Information Security

USDA Needs to Implement Its Departmentwide Information Security Plan Gao ID: AIMD-00-217 August 10, 2000

The Department of Agriculture (USDA) relies on automated systems and networks to deliver billions of dollars in programs to its customers; process and communicate sensitive payroll, financial, and market data; and maintain personal customer information. This report discusses steps that USDA has taken to improve information security and implement its August 1999 departmentwide information security plan. GAO found that USDA has developed recommendations to strengthen departmentwide information security and has hired a new Associate Chief Information Officer for Cyber-Security. Since the plan was issued, however, little progress has been made to implement the plan's other recommendations for strengthening the department's information security. Moreover, GAO found that USDA has not developed and documented a strategy to implement the action plan recommendations with established priorities and the detailed steps, time frames, milestones, and total resources needed to fully carry them out. GAO concludes that until USDA fully implements these important information security improvements, its critical assets will remain vulnerable to cyber attacks and other threats. GAO recommends that USDA develop a detailed strategy to implement the action plan and take steps that would demonstrate that information security is a departmentwide priority.

GAO noted that: (1) USDA has taken positive steps to begin improving its information security by developing its August 1999 Action Plan with recommendations to strengthen departmentwide information security and hiring a new Associate Chief Information Officer for Cyber-Security who is working to address specific vulnerabilities and other potential threats; (2) however, since the plan was issued in August 1999, little progress has been made to implement other recommendations in the plan for strengthening the department's information security; (3) moreover, USDA has not developed and documented a strategy for implementing the action plan recommendations with established priorities and the detailed steps, time frames, milestones, and total resources needed to fully carry them out; and (4) until and unless the department fully implements these important information security improvements, its critical assets will remain at risk to cyber attacks and other threats.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.