Further Efforts Needed to Address Serious Weaknesses at USDA
GAO-04-154: Published: Jan 30, 2004. Publicly Released: Mar 1, 2004.
The U.S. Department of Agriculture (USDA) performs critical missions that enhance the quality of life for the American people, relying on automated systems and networks to deliver billions of dollars in programs to its customers; process and communicate sensitive payroll, financial, and market data; and maintain personal customer information. Interruptions in USDA's ability to fulfill its missions could have a significant adverse impact on the nation's food and agricultural production. In addition, securing sensitive information is critical to USDA's efforts to maintain public confidence in the department. GAO was asked to evaluate the effectiveness of USDA's information security controls.
Significant, pervasive information security control weaknesses exist at USDA, including serious access control weaknesses, as well as other information security weaknesses. Specifically, USDA has not adequately protected network boundaries, sufficiently controlled network access, appropriately limited mainframe access, or fully implemented a comprehensive program to monitor access activity. In addition, weaknesses in other information security controls, including physical security, personnel controls, system software, application software, and service continuity, further increase the risk to USDA's information systems. As a result, sensitive data, including information relating to the privacy of U.S. citizens, payroll and financial transactions, proprietary information, agricultural production and marketing estimates, and mission-critical data, are at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected. A key reason for the weaknesses in information system controls is that the department has not yet fully developed and implemented a comprehensive security management program to ensure that effective controls are established and maintained and that information security receives significant management attention. Although USDA has various initiatives under way, it has not yet fully implemented the key elements of a comprehensive security management program. For example, agency security personnel have lacked the management involvement needed to effectively implement security programs, three agencies have not completed any of the required risk assessments, and security controls have been tested and evaluated for less than half of the department's systems in the past year. USDA has recognized the need to improve information security throughout the department, including in the components that we reviewed.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In fiscal year 2008, GAO verified that, in response to our recommendation, USDA published various departmental manuals and directives to aid in implementing a comprehensive security management program. Also, as part of the department's Federal Information Security Management Act compliance program, all USDA agencies are required to complete self-assessments using NIST guidance.
Recommendation: To establish effective information security, the Secretary of Agriculture should direct the CIO to fully implement a comprehensive security management program. Specifically, this would include (1) ensuring that security management positions have the authority and cooperation of agency management to effectively implement and manage security programs, (2) completing periodic risk assessments for systems, (3) completing information security plans and establishing policies and procedures on the basis of identified risks, (4) ensuring that employees complete security awareness training, (5) implementing ongoing tests and evaluations of controls, (6) completing system certifications and accreditations, and (7) developing corrective action plans that clearly tie to identified weaknesses.
Agency Affected: Department of Agriculture