Between Social Security reform, never-ending scams targeting retired seniors, and the usual financial security threats, the Social Security Administration no doubt has enough on its plate this holiday season.

Judging by a recent Federal Information Security Management Act (FISMA) audit, the agency has a number of outstanding cybersecurity issues it needs to pay attention to as well.

According to the audit, carried out by auditor Grant Thornton, the SSA has made good on achieving a number of requirements stipulated by FISMA, the Office of Management and Budget, and the National Institute of Standards and Technology - but several weaknesses remain.

In particular, the SSA needs to improve how it prevents and detects malicious activity. It's not that controls don't exist - they do - they're just not designed or implemented as intended, according to the auditor. That could open the agency, its network, and its devices up to data loss, the report warns.

While the audit, which was requested by the SSA’s Office of Inspector General, isn’t public, a summary of the audit was made public last week.

In it, Grant Thornton acknowledges the agency has no shortage of policies, procedures, and technical controls - it's just that they aren't fine tuned to handle today's threats.

“Without appropriate security, SSA may not be able to protect its mission-critical assets adequately,” the report summary reads, “Additionally, some deficiencies could negatively affect the confidentiality, integrity, and availability of the Agency’s systems and personally identifiable information.”

Specifically, the audit asked the auditor to test the SSA’s controls around malware introduced by phishing emails, mainly how they handle identifying, logging, analyzing, blocking, containing, and reporting malicious activity. Once a threat is sniffed out, the auditors were also interested in seeing how the agency handles data exfiltration attempts and command-and-control payloads.

The findings echo a report issued by the U.S. Senate's Committee on Homeland Security and Governmental Affairs earlier this summer that found that many federal agencies are unprepared to "confront the dynamic cyber threats of today."

In that report, the subcommittee also worked with Grant Thornton to find that while the SSA's information security program was consistent with FISMA requirements, it was ineffective in all five NIST security functions. Patches weren't applied in a timely fashion, the SSA failed to keep an adequate inventory of its IT assets, and its identity and access management hygiene was severely lacking, according to the report (.PDF).

It's not like the SSA hasn't been taking steps towards fortifying its security; it just sounds like the agency has been working harder at fighting fraud. It partnered with its Inspector General last month to announce a new online reporting form for imposter scam calls. Earlier this year it worked with the OIG to debut a new anti-fraud unit - an entity that complemented a public service announcement campaign it launched in March to combat fake phone calls from criminals pretending to be SSA employees.

According to the summary of last week's report, SSA officials agreed with Grant Thornton's recommendations - also not disclosed in the summary report - and will make the necessary moves to address its findings.

Social Security card image via frankieleon's Flickr photostream, Creative Commons