Skip to Highlights

The U.S. Department of Agriculture (USDA) performs critical missions that enhance the quality of life for the American people, relying on automated systems and networks to deliver billions of dollars in programs to its customers; process and communicate sensitive payroll, financial, and market data; and maintain personal customer information. Interruptions in USDA's ability to fulfill its missions could have a significant adverse impact on the nation's food and agricultural production. In addition, securing sensitive information is critical to USDA's efforts to maintain public confidence in the department. GAO was asked to evaluate the effectiveness of USDA's information security controls.

Skip to Recommendations


Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Agriculture To establish effective information security, the Secretary of Agriculture should direct the CIO to fully implement a comprehensive security management program. Specifically, this would include (1) ensuring that security management positions have the authority and cooperation of agency management to effectively implement and manage security programs, (2) completing periodic risk assessments for systems, (3) completing information security plans and establishing policies and procedures on the basis of identified risks, (4) ensuring that employees complete security awareness training, (5) implementing ongoing tests and evaluations of controls, (6) completing system certifications and accreditations, and (7) developing corrective action plans that clearly tie to identified weaknesses.
Closed - Implemented
In fiscal year 2008 GAO verified, that in response to our recommendation, USDA published various departmental manuals and directives to aid in implementing a comprehensive security management program. Also, as part of the department's Federal Information Security Management Act compliance program all USDA agencies are required to complete self-assessments using NIST guidance.

Full Report

GAO Contacts