What GAO Found
Governmentwide initiatives aimed at eliminating the unnecessary collection, use, and display of Social Security Numbers (SSN) have been underway in response to recommendations that the presidentially appointed Identity Theft Task Force made in 2007 to the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), and the Social Security Administration (SSA). However, these initiatives have had limited success. In 2008, OPM proposed a regulation requiring the use of an alternate federal employee identifier but withdrew it in 2010 because no such identifier was available. OMB required agencies to develop SSN reduction plans and requires annual reporting on agency SSN reduction efforts. SSA developed an online clearinghouse of best practices for reducing SSN use; however, it is no longer available online. Based on responses to GAO's questionnaire, the 24 agencies covered by the Chief Financial Officers (CFO) Act use SSNs for various purposes (see figure).
Figure: Agency Use of Social Security Numbers
All 24 CFO Act agencies developed SSN reduction plans and reported taking actions to curtail the use and display of SSNs. For example, the Department of Defense replaced SSNs, which previously appeared on its identification cards, with new identification numbers. Nevertheless, the agencies cited impediments to further reductions, including (1) statutes and regulations mandating SSN collection, (2) use of SSNs in necessary interactions with other federal entities, and (3) technological constraints of agency systems and processes.
Further, poor planning by agencies and ineffective monitoring by OMB have also limited efforts to reduce SSN use. Lacking direction from OMB, many agencies' SSN reduction plans did not include key elements, such as time frames and performance indicators, calling into question their utility. In addition, OMB has not required agencies to maintain up-to-date inventories of their SSN holdings or provided criteria for determining “unnecessary use and display,” limiting agencies' ability to gauge progress. OMB also has not ensured that agencies update their progress in annual reports or established performance metrics to monitor agency efforts. Until OMB requires agencies to adopt better practices for managing their SSN reduction processes, overall governmentwide reduction efforts will likely remain limited and difficult to measure.
Why GAO Did This Study
The federal government uses SSNs as unique identifiers for many purposes, including employment, taxation, law enforcement, and benefits. However, SSNs are also key pieces of identifying information that potentially may be used to perpetrate identity theft.
GAO was asked to review federal government efforts to reduce the collection and use of SSNs. This report examines (1) what governmentwide initiatives have been undertaken to assist agencies in eliminating their unnecessary use of SSNs and (2) the extent to which agencies have developed and executed plans to eliminate the unnecessary use and display of SSNs and have identified challenges associated with those efforts. To do so, GAO analyzed reports and guidance on protecting SSNs. GAO also analyzed SSN reduction plans and other documents, administered a questionnaire, and interviewed officials from the 24 CFO Act agencies.
GAO recommends that OMB require complete plans for ongoing reductions in the collection, use, and display of SSNs, require inventories of systems containing SSNs, provide criteria for determining “unnecessary” use and display, ensure agencies update their progress in annual reports, and monitor agency progress based on clearly defined performance measures.
OMB did not comment on GAO's recommendations. We received written comments from SSA and technical comments from eight other agencies, which were incorporated into the final report as appropriate. The other 15 agencies did not provide comments.
Recommendations for Executive Action
|Office of Management and Budget|1. To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should specify elements that agency plans for reducing the unnecessary collection, use, and display of SSNs should contain and require all agencies to develop and maintain complete plans.|
|Office of Management and Budget|2. To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should require agencies to modify their inventories of systems containing personally identifiable information to indicate which systems contain SSNs and use the inventories to monitor their reduction of unnecessary collection and use of SSNs.|
|Office of Management and Budget|3. To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should provide criteria to agencies on how to determine unnecessary use of SSNs to facilitate consistent application across the federal government.|
|Office of Management and Budget|4. To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should take steps to ensure that agencies provide up-to-date status reports on their progress in eliminating unnecessary SSN collection, use, and display in their annual Federal Information Security Modernization Act of 2014 reports.|
|Office of Management and Budget|5. To improve the consistency and effectiveness of governmentwide efforts to reduce the unnecessary use of SSNs and thereby mitigate the risk of identity theft, the Director of OMB should establish performance measures to monitor agency progress in consistently and effectively implementing planned reduction efforts.|