
The Social Security Administration's Implementation of iPaySSA (Congressional Response Report)

Published by the Social Security Administration, Office of Inspector General on 2020-07-30.


Congressional Response Report

The Social Security Administration’s Implementation of iPaySSA

A-14-19-50893 | July 2020

July 30, 2020


The Honorable John B. Larson
Chair

The Honorable Tom Reed
Ranking Member

Subcommittee on Social Security
Committee on Ways and Means
U.S. House of Representatives
Washington, DC 20515

Dear Subcommittee Chair Larson and Mr. Reed:

In a February 3, 2020 letter, you asked that we review the Social Security Administration’s plans
to implement iPaySSA. Thank you for bringing your concerns to my attention. We share your
interest in ensuring that all Agency programs properly assess fraud risk, protect personally
identifiable information, and monitor results to meet the stated objectives.

This report contains our responses to the questions included in your letter. To ensure the Agency
is aware of the information provided to your office, we are forwarding a copy of this report to the
Agency. If you have any questions concerning this matter, please call me or have your staff
contact Walter Bayer, Congressional and Intragovernmental Liaison, at (202) 358-6319.

                                                    Sincerely,




                                                    Gail S. Ennis
                                                    Inspector General

Enclosure

cc:
Commissioner of Social Security




                WEB: OIG.SSA.GOV | FACEBOOK: OIGSSA | TWITTER: @THESSAOIG | YOUTUBE: THESSAOIG
                          6401 SECURITY BOULEVARD | BALTIMORE, MD 21235-0001
The Social Security Administration’s Implementation of iPaySSA
A-14-19-50893
July 2020                                                                 Office of Audit Report Summary

Objective

To answer questions on the Social Security Administration’s (SSA) implementation of iPaySSA.

Background

IPaySSA was designed as a new, online repayment option for Social Security beneficiaries and
Supplemental Security Income recipients with one debt owed to SSA.

On February 3, 2020, John B. Larson, Chair, and Tom Reed, Ranking Member, Committee on Ways and
Means, Subcommittee on Social Security requested that the Office of the Inspector General (OIG)
address the following: (1) SSA’s plans for implementing iPaySSA; (2) the security risks and
vulnerabilities with iPaySSA, and what SSA is doing to address them; (3) how those who make a
payment through iPaySSA will receive confirmation that a payment was processed; and (4) what
group(s) of Social Security beneficiaries and Supplemental Security Income recipients SSA is
targeting for the initial release of iPaySSA.

Conclusion

On July 17, 2020, SSA informed the OIG that it no longer intends to implement the iPaySSA project.
Instead, the Agency is directing its efforts to providing the public with modern electronic service
options, including the ability to securely repay overpayments online through the development of its
modern Debt Management Product.

The goal of iPaySSA was to reduce the burden and cost of SSA’s manual remittance process and
provide the public with a more convenient and timely method of payment. SSA planned to offer the
application to approximately 260,000 individuals who

   • have only 1 overpayment;
   • receive monthly installment billing notices; and
   • remit payments (a) in field offices via cash, credit card, or check; (b) to a processing
     center by mail; or (c) by telephone via credit card.

IPaySSA would have offered individuals the option to print, save, or email a confirmation receipt.
The Agency did not plan to provide individuals with overpayment balances through iPaySSA.
Individuals can obtain this information through my Social Security or by calling SSA’s national
800-number.

On March 13, 2020, SSA hired a contractor to conduct a security assessment of iPaySSA and its
infrastructure. The contractor assessed the security, fraud, and privacy controls of the iPaySSA
application before the Agency makes it available to the public. SSA provided OIG a copy of the
contractor’s report on May 21, 2020. We agreed with the contractor’s assessment and determined that
the contractor identified many of the same concerns we shared with the Agency in February 2020.
TABLE OF CONTENTS
Objective ..........................................................................................................................................1
Background ......................................................................................................................................1
Results of Review ............................................................................................................................2
     Question 1: What are SSA’s plans for implementing iPaySSA? What are SSA’s goals and
     objectives for the system, and how will the Agency determine whether they have been met? .2
     Question 2: What are the security risks and vulnerabilities with iPaySSA, and what is SSA
     doing to address them? What additional steps should the Agency take to ensure iPaySSA is
     both secure and able to gain the confidence of potential users? Could the security of iPaySSA
     be improved by utilizing the my Social Security portal? ........................................................3
     Question 3: For those who make a payment through iPaySSA, how will they receive
     confirmation that a payment has been processed? Will the individual receive a receipt and/or
     update regarding the balance of his/her overpayment?..............................................................4
     Question 4: What group(s) of Social Security beneficiaries and Supplemental Security
     Income recipients is SSA targeting for the initial release of iPaySSA? How many individuals
     are in these categories, and how are these individuals currently repaying their benefit
     overpayments? What is SSA’s plan for expanding iPaySSA to other potential users? ............5
Appendix A – Letter From Congress ......................................................................................... A-1
Appendix B – Scope and Methodology ..................................................................................... B-1
Appendix C – Agency Comments .............................................................................................. C-1




SSA’s Implementation of iPaySSA (A-14-19-50893)
ABBREVIATIONS
NIST                National Institute of Standards and Technology

OIG                 Office of the Inspector General

PII                 Personally Identifiable Information

SSA                 Social Security Administration

SSN                 Social Security Number




OBJECTIVE
Our objective was to answer questions on the Social Security Administration’s (SSA)
implementation of iPaySSA.

BACKGROUND
IPaySSA was designed to be a new, online repayment option to reduce the burden and cost of
SSA’s manual remittance process. It was part of SSA’s multi-year Debt Management
modernization effort. 1 IPaySSA would allow Social Security beneficiaries and Supplemental
Security Income recipients with one debt to access a payment portal on SSA.gov and make
payments via the Department of the Treasury’s Pay.gov Website. 2 Individuals would be able to
repay benefit overpayments by credit/debit card or checking/savings account. On SSA.gov,
iPaySSA would ask the individual to enter a Social Security number (SSN) and the dollar amount
to repay. SSA would use its system of records to validate the SSN and the overpayment
associated with the SSN before it proceeds with the transaction. If the information was correct
and the individual was eligible to use the service, iPaySSA would transfer the user to Pay.gov to
enter credit card or bank information and complete the transaction. When the payment was
successful, Pay.gov would return the individual to iPaySSA with a receipt of payment to print,
save, or email.

On February 3, 2020, John B. Larson, Chair, and Tom Reed, Ranking Member, Committee on
Ways and Means, Subcommittee on Social Security, requested that the Office of the Inspector
General (OIG) answer specific questions about SSA’s implementation of iPaySSA (see
Appendix A).

For this audit, we reviewed relevant documentation and interviewed personnel from SSA’s
Offices of Budget, Finance and Management, and Systems to gain an understanding of the
Agency’s plans for implementation and the controls for iPaySSA. We contacted digital identity
experts from the National Institute of Standards and Technology on the technical requirements
for Federal agencies implementing digital identity services. See Appendix B for additional
information about our scope and methodology.




1 According to SSA, its modernization plan began in 2014 with the implementation of the Social Security Electronic
Remittance System in its field offices. In Fiscal Year 2019, the Agency collected nearly 200,000 remittances
totaling $122 million via the Social Security Electronic Remittance System.
2 Pay.gov is the Department of the Treasury’s Government-wide collection portal that enables agencies to collect
payments from their customers and manage agency collection activities.



RESULTS OF REVIEW
Question 1: What are SSA’s plans for implementing iPaySSA? What
are SSA’s goals and objectives for the system, and how will the
Agency determine whether they have been met?
The Agency planned to implement iPaySSA before the end of Fiscal Year 2019 but, in
September 2019, decided to delay implementation until spring 2020 to add more functionality.
On July 17, 2020, SSA informed the OIG that it no longer intends to implement the iPaySSA
project. Instead, the Agency is directing its efforts to providing the public with modern
electronic service options, including the ability to securely repay overpayments online, through
the development of a modern Debt Management Product (see Appendix C). 3

SSA’s goal for iPaySSA was to reduce the burden and cost of the Agency’s manual remittance
process and provide the public with a more convenient method of payment. SSA planned to
target the initial release of iPaySSA to a smaller population of approximately 55,000 to
70,000 users (of the 260,000 individuals identified) who are making monthly payments in field
offices. SSA’s initial goal was for about 550 to 700 individuals to use iPaySSA.

In March 2020, SSA reported the actual cost of iPaySSA was approximately $2.18 million
(73 percent above its original $1.26 million estimate). According to SSA, the cost overages
occurred because the Agency added functionality to iPaySSA that it did not include in the
original plan. As of March 25, 2020, SSA did not have a goal for the cost savings it planned to
achieve with iPaySSA.




3 SSA is targeting September 2021 for the minimum viable product of the Debt Management Product.


Question 2: What are the security risks and vulnerabilities with
iPaySSA, and what is SSA doing to address them? What additional
steps should the Agency take to ensure iPaySSA is both secure and
able to gain the confidence of potential users? Could the security of
iPaySSA be improved by utilizing the my Social Security portal?
Federal standards require that an agency verify a user’s identity if the agency needs to have
assurance the user is who he/she claims to be. 4 Federal agencies must perform risk assessments
to determine the extent to which risk must be mitigated by identity proofing and authentication
processes. 5

SSA contacted a consultant, who informed the Agency on April 1, 2019 that the iPaySSA
application, as designed, would disclose personally identifiable information (PII)—specifically,
the existence of an SSN and the amount of the debt owed by the number holder. However, the
Agency did not address this disclosure in its authentication risk assessment for iPaySSA, which it
completed on April 4, 2019. SSA determined it would not need to verify the identities of
iPaySSA users because, similar to the current remittance process, the individuals making
payments need not be the debtors themselves (for example, representative payees could make
payments on the debtors’ behalf). However, if iPaySSA confirms to users the validity of the
SSNs and the existence of debts, SSA would need to verify users’ identities to ensure it does not
disclose PII to unauthorized individuals. SSA ultimately decided not to implement iPaySSA and
will instead pursue the business goals as part of a broader debt management product.

In February 2020, OIG shared with SSA its concerns about the security of iPaySSA. The Agency
updated its authentication risk assessment on March 12, 2020 6 but did not address all of OIG’s
concerns. The Agency needed to fully consider all the risks for iPaySSA and implement identity
verification to address all risks associated with the online application.

On March 13, 2020, the Agency hired a contractor to conduct a security assessment of iPaySSA
and its infrastructure. The contractor assessed the security, fraud, and privacy controls of the
iPaySSA application before SSA made it available to the public. 7 The Agency provided OIG a
copy of the contractor’s report on May 21, 2020. We agreed with the contractor’s assessment




4 Identity verification includes collecting the most appropriate identity evidence (such as a passport or driver’s
license) from the applicant and determining its authenticity, validity, and accuracy. Identity verification comprises
three steps: collecting the appropriate identity evidence; confirming the evidence is genuine and authentic; and
confirming the data contained on the identity evidence is valid, current, and related to a real-life subject. NIST,
Digital Identity Guidelines, SP 800-63A, pp. 15 through 19 (June 2017).
5 NIST, Digital Identity Guidelines, SP 800-63 Revision 3, p. 17 (June 2017).
6 SSA, Authentication Risk Assessment for the iPaySSA Online Application, System Boundary: Debt Management
System, Final Version 2.0 (Updated March 12, 2020).
7 Order No. 28321320P00050080, award amount $91,200.


and determined that the contractor identified many of the same concerns we shared with the
Agency in February 2020.

All SSA Websites, including iPaySSA, must protect beneficiaries’ and recipients’ PII.
Alternatives that would assist in preventing unauthorized release of PII, securing iPaySSA, and
gaining the confidence of potential users include the following.

   • Put payment portal behind my Social Security. While this would permit only number
     holders to pay their own debts (not third parties who want to make payments online on
     another’s behalf), it would provide a level of assurance that users are who they claim to be.

   • Develop a unique identifier and send users directly to Pay.gov to submit payments.
     SSA plans to develop a unique debt identifier after implementation of its new debt
     management product. Although this could create additional workloads if someone mistyped
     the identifier, it would eliminate the risk that PII is improperly disclosed.
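To make the disclosure concrete, the following is an added example (not SSA’s, the consultant’s, or the contractor’s code) that contrasts the SSN-based pre-authentication check described in the Background with the unique debt identifier alternative above. The sample ledger, the identifier format, and the check character are assumptions made for the example.

```python
"""Two request-validation designs for an overpayment portal, following the report:
the SSN-based check iPaySSA was designed with, and the opaque debt identifier
alternative. All ledger data below is constructed sample data."""
import base64
import hashlib
import secrets

# RFC 4648 base32 alphabet (no 0/1/8, which are easy to misread on a notice).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
DECLINED = "payment request declined"

# Constructed sample ledger: SSN -> outstanding overpayment in dollars.
DEBTS_BY_SSN = {"123-45-6789": 1200.00, "987-65-4321": 350.00}


def validate_by_ssn(ssn: str, amount: float) -> str:
    """The design the consultant flagged on April 1, 2019: an unauthenticated caller
    types an SSN, and the portal's different responses confirm whether that SSN is
    on file and carries a debt. That confirmation is itself the PII disclosure."""
    if ssn not in DEBTS_BY_SSN:
        return "no overpayment on record for this SSN"
    if amount <= 0 or amount > DEBTS_BY_SSN[ssn]:
        return "amount exceeds outstanding balance"
    return "redirect to Pay.gov"


# --- Alternative: unguessable debt identifier printed on the billing notice ---
# Server-side store keyed by a hash of the identifier, so the stored table alone
# does not yield identifiers that could be used to pay (or probe) a debt.
DEBTS_BY_ID_HASH = {}


def _check_char(body: str) -> str:
    # One base32 check character derived from the body. Catches most typos before any
    # ledger lookup; an assumed design choice addressing the mistyped-identifier
    # workload the report mentions, not something the report specifies.
    return ALPHABET[hashlib.sha256(body.encode()).digest()[0] % 32]


def issue_debt_identifier(ssn: str) -> str:
    """Mint a 16-character identifier for one debt: 75 random bits plus the check
    character. Only its hash is stored, and the SSN never appears in it."""
    body = base64.b32encode(secrets.token_bytes(10)).decode()[:15]
    ident = body + _check_char(body)
    DEBTS_BY_ID_HASH[hashlib.sha256(ident.encode()).hexdigest()] = {
        "ssn": ssn, "balance": DEBTS_BY_SSN[ssn]}
    return ident


def validate_by_identifier(ident: str, amount: float) -> str:
    """Hardened check: every failure returns the same message, so the response
    confirms neither an SSN's existence nor the balance. A caller who gets the
    redirect holds the identifier from the notice; that is all the response proves."""
    ident = ident.strip().upper()
    well_formed = (len(ident) == 16 and all(c in ALPHABET for c in ident)
                   and _check_char(ident[:15]) == ident[15])
    if not well_formed:
        return DECLINED  # typo rejected without touching the ledger
    rec = DEBTS_BY_ID_HASH.get(hashlib.sha256(ident.encode()).hexdigest())
    if rec is None or amount <= 0 or amount > rec["balance"]:
        return DECLINED
    return "redirect to Pay.gov"
```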

Question 3: For those who make a payment through iPaySSA, how
will they receive confirmation that a payment has been processed?
Will the individual receive a receipt and/or update regarding the
balance of his/her overpayment?
SSA planned for iPaySSA to offer individuals the option to print, save, or email a payment
confirmation. After payment was confirmed, iPaySSA would give an electronic receipt. An
individual would have the option of providing his/her email address to receive an email
confirmation. SSA did not plan to save the email address in its system.

As of March 25, 2020, the Agency did not plan to provide individuals with overpayment
balances through iPaySSA. Individuals who are receiving benefits can obtain their overpayment
balances through the Check Your Benefits application within my Social Security, which will
reflect payments made through iPaySSA. Additionally, all debtors can obtain information about
their overpayment balance and transaction history by calling SSA’s national 800-number. 8




8 SSA advises customers they may experience longer wait times than usual because of the Coronavirus Disease 2019
pandemic and encourages them to try SSA’s online services or call their local field office first.


Question 4: What group(s) of Social Security beneficiaries and
Supplemental Security Income recipients is SSA targeting for the
initial release of iPaySSA? How many individuals are in these
categories, and how are these individuals currently repaying their
benefit overpayments? What is SSA’s plan for expanding iPaySSA to
other potential users?
SSA planned to offer the application to approximately 260,000 individuals who

1. have only 1 overpayment;
2. receive monthly installment billing notices; and
3. remit payments (a) in field offices via cash, credit card, or check; (b) to the processing
   centers by mail; or (c) by telephone via credit card.

The Agency planned to target the initial release of iPaySSA to approximately 55,000 to
70,000 users who are making monthly payments in field offices. SSA planned to pursue this
population through limited communication about iPaySSA with notices in field office waiting
rooms and printed on the bottom of receipts given to individuals making payments in field
offices. SSA’s initial goal was that 1 percent of the targeted group—approximately 550 to
700 individuals—would use iPaySSA.




                                                  Michelle L. Anderson
                                                  Assistant Inspector General for Audit




                                     APPENDICES




Appendix A – LETTER FROM CONGRESS




Appendix B – SCOPE AND METHODOLOGY
To answer the congressional questions, we:

   • Reviewed National Institute of Standards and Technology (NIST) Special Publication
     800-63, Digital Identity Guidelines, document suite.

   • Interviewed digital identity experts from NIST on the technical requirements in NIST Special
     Publication 800-63 for Federal agencies implementing digital identity services.

   • Reviewed Government Accountability Office, Office of Management and Budget, and other
     relevant resources on managing the risks of Federal information technology projects.

   • Reviewed prior Office of the Inspector General reports.

   • Reviewed the System Security Plan, Security Assessment Report, and the Authentication
     Risk Assessment for iPaySSA as well as other supporting security documents.

   • Interviewed personnel from SSA’s Offices of Budget, Finance and Management, and
     Systems to gain an understanding of the Agency’s plans for implementation and the controls
     for iPaySSA.

We conducted our review in Baltimore, Maryland, between February and May 2020. The
principal entities reviewed were SSA’s Offices of Budget, Finance and Management, and
Systems. We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for findings and conclusions
based on our audit objective. We believe the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objective.

We assessed the significance of internal controls necessary to satisfy the audit objective. This
included an assessment of the five internal control components, including control environment,
risk assessment, control activities, information and communication, and monitoring. In addition,
we reviewed the principles of internal controls associated with the audit objective. We identified
the following two components and two principles as significant to the audit objective.

   • Component 2: Risk Assessment

       • Principle 7: Identify, analyze, and respond to risks

   • Component 3: Control Activities

       • Principle 10: Design control activities




Appendix C – AGENCY COMMENTS




                                           MISSION
By conducting independent and objective audits, evaluations, and investigations, the Office of
the Inspector General (OIG) inspires public confidence in the integrity and security of the Social
Security Administration’s (SSA) programs and operations and protects them against fraud,
waste, and abuse. We provide timely, useful, and reliable information and advice to
Administration officials, Congress, and the public.
