GAO skewers Agriculture IT security

The Agriculture Department has not implemented an adequate security management program to ensure that effective controls are in place, leading to 'significant, pervasive information security weaknesses,' the General Accounting Office reported today.

Information security also requires significantly more management attention.

Although Agriculture has various initiatives under way, it had not yet fully implemented the key elements of a comprehensive security management program. GAO reviewed Agriculture's IT security from February through October last year.

Agriculture CIO Scott Charbo told the GAO in a letter that he was committed to improving IT security throughout the department. The department received an F in the federal computer security scorecard released in December by the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census.

Agriculture's security will be greatly improved by the next scorecard, Charbo said in an interview. Certification and accreditation of Agriculture's IT systems is his top security priority, he said. Audits by Agriculture's Inspector General and GAO have generated work lists with plans of action and milestones to be met. 'If you look at what happens in the certification and accreditation process, you correct the majority of the material weakness and plan of action and milestone tasks,' he said, adding that he has vetted his security plan through the IG.

In its report, the GAO noted, for example, that agency security personnel lack the management involvement needed to effectively implement security programs. Three agencies have not completed any of the required risk assessments, and security controls have been tested and evaluated for less than half of the department's systems in the past year, the report said.

Serious weaknesses in access control include inadequate protection of network boundaries, insufficient control of network access, inappropriate limits on mainframe access, and failure to fully implement a comprehensive program to monitor access.

Weaknesses also exist in physical security, personnel controls, system software, application change control and service continuity. 'As a result, sensitive data, including information relating to the privacy of U.S. citizens, payroll and financial transactions, proprietary information, agricultural production and marketing estimates, and other mission-critical data, are at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected,' GAO said in its report.

GAO recommended that Agriculture:

  • ensure that security management positions have the authority and cooperation of agency management to implement the security programs

  • complete periodic IT systems risk assessments

  • complete IT security plans and establish policies and procedures on the basis of identified risks

  • provide employees security awareness training

  • test security controls

  • complete IT system certification and accreditation.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.

