Directs the U.S. Comptroller General to perform a full audit of Social Security Administration computer systems and networks that are used or accessed by the U.S. DOGE Service and related organizations to identify security vulnerabilities and possible violations of federal privacy laws. The Comptroller General must deliver an audit report with findings and recommendations within one year, and the Social Security Administration Commissioner must remediate identified problems and report remediation status within 90 days of receiving the audit report.
Within 60 days after the date of enactment, the Comptroller General of the United States must begin a comprehensive audit of Social Security Administration computer systems and networks that are accessed by the United States DOGE Service, the U.S. DOGE Service Temporary Organization, any employees or volunteers affiliated with those agencies, or, if applicable, associated agency DOGE teams. The audit must identify security vulnerabilities or bugs in software installed, created, or modified by such individuals or entities.
As part of the audit in subsection (a), the Comptroller General must determine whether the individuals or entities described violated federal privacy laws, specifically: section 552a of title 5 (Privacy Act of 1974), section 6103 of the Internal Revenue Code, subchapter II of title 44 (Federal Information Security Management Act), or section 1106 of the Social Security Act (42 U.S.C. 1306).
Not later than 1 year after the date of enactment, the Comptroller General shall submit to the Senate Committee on Finance, the House Committee on Ways and Means, and the Commissioner of the Social Security Administration a report or reports describing the results of the comprehensive audits and including recommendations for legislation and administrative action as the Comptroller General determines appropriate.
Not later than 90 days after the Commissioner of the Social Security Administration receives an audit report under subsection (b), the Commissioner must fix any vulnerabilities or bugs identified in the report.
Not later than 90 days after receipt of an audit report by the Commissioner under subsection (b), the Commissioner must "submit to the and the a report on the status of those vulnerabilities or bugs." (The text as provided is incomplete regarding the report recipients.)
Primary effects will be on Social Security Administration IT systems, the SSA workforce that operates and secures those systems, and recipients of SSA services whose data could be accessed by the U.S. DOGE Service. The GAO audit will increase oversight and likely produce technical and policy recommendations to reduce vulnerabilities and to ensure compliance with federal privacy rules. SSA must act quickly to remediate identified issues, which may require allocation of staff time, contracting for technical fixes, and possible short-term operational changes. For beneficiaries and the public, the audit aims to reduce risk of data breaches or improper disclosures; for Congress and oversight bodies, it provides an independent assessment and recommended actions. The law does not provide funding, so implementing fixes could require SSA to reallocate resources or seek appropriations. The measure does not itself change substantive privacy law or create enforcement penalties; it focuses on detection, reporting, and remediation.
Last progress June 4, 2025
Introduced on June 4, 2025 by Sheldon Whitehouse
Read twice and referred to the Committee on Finance.