oversight

Elimination of Unnecessary Use of Social Security Numbers at the Farm Credit Administration

Published by the Farm Credit Administration, Office of Inspector General on 2016-08-31.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

OFFICE OF
INSPECTOR GENERAL      Inspec on Report
                     Elimina on of Unnecessary Use
                    of Social Security Numbers at the
                        Farm Credit Administraon
                                  I‐16‐02

                               Inspector
                                Ava Bell

                         Issued August 31, 2016




                        FARM CREDIT ADMINISTRATION
Farm Credit Administration                                      Office of Inspector General
                                                                1501 Farm Credit Drive
                                                                McLean, Virginia 22102-5090




August 31, 2016


The Honorable Kenneth A. Spearman, Board Chairman
The Honorable Dallas P. Tonsager, Board Member
The Honorable Jeffery S. Hall, Board Member
Farm Credit Administration
1501 Farm Credit Drive
McLean, Virginia 22102-5090

Dear Board Chairman Spearman and FCA Board Members Tonsager and Hall:

The Office of Inspector General (OIG) completed an inspection of the Farm Credit
Administration’s (FCA or Agency) use of Social Security Numbers (SSN) within the Agency. The
objective of this inspection was to determine whether FCA has eliminated unnecessary use of
SSNs and is safeguarding SSN information in Agency processes and systems.

We found the Agency is not storing or using employee SSNs unnecessarily. When SSN
information is used within FCA systems and processes, there are administrative, technical and
physical safeguards.

Our inspection report contains no recommendations.

We appreciate the courtesies and professionalism extended by FCA personnel to the OIG staff.
If you have any questions about this inspection, Ava Bell and I would be pleased to meet with
you at your convenience.

Respectfully,




Elizabeth M. Dean
Inspector General

Enclosure
RESULTS:

The Farm Credit Administration (FCA      The objective of the inspection was to determine whether
or Agency) has eliminated unnecessary    the Farm Credit Administration (FCA or Agency) has
use of Social Security Numbers (SSN)     eliminated unnecessary use of Social Security Numbers (SSN)
and is safeguarding SSN information
                                         and is safeguarding SSN information in Agency processes and
and other personally identifiable
information (PII) in its processes and   systems.
systems.
                                         We found the Agency is not storing or using Social Security
This report contains no                  Numbers unnecessarily and there are safeguards in place
recommendations.                         when SSN information is used in Agency processes and
                                         systems. The Agency:

                                            •   Eliminated requests for SSNs from current FCA forms,
                                                with the exception of a few for which SSN use
                                                accomplishes an agency function;
                                            •   Does not unnecessarily collect and store SSNs in its
                                                processes and systems; and
                                            •   Protects SSN information with administrative,
                                                technical and physical safeguards.

                                         This report contains no recommendations or agreed upon
                                         actions.
                                TABLE OF CONTENTS



BACKGROUND _______________________________________________________ 1

 Legislation and Guidance _____________________________________________________ 1

 Prior Review _______________________________________________________________ 2

INSPECTION RESULTS ________________________________________________ 3

 Eliminating Unnecessary Use of Social Security Numbers ____________________________ 3

   FCA Forms _______________________________________________________________ 3

   SSNs in Paper and Electronic Systems __________________________________________ 3

 Safeguarding Social Security Numbers ___________________________________________ 5

   Administrative Safeguards __________________________________________________ 5

   Technical Safeguards _______________________________________________________ 5

   Physical Safeguards ________________________________________________________ 6

INSPECTION CONCLUSIONS ___________________________________________ 6

OBJECTIVE, SCOPE, AND METHODOLOGY _______________________________ 7

ACRONYMS _________________________________________________________ 8
BACKGROUND

    The Farm Credit Administration (FCA or Agency) is an independent federal agency responsible
    for regulating, examining, and supervising the Farm Credit System (FCS) and the Federal
    Agricultural Mortgage Corporation. The core mission of FCA is to ensure a safe, sound, and
    dependable source of credit and related services for agriculture and rural America.

    With this mission comes a responsibility to safeguard sensitive FCS and loan information, as
    well as sensitive, personal information within the Agency itself, including personally identifiable
    information (PII). PII is any information that 1) distinguishes an individual’s identity, such as
    name, date of birth, and social security number, and 2) is linked to an individual, such as
    medical, financial, and employment information.1

    We limited our inspection to a review of employee Social Security Numbers (SSN) within the
    Agency. Agency processes and systems change over time. Given the recent data breaches in
    several federal agencies, the Office of Inspector General (OIG) considered it prudent to review
    SSN use in forms and systems within FCA to ensure there is no unnecessary collection of SSNs,
    or when necessary to collect, the information is being safeguarded.



    Legislation and Guidance
    The Privacy Act of 1974, as amended, requires each agency that maintains a system of records
    to maintain only the information about individuals that is relevant and necessary to accomplish
    a purpose of the agency required by statute or Presidential executive order. 2 The Privacy Act
    also requires agencies to establish appropriate administrative, technical, and physical
    safeguards to protect the security and confidentiality of records when they maintain a system
    of records. 3

    The Office of Management and Budget (OMB) has issued several memoranda requiring
    agencies to eliminate the unnecessary use of SSNs and safeguard PII and other sensitive agency
    information. These memoranda and their requirements are summarized as follows:



    1
      National Institute of Standards and Technology’s Guide to Protecting the Confidentiality of Personally Identifiable
    Information (PII), Special Publication 800-122 (April 2010).
    2
      5 USC § 552a(e)(1).
    3
      The Privacy Act defines “system of records” as “a group of any records under the control of any agency from
    which information is retrieved by the name of the individual or by some identifying number, symbol, or other
    identifying particular assigned to the individual.” 5 USC § 552a(a)(5). See also 5 USC § 552a(e)(10).



                                                              1
   •   OMB M-06-15, Safeguarding Personally Identifiable Information, May 2006: Required
       agencies to conduct a review of administrative, technical, and physical controls, and
       take corrective action as necessary, to safeguard PII.
   •   OMB M-06-16, Protection of Sensitive Agency Information, June 2006: Required
       agencies to use the National Institute of Standards and Technology (NIST) checklist for
       protection of remote information, and outlined additional technical safeguards to
       compensate for the lack of physical security controls when agency information is
       accessed remotely.
   •   OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally
       Identifiable Information, May 2007: Required agencies to: review current PII holdings
       and reduce such holdings to the minimum necessary for the proper performance of a
       documented agency function; identify and eliminate instances in which collection or use
       of SSNs is superfluous; explore alternatives to agency use of SSNs as a personal
       identifier; and develop an implementation plan to eliminate unnecessary use of SSNs.
   •   OMB M-07-19, FY 2007 Reporting Instructions for FISMA and Agency Privacy
       Management, July 2007: Required agencies to provide the implementation plan
       developed under M-07-16 with their annual Federal Information Security Modernization
       Act (FISMA) evaluation.



Prior Review
In 2002, prior to the issuance of the OMB memoranda identified above, the FCA OIG conducted
a review of the Agency’s use of SSNs. The objectives of the review were to determine: how FCA
uses SSNs, whether the use of SSNs is mandatory, and whether procedures and safeguards
were in place to protect SSN information. The OIG reviewed existing policies and procedures,
and all forms published in the FCA forms database. The OIG also surveyed office directors about
departmental use and safeguarding SSNs. The OIG concluded that FCA staff were taking
reasonable measures to safeguard SSNs, and managers were exercising due diligence in
protecting SSNs.




                                               2
INSPECTION RESULTS

     The objective of this inspection was to determine whether FCA has eliminated unnecessary use
     of Social Security Numbers (SSN) and is safeguarding SSN information in Agency processes and
     systems. Based on our review, the Agency is not collecting and using SSNs unnecessarily in its
     processes and systems. When SSNs are collected, that information is protected through
     administrative, technical and physical safeguards.

     Eliminating Unnecessary Use of Social Security Numbers
     To evaluate FCA processes and systems for unnecessary use of SSNs, we reviewed current FCA
     forms. We identified electronic systems and paper records that use or store SSNs and
     determined whether the use was for an agency function. We also tested selected data
     collections for unnecessary use of SSNs.

     FCA Forms

     We reviewed current FCA forms found in the Forms Library and other internal sources to
     determine whether the Agency has eliminated the unnecessary use of SSNs in its forms. We
     excluded Federal forms (standard forms, optional forms, etc.) from our review, as the Agency
     has no discretion to revise these forms. We found that FCA has eliminated the request for the
     SSN on most Agency forms. Only a few forms still request the SSN, and we determined each use
     to be required or necessary for various reasons. The following FCA forms still include SSNs:

        •   Flexible Spending Account (FSA) forms (Health Care FSA Claim Form and Dependent Day
            Care FSA Claim Form) – require a full SSN for tax reporting purposes.
        •   Child Care Provider Information Form – requires the Federal Tax Identification Number
            for child care providers for tax reporting purposes.
        •   Government Purchase Card Setup Form – requires a partial SSN (last four digits) for card
            activation.
        •   Government Travel Card Application – requires a full SSN for a credit check.

     We determined SSN use is necessary because these forms are either tax-related documents as
     required by the Internal Revenue Service, or the SSN is a required use to accomplish an agency
     function (i.e., issuance of government credit cards).

     SSNs in Paper and Electronic Systems

     FCA has very few paper records that contain SSNs. These documents are payroll and personnel
     security records, which are maintained to accomplish agency functions (e.g., payroll
     administration and employee background investigations).


                                                    3
However, the Agency uses several electronic systems that store and use SSNs:

   •   National Finance Center (NFC) (payroll system)
   •   eOPF (OPM-mandated electronic official personnel files)
   •   FedHR Navigator (hiring, onboarding, retirement)
   •   Personnel Retrieval System (personnel management)
   •   USAStaffing (OPM’s hiring management system)
   •   Executive & Schedule C System (secure database on SES, Schedule C appointees, etc.)
   •   GSA-USA Access (employee and contractor ID card issuance)
   •   e-Verify (citizenship/eligibility to work verification)
   •   Electronic Questionnaires for Investigations Processing and Central Verification System
       (personnel security)
   •   MyEnroll (FCA flexible spending plan administration)
   •   Wells Fargo (FCA 401k plan administration)
   •   Citibank (government travel and purchase cards)

The OIG reviewed the electronic systems identified as storing and using SSNs to determine if
current SSN use is necessary for the performance of an agency function. We determined each
of the systems accomplish an agency function, e.g., payroll and benefits administration,
maintenance of official personnel files, or personnel security. For example, the NFC payroll
system is designed to use the SSN as a personal identifier for employee record retrieval.

The Agency has also created internal electronic data collections for various purposes, and the
OIG tested a judgmental sample of these data collections to determine whether SSNs are being
used unnecessarily. We selected and reviewed the following data collections to confirm
discussions with staff who stated that there are no SSNs in these collections:

   •   Personnel Action Report
   •   Retirement Eligibility Report
   •   Voluntary Leave Bank Enrollments

We confirmed that neither the reports nor the leave bank enrollments contain SSNs.




                                               4
Safeguarding Social Security Numbers
We researched Agency policies and procedures, reviewed the 2015 FCA FISMA Evaluation, and
conducted interviews with FCA staff to determine whether the Agency has administrative,
technical and physical safeguards in place to protect SSNs in its processes and systems.

Administrative Safeguards

FCA has an information technology (IT) security policy published in PPM 902, Computer Security
Program, and PPM 906, Limited Personal Use of Farm Credit Administration Assets. Compliance
with these policies is mandatory. Employees and contractors are required to read and sign the
Employee Certification Form for these policies when they come on board. The Agency also has
a number of IT security related documents that define sensitive information and PII and provide
guidance on how to protect such information. Two examples are: 1) guidance requiring
personnel to encrypt email containing sensitive or privacy information, and 2) a PII breach
notification policy requiring the Chief Information Officer to notify FCA management and
comply with breach incident reporting requirements to the Department of Homeland Security’s
US-Cert website.

The Agency also provides mandatory, annual information security awareness training to all
employees and contractors, which includes guidance on protecting PII. Additionally, the
performance standards for all human resources staff include confidentiality language to ensure
PII controls are observed.

Technical Safeguards

Annually, the OIG conducts an independent evaluation of FCA’s compliance with the Federal
Information Security Modernization Act of 2014 (FISMA) and an assessment of the Agency’s
information security program. The 2015 FCA FISMA evaluation contained no
recommendations. 4 The FISMA report stated that the FCA has established an information
security program consistent with National Institute of Standards and Technology, Department
of Homeland Security, and OMB guidelines, in the following reportable areas:
     •   Continuous Monitoring Management
     •   Configuration Management
     •   Identity and Access Management
     •   Incident Response and Reporting
     •   Risk Management
     •   Security Training

4
 See OIG 2015 Evaluation of the Farm Credit Administration’s Compliance with the Federal Information Security
Modernization Act, E-15-01, Nov. 13, 2015.



                                                       5
         •   Plans of Action & Milestones
         •   Remote Access Management
         •   Contingency Planning
         •   Contractor Systems
     Although the 2015 FISMA evaluation did not specifically review technical safeguards in place to
     protect SSNs, the OIG determined the FCA has an information security program that continues
     to mature.

     Physical Safeguards

     We interviewed several FCA staff who regularly handle electronic and paper records containing
     SSNs to determine whether physical safeguards are in place to protect this information.
     Through interviews in the staff offices, we determined these personnel are keeping paper
     records in locked cabinets, safes, closets and offices. Staff stated they keep documentation with
     SSNs secure in the locked areas when not using the records. Additionally, information provided
     by FCA managers indicated that SSNs found to be unnecessary are redacted from paper records
     originating from another agency. FCA staff who regularly use or access SSNs and other PII
     stated they are sensitive to safeguarding this information in their daily work routines.


INSPECTION CONCLUSIONS

     This report contains no recommendations or agreed upon actions. We encourage the Agency to
     continue its vigilance in safeguarding SSNs and other sensitive Agency information.




                                                     6
OBJECTIVE, SCOPE, AND METHODOLOGY

     The objective of the inspection was to determine whether the Farm Credit Administration has
     eliminated unnecessary use of Social Security Numbers (SSN) and is safeguarding SSN
     information in Agency processes and systems. We conducted fieldwork at FCA’s headquarters
     in McLean, Virginia from May to August 2016. We limited our scope to review of current FCA
     forms, processes and systems.

     We completed the following steps to accomplish the inspection objective:

        •   Reviewed applicable laws, OMB policy and other guidance related to the inspection
            objective.
        •   Considered prior reviews related to the inspection objective.
        •   Conducted interviews with key personnel who use or store employee SSNs.
        •   Reviewed applicable FCA policies and procedures.
        •   Researched and reviewed all FCA forms for SSN use.
        •   Selected and tested a judgmental sample of internal data collections to determine
            whether FCA is unnecessarily collecting or using employee SSNs in its data collection
            efforts.
        •   To avoid duplication of evaluative work, this inspection referenced the 2015 FCA FISMA
            Evaluation report, which stated FCA has an IT security program that includes all key
            areas identified in FISMA, and contained no findings or recommendations.

     This inspection was performed in accordance with the Council of the Inspectors General on
     Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. Those standards
     require that we plan and perform the inspection to obtain sufficient, competent and relevant
     evidence that supports a reasonable basis for our findings, conclusions and recommendations.
     We assessed internal controls and compliance with laws and regulations to the extent
     necessary to satisfy the objective. Because our review was limited, it would not necessarily
     have disclosed all internal control deficiencies that may have existed at the time of our
     inspection. We assessed the information and data collected during the inspection and
     determined it was sufficiently reliable and valid for use in meeting the inspection objectives.
     We assessed the risk of fraud related to our inspection objective in the course of evaluating
     evidence. Overall, we believe the evidence obtained is sufficient to provide a reasonable basis
     for our findings and conclusions based on the inspection objective.




                                                    7
ACRONYMS


           FCA     Farm Credit Administration

           FCS     Farm Credit System

           FISMA   Federal Information Security Modernization Act

           FY      Fiscal Year

           NIST    National Institute of Standards and Technology

           OIG     Office of Inspector General

           OMB     Office of Management and Budget

           OPM     Office of Personnel Management

           PPM     Policies and Procedures Manual

           SSN     Social Security Number

           PII     Personally Identifiable Information




                                            8
    R E P O R T

Fraud | Waste | Abuse | Mismanagement




     FARM CREDIT ADMINISTRATION
      OFFICE OF INSPECTOR GENERAL

   Phone: Toll Free (800) 437-7322; (703) 883-4316

                Fax: (703) 883-4059

           E-mail: fca-ig-hotline@rcn.com

          Mail: Farm Credit Administration
                Office of Inspector General
                1501 Farm Credit Drive
                McLean, VA 22102-5090