The Protecting Seniors' Data Act of 2025 requires the Comptroller General to start a comprehensive audit of the Social Security Administration's computer systems and networks, including those accessed by the United States DOGE Service and related entities. The audit aims to identify security vulnerabilities and privacy-law violations stemming from software installed, created, or modified by those entities.
Within one year, the Comptroller General must submit results and recommendations to Congress and SSA officials. After receipt of the audit, the SSA Commissioner must fix identified vulnerabilities within 90 days and report back on remediation progress.
At a Glance
What It Does
The bill directs the Comptroller General to commence a comprehensive audit of SSA computer systems and networks within 60 days of enactment, focusing on vulnerabilities and potential privacy-law violations. It requires a formal audit report within one year and a remediation plan from the SSA within 90 days of receiving the report.
Who It Affects
SSA and its IT environments, the U.S. DOGE Service and related personnel, the SSA Commissioner, and congressional committees (Senate Finance and House Ways and Means) charged with oversight.
Why It Matters
This bill injects independent, government-wide oversight into the security of seniors' data, aiming to uncover weaknesses, prevent privacy breaches, and establish actionable remediation timelines.
What This Bill Actually Does
The Protecting Seniors' Data Act of 2025 requires the Comptroller General to begin a comprehensive audit of the Social Security Administration's computer systems and networks within 60 days of enactment. The audit will examine systems accessed by the United States DOGE Service and affiliated personnel to identify security vulnerabilities and any potential violations of federal privacy laws, including the Privacy Act, tax privacy provisions, and FISMA requirements.
Within one year, the Comptroller General must deliver a report detailing the audit results and offering recommendations for further legislation or administrative action as needed. In response, the SSA Commissioner must fix identified vulnerabilities within 90 days of receiving the audit and provide a status report to the Senate Finance Committee and the House Ways and Means Committee.
The bill establishes a clear line of independent oversight and an accountability mechanism to improve the security and privacy of seniors' data held by SSA.
The Five Things You Need to Know
- The Comptroller General must commence a comprehensive audit of SSA systems within 60 days of enactment.
- The audit targets systems and networks accessed by the United States DOGE Service and related entities to identify vulnerabilities and potential privacy violations.
- Within one year, the Comptroller General must deliver a report with audit results and recommendations for further legislation or administrative action.
- The SSA Commissioner must fix identified vulnerabilities within 90 days and report progress to Congress.
- Audit results can prompt additional legislation or administrative action as determined appropriate by the Comptroller General.
Section-by-Section Breakdown
Comprehensive GAO audit of SSA systems and networks
The Comptroller General is directed to commence a comprehensive audit of the Social Security Administration's computer systems and networks, specifically those accessed by the United States DOGE Service and related personnel. The audit must identify vulnerabilities or bugs in software installed, created, or modified by those entities and assess whether privacy laws (including the Privacy Act, 5 U.S.C. 552a; section 6103 of the Internal Revenue Code; FISMA; and related SSA statutes) were violated.
Audit reporting to Congress and SSA
Not later than one year after enactment, the Comptroller General must submit a report or reports describing the audit results. The report should include recommendations for legislation and administrative action as the Comptroller General determines appropriate, and must be transmitted to the Senate Committee on Finance, the House Committee on Ways and Means, and the Commissioner of the SSA.
Agency remediation and status reporting
Within 90 days after receipt of the audit report, the SSA Commissioner is required to fix any vulnerabilities or bugs identified and to submit a report on the status of those fixes to the Senate Finance Committee and the House Ways and Means Committee.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Seniors and SSA beneficiaries whose personal data are stored in SSA systems gain stronger data security and protection from privacy breaches.
- SSA security and IT operations teams receive formal remediation timelines and a clear mandate to address vulnerabilities.
- Congressional committees (Senate Finance and House Ways and Means) gain independent, timely audit findings to guide oversight and policy decisions.
- The Comptroller General’s office gains a clear, statutory mechanism to perform systemic IT audits of major federal systems.
Who Bears the Cost
- SSA IT budgets and staff time diverted to remediation efforts and reporting requirements.
- Contractors and vendors engaged to remediate vulnerabilities and address audit findings.
- Additional administrative and oversight resources required by SSA and related congressional committees.
Key Issues
The Core Tension
Balancing rapid remediation of vulnerabilities with the reality of complex federal IT environments and budget constraints, while ensuring privacy protections and sufficient Congressional oversight.
The bill creates a risk that audit findings may reveal significant, costly vulnerabilities requiring rapid remediation. While the 90-day remediation window imposes a tight deadline, the underlying complexity and budgetary constraints of SSA IT systems may limit immediate fixes.
Implementing the audit’s recommendations could necessitate new funding, realignment of priorities, or statutory changes. Additionally, while the Privacy Act and other federal privacy provisions guide the assessment of violations, disclosures of vulnerabilities and remediation plans raise questions about information sharing and timing for public reporting.