An internal complaint alleges SSA officials authorized placing NUMIDENT, a High-Value Asset containing records on over 450 million people, into a cloud environment without adequate controls. The complaint quotes an SSA official who authorized the project as stating that the business need outweighed the security risks and that they accepted those risks. The Government Accountability Project contends the authorization constituted abuse of authority, gross mismanagement, and potential violations of FISMA, the Computer Fraud and Abuse Act, and 44 U.S.C. § 3554(b). SSA states the referenced data remain stored in a long-standing environment walled off from the Internet and reports no known compromise.
"SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information. The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the Internet. High-level career SSA officials have administrative access to this system with oversight by SSA's Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data."
Borges alleges that the authorization was an "abuse of authority" and "gross mismanagement," and that the creation of the cloud environment potentially violated multiple federal laws. "By knowingly placing a High-Value Asset containing data on over 450 million people in an uncontrolled environment, the requestors, apparently Moghaddassi and possibly others, violated statutory duties under FISMA [Federal Information Security Modernization Act]," the letter said.