiers for many purposes, including employment, taxation, law enforcement, and benefits. However, SSNs are also key pieces of identifying information that potentially may be used to perpetrate identity theft.
GAO was asked to review federal government efforts to reduce the collection and use of SSNs. This report examines (1) what governmentwide initiatives have been undertaken to assist agencies in eliminating their unnecessary use of SSNs and (2) the extent to which agencies have developed and executed plans to eliminate the unnecessary use and display of SSNs and have identified challenges associated with those efforts. To do so, GAO analyzed reports and guidance on protecting SSNs. GAO also analyzed SSN reduction plans and other documents, administered a questionnaire, and interviewed officials from the 24 CFO Act agencies.
What GAO Recommends
GAO recommends that OMB require complete plans for ongoing reductions in the collection, use, and display of SSNs, require inventories of systems containing SSNs, provide criteria for determining "unnecessary" use and display, ensure agencies update their progress in annual reports, and monitor agency progress based on clearly defined performance measures.
OMB did not comment on GAO's recommendations. We received written comments from SSA and technical comments from eight other agencies, which were incorporated into the final report as appropriate. The other 15 agencies did not provide comments.
For more information, contact Gregory C. Wilshusen at (202) 512-6244 or firstname.lastname@example.org.
Original Page: http://www.gao.gov/products/GAO-17-553?source=ra