OFFICE
OF
THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION
THE SOCIAL
SECURITY ADMINISTRATION'S
COMPLIANCE WITH INTELLIGENCE REFORM
AND TERRORISM PREVENTION ACT OF 2004
PROVISIONS REGARDING SECURITY OF
SOCIAL SECURITY CARDS AND NUMBERS
May 2008
A-08-08-18058
AUDIT REPORT
Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.
Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:
Conduct and supervise independent and objective audits and investigations
relating to agency programs and operations.
Promote economy, effectiveness, and efficiency within the agency.
Prevent and detect fraud, waste, and abuse in agency programs and operations.
Review and make recommendations regarding existing and proposed legislation
and regulations relating to agency programs and operations.
Keep the agency head and the Congress fully and currently informed of problems
in agency programs and operations.
To ensure objectivity, the IG Act empowers the IG with:
Independence to determine what reviews to perform.
Access to all information necessary for the reviews.
Authority to publish findings and recommendations based on the reviews.
Vision
We strive for continual improvement in SSA's programs, operations and management
by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides
a valuable public service while encouraging employee development and retention
and fostering diversity and innovation.
MEMORANDUM
Date: May 21, 2008
To: The Commissioner
From: Inspector General
Subject: The Social Security Administration's Compliance with Intelligence Reform and Terrorism Prevention Act of 2004 Provisions Regarding Security of Social Security Cards and Numbers (A-08-08-18058)
OBJECTIVE
Our objective was to assess the Social Security Administration's (SSA) compliance with certain provisions of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) that involve the security of Social Security cards and numbers.
BACKGROUND
On December 17, 2004, President Bush signed IRTPA into law. Section 7213(a)(1)(B) of this law mandates that SSA establish minimum standards for the verification of documents or records submitted by an individual to establish eligibility for an original or replacement card, other than for enumeration at birth. Section 7213(b) requires that SSA, in consultation with the Department of Homeland Security, form an interagency task force to further improve the security of Social Security cards and numbers. The law further states that the Commissioner of Social Security should provide for the implementation of security requirements, including 7213(b)(1) standards for safeguarding cards from counterfeiting, tampering, alteration, and theft and 7213(b)(2) requirements for verifying documents submitted for the issuance of replacement cards.
To accomplish our objective, we contacted officials from SSA's Office of Income Security Programs and reviewed policies and procedures SSA established to comply with IRTPA provisions regarding the security of Social Security cards and numbers. We also reviewed reports regarding potential security enhancements to the Social Security card. See Appendix A for additional information on our scope and methodology.
RESULTS OF REVIEW
Based on our interviews with SSA officials and a review of policies and procedures, we determined that SSA established minimum standards for verifying documents or records that applicants submit to establish eligibility for an original or replacement card. SSA also implemented numerous security features to enhance the integrity of Social Security cards. Although we are pleased with SSA's compliance with the IRTPA provisions we reviewed, we believe the Agency should periodically assess these areas and enhance internal controls as needed to reduce the potential for improper SSN assignment and counterfeiting of Social Security cards.
SSA Established Minimum Standards for Verifying Evidentiary Documents
IRTPA mandates that SSA establish minimum standards to verify documents or records submitted by an individual to establish eligibility for an original or replacement card, other than for enumeration at birth. To comply with this provision, SSA established a list of acceptable evidentiary documents, issued policy instructions, and trained field office personnel on the minimum standards for document verification. To help applicants understand the new IRTPA provisions, SSA also produced a fact sheet and revised information brochures and pamphlets.
When processing Social Security number (SSN) applications, SSA personnel first determine the applicant's age range. Next, SSA policy instructs personnel to determine whether the applicant is a U.S. citizen or alien. Within each age range, SSA establishes acceptable evidentiary documents for U.S. citizens and aliens. Under each category, SSA lists documents in two groups based on their relative probative value: primary and secondary evidence. Primary evidence documents have the highest probative value while secondary documents have lower probative value.
For adult U.S. citizens, primary evidence of identity includes a U.S. driver's license, U.S. State issued non-driver identity card, or U.S. Passport. Acceptable secondary evidence for adult U.S. citizens includes documents with less probative value, such as U.S. military identification cards, Certificates of Naturalization, Certificates of U.S. Citizenship, U.S. Government employee identification cards, non-Government identification cards/badge cards, marriage documents, certified copies of medical records, health insurance or Medicaid cards, life insurance policies, and school identity cards or records. SSA handles situations where no primary or secondary documentation exists or can be obtained by the applicant within 10 days on a case by-case basis. SSA policy requires that personnel have their supervisor determine whether the other evidence of identity is acceptable. In such cases, supervisors must consult with the SSA regional office. SSA also instructs personnel to verify all evidentiary documents with the issuer when the documents do not appear authentic.
Although SSA considers security issues in formulating its policies relative to SSN assignment, it also considers public service and a wide range of factors. Among these are the need for virtually every U.S. citizen and many noncitizens to obtain an SSN, and that not all card applicants are adults. Not every applicant, even if age 16 or older, has a driver's license, State identification card, or other photograph identity document; and not every applicant has more than one identity document that meets SSA's criteria. As such, these factors guided SSA's process for establishing priority lists of acceptable documents that establish identity and citizenship.
Although SSA has established minimum standards for verifying evidentiary documents, we believe it should periodically assess the probative value of these documents and update its list of acceptable documents, as needed. For example, if SSA field office personnel determine certain acceptable evidentiary documents (for example, health insurance cards or life insurance policies) have less probative value than originally thought, the Agency should no longer accept such documents. Periodically assessing the probative value of evidentiary documents helps reduce the potential for SSA to improperly assign SSNs.
SSA Added Security Features to SSN Cards
IRTPA requires that the Commissioner of Social Security, in consultation with the Secretary of Homeland Security, form an interagency task force to establish requirements to further improve the security of Social Security cards and numbers. IRTPA also requires that the Commissioner provide for the implementation of security requirements, including standards for safeguarding cards from counterfeiting, tampering, alteration, and theft. To comply with this provision and prepare for interagency task force discussions, SSA contacted the Document Security Alliance, a group of experts on document security, in October 2005 to develop a Whitepaper with recommendations for a more secure SSN card. From January through April 2006, the interagency task force met to discuss options for a more secure SSN card and used the Whitepaper recommendations as a basis for discussion. The task force issued its final report, which outlined its recommendations to the Commissioner, in May 2006.
SSA implemented six overt and various covert security features to the SSN card. Because SSN card features are used in forensic analysis of counterfeit documents, we withheld descriptions of the covert changes. The six overt changes were as follows.
The card issuance date was added to the front of each SSN card.
Signing instructions were added to the perforated card attachment. The instructions state "ADULTS: Sign this card in ink immediately. CHILDREN: Do not sign until age 18 or your first job, whichever is earlier."
A guilloche background pattern, which is a unique, non-repeating spiral design, replaced the existing marbleized pattern. The new pattern is similar in color to the past background and continues to have the security feature of being erasable. This background is computer-generated and difficult to duplicate.
A latent image was added to the SSN card face. This feature, a text image, is visible only when the document is viewed at specific angles.
A split fountain production method was added that produces a unique ink color mixture on the press that transfers to the paper. The colors on the background of the card flow from blue to aqua.
Color shifting inks were added to the face of the card. These inks have a multilayer light interference ink pigment imbedded that creates a noticeable color shift when moved in front of a light source. This feature is also used in currency.
In addition to the above IRTPA changes, SSA implemented a change in response to requests from employer groups to distinguish the last name of the individual on the SSN card. As a result, beginning in September 2007, the individual's last name was displayed on a separate line on the card directly below the first and middle name.
SSA was aware of the various options for a new SSN card (ranging from no card at all to a new ultra-secure card containing biometric features) and the various purposes it could serve. However, in determining the scope for the task force deliberations, SSA considered existing legal requirements, national debate over immigration reform, and the passage of the REAL ID Act.
Specifically, the Social Security Act mandates that the SSN card "shall be made of banknote paper." In addition, the Commissioner cannot require enumerated individuals to apply for a new SSN card. Requiring that every cardholder obtain a new card would be a multi-billion dollar effort.
Also, SSA determined it would not introduce a new SSN card with enhanced workplace enforcement features while the immigration reform debate was ongoing between Congress and the Nation. Finally, in passing the REAL ID Act, Congress provided the Nation with a framework for reliable identity documents in the form of State issued driver's licenses and identification cards. This legislation seemed to diminish the need for a new type of SSN card to serve a similar purpose. Based on these factors, SSA decided it would continue to produce SSN cards on banknote paper and issue the new, more secure, cards prospectively (to anyone applying for an original or replacement card after IRTPA enactment).
Although SSA has added security features to SSN cards, we believe it should periodically examine potential threats to counterfeiting of SSN cards and make security enhancements, as needed. For example, as technology improves, SSA should conduct ongoing threat assessments to examine the ease of counterfeiting and to respond to such threats timely. Periodically examining potential threats to the SSN card helps reduce the potential for counterfeiting, tampering, alteration, and theft.
CONCLUSION AND RECOMMENDATIONS
As SSA continues to enhance SSN integrity, opportunists will continue to look for ways to exploit vulnerabilities in the Agency's controls. As such, SSA must continually assess and examine its policies and procedures to safeguard Social Security cards and numbers.
Accordingly we recommend that SSA periodically:
1. Assess the probative value of documents it allows as evidence of identity and U.S. citizenship and update its list of acceptable documents as needed to safeguard the assignment of SSNs.
2. Examine potential threats to SSN cards and make security enhancements as needed to better prevent counterfeiting, tampering, alteration, and theft.
AGENCY COMMENTS AND OIG RESPONSE
SSA agreed with our recommendations. The Agency's comments are included in Appendix B.
Patrick P. O'Carroll, Jr.
Appendices
APPENDIX A - Scope and Methodology
APPENDIX B - Agency Comments
APPENDIX C - OIG Contacts and Staff Acknowledgments
Appendix A
Scope and Methodology
To accomplish our objectives, we
reviewed applicable laws and Social Security Administration (SSA) policies and procedures related to the implementation of Intelligence Reform and Terrorism Prevention Act of 2004 provisions regarding the security of Social Security cards and numbers;
contacted officials from SSA's Office of Income Security Programs;
reviewed a Whitepaper and interagency task force final report regarding the security of Social Security cards and numbers; and
attended a Government Printing Office meeting to learn about the security enhancements made to the Social Security card.
The SSA entity reviewed was the Office of the Deputy Commissioner for Retirement and Disability Policy. We performed our audit in Baltimore, Maryland, and Birmingham, Alabama, from September through December 2007. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Appendix B
Agency Comments
MEMORANDUM
Date: April 30, 2008
To: Patrick P. O'Carroll, Jr.
Inspector General
From: David V. Foster
Chief of Staff
Subject: Office of the Inspector General (OIG) Draft Report, "SSA's Compliance with the Intelligence Reform and Terrorism Prevention Act of 2004 Provisions Regarding Security of Social Security Cards and Numbers" (A-08-08-18058)--INFORMATION
We appreciate OIG's efforts in conducting this review. Our response to the report findings and recommendations are attached.
Please let me know if we can be of further assistance. Staff inquiries may be directed to Ms. Candace Skurnik, Director, Audit Management and Liaison Staff, at extension 54636.
SSA Response
COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, "SSA'S COMPLIANCE WITH THE INTELLIGENCE REFORM AND TERRORISM PREVENTION ACT OF 2004 PROVISIONS REGARDING SECURITY OF SOCIAL SECURITY CARDS AND NUMBERS" (A-08-08-18058)
Thank you for the opportunity to review and comment on the draft report. We are pleased that this report acknowledges our overall compliance with the Social Security number (SSN) and card provisions contained in the Intelligence Reform and Terrorism Prevention Act of 2004 (P.L. 108-458). Specifically, the report recognizes that we established minimum standards for verifying documents or records that applicants submit to establish eligibility for an original or replacement card and that we implemented the interagency task force recommendations to further strengthen and safeguard the number and card from counterfeiting, tampering, alteration, and theft. Our responses to the specific recommendations are provided below.
Recommendation 1
Assess the probative value of documents we allow as evidence of identity and
United States citizenship and update its list of acceptable documents as needed
to safeguard the assignment of SSNs.
Response
We agree. We will continue to review the probative value of the documents we allow as evidence of identity and United States citizenship, and update the list of acceptable documents as needed to safeguard the assignment of SSNs.
Recommendation 2
Examine potential threats to SSN cards and make security enhancements as needed
to better prevent counterfeiting, tampering, alteration, and theft.
Response
We agree. We continually evaluate new technology as it becomes available and examine any potential threats to the integrity of the physical SSN card, in order to take the appropriate measures needed to address any vulnerability.
Appendix C
OIG Contacts and Staff Acknowledgments
OIG Contacts
Kimberly A. Byrd, Director, Birmingham Audit Division, 205-801-1650
Jeff Pounds, Audit Manager, Birmingham Office, 205-801-1606
Acknowledgments
In addition to those named above:
Hollie Reeves, Auditor
For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General's Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-08-08-18058.
Overview of the Office of the Inspector General
The Office of the Inspector General (OIG) is comprised of an Office of Audit
(OA), Office of Investigations (OI), Office of the Chief Counsel to the Inspector
General (OCCIG), Office of External Relations (OER), and Office of Technology
and Resource Management (OTRM). To ensure compliance with policies and procedures,
internal controls, and professional standards, the OIG also has a comprehensive
Professional Responsibility and Quality Assurance program.
Office of Audit
OA conducts financial and performance audits of the Social Security Administration's
(SSA) programs and operations and makes recommendations to ensure program objectives
are achieved effectively and efficiently. Financial audits assess whether SSA's
financial statements fairly present SSA's financial position, results of operations,
and cash flow. Performance audits review the economy, efficiency, and effectiveness
of SSA's programs and operations. OA also conducts short-term management reviews
and program evaluations on issues of concern to SSA, Congress, and the general
public.
Office of Investigations
OI conducts investigations related to fraud, waste, abuse, and mismanagement
in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries,
contractors, third parties, or SSA employees performing their official duties.
This office serves as liaison to the Department of Justice on all matters relating
to the investigation of SSA programs and personnel. OI also conducts joint investigations
with other Federal, State, and local law enforcement agencies.
Office of the Chief Counsel to the Inspector General
OCCIG provides independent legal advice and counsel to the IG on various matters,
including statutes, regulations, legislation, and policy directives. OCCIG also
advises the IG on investigative procedures and techniques, as well as on legal
implications and conclusions to be drawn from audit and investigative material.
Also, OCCIG administers the Civil Monetary Penalty program.
Office of External Relations
OER manages OIG's external and public affairs programs, and serves as the principal
advisor on news releases and in providing information to the various news reporting
services. OER develops OIG's media and public information policies, directs
OIG's external and public affairs programs, and serves as the primary contact
for those seeking information about OIG. OER prepares OIG publications, speeches,
and presentations to internal and external organizations, and responds to Congressional
correspondence.
Office of Technology and Resource Management
OTRM supports OIG by providing information management and systems security.
OTRM also coordinates OIG's budget, procurement, telecommunications, facilities,
and human resources. In addition, OTRM is the focal point for OIG's strategic
planning function, and the development and monitoring of performance measures.
In addition, OTRM receives and assigns for action allegations of criminal and
administrative violations of Social Security laws, identifies fugitives receiving
benefit payments from SSA, and provides technological assistance to investigations.