GAO skewers Agriculture IT security

The Agriculture Department has not implemented an adequate security management program to ensure that effective controls are in place, leading to 'significant, pervasive information security weaknesses,' the General Accounting Office reported today.

Information security also requires significantly more management attention.

Although Agriculture has various initiatives under way, it had not yet fully implemented the key elements of a comprehensive security management program. GAO reviewed Agriculture's IT security from February through October last year.

Agriculture CIO Scott Charbo told the GAO in a letter that he was committed to improving IT security throughout the department. The department received an F in the federal computer security scorecard released in December by the House Government Reform subcommittee on technology, information policy, intergovernmental relations and the census.

Agriculture's security will be greatly improved by the next scorecard, Charbo said in an interview. Certification and accreditation of Agriculture's IT systems is his top security priority, he said. Audits by Agriculture's Inspector General and GAO have generated work lists with plans of action and milestones to be met. 'If you look at what happens in the certification and accreditation process, you correct the majority of the material weakness and plan of action and milestone tasks,' he said, adding that he has vetted his security plan through the IG.

In its report, the GAO noted, for example, that agency security personnel lack the management involvement needed to effectively implement security programs. Three agencies have not completed any of the required risk assessments, and security controls have been tested and evaluated for less than half of the department's systems in the past year, the report said.

Serious weaknesses in access control include inadequate protection of network boundaries, insufficient control of network access, inappropriate limits on mainframe access, and failure to fully implement a comprehensive program to monitor access.

Weaknesses also exist in physical security, personnel controls, system software, application change control and service continuity. 'As a result, sensitive data, including information relating to the privacy of U.S. citizens, payroll and financial transactions, proprietary information, agricultural production and marketing estimates, and other mission-critical data, are at increased risk of unauthorized disclosure, modification, or loss, possibly without being detected,' GAO said in its report.

GAO recommended that Agriculture:

  • ensure that security management positions have the authority and cooperation of agency management to implement the security programs

  • complete periodic IT systems risk assessments

  • complete IT security plans and establish policies and procedures on the basis of identified risks

  • provide employees security awareness training

  • test security controls

  • complete IT system certification and accreditation.


  • About the Author

    Mary Mosquera is a reporter for Federal Computer Week.
