Information Security: USDA Needs to Implement Its Departmentwide Information Security Plan

AIMD-00-217 Published: Aug 10, 2000. Publicly Released: Sep 11, 2000.
Highlights

Pursuant to a congressional request, GAO provided information on the steps the Department of Agriculture (USDA) is taking to help ensure departmentwide information systems security.


Recommendations

Recommendations for Executive Action

Agency Affected: Department of Agriculture
Recommendation: In order to ensure that information security is strengthened at the department, the Secretary of Agriculture should direct that the Chief Information Officer (CIO) and Associate CIO for Cyber-Security develop and document a strategy for implementing the action plan for improving USDA information security. At a minimum, the implementing strategy should establish and set forth priorities for implementing the plan and for addressing the highest risks and threats to the department's assets; time frames and milestones for completing all necessary actions; and staff and funding resources required for fiscal years 2001, 2002, and beyond.
Status: Closed – Implemented
In response, USDA established an Associate CIO for Cyber Security; developed risk assessment procedures; and implemented a department-wide information security architecture, a security awareness program, an information survivability program, and a system certification program. Also, USDA prepared a plan of actions and milestones for FISMA. In addition, in response to a more recent review of USDA Information Security, GAO-04-154, USDA agreed to fully implement a comprehensive security management program.

Agency Affected: Department of Agriculture
Recommendation: In order to ensure that information security is strengthened at the department, the Secretary of Agriculture should demonstrate that information security at USDA is a departmental priority by (1) directing that sufficient resources be available to fund the department's information security improvement strategy and implementing plan; (2) holding the CIO and Associate CIO accountable for carrying out the strategy and plan; and (3) requiring the Office of the Chief Information Officer to provide the Secretary of Agriculture with quarterly reports describing the results of USDA's efforts to establish and implement an effective departmentwide information security program.
Status: Closed – Implemented
In response, USDA established the OCIO with the delegated authority to manage the Department's Cyber Security Program and has appointed a Chief Information Security Officer. Regarding reporting, in addition to FISMA, quarterly reports are provided to OMB for certain key security performance measures. Also, USDA maintains a plan of actions and milestones for identified weaknesses, a summary of which is reported to OMB quarterly.

Agency Affected: Department of Agriculture
Recommendation: The Secretary of Agriculture should report the department's information security weaknesses and lack of a departmentwide information security management program as a material internal control weakness under the Federal Managers' Financial Integrity Act. This internal control weakness should remain outstanding until USDA fully meets the federal regulations for information security.
Status: Closed – Implemented
In August 2000, GAO reported that USDA needed to strengthen its information security. Until this was done, USDA's computer systems, which process sensitive data and support billions of dollars in benefits, remained at risk of serious threats and cyber attacks. To help ensure the department's information security problems were corrected, GAO recommended that USDA report its information security weaknesses and lack of an information security management program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). As GAO recommended, USDA reported information security at the department as a material weakness in its fiscal year (FY) 2000 and FY2001 FMFIA reports and, as stated in the reports, USDA has taken corrective actions to strengthen information security.
