“A tool designed to protect the identity of veterans is itself in need of a security update.”
“The Veterans Affairs Department’s Social Security Number Reduction, or SSNR, tool was recently migrated from a contractor-run environment to the agency’s own enterprise cloud and is in need of a security review before it can be used on VA systems.”
“Agencies have been trying to wean themselves off of Social Security numbers for nearly 15 years, going back to an Office of Management and Budget mandate issued in 2007. That push continues today, with lawmakers to the then-head of the Cybersecurity and Infrastructure Security Agency calling for an end to reliance on the number as a form of identity verification.”
“VA has the statutory authority to use SSNs as identifiers. However, the ‘increased availability of SSNs with the aggregation of other personal identifiers has exposed individuals to possible identity theft,’ according to a request for information posted to SAM.gov. ‘Thus, VA has taken steps to reduce and, where possible, eliminate the use of the SSNs in VA operations, programs and services.’”
“To that end, the agency’s Privacy Service team developed the Social Security Number Reduction, or SSNR, tool in 2018 to seek out and catalog SSN use across the agency. As those uses are identified, VA privacy officers work with the relevant programs to reduce or eliminate the need to use the number.”
“The tool was originally developed and approved to operate on a contractor-owned server. That contract has since expired and the tool has been moved over to the VA Enterprise Cloud, though it has not yet been approved to operate in that environment.”
“To get the tool properly authorized again, VA needs to put the program through the full authority to operate, or ATO, process, and is looking for a vendor to manage that review…” Read the full article here.
Source: VA Needs a Security Check For Its Social Security Number Reduction Tool – By Aaron Boyd, July 19, 2021. Nextgov.