Information Security: USDA Needs to Implement Its Departmentwide Information Security Plan

AIMD-00-217: Published: Aug 10, 2000. Publicly Released: Sep 11, 2000.

Contact:

Robert F. Dacey
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on the steps the Department of Agriculture (USDA) is taking to help ensure departmentwide information systems security.

GAO noted that: (1) USDA has taken positive steps to begin improving its information security by developing its August 1999 Action Plan with recommendations to strengthen departmentwide information security and hiring a new Associate Chief Information Officer for Cyber-Security who is working to address specific vulnerabilities and other potential threats; (2) however, since the plan was issued in August 1999, little progress has been made to implement other recommendations in the plan for strengthening the department's information security; (3) moreover, USDA has not developed and documented a strategy for implementing the action plan recommendations with established priorities and the detailed steps, time frames, milestones, and total resources needed to fully carry them out; and (4) until and unless the department fully implements these important information security improvements, its critical assets will remain at risk from cyber attacks and other threats.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In response, USDA established an Associate CIO for Cyber Security; developed risk assessment procedures; and implemented a department-wide information security architecture, a security awareness program, an information survivability program, and a system certification program. Also, USDA prepared a plan of actions and milestones for FISMA. In addition, in response to a more recent review of USDA Information Security, GAO-04-154, USDA agreed to fully implement a comprehensive security management program.

    Recommendation: In order to ensure that information security is strengthened at the department, the Secretary of Agriculture should direct that the Chief Information Officer (CIO) and Associate CIO for Cyber-Security develop and document a strategy for implementing the action plan for improving USDA information security. At a minimum, the implementing strategy should establish and set forth priorities for implementing the plan and for addressing the highest risks and threats to the department's assets; time frames and milestones for completing all necessary actions; and staff and funding resources required for fiscal years 2001, 2002, and beyond.

    Agency Affected: Department of Agriculture

  2. Status: Closed - Implemented

    Comments: In response, USDA established the OCIO with the delegated authority to manage the Department's Cyber Security Program and has appointed a Chief Information Security Officer. Regarding reporting, in addition to FISMA, quarterly reports are provided to OMB for certain key security performance measures. Also, USDA maintains a plan of actions and milestones for identified weaknesses, a summary of which is reported to OMB quarterly.

    Recommendation: In order to ensure that information security is strengthened at the department, the Secretary of Agriculture should demonstrate that information security at USDA is a departmental priority by (1) directing that sufficient resources be available to fund the department's information security improvement strategy and implementing plan; (2) holding the CIO and Associate CIO accountable for carrying out the strategy and plan; and (3) requiring the Office of the Chief Information Officer to provide the Secretary of Agriculture with quarterly reports describing the results of USDA's efforts to establish and implement an effective departmentwide information security program.

    Agency Affected: Department of Agriculture

  3. Status: Closed - Implemented

    Comments: In August 2000, GAO reported that USDA needed to strengthen its information security. Until this was done, USDA's computer systems, which process sensitive data and support billions of dollars in benefits, remained at risk of serious threats and cyber attacks. To help ensure the department's information security problems were corrected, GAO recommended that USDA report its information security weaknesses and lack of an information security management program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). As GAO recommended, USDA reported information security at the department as a material weakness in its fiscal year (FY) 2000 and FY2001 FMFIA reports and, as stated in the reports, USDA has taken corrective actions to strengthen information security.

    Recommendation: The Secretary of Agriculture should report the department's information security weaknesses and lack of a departmentwide information security management program as a material internal control weakness under the Federal Managers' Financial Integrity Act. This internal control weakness should remain outstanding until USDA fully meets the federal regulations for information security.

    Agency Affected: Department of Agriculture