The U.S. Department of Agriculture (USDA) performs critical missions that enhance the quality of life for the American people, relying on automated systems and networks to deliver billions of dollars in programs to its customers; process and communicate sensitive payroll, financial, and market data; and maintain personal customer information. Interruptions in USDA's ability to fulfill its missions could have a significant adverse impact on the nation's food and agricultural production. In addition, securing sensitive information is critical to USDA's efforts to maintain public confidence in the department. GAO was asked to evaluate the effectiveness of USDA's information security controls.
Recommendations for Executive Action
Department of Agriculture: To establish effective information security, the Secretary of Agriculture should direct the CIO to fully implement a comprehensive security management program. Specifically, this would include (1) ensuring that security management positions have the authority and cooperation of agency management to effectively implement and manage security programs, (2) completing periodic risk assessments for systems, (3) completing information security plans and establishing policies and procedures on the basis of identified risks, (4) ensuring that employees complete security awareness training, (5) implementing ongoing tests and evaluations of controls, (6) completing system certifications and accreditations, and (7) developing corrective action plans that clearly tie to identified weaknesses.