Statement of G. Kelly Croft,
Deputy Commissioner for Systems and Chief Information Officer,
Social Security Administration
before the House Committee on Ways and Means,
Subcommittee on Social Security

May 9, 2012

Chairman Johnson, Ranking Member Becerra, and Members of the Subcommittee, thank you for this opportunity to discuss the state of Social Security information technology.

I have worked at SSA for 30 years and currently serve as Deputy Commissioner for Systems (DCS) and Chief Information Officer (CIO). I am responsible for delivering cost-effective IT services, and for protecting the information assets of Social Security.

We are a highly automated, mostly paperless agency, and our enterprise systems are available to end-users, with good response times, over 99.9 percent of the time. Our Internet applications for the public and businesses are thoughtfully designed, highly rated (by the independent American Customer Satisfaction Index and our own surveys), and allow us to maintain high and improving service levels even with rising workloads. Just last week we began providing a new service for the public to get a Social Security Statement online. Over 150,000 people have already successfully used this service.

Our electronic services are highly rated because we carefully select appropriate transactions for online development; we think through an entire business process and conduct rigorous user-centered design; we pay attention to IT security; we carefully test our software before placing it in production; we make our electronic services accessible, including to people with disabilities; and we closely monitor the performance and satisfaction of each electronic service and regularly improve our software.

Other examples of recent Social Security IT advancements include an innovative system designed to reduce improper payments with Supplemental Security Income (SSI); expanded decision support software for making policy compliant disability decisions; Spanish versions of our popular online Retirement Estimator and our retirement iClaim application; a completely redesigned system for processing Social Security card requests; and many improvements to our automated notices.

To protect our extensive data stores and all key systems, we have tight internal controls and continually invest in IT security where we blend new security technologies with classic concepts such as continuous monitoring, situational risk awareness, defense-in-depth, and least-privilege. In recent decades, our most significant security risk was our inability to quickly recover IT services with any prolonged disruption at our Maryland data center. That is no longer the case. Earlier this year we successfully tested and proved fast and assured recovery if we ever experience a serious problem at the Maryland center.

We currently have a number of in-progress IT initiatives that are critical for improving our efficiency and quality of service. Just to name a few, we are building a new case processing system for State disability determination services; building a national visitor intake system for our field offices; adding more advanced systems capabilities in our hearing offices; converting our master-files to DB2 databases; increasing the use of video for appeals and operational workloads; modernizing our earnings record software; building more agile data exchange programs; and building more online services that will utilize our new “My Social Security” portal and authentication process.

Recognizing the changing service desires of the American public, we are carefully considering use of mobile technology. We have done thorough research, considering things such as industry trends, security, guidelines for mobile suitability, design best practices, and return-on-investment potential. We plan to build a transactional mobile application for SSI wage reporting later this year. Wage reporting is a reoccurring task for a segment of beneficiaries and their families, and it is one of the main causes of improper payments.

Our most important project over the next few years will be to transition IT operations from our aging Maryland data center to a new facility. The General Services Administration has purchased the land, selected a builder, and the design phase of the work is underway. We expect to begin installing IT equipment in the new building in 2015 and are doing extensive transition and budget planning. We are grateful to this Subcommittee for unfailing support for this project.

We strive to be good partners with other Federal agencies, and with State and local government entities—in particular because of the need to collaborate on our ever-growing data exchange and information verification workloads such as eVerify. Another example of our close collaboration with agencies is our ongoing work with the Veterans Administration and the Department of Defense to support Wounded Warriors. We fully support all government-wide IT initiatives directed by the Office of Management and Budget and sponsored by the Federal Chief Information Officer Council.

Social Security has a number of IT strengths. For example, we have a superb technical workforce; we have consolidated most aspects of agency IT in order to benefit from economies of scale; and we are very good at user-centered design and technical project management. That said, during an annual process where we assess future IT investments, we always have far more agency needs and good ideas than expected resources, so we must prioritize what we will work on. All SSA components are active players with the IT department in this process because they recognize the importance of IT to the agency.

We are in a continual state of IT modernization—and given the long history and size of our enterprise, we always will be. For example, we have over 700 software applications that, combined, routinely generate over 160 million computer transactions a day. Some of our software is state of the art, with modern graphical interfaces that rival the best systems of their kind in the world. On the other hand, some of our software is much older, with green screen user interfaces.

However, with proven software, “old” does not necessarily mean dysfunctional. Most of the older software (that we are gradually phasing out as resources allow) is robust; all of it is regularly updated and maintained; and it accurately reflects the intricacies of complex Social Security and SSI statute and policy. This “legacy” software represents a multi-billion dollar investment by taxpayers. We also do careful IT workforce planning to ensure that we always have adequate numbers of fully trained staff to operate all the technologies we use.

The mix of programming languages in our software portfolio reflects our continual modernization. Although we have many COBOL programs, our inventory of JAVA code is growing and will become the most prevalent programming language in our software applications in a few years. We modernize older systems when we are re-building them because of business direction, or if we determine, through annual review, that a particular system is at increasing risk for technical failure.

Our IT hardware and telecommunications infrastructure is diverse and generally very current. We refresh these technologies based on business needs and consistent with industry best practices. Reflecting our efficiency, we deliver agency-wide IT services from just two data centers. These centers are co-processing facilities. They share the daily agency computing load, and each has the ability (hardware, telecommunications, applications, data, and staff) to pick up all operations from the other in case of problems.

Managing a large IT organization requires a significant amount of planning. We routinely develop very detailed multi-year plans within a specific area, for example, to upgrade our telecommunications systems. At a higher level, we have just recently updated our 2012-2016 Information Resources Management Strategic Plan, and our Capital Planning and Investment Control guide. We are in the process of updating our IT enterprise architecture roadmap to be fully compliant with guidance from the Office of Management and Budget.

We assess the overall state of agency IT in a number of ways. For example, we analyze cost, schedule, and functionality with our major IT investments, and in a transparent manner, we share that information with the public on the Federal IT Dashboard. We monitor the availability and performance of all our enterprise systems on a daily basis. We closely track agency-wide security incidents, help desk calls and trouble tickets. We have very active management and sponsor oversight of our work, and we conduct success verification evaluations at the conclusion of all our executive oversight projects. We receive continual feedback from end-user surveys, numerous auditors, and our business partners. We conduct a bi-annual skills inventory of our workforce. We are active participants in a number of research and benchmarking groups. Finally, the ultimate measurement of our IT success is reflected in the overall performance metrics, and high year-over-year productivity gains, of the agency.

Accountability and authority for IT in Social Security very clearly rests with the position I hold as Deputy Commissioner for Systems/Chief Information Officer (DCS/CIO). I am a direct report to the SSA Commissioner and have a seat at the table for literally all senior groups and boards in the agency. At Social Security the DCS/CIO leads agency IT planning; IT capital planning and investment management; IT security; IT workforce planning; enterprise architecture; e-government initiatives; and all systems acquisitions, development and integration efforts. In addition, I closely collaborate with peer SSA executives on agency information disclosure; privacy; records management; information dissemination; and information collection/paperwork reduction efforts.

IT literally touches all aspects of the agency, and I appreciate your interest in the topic. Thanks again for inviting me to this hearing and I will do my best to answer any questions you have.