Information Security: USDA Needs to Implement Its Departmentwide Information Security Plan

In response, USDA established an Associate CIO for Cyber Security; developed risk assessment procedures; and implemented a department-wide information security architecture, a security awareness program, an information survivability program, and a system certification program. Also, USDA prepared a plan of actions and milestones for FISMA. In addition, in response to a more recent review of USDA Information Security, GAO-04-154, USDA agreed to fully implement a comprehensive security management program.

In response, USDA established the OCIO with the delegated authority to manage the Department's Cyber Security Program and has appointed a Chief Information Security Officer. Regarding reporting, in addition to FISMA, quarterly reports are provided to OMB for certain key security performance measures. Also, USDA maintains a plan of actions and milestones for identified weaknesses, a summary of which is reported to OMB quarterly.

In August 2000, GAO reported that USDA needed to strengthen its information security. Until this was done, USDA's computer systems, which process sensitive data and support billions of dollars in benefits, remained at risk of serious threats and cyber attacks. To help ensure the department's information security problems were corrected, GAO recommended that USDA should report its information security weaknesses and lack of information security management program as a material internal control weakness under the Federal Managers' Financial Integrity Act (FMFIA). As GAO recommended, USDA reported information security at the department as a material weakness in its fiscal year (FY) 2000 and FY2001 FMFIA reports and, as stated in the reports, USDA has taken corrective actions to strengthen information security.