Information Technology
Demand for the Social Security Administration's Electronic Data Exchanges Is Growing and Presents Future Challenges
GAO ID: GAO-09-126 December 4, 2008
Federal and state agencies, including the Social Security Administration (SSA), routinely share data through electronic exchanges to help increase the efficiency of program operations, reduce program costs, and improve public service. In light of SSA's broad responsibility for carrying out data exchanges, GAO was asked to describe SSA's critical programs that exchange data with other federal and state agencies, as well as the information systems that they rely on; and determine challenges and limitations that SSA may face in effectively using its systems to carry out data exchanges in the future. To accomplish this, GAO reviewed and analyzed relevant agency documentation, held discussions with key agency officials, and reviewed selected exchange programs.
Through more than 3,000 data exchanges with federal and state agencies, SSA both receives incoming data to support its own programs and provides outgoing data to support programs of other federal and state agencies. Most of these exchanges involve collecting incoming electronic data from other agencies, primarily to support the administration of Social Security benefits programs. The outgoing data from SSA to other federal and state agencies typically provide Social Security number verifications or are used to implement payment offsets in support of other agencies' business operations. In this regard, the agency performs more than a billion transactions to verify Social Security numbers for federal and state agencies each year. To carry out these data exchanges, SSA relies on a network of electronic information systems and an infrastructure that communicates with a variety of external systems used by the agency's partners. SSA faces three primary challenges to supporting its existing and future data exchanges: (1) meeting increasing demand for its data exchange services; (2) ensuring privacy and security of data provided to its data exchange partners; and (3) establishing effective practices for implementing and managing data exchanges. Recognizing these challenges, the agency has undertaken an initiative to better manage its data exchange environment and address current and future challenges and limitations. If effectively implemented, the initiative could address the challenges GAO has described. Members of the initiative have drafted a report that includes recommendations for improving the management of its data exchanges. However, SSA has not established milestones for completing the report and acting on its recommendations. Thus, it cannot be assured that the recommendations will be addressed and implemented in a timely manner. In addition, the agency developed a summary inventory of its data exchanges to further support this initiative. 
However, while the inventory lists data exchanges and partners, among other things, it does not include comprehensive information on the agency's data exchange systems, because, according to SSA officials, its purpose was only to provide summary data. Nonetheless, an inventory that provides comprehensive information on the data exchanges, such as the supporting information systems and the status of privacy and security compliance requirements, is an important tool that could help the agency make credible and timely decisions to ensure effective management of its growing data exchange environment.
GAO-09-126, Information Technology: Demand for the Social Security Administration's Electronic Data Exchanges Is Growing and Presents Future Challenges
This is the accessible text file for GAO report number GAO-09-126
entitled 'Information Technology: Demand for the Social Security
Administration's Electronic Data Exchanges Is Growing and Presents
Future Challenges' which was released on January 7, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Committee on Finance, U.S. Senate:
United States Government Accountability Office:
GAO:
December 2008:
Information Technology:
Demand for the Social Security Administration's Electronic Data
Exchanges Is Growing and Presents Future Challenges:
GAO-09-126:
GAO Highlights:
Highlights of GAO-09-126, a report to the Chairman, Committee on
Finance, U.S. Senate.
Why GAO Did This Study:
Federal and state agencies, including the Social Security
Administration (SSA), routinely share data through electronic exchanges
to help increase the efficiency of program operations, reduce program
costs, and improve public service. In light of SSA's broad
responsibility for carrying out data exchanges, GAO was asked to
describe SSA's critical programs that exchange data with other federal
and state agencies, as well as the information systems that they rely
on; and determine challenges and limitations that SSA may face in
effectively using its systems to carry out data exchanges in the
future. To accomplish this, GAO reviewed and analyzed relevant agency
documentation, held discussions with key agency officials, and reviewed
selected exchange programs.
What GAO Found:
Through more than 3,000 data exchanges with federal and state agencies,
SSA both receives incoming data to support its own programs and
provides outgoing data to support programs of other federal and state
agencies. Most of these exchanges involve collecting incoming
electronic data from other agencies, primarily to support the
administration of Social Security benefits programs. The outgoing data
from SSA to other federal and state agencies typically provide Social
Security number verifications or are used to implement payment offsets
in support of other agencies' business operations. In this regard, the
agency performs more than a billion transactions to verify Social
Security numbers for federal and state agencies each year. To carry out
these data exchanges, SSA relies on a network of electronic information
systems and an infrastructure that communicates with a variety of
external systems used by the agency's partners.
SSA faces three primary challenges to supporting its existing and
future data exchanges:
* meeting increasing demand for its data exchange services;
* ensuring privacy and security of data provided to its data exchange
partners; and
* establishing effective practices for implementing and managing data
exchanges.
Recognizing these challenges, the agency has undertaken an initiative
to better manage its data exchange environment and address current and
future challenges and limitations. If effectively implemented, the
initiative could address the challenges GAO has described. Members of
the initiative have drafted a report that includes recommendations for
improving the management of its data exchanges. However, SSA has not
established milestones for completing the report and acting on its
recommendations. Thus, it cannot be assured that the recommendations
will be addressed and implemented in a timely manner. In addition, the
agency developed a summary inventory of its data exchanges to further
support this initiative. However, while the inventory lists data
exchanges and partners, among other things, it does not include
comprehensive information on the agency's data exchange systems,
because, according to SSA officials, its purpose was only to provide
summary data. Nonetheless, an inventory that provides comprehensive
information on the data exchanges, such as the supporting information
systems and the status of privacy and security compliance requirements,
is an important tool that could help the agency make credible and
timely decisions to ensure effective management of its growing data
exchange environment.
What GAO Recommends:
GAO recommends that, as part of the agency's initiative to improve its
data exchange management practices, SSA (1) establish milestones for
completing the initiative's report and acting on its recommendations
and (2) develop and maintain a comprehensive inventory of its data
exchanges and the system resources they use. In commenting on GAO's
draft report, SSA agreed with the recommendations and identified
actions taken to address them.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-126]. For more
information, contact Valerie C. Melvin (202) 512-6304 or
melvinv@gao.gov.
[End of section]
Contents:
Letter:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Briefing Slides:
Appendix II: Comments from the Social Security Administration:
Appendix III: GAO Contact and Staff Acknowledgments:
Abbreviations:
AAMVA: American Association of Motor Vehicle Administrators:
CMPPA: Computer Matching and Privacy Protection Act:
CMS: Centers for Medicare and Medicaid Services:
DHS: Department of Homeland Security:
EV-STAR: Employment Verification-SSA Tentative Nonconfirmation
Automated Response:
FISMA: Federal Information Security Management Act:
RSDI: Retirement, Survivors, and Disability Insurance:
SSA: Social Security Administration:
SSI: Supplemental Security Income:
SSOLV: Social Security Online Verification:
SVES: State Verification and Exchange System:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
December 4, 2008:
The Honorable Max Baucus:
Chairman:
Committee on Finance:
United States Senate:
Dear Mr. Chairman:
Federal and state agencies routinely share data through electronic
exchanges to help increase the efficiency of program operations, reduce
program costs, and improve public service. In this regard, the Social
Security Administration (SSA) relies on data exchanges with other
federal and state agencies to support its mission to advance the
economic security of the nation's people.[Footnote 1] For example, the
information provided by these exchanges helps the agency process and
disburse beneficiary payments for the nation's largest entitlement
programs, including the Retirement, Survivors, and Disability Insurance
program and the Supplemental Security Income program. Additionally,
information provided by SSA to other federal agencies, such as the
Centers for Medicare and Medicaid Services (CMS) and the Department of
Homeland Security (DHS), supports those agencies' abilities to
accomplish their missions.
In light of SSA's broad responsibility for carrying out data exchanges,
you requested that we examine the agency's data exchanges with other
federal and state agencies. Our specific objectives were to (1)
describe SSA's critical programs that exchange data with other federal
and state agencies, as well as the information systems that these rely
on, and (2) determine the challenges and limitations that SSA may face
in effectively using its systems to carry out data exchanges with these
agencies in the future.
On September 12, 2008, we provided your office briefing slides that
outlined the results of our study and met with your staff to discuss
our findings, conclusions, and recommendations. The purpose of this
report is to provide the published briefing slides to you and to
officially transmit our recommendations to the Commissioner of Social
Security. The slides, which discuss our scope and methodology and
incorporate edits made since we initially provided the briefing, are
included in appendix I.
We conducted this performance audit from November 2007 to September
2008 at SSA's headquarters in Baltimore, Maryland, in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
In summary, our study highlighted the following:
SSA both receives incoming data to support its own programs and
provides outgoing data to support programs of other federal and state
agencies through more than 3,000 data exchanges. The majority of the
exchanges involve SSA collecting incoming electronic data from other
agencies, primarily to support the administration of Social Security
benefits programs. For example, in order to calculate benefits, the
agency uses data that it receives from the Internal Revenue Service.
SSA also provides outgoing data to other federal and state agencies,
including data to verify Social Security numbers or implement payment
offsets in support of other agencies' business operations. In this
regard, the agency performs more than a billion transactions to verify
Social Security numbers for federal and state agencies each year. To
accomplish such data exchanges, SSA relies on a network of electronic
information systems and an infrastructure that communicates with a
variety of external systems used by the agency's partners.
SSA faces three primary challenges to effectively supporting its
existing and future data exchanges:
* Meeting increasing demand for its data exchange services. More
agencies are using SSA data, and the level of service required is
increasing. For example, according to SSA an increasing number of
outside organizations are requesting electronic verification of Social
Security numbers and Supplemental Security Income eligibility.
Additionally, in some cases data must be accessible full time, with
updates available in near real time. SSA may be challenged to retain
the expertise and maintain the technology required to support the
technical infrastructure and other resources needed to meet the
increased demand.
* Ensuring the privacy and security of data provided to its data
exchange partners. SSA is responsible for overseeing and reviewing
other agencies' privacy and security safeguards to verify compliance
with federal privacy and security requirements, activities that require
dedicated staff with appropriate expertise. More agencies are
requesting online access to SSA's records (rather than receiving data
through batch processing); providing and supporting online access
generally requires more extensive compliance reviews than does batch
processing. The need for additional evaluations and reviews resulting
from increasing demands could create a need for SSA to hire and retain
additional staff with the expertise required to complete these
activities.
* Establishing effective management practices for implementing current
and future data exchanges. SSA has experienced challenges in managing
its data exchange environment that have resulted in ineffective
practices. For example, some data exchanges are not associated with
documented agreements or are not properly reimbursed. Further, key
responsibilities for the agency's data exchanges are dispersed
throughout multiple agency components. According to SSA officials,
establishing a single component to manage all the agency's data
exchange activities could provide better control over the current and
future data exchange workload.
SSA has recognized these challenges and created its Electronic
Information Exchange Initiative to better manage its data exchange
environment. If effectively implemented, the initiative could address
the current and future challenges we have described. In July 2008,
members of the initiative drafted a report that included
recommendations for improving the agency's management of its data
exchanges. However, milestones were not established for completing the
report and acting on its recommendations. Until the agency defines such
milestones, it cannot be assured that the recommendations will be
addressed and implemented in a timely manner.
SSA also developed a summary inventory of data exchanges to support
this initiative. Although the inventory lists data exchanges and
partners, among other things, it does not include comprehensive
information on the agency's data exchange systems. According to SSA
officials, this is because its purpose was only to provide summary
data. Nonetheless, an inventory that provides comprehensive information
on the data exchanges, such as the supporting information systems and
the status of privacy and security compliance requirements, is an
important tool that could help the agency make credible and timely
decisions to ensure effective management of its growing data exchange
environment. Without such an inventory, SSA may miss an opportunity to
ensure that all of its data exchanges are properly managed and most
effectively contribute to its service delivery.
Conclusions:
Data exchanges between SSA and other agencies provide useful
information to both SSA and its thousands of federal and state
partners. Although most of SSA's data exchange programs were
established to allow the agency to receive data needed to support its
benefits programs, SSA also provides data to federal and state
agencies.
SSA recognizes that it faces challenges related to the increasing
demand for data exchanges, the need to ensure the privacy and security
of its data, and the effective management of its data exchanges.
Consequently, the agency recently established its Electronic
Information Exchange Initiative to improve the management, execution,
processing, and oversight of its electronic data exchanges. If, as a
result of these recent efforts, the agency establishes and maintains
effective management practices for its data exchange workload,
including establishing milestones and a comprehensive inventory, it may
better position itself to meet its future data exchange challenges.
Recommendations for Executive Action:
We recommend that, as part of the agency's initiative to improve its
data exchange management practices, the Commissioner of Social Security
take the following two actions: (1) establish milestones for completing
the initiative's report and acting on its recommendations and (2)
develop and maintain a comprehensive inventory of its data exchanges
and the system resources they use.
Agency Comments and Our Evaluation:
The Commissioner of Social Security provided written comments on a
draft of this report. In the comments, the agency agreed with our
recommendations and identified actions taken to address them.
Specifically, SSA stated that it had completed its Electronic
Information Exchange Initiative's report, established milestones for
acting on the report's recommendations, and initiated efforts to create
an inventory that could include the information that we suggested in
our recommendation.
In other comments, the agency stated that our report did not fully
explain its information exchange environment and challenges, or include
updated summary statistics and financial information regarding its data
exchange programs. In particular, SSA stated that our report did not
adequately differentiate or explain the agency's information exchange
environment and challenges that affect each type of exchange. As noted
in our study objectives and scope and methodology, we focused on
selected programs as examples of key data exchange programs that SSA
conducts with other federal and state agencies. We made our selection
of the examples based on our review of information describing SSA's
data exchange programs and in collaboration with agency officials
responsible for managing these programs. In this regard, we included
programs that support the administration of key business functions
(such as the Retirement, Survivors, and Disability Insurance and the
Supplemental Security Income programs), exchanges required by law (such
as Medicare Parts C and D), and exchanges developed to replace manual
program administration workloads or to meet the growing demand for
online Social Security number verification (such as E-Verify, the State
Verification and Exchange System, and the American Association of Motor
Vehicle Administrators programs).
Further, we identified challenges and limitations that are expected to
affect the agency's ability to effectively use its systems to exchange
data with other agencies in the future. We organized these challenges
into three broad categories that are relevant to the agency's overall
data exchange environment: meeting increasing demand for data exchange
services, ensuring privacy and security of data provided to data
exchange partners, and establishing adequate management practices for
implementing current and future data exchanges. Additionally, regarding
SSA's comment that our report does not recognize certain significant
challenges, we described those challenges in our discussion of the
agency's need to meet increasing demand for its data exchange services
and to ensure the privacy and security of the data that the agency
provides to its partners.
Finally, the summary statistics and financial information that we
included in the briefing reflected information provided by SSA program
officials during our study. We requested and received the agency's
confirmation of this information prior to delivering our briefing to
congressional staff on September 12, 2008. Agency officials told us
that updated information, to which SSA refers in its comments, had not
been finalized and, therefore, was not available during our study. As a
result, we did not have sufficient data to reconcile the difference
noted in the financial information provided by program officials during
our study and the information to which SSA refers in its written
comments.
SSA also provided technical comments, which we have incorporated into
the report as appropriate. The agency's written comments are reproduced
in appendix II.
As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from the date of this letter. At that time, we will send copies of the
report to interested congressional committees, the Director of the
Office of Management and Budget, and the Commissioner of Social
Security. This report will also be available at no charge on our Web
site at [hyperlink, http://www.gao.gov].
Should you or your staff have any questions on matters discussed in the
report, please contact me at (202) 512-6304 or at
melvinv@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. Key contributors to this report are listed in
appendix III.
Sincerely yours,
Signed by:
Valerie C. Melvin:
Director:
Human Capital and Management Information Systems Issues:
[End of section]
Appendix I: Briefing Slides:
Information Technology: Demand for the Social Security Administration's
Electronic Data Exchanges Is Growing and Presents Future Challenges:
Briefing for Staff of the Committee on Finance:
United States Senate:
September 12, 2008:
Overview:
Introduction:
Objectives:
Scope and Methodology:
Results in Brief:
Background:
Results:
* SSA's Data Exchange Environment:
* SSA Data Exchange Challenges:
Conclusions:
Recommendations:
Agency Comments and Our Evaluation:
[End of Overview]
Introduction:
Federal and state agencies routinely share data through electronic
exchanges to help increase the efficiency of program operations, reduce
program costs, and improve public service.
The Social Security Administration (SSA) relies on data exchanges with
other federal and state agencies to support its mission to advance the
economic security of the nation's people.[Footnote 2] Data exchanges
help the agency process and disburse beneficiary payments for the
nation's largest entitlement programs, including the Retirement,
Survivors, and Disability Insurance program and the Supplemental
Security Income program.
In 2006, following implementation of the premium withholding provisions
of the Medicare Prescription Drug, Improvement, and Modernization Act
of 2003,[Footnote 3] SSA and the Centers for Medicare and Medicaid
Services (CMS) encountered problems in exchanging data in a timely
manner to ensure proper premium withholdings from individuals' Social
Security payments. As a result, there were reports of beneficiaries not
having their requests for premium withholdings processed accurately or
in a timely manner. We reported in July 2008 that SSA had taken actions
to address problems associated with the electronic exchange of data
with CMS for processing premium withholdings.[Footnote 4]
Objectives:
In light of SSA's broad responsibility for carrying out data exchanges,
the Chairman of the Senate Finance Committee asked us to examine SSA's
data exchanges with other federal and state agencies. Our specific
objectives were to:
* describe SSA's critical programs that exchange data with other
federal and state agencies, as well as the information systems that
these rely on, and
* determine the challenges and limitations that SSA may face in
effectively using its systems to carry out data exchanges with these
agencies in the future.
Scope and Methodology:
To identify SSA's critical data exchanges and the information systems
that SSA currently relies on to perform these exchanges, we:
* analyzed the agency's documentation that describes its federal and
state data exchanges and their partner agencies;
* reviewed data exchange agreements, the programs they support, and
other exchange information to gain perspective on data exchange
activities and to understand the purposes for which the exchange
agreements and systems were implemented;
* held discussions with agency officials regarding the information
systems and agencies involved in SSA's key data exchanges; and
* selected programs to provide examples of SSA's critical data
exchanges with other federal and state agencies.
- We made our selections of examples of federal and state data
exchanges based on our review of information describing key data
exchanges and discussions with agency officials.
- We selected exchanges that provide data essential to the effective
administration of major federal programs that support SSA's Retirement,
Survivors, and Disability Insurance; Supplemental Security Income
benefits; Medicare prescription drug benefits; and the Department of
Homeland Security's employment eligibility verification. We based our
selection on the scope and impact of the programs on the country's
population, including Social Security and Medicare beneficiaries and
government and private employers. We reviewed and assessed
documentation related to these programs and the information systems
that support them to determine the extent to which the administration
of the programs depends on electronic data exchange with SSA. We
selected those programs for which data exchanges have recently
increased in scope and usage and are expected to expand in the future.
- We selected data exchanges serving state programs through which SSA
provides information that (1) allows states to determine whether
individuals are receiving Retirement, Survivors, and Disability
Insurance and Supplemental Security Income benefit payments; and (2)
enables states to verify Social Security numbers for administration of
driver's license programs. We based our selection on the large volume
of data provided by SSA and states' reliance on these exchanges for
administering key programs that support large portions of states'
populations (e.g., driver's license, food stamps, social services). We
reviewed and assessed documentation related to these programs and the
information systems that support them to determine the extent to which
the programs depend on electronic data exchange with SSA. We selected
those that reflect the varied systems (that is, batch query and online
query systems) that the agency supports to perform these data exchanges.
To identify challenges and limitations that SSA may face in effectively
using its systems to conduct exchanges with partner agencies, we:
* analyzed the agency's documentation on its existing data exchanges
and requirements in federal laws and guidance that pertain to federal
and state agencies' exchanges of data;
* reviewed internal agency reports that discussed SSA's data exchanges
with other federal and state agencies; and
* interviewed SSA officials to obtain their views on any known
problems, challenges, and limitations that are expected to affect the
agency's ability to effectively use its systems to exchange data with
other agencies in the future.
We did not independently verify SSA's reported cost or the number of
exchanges identified as part of its data exchange environment.
We conducted this performance audit from November 2007 to September
2008 at SSA's headquarters in Baltimore, Maryland, in accordance with
generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
Results in Brief:
Through over 3,000 exchanges[Footnote 5] with federal and state
agencies, SSA both receives incoming data to support its own programs
and provides outgoing data to support other federal and state agencies'
programs. Most of these exchanges provide incoming electronic data from
other agencies, primarily to support the administration of Social
Security benefits programs. For example, the agency receives data from
the Internal Revenue Service that is used in benefit calculations. The
outgoing data from SSA to other federal and state agencies typically
provide Social Security number verifications or are used to implement
payment offsets in support of other agencies' business operations. In
this regard, the agency performs more than a billion transactions to
verify Social Security numbers for federal and state agencies each
year. To carry out these data exchanges, SSA relies on a network of
electronic information systems and an infrastructure that communicates
with a variety of external systems used by the agency's partners.
SSA faces three primary challenges to supporting existing and future
data exchanges:
* Meeting increasing demand for its data exchange services. More
agencies are using SSA data, and the level of service required is
increasing. For example, in some cases data must be accessible
full-time, with updates available in near real time.
* Ensuring privacy and security of data provided to SSA's data exchange
partners. SSA is responsible for overseeing and reviewing other
agencies' privacy and security safeguards to verify compliance with
federal privacy and security requirements, activities that require
dedicated staff with appropriate expertise.
* Establishing adequate management practices for implementing current
and future data exchanges, such as mechanisms to provide management
with an agencywide overview of data exchanges and the resources they
absorb. SSA has experienced challenges in managing its data exchange
environment that have resulted in ineffective practices. For example,
some data exchanges are not associated with documented agreements or
are not properly reimbursed.
Recognizing these challenges, SSA has undertaken an initiative to
better manage its data exchange environment and address current and
future challenges and limitations, and it has drafted a report that
includes recommendations for improving the agency's management of data
exchanges. However, it has not established milestones for completing
the report and acting on its recommendations. Until the agency defines
such milestones, it cannot be assured that the recommendations will be
addressed and implemented in a timely manner. The agency has also
developed a summary inventory of data exchanges to support this
initiative. Although the summary inventory lists data exchanges and
partners, among other things, it does not include comprehensive
information on the agency's data exchange systems, because according to
SSA officials, its purpose was only to provide summary data.
Nonetheless, an inventory that provides comprehensive information on
the data exchanges, such as the supporting information systems and the
status of privacy and security compliance requirements, is an important
tool that could help the agency make credible and timely decisions to
ensure effective management of its growing data exchange
environment. Without such an inventory, SSA may miss an opportunity to
ensure that all of its data exchanges are properly managed and most
effectively contribute to its service delivery.
We are recommending that as part of its initiative to improve its data
exchange management practices, SSA (1) establish milestones for
completing the initiative's report and acting on its recommendations
and (2) develop and maintain a comprehensive inventory of its data
exchanges and the system resources they use.
We received oral comments on a draft of this briefing from SSA
officials, including the Deputy Commissioner for Systems and the Chief
Information Officer. The officials agreed with our recommendations and
provided additional information and technical comments related to the
department's data exchange programs which were incorporated into the
briefing as appropriate.
Background:
SSA engages in various types of electronic data exchanges, including
Social Security number verifications and computer matches, depending on
the business needs of its partner agencies. These electronic data
exchanges are considered to be essential to helping the government
streamline operations, reduce costs, and eliminate overpayments and
fraud.
Efficient execution of data exchanges requires SSA to work
cooperatively with its exchange partners to ensure that the data are
accurate and move seamlessly between the agency and its partners'
information systems.
Several laws and regulations require SSA to provide record information
to other agencies to support a wide range of non-SSA programs, as shown
in table 1.
Table 1: Laws and Regulations Governing SSA Information Sharing:
Law: Intelligence Reform and Terrorism Prevention Act;
Requirements for SSA to provide information to other agencies: Add
death and fraud indicators to the Social Security number verification
systems for employers, state agencies issuing driver's licenses and
identity cards, and other verification routines that the Commissioner
of Social Security determines appropriate.
Law: Section 6103 of the Internal Revenue Code;
Requirements for SSA to provide information to other agencies: Disclose
tax return information to state and local child support enforcement
agencies to enforce child support obligations, and controls SSA's use
and disclosure of tax return information maintained in agency records.
Law: Section 1137 of the Social Security Act;
Requirements for SSA to provide information to other agencies: Transmit
data to a multitude of state agencies to assist in administering income
and health maintenance programs such as Medicaid, unemployment
compensation, and food stamps.
Law: Military Selective Service Act;
Requirements for SSA to provide information to other agencies: Disclose
names, Social Security numbers, and dates of birth of individuals
required to register with the Selective Service System.
Law: Section 453 of the Social Security Act;
Requirements for SSA to provide information to other agencies: Provide
Social Security numbers, addresses, benefit data, and tax return
information to the Office of Child Support Enforcement (Federal Parent
Locator Service).
Source: SSA data and GAO analysis.
[End of table]
Other laws specify security and privacy protection requirements to
safeguard the data exchanged by SSA, including those containing
personally identifiable information such as Social Security
numbers.[Footnote 6] For example, the Privacy Act of 1974 was enacted
to regulate the collection, maintenance, use, and dissemination of
personal information such as Social Security numbers by federal
agencies. Additionally, the Federal Information Security Management Act
(FISMA) and related guidance impose a range of information security
requirements on SSA and other federal agencies to protect agency
information, including records involved in data exchanges, such as
performing periodic assessments of risk and periodic testing and
evaluation of the effectiveness of information security procedures and
practices.
Table 2 presents an outline of key laws that are intended to protect
data exchanged between SSA and other agencies.
Table 2: Key Laws Protecting Data Exchanged:
Law: Privacy Act of 1974;
Description: Prohibits use and disclosure of personal records without
consent of the individual, unless otherwise permitted under the law;
requires protection of personal records whose disclosure could cause
harm, embarrassment, unfairness, or inconvenience to the individual.
Law: Computer Matching and Privacy Protection Act;
Description: Establishes procedural safeguards that affect agencies'
use of records from benefits programs in performing certain types of
computerized matching programs.
Law: Social Security Act;
Description: Prohibits unauthorized disclosure of individually
identifiable program beneficiaries' records and information transmitted
to, or obtained by or from the Department of Health and Human Services,
SSA, and their contractors.
Law: Federal Information Security Management Act;
Description: Defines federal requirements for securing information and
information systems that support federal agency operations and assets,
including protecting information from unauthorized access, use,
disclosure, modification, and destruction.
Source: GAO analysis.
[End of table]
Results: SSA's Data Exchange Environment:
Through exchanges with federal and state agencies, SSA both receives
incoming data to support its benefits programs and provides outgoing
data to support other federal and state agencies' programs. For
example, the agency receives data on income from the Internal Revenue
Service that is used in benefit calculations, and it provides more than
a billion Social Security number verifications for federal and state
agencies each year.
To carry out these data exchanges, SSA relies on a network of
electronic information systems and an infrastructure that communicates
with a variety of external systems used by the agency's partners. For
example, the agency exchanges data both with partners that use modern
telecommunications technology and with those using older technology to
transmit data. SSA's systems must support exchanges both through
processing data in batch files and through individual, real-time
transactions, depending on the need, the method of transfer, and the
technological capability of the data exchange partner.[Footnote 7]
Our evaluation of SSA's relevant documentation on the agency's data
exchange environment identified:
* 104 data exchanges with 19 federal agencies and
* 3,150 data exchanges with various agencies in 50 states, the District
of Columbia, and 4 U.S. territories.
Note that these numbers do not refer to transactions (that is, an
instance of exchanged data, such as the verification of a single Social
Security number) but to ongoing mechanisms for exchanging data.
SSA receives incoming data from its exchange partners primarily to
support the administration of Social Security benefits programs.
Outgoing data typically provide Social Security number verifications or
implement payment offsets in support of other agencies' business
operations. As shown in table 3, most of the agency's data exchanges
are for incoming data from SSA's partners. Further, as the table shows,
some exchanges are two-way, both incoming and outgoing.
Table 3: SSA's Incoming and Outgoing Exchanges with Federal and State
Agencies:
Exchange type: Incoming;
Federal: 37;
State: 2,346.
Exchange type: Outgoing;
Federal: 60;
State: 765.
Exchange type: Both incoming and outgoing;
Federal: 7;
State: 39.
Exchange type: Total;
Federal: 104;
State: 3,150.
Source: GAO analysis of SSA data.
[End of table]
SSA is financially responsible for exchanges that directly support SSA
programs. The agency provides payments to its partners for the incoming
data that it receives to support its benefits programs. Conversely, SSA
may be reimbursed for the outgoing data it provides to its partners in
support of other federal and state agencies' programs. Such
reimbursements depend on the agreements the agency reaches with its
exchange partners. SSA reported that it currently is reimbursed for 32
federal and 251 state data exchanges.
Table 4 summarizes the agency's payments and reimbursements for data
exchanges reported for fiscal year 2007.
Table 4: Summary of SSA's Reported Payments and Reimbursements for Data
Exchanges in Fiscal Year 2007:
Data exchange partner: Federal agencies;
Payments (incoming data): $1,288,155;
Reimbursements (outgoing data): $9,578,449.
Data exchange partner: State agencies;
Payments (incoming data): $17,462,427;
Reimbursements (outgoing data): $447,930.
Source: SSA reported data.
[End of table]
SSA's Data Exchange Environment: Incoming Data:
Incoming data from other federal and state agencies provide information
primarily for SSA's two major benefits payment programs:
* the Retirement, Survivors, and Disability Insurance (RSDI) program,
[Footnote 8] which provides benefits to workers who have paid into the
Social Security trust fund, and
* the Supplemental Security Income (SSI) program, which provides or
supplements the income of aged, blind, or disabled individuals with
limited income and resources.[Footnote 9]
In fiscal year 2007, according to the agency, approximately 54 million
beneficiaries received monthly RSDI or SSI benefit payments, totaling
about $613 billion for both programs.
These incoming data are used to establish a record of an individual's
earnings and to determine eligibility for, and the amount of, benefits.
For example:
* SSA receives data from the Internal Revenue Service that provide
information such as address, earned income, unearned income, employer
identification and self-employment tax. These data are used to suspend
or reduce RSDI and SSI benefits where appropriate.
* SSA receives data from the Office of Personnel Management that
provide pension and annuity information. The data are used to compute
offsets for RSDI and SSI benefits.
* The agency receives unemployment compensation data from state
agencies to match against its benefits rolls to determine if reductions
in SSI payments are appropriate.
Additionally, to help accurately calculate benefit payments, SSA
receives data from other federal agencies, such as the Departments of
Labor, Homeland Security, and Veterans Affairs; the Railroad Retirement
Board; and the Bureau of Public Debt. It also receives data from a
variety of state agencies such as state vital records and prison
agencies to, among other things, update its records and enforce payment
regulations for RSDI and SSI programs.
Table 5 describes the types of data received from various federal and
state entities to assist SSA in calculating accurate RSDI and SSI
payments.
Table 5: Data Received from Various Federal and State Entities:
Federal and state partners: Department of Defense;
Description of data received: Military pension;
SSA program supported: SSA.
Federal and state partners: Department of Homeland Security;
Description of data received: Deportation and intent to leave the
country, alien immigration admission status;
SSA program supported: RSDI and SSI.
Federal and state partners: Department of Labor;
Description of data received: Black lung disease;
SSA program supported: RSDI and SSI.
Federal and state partners: Department of the Treasury;
Description of data received: Social Security number information on
returned checks;
SSA program supported: RSDI and SSI.
Federal and state partners: Internal Revenue Service (Treasury);
Description of data received: Address, employment, income, and nanny
tax;
SSA program supported: RSDI and SSI.
Federal and state partners: Bureau of Public Debt (Treasury);
Description of data received: Savings bond and savings account;
SSA program supported: SSI.
Federal and state partners: Department of Veterans Affairs;
Description of data received: Veterans' earnings;
SSA program supported: RSDI and SSI.
Federal and state partners: Center for Medicare and Medicaid Services
(Health and Human Services);
Description of data received: Nursing home, Medicare, and Medicaid;
SSA program supported: SSI.
Federal and state partners: Office of Child Support Enforcement (Health
and Human Services);
Description of data received: Quarterly wage, unemployment, and new
hire;
SSA program supported: RSDI and SSI.
Federal and state partners: Office of Personnel Management;
Description of data received: Federal employees' pension and annuity;
SSA program supported: RSDI and SSI.
Federal and state partners: Railroad Retirement Board;
Description of data received: Railroad retirement benefits;
SSA program supported: RSDI and SSI.
Federal and state partners: 10 states[A];
Description of data received: Vital records;
SSA program supported: RSDI and SSI.
Federal and state partners: 40 states[B];
Description of data received: Unemployment insurance benefits;
SSA program supported: RSDI and SSI.
Federal and state partners: Most states;
Description of data received: Variety of state records[C];
SSA program supported: RSDI and SSI.
Source: GAO analysis of SSA data.
[A] SSA uses the Electronic Verification of Vital Events System for
access to vital records data from 10 states.
[B] SSA uses the Interstate Benefits Inquiry Query system to obtain
unemployment insurance benefits from 40 states.
[C] SSA uses the SSA Access to State Records Online system to access a
variety of state records online, such as human services (Medicaid, food
stamps, and Temporary Assistance for Needy Families), wage,
unemployment, vital statistics (birth and death records), and workers
compensation.
[End of table]
SSA relies on two critical information systems for calculating and
processing incoming data that are relevant to its RSDI and SSI
programs:
The Modernized Claim System supports two primary functions:
* initial processing of claims for retirement, survivor, and disability
benefits, as well as Medicare benefits, and
* post-entitlement processing of RSDI and Medicare information (such as
changes in beneficiaries or Medicare enrollment).
The Modernized Supplemental Security Income Claims System supports two
primary SSI program functions:
* initial processing of claims for SSI benefits and
* post-eligibility processing of SSI events (such as a change in
income).
These systems process and update data from numerous other SSA systems
and databases, such as the agency's Master Beneficiary Record and its
Medicare Database.
SSA's Data Exchange Environment: Outgoing Data:
Outgoing data from SSA generally allow federal and state agencies to
verify the Social Security numbers of their clients' populations or to
implement payment offset requirements. Examples of programs supported
by SSA's outgoing data exchanges are as follows:
* Outgoing data to federal agencies:
- Part C Medicare Advantage Program and Part D Prescription Drug
Coverage Program, administered primarily by the Centers for Medicare
and Medicaid Services (CMS);
- E-Verify program of the Department of Homeland Security (DHS).
* Outgoing data to states:
- State Verification and Exchange System Program;
- American Association of Motor Vehicle Administrators Program.
The following slides briefly describe these programs, the data
exchanged, and the systems that support the data exchange.
The Part C Medicare Advantage Program and the Part D Prescription Drug
Coverage Program provide prescription drug benefits to help Medicare
recipients with prescription drug costs. SSA and CMS exchange data for
the purpose of administering these programs.
Under the Medicare Prescription Drug, Improvement, and Modernization
Act of 2003, SSA is responsible for withholding Medicare Parts C and D
premium amounts from participants who elected to have these premiums
withheld from their Social Security payments. SSA provides data to CMS
regarding amounts of premiums withheld for these participants. CMS uses
these data to update its records and perform monthly reconciliation of
the information with its records of premiums owed to the plans.
[Footnote 10]
SSA relies primarily on one system and two databases to process and
exchange Medicare premium withholding data:
* The Modernized Claim System is used to compute the amount of
beneficiary payments, including adjustments for premium withholdings,
using data from SSA's Medicare Database, as well as Medicare enrollment
data supplied by CMS. Data on premium withholdings are periodically
[Footnote 11] transmitted to CMS via this system.
* The Master Beneficiary Record stores all data related to enrollment
and premium collection and is updated daily on successful processing of
the daily input transactions. The Modernized Claim System updates this
database.
* The Medicare Database collects and maintains information related to
Medicare, including beneficiaries' enrollment and premium withholding
information. The Modernized Claim System also updates this database.
In fiscal year 2007, the number of SSA's Medicare withholding
transactions for Parts C and D was about 20.4 million.
Because SSA is mandated to support this program and the associated data
exchange, the agency is provided funds through its budget to operate
and maintain the systems involved in the data exchange. SSA is not
reimbursed by CMS for its services.
DHS's E-Verify program provides an electronic means for employers to
verify employees' eligibility to work. To confirm an employee's work
authorization status, participating employers enter employee
information into DHS's E-Verify Web site. The names, dates of birth,
and Social Security numbers entered by the employers are then matched
against SSA's Social Security number database. According to SSA
officials, when the system finds no match (i.e., nonconfirmation), the
employer notifies the employee to give him or her an opportunity to
contest that finding.[Footnote 12]
E-Verify was initiated in 1997 as a pilot that was available on a
voluntary basis to five states only. Since 2004, it has been available
to employers in all 50 states and in the U.S. territories where
immigration laws apply. Certain states have moved to require employers
to verify newly-hired employees using E-Verify. For example, as of
January 1, 2008, the "Legal Arizona Workers Act" requires all employers
in Arizona to verify the employment eligibility of newly hired
employees through the E-Verify program. Other states, including Idaho,
Minnesota, Rhode Island, and Oklahoma, require employers in certain
sectors, such as government employers and contractors, to verify their
employees' work authorization status. According to DHS, the number of
employers registered with the E-Verify program has doubled in size each
year since 2006.
SSA relies on three systems for the E-Verify data exchange:
* The E-Verify system is an Internet-based system operated by DHS in
partnership with SSA. The system provides participating employers the
ability to electronically verify the employment eligibility of newly
hired employees. The E-Verify system sends online confirmation or
nonconfirmation information to employers in response to queries.
* SSA's Numident (Number Holder Identification File) database contains
relevant data about the holder of a Social Security number. These data
include the number holder's name, date of birth, place of birth,
parents' names, citizenship status at the time of application, date of
death (if applicable), and the office where the Social Security number
application was processed and approved. The E-Verify system queries the
Numident database and receives confirmation or nonconfirmation
information based on whether information in Numident matches the
information in the query.
* The EV-STAR (Employment Verification SSA Tentative Nonconfirmation
Automated Response) system was developed by SSA in coordination with
DHS's Citizenship and Immigration Services to help resolve tentative
nonconfirmations, which occur when an employee's name, date of birth,
and Social Security number queried through the E-Verify program do not
match those in SSA's database. This system, available in all SSA field
offices, became operational in October 2007. It allows field office
staff to view the same information that is provided to employers
through E-Verify and to enter data directly into E-Verify to reflect
all actions being taken to resolve the employee's tentative
nonconfirmation.[Footnote 13]
The initial pilot of E-Verify received less than a quarter of a million
queries the first year. SSA officials stated that in fiscal year 2007,
there were about 3.3 million queries made to the agency's database to
verify employees' Social Security numbers. SSA officials estimated that
the number of transactions for fiscal year 2008 will be between 6.8
million and 7 million. According to agency officials, in fiscal year
2007, the agency was reimbursed over $3,500,000 by DHS for data provided
through E-Verify. SSA is working to develop an exchange agreement with
DHS that would govern reimbursement and other features of the program
in the future.
SSA initiated the State Verification and Exchange System (SVES) program
to allow state agencies to electronically request and receive data to
verify Social Security numbers, earnings and benefits information in
support of programs run by states (and certain other
agencies).[Footnote 14] SVES can deliver four different types of
automated responses to states:
* Social Security number verification,
* Social Security number verification and RSDI information,
* Social Security number verification and SSI information, and
* all of the above.
In order to receive any of these responses, state agencies must have
agreements with SSA that specify the type of information they may
request and receive.
The SVES program relies on a query system (also called SVES) that
interfaces with other SSA systems. SSA uses the system to receive
queries from and send responses to state agencies.[Footnote 15] The
system searches the Numident and benefit records databases for
information in response to queries that SSA receives from states (e.g.,
requests for Social Security numbers on a specific individual) and
sends the requested information back to the requester. Responses to
data requests are usually returned overnight, but under SSA's data
exchange agreements with states, the agency guarantees a 72-hour
turnaround.
Most SVES data transfers occur through overnight batch files, with a
small percentage transmitted in real time via mainframe to mainframe
connections and over the Internet. According to SSA, in fiscal year
2007, approximately 413 million data exchange transactions were
conducted through SVES; about 33 million of these (about 8 percent) were
real-time transactions.
In most cases, in lieu of reimbursement, states provide SSA access to
state records in return for SVES access to SSA data.[Footnote 16]
The American Association of Motor Vehicle Administrators (AAMVA) is a
consortium of state motor vehicle administrations that is responsible
for coordinating all data exchanges between SSA and states that use SSA
data when processing drivers' license applications and renewals.
Currently, under a data exchange agreement with AAMVA, SSA agrees to
provide an online Social Security number verification service to AAMVA
members through the consortium's network.
In addition to its agreement with AAMVA, SSA also has agreements with
individual states; these agreements establish privacy and security
requirements for access to SSA data and reimbursements to the agency
for verification services. Currently, SSA has agreements with motor
vehicle administrations in 48 states and the District of Columbia.
[Footnote 17]
State Motor Vehicle agencies use the Social Security Online
Verification (SSOLV) system to verify Social Security numbers when they
transmit queries via the AAMVA network. States submit to SSA queries
that include the name, Social Security number, and date of birth
provided by individuals in their applications for drivers' licenses and
state identification cards. SSA matches the information in the query
against the corresponding information in its Numident database, and
transmits a response to the requester:
* whether or not it finds a match and
* if there is no match, the reason (e.g., difference in name or number
or an invalid Social Security number).
SSA reported processing about 18.3 million AAMVA transactions through
this online verification system during fiscal year 2007.
SSA is fully reimbursed for verifications provided through the AAMVA
agreements. According to agency officials, in fiscal year 2007, the
agency was reimbursed about $231,000 for data provided through AAMVA.
SSA Data Exchange: Challenges:
As more agencies use SSA data and require increased levels of service,
the agency faces three primary data exchange challenges:
* meeting the increased demand for electronic data exchanges with SSA,
* ensuring the privacy and security of SSA information provided to data
exchange partners, and
* establishing effective practices for managing the agency's data
exchanges.
Recognizing these challenges, SSA established an initiative to examine
its data exchange environment and develop recommendations for improving
the management and execution of its data exchanges.
SSA Data Exchange Challenges: Meeting Increased Demand:
SSA's data exchanges have been increasing in number and volume. For
example, the volume of queries sent to the E-Verify program grew from
less than a million queries in fiscal year 2000 to over 3 million in
fiscal year 2007. Agency officials also stated that requests from
organizations such as AAMVA and employers for Social Security number
verification have increased in recent years. According to SSA, factors
contributing to the overall increase include:
* a greater reliance by agencies and the public on electronic rather
than physical verifications of Social Security numbers and
* an increasing number of outside organizations requesting electronic
verification of Social Security and SSI eligibility.
In addition, the level of service demanded has increased: large-scale,
high-visibility programs involving data exchanges increasingly require
these exchanges to be performed online, with real-time response and
full-time availability (24 hours a day, 7 days a week).
Moreover, demand for SSA data exchanges may increase further.
Legislation has been introduced in Congress to require all employers to
electronically verify the work authorization status of their employees
through the E-Verify program. As we testified in May 2008,[Footnote 18]
if participation in E-Verify becomes mandatory for all employers, SSA's
technical resources and staffing requirements would increase to support
the resulting expanded workload. Specifically, our testimony cited
SSA's estimate that a mandatory E-Verify program would cost a total of
about $281 million for fiscal years 2009 through 2013 and require
hiring 700 new employees for a total of 2,325 additional work years
over the same 5-year period.[Footnote 19] The estimates include costs
for system upgrades, training for current and new employees, and
ongoing activities such as system maintenance.
A large increase in data exchange demands would require that the agency
devote resources to upgrading and maintaining its technical
infrastructure: hardware, software, and telecommunications. For
example, in our May 2008 testimony, we reported that if the E-Verify
program is made mandatory for all U.S. employers (as is currently
proposed), the agency would have to provide workstations for new
employees and increase systems maintenance activities.[Footnote 20] SSA
officials also stated that the agency would have to upgrade its systems
to support online and near-real-time responses to an increased number
of requests. Additionally, officials stated that the existing technical
infrastructure[Footnote 21] for E-Verify does not include comprehensive
backup and disaster recovery capabilities to support continuity of
operations in case of system failures, which would be needed for
successful, sustainable support of an expanded E-Verify program.
Part of the challenge in planning for the future technical requirements
for E-Verify is that although increased demand can be foreseen, the
level of increase is not always predictable. For example,if the E-
Verify program is made mandatory for all U.S. employers, as is proposed
in current legislation, the specific resources that SSA would require
to implement its responsibilities would depend on the final
requirements in the law. The agency has developed resource estimates
based on various assumptions, such as that implementation would be
phased according to the number of employees in an enterprise.[Footnote
22] However, these assumptions are subject to change. In the meantime,
as discussed earlier, several states have required employers to
participate in E-Verify, but state requirements vary. Such uncertainty
increases the difficulty of identifying and providing the technical
infrastructure and other resources needed to meet the increased demand
expected from the program in the future.
Another part of SSA's data exchange resource challenge is that the
agency supports both modern and older technologies in order to work
with exchange partners that use a variety of mechanisms for conducting
electronic transactions. For example, in 2004, SSA implemented a
verification system that allowed states' unemployment agencies to
perform online queries of its databases to verify Social Security
number and RSDI income. While this service was intended to replace the
need for SSA to provide the data to state unemployment agencies through
a batch file processing system, only 30 states have implemented the
online verification capability. As a result, SSA now provides the data
to state unemployment offices through both batch processing and an
online system.
In the existing data exchange environment, the agency dedicates staff
and technical resources to supporting older technology, at the same
time that it must also plan for increased demand for data exchanges
that are supported by modern technology. In this regard, SSA may be
challenged to retain the expertise and maintain the technology required
to support a technical infrastructure environment that is expected to
remain mixed in the future.
SSA Data Exchange Challenges: Ensuring Privacy and Security:
As discussed earlier, federal laws impose privacy and security
requirements on federal agencies to protect information and information
systems, which are applicable to SSA data exchanges. For example, FISMA
and related guidance require SSA to protect records involved in data
exchanges by, for example, performing periodic risk assessments and
evaluations of the effectiveness of information security procedures and
practices. SSA has implemented a number of measures in order to meet
the requirements of these laws:
* Evaluating data exchange requests to ensure that the use of the data
is authorized by the routine uses[Footnote 23] associated with the
applicable Privacy Act system of records (from which data will be
disclosed) and the purpose of the request is compatible with the
agency's administration of its own programs.[Footnote 24]
* Conducting security certification and onsite compliance reviews. SSA
performs onsite reviews of its exchange partners' facilities to ensure
that they are in compliance with systems security procedures. Agency
guidelines call for these reviews about once every three years, or more
frequently if there is a significant change in a partner's computing
platform, a violation of SSA's systems security requirements, or an
unauthorized disclosure of information by a partner.
Further, the increase in agencies requesting online access to SSA's
records (rather than receiving data through batch processing) could
challenge SSA's capacity to perform privacy and security compliance
oversight, because providing and supporting online data access to
partners generally require resources to conduct more extensive remote
and onsite compliance reviews than does providing data via batch
processing.
The need for additional evaluations and reviews resulting from a
growing data exchange environment could create a need for SSA to hire
and retain additional staff with the expertise required to complete
these activities. Consequently, the agency could be challenged in the
future to meet the privacy protection and security requirements that
safeguard the data that it provides to other agencies.
SSA Data Exchange Challenges: Establishing Effective Management
Practices:
SSA has experienced challenges in managing its current data exchanges.
For example, in an October 2007 memo,[Footnote 25] the Deputy
Commissioner for Budget, Management and Finance noted that the agency's
Office of General Counsel determined that some of the agency's data
exchanges were questionable in terms of disclosure authority,
procedural safeguards, budget authority, and reimbursement policy.
[Footnote 26] Further, the Office of General Counsel found existing
data exchanges that were not covered by a controlling agreement, data
exchange agreements without sufficient reimbursement, and documented
data exchanges with no apparent SSA business purpose. Such management
challenges, if not addressed, could lead to problems in efficient
execution of current and future exchanges.
Key responsibilities for the agency's data exchanges are dispersed
throughout multiple agency components. The assignment of responsibility
for the management and oversight of SSA's inventory of data exchanges
is shown in table 6.
Table 6: Data Exchange Responsibilities of SSA Components:
SSA component: Deputy Commissioner for Budget Finance and Management;
Roles and responsibilities: Sets information system security standards
for all federal and state data exchange agreement partners and conducts
periodic systems security compliance reviews. The Deputy Commissioner
also manages the data exchange agreement development and execution
process and Computer Matching and Privacy Protection Act (CMPPA)
agreement process.
SSA component: Deputy Commissioner for Operations;
Roles and responsibilities: Provides the first contact point for many
outside entities seeking new electronic exchanges with SSA. This office
is also responsible for all consent-based reimbursable projects under
development within SSA.
SSA component: Regional Commissioners for Operations;
Roles and responsibilities: Subject to approval from headquarters
components, have delegated authority from the Deputy Commissioner for
Operations to sign data exchange and CMPPA agreements between SSA and
entities in their regions and may work directly with state and local
governments to establish and maintain data exchanges.
SSA component: Deputy Commissioner for Systems;
Roles and responsibilities: Develops, maintains, and supports the
various SSA systems and processes that provide electronic data exchange
services to outside entities.
SSA component: Office of Retirement and Disability Policy;
Roles and responsibilities: Serves an ongoing role as the sponsor of
certain CMPPA data matches by which SSA obtains program enforcement
data from outside entities.
SSA component: Office of General Counsel/General Law;
Roles and responsibilities: Drafts some agreements and reviews and
approves all agreements. The office also provides legal advice on the
business process and related issues.
SSA component: Office of General Counsel and Public Disclosure;
Roles and responsibilities: Determines what information may be
exchanged and with whom, and determines if an exchange is program
related or reimbursable.
Source: GAO analysis of SSA data.
[End of table]
Effective management practices are important to improving SSA's ability
to carry out its growing data exchange activities. In the October 2007
memo, the SSA Deputy Commissioner for Budget, Management and Finance
noted that the agency might benefit from establishing a single
component to manage and take ownership of all the agency's data
exchange activities. SSA officials noted that such an approach could
provide better executive control over the current and future data
exchange workload.
SSA recognizes the need to improve the management, execution,
processing, and oversight of its electronic data exchanges, and it has
initiated actions to help better manage its data exchange environment
and address challenges and limitations the agency faces now and expects
to increase in the future. In October 2007, the agency established its
Electronic Information Exchange Initiative, which has the following
objectives:
* identify the data exchanges that disclose information protected by
the Privacy Act and distinguish these from other electronic processes
that are developed or used to obtain information for SSA program
purposes;
* document current SSA components' roles and responsibilities in
electronic data exchange;
* identify and discuss issues affecting the management, efficiency,
execution, or outcome of electronic data exchanges; and
* obtain input and recommendations for improving the management and
execution of the agency's data exchanges from all SSA components
involved in the current process or with a stake in the outcome of the
initiative.
If effectively implemented, the initiative could potentially address
the challenges we have described. That is, identifying exchanges with
privacy implications, documenting roles and responsibilities, and
identifying and discussing data exchange issues could help SSA develop
and implement management practices that would better position the
agency to develop strategies for dealing with its resource challenges.
According to agency officials, as of late July 2008, the members of the
initiative had provided a draft report to SSA senior staff which
included recommendations for addressing the objectives. At that time,
the report was being reviewed by these staff. After addressing the
senior staff's comments, members of the initiative intend to brief the
Commissioner on the recommendations. The agency has not yet determined
when the report will be completed and actions taken on the
recommendations. Agency officials stated, however, that they will
provide the report to us for review upon its completion.
As part of its Electronic Information Exchange Initiative, SSA created
a summary inventory of its electronic data exchanges, but this
inventory does not include the comprehensive information needed to
effectively manage the agency's data exchange programs. A comprehensive
inventory that includes information such as the systems and resources
needed to support the data exchanges, workload statistics, and
identification of the status of privacy and security compliance and
reimbursement requirements, could provide useful information for
managing and overseeing data exchange programs. However, the summary
inventory SSA created does not include details on system resources,
such as the major information systems and interfaces supporting the
data exchanges. Agency officials stated that the inventory does not
include this information because its purpose was to provide summary
data as part of a report on the Initiative, and it was not intended to
be what they termed "a definitive repository for such information."
Maintaining an up-to-date and comprehensive data exchange inventory
could provide SSA the information needed to make credible and timely
decisions on implementing and managing data exchange activities, such
as monitoring privacy and security oversight activities and ensuring
the agency adheres to reimbursement policies.
Building on the summary inventory already created to produce a
comprehensive inventory of the agency's electronic data exchanges and
the system resources they use could provide SSA with an important tool
to help it better manage and oversee its data exchanges. Producing such
an inventory could help reduce the risk that the agency's data
exchanges and the challenges associated with them will not be
effectively managed.
Recommendations:
In view of the challenges associated with SSA's management of its data
exchanges, we recommend that as part of the agency's ongoing efforts to
establish improved management practices and processes, the Commissioner
of Social Security take the following two actions:
* establish milestones for completing the report and acting on the
recommendations of the Electronic Information Exchange Initiative; and
* develop and maintain a comprehensive inventory of SSA data exchanges
and supporting system resources that includes, among other things,
workload statistics and identification of the status of privacy and
security compliance and reimbursement requirements.
Agency Comments and Our Evaluation:
We received oral comments on a draft of this briefing from SSA program
officials, including the Deputy Commissioner for Systems and the Chief
Information Officer. The officials agreed with our recommendations and
provided additional information and technical comments related to the
department's data exchange programs which were incorporated into the
briefing as appropriate.
Regarding our recommendation that SSA develop and maintain a
comprehensive inventory of data exchanges, SSA officials noted that the
agency has initiated an effort that substantially addresses this
recommendation.
[End of Briefing slides]
Appendix II: Comments from the Social Security Administration:
Social Security:
The Commissioner:
November 17, 2008:
Ms. Valerie C. Melvin:
Director, Human Capital and Management Information Systems Issues:
U.S. Government Accountability Office:
441 G Street NW:
Washington, D.C. 20548:
Dear Ms. Melvin:
Thank you for the opportunity to review and comment on the Government
Accountability Office (GAO) draft report, "INFORMATION TECHNOLOGY:
Demand for the Social Security Administration's Electronic Data
Exchanges Is Growing and Presents Future Challenges" (GAO-09-126). Our
enclosed comments respond to the specific recommendations that were
raised. We have also suggested some technical corrections that would
enhance the accuracy of the report.
If you have any questions, please contact Candace Skumik, Director,
Audit Management and Liaison Staff, at (410) 965-4636.
Sincerely,
Signed by:
Michael J. Astrue:
Enclosure:
Comments On The Government Accountability Office (GAO) Draft Report
"Information Technology: Demand For The Social Security
Administration's Electronic Data Exchanges Is Growing And Presents
Future Challenges"
Thank you for the opportunity to review and provide comments on this
draft report.
Recommendation 1:
Establish milestones for completing the initiative's report and acting
on the recommendations.
Comment:
We agree. We completed the Electronic Information Exchange Initiative's
(EIEI) report on September 4, 2008, and established milestones for
acting on the report's recommendations.
Recommendation 2:
Develop and maintain a comprehensive inventory of data exchanges and
the systems resources they use.
Comment:
We agree. Related efforts, focusing primarily on creating an inventory
of reimbursable exchanges, but including non-reimbursable exchanges as
well, are currently underway and could be readily adapted to include
the information suggested in the report. A comprehensive inventory
would streamline activities across the agency, leading to labor savings
and minimizing the risk inherent in the current fragmented process.
Other Comments:
The GAO report does not adequately differentiate or explain our
information exchange environment, responsibilities, or activities.
There are significant differences between data exchanges that are the
result of shared program administration functions (such as our role in
the Medicare program or the Department of Treasury's function as the
disburser of monthly Social Security and Supplemental Security Income
payments), data exchanges required by law (such as those supporting
State administration of the Temporary Aid to Needy Families, Medicaid
and Supplemental Nutrition Assistance programs), and data exchanges
developed to replace manual program administration workloads or to meet
the growing demand (from other Federal and State agencies, and from the
private sector) for electronic verification of personal information
housed in our databases. The report does not recognize or adequately
discuss the different and unique challenges we face with each type of
data exchange that we deal with.
The first two sentences on page 11 and Table 3 on page 21 contain
inaccurate summary statistics and financial information which GAO
assembled from preliminary information we collected during the EIEI.
The discussion and summary table grossly overstate the actual number of
our outgoing electronic information exchanges. Also, on page 22, Table
3 (which we believe should be labeled Table 4), indicates that we pay
$1,288,155 to Federal agencies and $17,462,427 to State agencies for
incoming data. GAO's dollar amounts for incoming data rate are
incorrect. Page 19 of the EIEI report indicates that we pay Federal
agencies a total of $3,670,155 for incoming data. We do not know GAO's
source for the $17,462,427. Other than small amounts we pay for
electronic birth records, we are unaware of any payments to State
agencies for incoming data.
The GAO report should be updated using information from the August 2008
EIEI Report to the Commissioner of Social Security.
The report indicates the major challenge to our data exchange workload
is the need for more effective internal management and coordination. We
have already implemented the EIEI. However, the report does not state
more significant challenges, such as increasing infrastructure and
workload costs related to meeting the ever-increasing demands for on-
line verification of Social Security numbers, or the contradictory
goals of increasing the amount of personal information exchanged
electronically for third party enforcement purposes while
simultaneously attempting to comply with Federal mandates restricting
access to, and disclosure of, personal information. We recommend that
the report recognize these additional challenges.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov
Staff Acknowledgments:
In addition to the individual named above, key contributions to this
report were made by Teresa F. Tucker (Assistant Director), Michael A.
Alexander, Tonia D. Brown, Jacqueline K. Mai, Nancy E. Glover, and
Rebecca E. LaPaze.
[End of section]
Footnotes:
[1] A data exchange is any procedure for sending or receiving, or both,
information between two or more partners.
[2] A data exchange is any procedure for sending or receiving, or both,
information between two or more partners.
[3] The Medicare Prescription Drug, Improvement, and Modernization Act
of 2003 established Medicare Part D program, a prescription drug
benefit to help Medicare recipients with prescription drug costs. Under
this act, SSA is responsible, among other things, for withholding
Medicare Part D premium amounts for participants who elected to have
these premiums withheld from their Social Security payments. The act
also required SSA to allow withholding of Medicare Advantage Program
(Part C) premiums.
[4] GAO, Schedule and Timing Issues Complicate Withholding Premiums for
Medicare Parts C and D from Social Security Payments, [hyperlink,
http://www.gao.gov/products/GAO-08-816R] (Washington, D.C.: July 2008).
[5] In this context, a "data exchange" refers to an ongoing mechanism
for exchanging data; a "transaction" refers to an instance of exchanged
data, such as the verification of a single Social Security number.
[6] Protecting personally identifiable information in federal systems
is critical because its loss or unauthorized disclosure can lead to
serious consequences for individuals. These consequences include
identity theft or other fraudulent activity, which can result in
substantial harm, embarrassment, and inconvenience.
[7] Batch file mode collects and processes transactions together at a
specified time, while real-time mode processes transactions in response
to an external event within a short and predictable time frame.
[8] SSA uses RSDI to refer to the Old-Age and Survivors Insurance
program and the Disability Insurance program, both of which provide
benefits under Title II of the Social Security Act. The Old-Age and
Survivors Insurance program provides benefits to eligible insured
individuals and their eligible family members and survivors; the
Disability Insurance program provides benefits to eligible individuals
who have qualifying disabilities and their eligible family members.
[9] The SSI program provides income under Title XVI of the Social
Security Act.
[10] Because SSA plays a critical role in the programs' premium
withholding processes, it also receives data from CMS, which it uses in
carrying out its responsibilities under the act.
[11] For example, daily and monthly: generally, SSA sends daily files
of premium withholding transactions and monthly files on the amount of
premiums withheld.
[12] Nonconfirmations are considered tentative because mismatches can
occur for valid reasons, such as name changes on marriage. Employees
may be able to resolve such nonconfirmations; they have the right to
contest their tentative nonconfirmations by contacting SSA or DHS to
resolve any inaccuracies in their records within 8 federal working
days.
[13] Before the establishment of EV-STAR, employers were not
automatically notified through the E-Verify system after an SSA-issued
tentative nonconfirmation was resolved. Rather, after resolving the
tentative nonconfirmation, the employee had to present SSA's notice of
resolution to the employer, who then had to access E-Verify to resolve
the tentative nonconfirmation in the system.
[14] Although primarily aimed at state agencies, SVES also provides
data to other federal agencies and some foreign agencies.
[15] SVES also provides some federal agencies including CMS with a
standardized method of Social Security number verifications and uniform
data responses for RSDI and SSI information.
[16] In fiscal year 2007, SSA was reimbursed about $40,000 for data
provided to two state agencies.
[17] The two states that do not participate are Minnesota and Oklahoma.
[18] GAO, Employment Verification: Challenges Exist in Implementing a
Mandatory Electronic Employment Verification System, [hyperlink,
http://www.gao.gov/products/GAO-08-729T] (Washington, D.C.: May 6,
2008).
[19] SSA's estimates assume that under a mandatory expansion of the
current E-Verify program, for every 100 E-Verify queries, about 1.4
individuals will contact SSA regarding tentative nonconfirmation.
[20] [hyperlink, http://www.gao.gov/products/GAO-08-729T].
[21] This infrastructure was put in place a decade ago to support the
original limited pilot.
[22] For example, SSA also assumed that the first group of employers
would have to begin verifying newly hired employees by the end of
fiscal year 2009 and that there would be a gradual increase in
verification requests from fiscal years 2009 to 2012.
[23] Under the Privacy Act of 1974, the term "routine use" means (with
respect to the disclosure of a record) the use of such a record for a
purpose that is compatible with the purpose for which it was collected.
5 U.S.C. 552a(a)(7).
[24] Compatibility is established when the federal, state, or local
agency requester seeks data to assist in the administration of programs
under the Social Security Act and other federal, state, and local health
and income maintenance programs concerning determinations related to
eligibility, benefit amounts, or benefit status.
[25] Memo from SSA Deputy Commissioner for Budget, Management and
Finance, Electronic Information Exchange Initiative (Oct. 16, 2007), and
attachments.
[26] Agency officials told us that 231 of the agency's data exchanges
were identified by the Office of General Counsel as being questionable.
[End of section]