oversight

The Department of Education's Controls over the Access, Disclosure and Use of SSNs by Third Parties -- Pell Grant Program.

Published by the Department of Education, Office of Inspector General on 2002-10-31.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                        UN ITED STATES DEPARTMENT O F ED UCATI ON

                                           OFFICE OF INSPECTOR GENERAL



                                                       OCT 3 1 2002



                                                                                                CONTROL NUMBER
                                                                                                 ED-O IGI A 19-C0006

Theresa S. Shaw, Chief Operating Officer
Federal Student Aid
U.S. Department of Education
830 First Street, NE
Washington, DC 20202

Dear Ms. Shaw:

This Final Audit Report (Control Number ED-OIG/A 19-C0006) presents the results of
our audit of the Department of Education's controls over the access, disclosure, and use
of Social Security Numbers (SSNs) by third parties.

Statements that managerial practices need improvements, as well as other conclusions
and recommendations in this report, represent the opinions of the Office of Inspector
General. Detem1inations of corrective action to be taken will be made by appropriate
Department of Education officials.

In accordance with the Freedom of Information Act (5 U.S.c. § 552), reports issued by
the Office of Inspector General are available, if requested, to members of the press and
general public to the extent infomlation contained therein is not subject to exemptions in
the Act.


                                             BACKGROUND
The Social Security Administration created the Social Security Number (SSN) in 1936 as
a means of tracking workers' earnings and eligibility for Social Security benefits. Over
the years, the SSN has become a national identifier Llsed by Federal agencies, State and
local governments, and private organizations. Due to concerns related to sharing of
personal information and identity theft, Congress asked the General Accounting Office
(GAO) to study how and to what extent, Federal, State and local government agencies
use individuals' SSNs and how these entities safeguard records or documents containing
those SSNs. The Chairman of the House Ways and Means Subcommittee on Socia l
Security asked the Social Security Administration, Office of Inspector General, and the


                               400 M ARYLAND AVE., S. W. WASH1NGTO N, D.C. 20202 · 1510

       Our mission is!O ensure equal access to oou.cntion a nd   10   pronwte educational exceUence throughout the Nalion.
Ms. Theresa S. Shaw	                                                              Page 2 of 9




President’s Council on Integrity and Efficiency (PCIE) to review the way Federal
agencies disseminate and control the SSN. The Offices of Inspector General (OIG) for
several agencies participated in this review.

A standardized audit approach was developed for all participating agencies based on a
GAO survey conducted in August 2001. GAO sent questionnaires to officials of Federal
programs that were likely to routinely collect, maintain, and use individuals’ SSNs. GAO
asked each agency to complete questionnaires for five program areas. Each OIG
participating in the PCIE effort was asked to conduct an in-depth review of one of the
programs for which a questionnaire was completed. The Department of Education
(Department) completed questionnaires for the following areas: Direct Loan
Originations, Pell Grant Program, Federal Student Aid Collections, Education Central
Automated Processing System/Grants and Administration Payment System
(EDCAPS/GAPS), and Rehabilitation Services. We selected the Pell Grant Program for
the PCIE review since the Department reported the highest number of SSNs in that
program.

The objectives were to determine whether each agency:

    1. 	 Makes legal and informed disclosures of SSNs to third parties;
    2. 	 Has appropriate controls over contractors’ access and use of SSNs;
    3. 	 Has appropriate controls over other entities’ access and use of SSNs; and
    4. 	 Has adequate controls over access to individuals’ SSNs maintained in its 

         databases. 



                                  AUDIT RESULTS
Our audit was limited to review of the Pell Grant program and the Recipient Financial
Management System (RFMS). We determined that the only disclosures of SSNs to third
parties from the RFMS were to Federal Student Aid (FSA) contractors. As such, the
third objective regarding access by other entities was not applicable. (See the Objectives,
Scope, and Methodology section of this report for the definition of a disclosure
established for this review and the audit scope. See also Attachment 1 for details on the
flow of SSNs through the Pell Grant system.)

We found that in general, the Department made legal and informed disclosures of SSNs.
We found that improvements were needed in the Department’s controls over contractors’
access to and use of SSNs, and in controls over access to individuals’ SSNs maintained in
the RFMS.

The Department responded to our draft report, concurring with the finding and all
recommendations provided. The Department also described specific corrective actions
Ms. Theresa S. Shaw	                                                               Page 3 of 9




they have taken and intend to take to address the issues noted. The full text of the
Department’s response is included as Attachment 2 to this audit report.


Finding No. 1 	        Improvements Are Needed in Monitoring of FSA Contractor
                       Access, Disclosure and Use of Social Security Numbers.

Our audit revealed FSA staff did not adequately monitor the RFMS contractor’s
performance to ensure that SSNs were appropriately safeguarded. Specifically, we found
that FSA staff did not confirm whether the RFMS contractor provided Privacy Act
training for contractor personnel as required, and whether all contractor staff with access
to the RFMS were still currently employed by the contractor.

We also found that FSA did not maintain a current listing of RFMS users. During our
review, FSA staff provided us with a listing of staff with access to the system, but they
stated that the listing needed to be updated. FSA staff further stated that the RFMS
contractor previously provided regular reports of all current users, but that such a report
had not been provided since June 2002.

The Privacy Act of 1974, (5 U.S.C. § 552a, as amended), provides requirements on the
protection of personal information. Sections (e)(9) and (e)(10) of the Act require
agencies to:

         [E]stablish rules of conduct for persons involved in the design,
        development, operation, or maintenance of any system of records, or in
        maintaining any record, and instruct each such person with respect to such
        rules and the requirements of this section, including any other rules and
        procedures adopted pursuant to this section and the penalties for
        noncompliance.

        [E]stablish appropriate administrative, technical and physical safeguards
        to insure the security and confidentiality of records and to protect against
        any anticipated threats or hazards to their security or integrity which could
        result in substantial harm, embarrassment, inconvenience, or unfairness to
        any individual on whom information is maintained.

Section (m)(1) of the Privacy Act requires agencies to include compliance with the
Privacy Act in contracts for the operation of a system of records. Likewise, the Federal
Acquisition Regulation (FAR) § 24.102(a) states that the Privacy Act:

        [R]equires that when an agency contracts for the design, development, or
        operation of a system of records on individuals on behalf of the agency to
        accomplish an agency function the agency must apply the requirements of
        the Act to the contractor and its employees working on the contract.
Ms. Theresa S. Shaw                                                               Page 4 of 9




The Department’s Directive (Directive), C:GPA 2-110, “Contract Monitoring for
Program Officials,” dated January 12, 1987, establishes internal standards and guidelines
in conducting day-to-day contact monitoring. The Directive states:

        It is the policy of the Department of Education (a) to monitor every
        contract to the extent appropriate to provide reasonable assurance that the
        contractor performs the work called for in the contract, and (b) to develop
        a clear record of that performance and the Department’s efforts in
        monitoring it. (Section II, page 2 of the Directive)

        Contract monitoring is conducted by the Government to ensure that the
        contractor performs according to the specific promises and agreements
        that make up the contract. (Section VIII.A, page 10 of the Directive)

        Site visits may be advisable for particularly complex contracts, for those
        known to be experiencing performance difficulties, or for any contract
        where it would be good to demonstrate the Government’s interest or concern
        for successful performance. (Section H.1, page 22 of the Directive)

The RFMS contract Statement of Work, Section 5.8.3, Computer Security and Privacy
Act Training, states that the contractor shall:

        Provide formal classroom instruction for contractor personnel and
        packaged instruction for Department of Education staff prior to system
        start-up….Give computer security and Privacy Act refresher training
        annually to meet the requirements identified in the Computer Security Act
        of 1987.

We found that FSA included the requirements of the Privacy Act in the RFMS contract
and established rules of conduct for the system. However, FSA staff did not conduct site
visits or otherwise verify that the contractor was complying with the Privacy Act
requirements. For example, FSA did not monitor contractor activities to ensure that
training was provided as required. FSA staff did not receive copies of training records or
certifications from the contractor that training had taken place to confirm that these
requirements were being met. In fact, annual refresher training had not been provided
since November 2000. We also found that FSA staff did not maintain a current listing of
RFMS users or validate such a listing to ensure all users were appropriately trained and
were still employed by the contractor.

As a result, FSA does not have assurance that contractor staff with access to SSNs and
other personal information in the RFMS are aware of Department policies and procedures
and Federal laws prohibiting the disclosure of such information. FSA also does not have
assurance that contractor staff with access to the system are still current employees.
Ms. Theresa S. Shaw	                                                               Page 5 of 9




Recommendations:

We recommend that the Chief Operating Officer for Federal Student Aid take actions to
ensure:

1.1 	   FSA staff appropriately monitor contractor operations to ensure that training is
        provided to contractor staff as required.

1.2 	   FSA staff receive copies of training records or certifications from the contractor
        on a regular basis and periodically reconcile this information with user listings to
        ensure all users are appropriately informed of their responsibilities and the
        prohibitions against disclosure of SSNs and other information.

1.3 	   FSA maintains a current listing of RFMS users and periodically validates the
        listing of RFMS users to ensure that all staff with access to the system are current
        employees, and that access is canceled timely for staff that have separated.

1.4 	   FSA review other contracts with Privacy Act provisions to ensure that those
        contracts are appropriately monitored for compliance with Privacy Act
        requirements.


                OBJECTIVE, SCOPE, AND METHODOLOGY
The objectives of our audit were to determine whether the Department:

    1. 	 Makes legal and informed disclosures of SSNs to third parties;
    2. 	 Has appropriate controls over contractors’ access and use of SSNs;
    3. 	 Has appropriate controls over other entities’ access and use of SSNs; and
    4. 	 Has adequate controls over access to individuals’ SSNs maintained in its 

         databases. 


For the purpose of this audit, disclosure of SSNs was defined as new information
provided to a third party, whether it be another Government agency, a contractor, or an
outside organization. If a third party first sends a file of SSNs to the agency, the agency
matches those SSNs against its records to determine eligibility or some other information,
and sends the additional information back to the third party, that process is not considered
a disclosure for the purposes of our audit. For example, the exchange of information
between educational institutions and the RFMS is not considered a disclosure, since the
institutions provide the SSN with records initially sent to RFMS. Applying this criterion,
we determined that SSNs were not disclosed from the RFMS to entities other than
contractors. As such, the third objective of this audit did not apply to the scope of our
Ms. Theresa S. Shaw                                                             Page 6 of 9




audit. See Attachment 1 for further details on the flow of SSNs through the Pell Grant
system.

In selecting a program to review, we performed an analysis of the Department’s
responses to the GAO questionnaire for Direct Loan Originations, Pell Grant Program,
Federal Student Aid Collections, EDCAPS/GAPS, and Rehabilitation Services. We
evaluated the Department’s responses regarding the volume of records stored on
computer systems, the disclosure of SSN information to third parties, the number of
private contractors who have access to SSN information, computer network access by
third parties, and the number of separate computer systems that contain SSNs. We
selected the Pell Grant Program for further review based on the Department’s report of
approximately 50 million SSNs in the system. This amount far exceeded those reported
for the other programs. The other factors reviewed did not differ significantly among the
five programs.

The scope of our audit was calendar year 2001. We did not review the Common
Origination and Disbursement system that is now used for the Pell Grant Program, as that
system had not been implemented during the audit period.

To accomplish our objectives, we conducted interviews with FSA staff responsible for
the operation and security of the Pell Grant system. We reviewed the Privacy Act of
1974, Federal Acquisition Regulation, and Departmental policies and procedures on the
protection and use of Privacy Act information and on the requirements for contract
monitoring. We reviewed the general terms and conditions for the contracts for
development and operation of the RFMS to determine the requirements regarding access
to and disclosure of SSNs. We also reviewed the Department’s Privacy Act System of
Records notices for RFMS and other related FSA systems. We reviewed disclosures of
the uses of data made on the Free Application for Federal Student Aid (FAFSA) form and
the FAFSA electronic form on FSA’s website. We reviewed computer-matching
agreements with other Federal agencies, as well as risk assessments and security reviews
conducted of the RFMS and of the Virtual Data Center where RFMS data is stored. We
did not rely upon computer-processed data in conducting our audit.

We performed our fieldwork at applicable Department of Education offices in
Washington, DC, during the period April 2, 2002, through September 18, 2002. We held
an exit conference with Department officials on September 18, 2002. We performed our
audit in accordance with generally accepted government auditing standards appropriate to
the scope of the review described above.
Ms. Theresa S. Shaw                                                                 Page 7 of 9




              STATEMENT ON MANAGEMENT CONTROLS 

We made a study and evaluation of Federal Student Aid’s management control structure
over the access, disclosure, and use of Social Security Numbers by third parties. Our
review was limited to evaluation of the Pell Grant system operations during the period of
our review. Our study and evaluation was conducted in accordance with generally
accepted government auditing standards.

For the purpose of this report, we assessed and classified the significant management
control structure into the following categories:

•   Disclosure of SSNs to third parties,
•   Contractors’ access and use of SSNs, and
•   Access to SSNs in the Department’s RFMS database.

Department management is responsible for establishing and maintaining a management
control structure. In fulfilling this responsibility, estimates and judgments by
management are required to assess the expected benefits and related costs of control
procedures. The objectives of the system are to provide management with reasonable,
but not absolute, assurance that assets are safeguarded against loss from unauthorized use
or disposition and that the transactions are executed in accordance with management's
authorization and recorded properly, so as to permit effective and efficient operations.

Because of inherent limitations in any management control structure, errors, or
irregularities may occur and not be detected. Also, projection of any evaluation of the
system to future periods is subject to the risk that procedures may become inadequate
because of changes in conditions, or that the degree of compliance with the procedures
may deteriorate.

Our assessment disclosed conditions in the Department's management control structure
over disclosure of SSNs to contractors, which, in our opinion, result in more than a
relatively low risk that errors, irregularities, and other inefficiencies may occur resulting
in inefficient and/or ineffective performance. We noted a weakness with respect to the
Department’s monitoring of contractor’s access to, disclosure, and use of SSNs, and in
controls over access to individuals’ SSNs in the RFMS. These weaknesses are discussed
in the Audit Results section of this report.


                         ADMINISTRATIVE MATTERS
Please provide the Supervisor, Post Audit Group, Office of the Chief Financial Officer
and the Office of Inspector General with quarterly status reports on promised corrective
actions until all such actions have been completed or continued follow-up is unnecessary.
Ms. Theresa S. Shaw                                                           Page 8 of9




We appreciate the cooperation provided to us during this review. Should you have any
questions concerning this report, please call Michele Weaver-Dugan at (202) 863-9526.
Please refer to the control number in all correspondence related to the report.


                                Sincerely,


                                f(f~l~w 

                                Helen Lew
                                Acting Assistant Inspector General for Audit Services
Ms. Theresa S. Shaw	                                                             Page 9 of 9




                                                                            Attachment 1


                       The Flow of Social Security Numbers (SSNs)
                             through the Pell Grant System


• 	 Applicant SSNs are originally provided on the Free Application for Federal Student
    Aid (FAFSA) Application Processing System. The Recipient Financial Management
    System (RFMS) receives the SSNs for eligible Pell recipients via the Eligible
    Applicant File from the Central Processing System (CPS).

• 	 The Federal Pell Grant program does not directly make disclosures to eligible
    applicants of the uses of their personal information. Such disclosures do appear on
    the FAFSA forms (paper and electronic), Privacy Act Systems of Records notices,
    and Federal Register. These notices are applicable to all Title IV applicants,
    including Pell eligible applicants.

• 	 Institutions send origination records to RFMS. These origination records include
    students’ SSNs and institutions’ determinations of the Pell award amount. Original
    SSNs are matched to the eligible applicant data provided previously to RFMS by
    CPS. RFMS processes the data received from the institution and then provides the
    institution with an acknowledgment indicating that the record has been accepted,
    corrected, or rejected.

• 	 Once origination records have been accepted, institutions disburse funds to the
    students and transmit disbursement records to RFMS for processing. Again, students’
    SSNs are provided to RFMS by institutions in disbursement records. RFMS matches
    the information provided by institutions to the previously received origination records
    and transmits acknowledgements back to institutions.

• 	 Upon request by an institution, a year-to-date summary of originations and
    disbursements information that the institution previously sent to RFMS will be
    provided. This file includes only accepted and/or corrected records previously sent
    by the institution.
                                                                                     Attachment 2
                  UNITED STATES DEPARTMENT OF EDUCATION
                              ST UDENT FINANCIAL ASSISTANCE 

                               WASffi NGTON, D,C, 20202- 5 132 


                                                                            CHIEf' OPERATING OFFICER




                                                                                      OCT 2 3 2002
Ms. Michele Weaver-Dugan
Director, Operations Internal Audit Team
U.S. Department of Education
Office of Inspector General
400 Maryland A venue, S. W.
Washington, DC 20202-1600

Dear Ms. Weaver-Dugan:

Thank you for the opportunity to review and comment on the draft audit report (Control
Number ED-OIG/AI 9-C0006) that presents the results of your audit of the Department of
Education ' s "Controls over the Access, Disclosure, and Use of Social Security Numbers
(SSNs) by Third Parties." Specifically, your audit finding and the recommendations
pertain to your audit of the Federal Pell Grant program and the Recipient Financial
Management System (RFMS) administered by the Department's Federal Student Aid
program.

We concur with the finding and the four recommendations identified in the report. The
attachment provides the Department' s response to each recommendation. We used your
report to assist us in improving our controls over Social Security Number access,
di sclosure, and release.

Again, we appreciate the opportunity to review and comment on the draft report.




                                                          Theresa S. Shaw

cc: 	 Kathleen Wicks
      Rosemary Beavers




                               We help pul " me rlco Ihrough schooL
                        Response to OIG Draft Audit Report 

                     Audit of Controls over the access, disclosure, 

                     And use of Social Security Numbers (SSNs) 

                                   by third parties 



Office of Inspector General (OIG) draft report section:

OIG Finding No. I:

Improvements are needed in monitoring of FSA Contractor Access, Disclosure and
Use of Social Security Numbers.

DIG Recommendation 1.1: Ensure FSA staffappropriately monitor contractor
operations to ensure thar training is proVided fa contractor staffas required.

FSA Response: We concur. The Contractor has scheduled Privacy Act training for
October 24, 2002. Once the training is completed, the Systems Security Officer (SSO)
will obtain a report from the contractor. The SSO will monitor the contractor more
closely and receive compliance reports on a monthly basis for the full tenn of the
contract. The RFMS contract is scheduled to end this fiscal year. We wi ll ensure lhallhe
SSO for the Common Origination and Disbursement (COD) contract, which replaces
RFMS, compl ies with the Privacy Ac t and Departmental Directive C: GPA 2-110,
"Contract Monitoring for Program Officials" and appropriately monitors contractor
operations to ensure that training is provided to con tractor staff.

DIG Recommendation 1.2: Ensure FSA staffreceive copies oftraining records or
certifications from the contractor 011 a regular basis and periodically reconcile this
information with user listings to ensure aI/users are appropriately informed oftheir
responsibilities and the prohibitions against disclosure ofSSNs and other information.

FSA Response: We concur. On October 24,2002, the Contractor has scheduled Privacy
Act training that wi ll appropriately infonn a ll users of their responsibi lities and
prohibitions against disclosure of SSNs and other infomlation. The Contractor will
submit training records or certifications of training upon completion of this training. The
RFMS contract is sc hedu led to end this fiscal year. We will ensure that the SSO for the
COD contract monitors the contract more closely and on a monthly basis, and reconciles
the train ing records with the user li sting.

DIG Recommendation 1.3: Ensure FSA maintains a cllrrent listing ofRFMS users and
periodically validates the listing ofRFMS lIsers to ensllre that all staff lVith access to the
system are current employees. and tho! access is canceled timely for staff that have
separated.
FSA Response: We concur. In October 2002, the SSO reviewed and validated the li sting
of RFMS users to ensure that they are curre nt employees. The SSO confirmed that
access was canceled for employees who separated. The RFMS contract is schedu led to
end this fiscal year. We will ensure the SSO for the COD contract reviews and validates
listings on a monthly basis and removes employees upon notification of separation.

OIG Recommendation 1.4: Ensure FSA review other contracts with Privacy Act
provisions to ensure rhat those contraCls are appropriately monitored/or compliance
with Privacy Act requiremenrs.

FSA Response: We concur. We will have SSO's review all current contracts with
Privacy Act provisions to ensure that they are appropriately monitored for compliance
with Pri vacy Act requirements.