IG finds flawed IT security program at USDA

An audit of USDA's IT security efforts finds few successes and ample failures.

An inspector general has found that the Agriculture Department’s systems and networks continue to have numerous flaws despite efforts to bolster the department’s IT security posture.

In the Federal Information Security Management Act audits for 2009 and 2010, USDA’s inspector general made 33 recommendations for bolstering the overall security of USDA’s systems. By the end of 2011, the department had met only six of those recommendations, a new IG report notes.

USDA’s weaknesses in its overall IT security program were first reported in 2001, when the IG first detailed the shortcomings. In 2009, the IG recommended that USDA focus its efforts on a select number of priorities instead of trying to achieve numerous goals in a short period of time. USDA and its agencies received recommendations on working together to identify and complete one or two critical objectives before moving on to the next priorities.

Although the IG noted that USDA did take a collaborative approach to addressing these problems, its efforts were not enough. For example, during 2010 and 2011, USDA funded 14 separate projects, none of which was fully implemented during 2011. Instead, funding was slashed and the majority of the projects were scaled back, pushing adoption dates further out, the report states.

“USDA needs to undertake a manageable number of its highest priority projects and it needs to show measurable progress toward the milestones for each active project,” the IG said in its report. “USDA’s inability to complete projects in a timely manner continues to hinder its progress toward improving its security posture.”

The IG also found that USDA lacked policies and procedures to oversee systems that contractors operated on agencies’ behalf. During the 2009 FISMA audit, the IG found seven systems that were excluded from the inventory of contractor systems. Additionally, USDA’s new cloud email service was not included in the official department inventory and had not been designated a contractor system.

USDA’s remote access program was also determined to be flawed. The IG found that the department’s remote access policy did not meet NIST requirements and that multifactor authentication for remote access was widely lacking or inadequately implemented. In addition, USDA did not take action to properly encrypt its laptops; one agency failed to do so “because procedures were inadequate to ensure this was done for newly deployed hardware,” the IG said.

Despite these shortcomings, the IG said it recognizes that USDA has made some progress in areas such as system security documentation. USDA was able to enhance the overall quality of that documentation by issuing detailed guidance, strengthening its quality review process for the documentation, and ensuring more consistent formatting and recording in updates of that guidance.

USDA also successfully deployed a set of network monitoring and detection tools, and made progress in improving its identity and access management program by developing a system that, once completed, will integrate human resource systems, logical access security, and physical access security.