IG finds flawed IT security program at USDA

An inspector general has found that the Agriculture Department’s systems and networks continue to have numerous flaws despite efforts to bolster the department’s IT security posture.

In the Federal Information Security Management Act audits for 2009 and 2010, USDA’s inspector general made 33 recommendations for bolstering the overall security of USDA’s systems. By the end of 2011, the department had met only six of those recommendations, a new IG report notes.

Weaknesses in USDA’s overall IT security program were reported as early as 2001, when the IG first detailed the shortcomings. In 2009, the IG recommended that USDA focus its efforts on a select number of priorities instead of trying to achieve numerous goals during a short period of time. USDA and its agencies received recommendations on working together to identify and complete one or two critical objectives before moving on to the next priorities.

Although the IG noted that USDA did take a collaborative approach to address these problems, its efforts were not enough. For example, during 2010 and 2011, USDA funded 14 separate projects, none of which was fully implemented during 2011. Instead, funding was slashed and the majority of the projects were scaled back, pushing adoption dates further into the future, the report states.

“USDA needs to undertake a manageable number of its highest priority projects and it needs to show measurable progress toward the milestones for each active project,” the IG said in its report. “USDA’s inability to complete projects in a timely manner continues to hinder its progress toward improving its security posture.”

The IG also found that USDA lacked policy and procedures to oversee systems that contractors operated on agencies’ behalf. During the 2009 FISMA audit, the IG found seven systems that were excluded from the inventory of contractor systems. Additionally, USDA’s new cloud email service was not included in the official department inventory and lacked the designation of a contractor system.

USDA’s remote access program was also determined to be flawed. The IG found policy that did not meet NIST requirements, as well as a widespread lack of adequately implemented multifactor authentication for remote access. In addition, USDA did not take action to properly encrypt its laptops, with one agency failing to do so “because procedures were inadequate to ensure this was done for newly deployed hardware,” the IG said.

Despite these shortcomings, the IG said it recognizes USDA has made some progress in areas such as system security documentation. USDA was able to enhance the overall quality of the documentation by issuing detailed guidance, boosting its quality review process for that documentation, and ensuring more consistent formatting and recording in updates of that guidance.

USDA also successfully deployed a set of network monitoring and detection tools, and made progress in improving its identity and access management program by developing a system that, once completed, will integrate human resource systems, logical access security, and physical access security.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.
