Information Security: USDA Needs to Implement Its Departmentwide
Information Security Plan (Letter Report, 08/10/2000, GAO/AIMD-00-217).

Pursuant to a congressional request, GAO provided information on the
steps the Department of Agriculture (USDA) is taking to help ensure
departmentwide information systems security.

GAO noted that: (1) USDA has taken positive steps to begin improving its
information security by developing its August 1999 Action Plan with
recommendations to strengthen departmentwide information security and
hiring a new Associate Chief Information Officer for Cyber-Security who
is working to address specific vulnerabilities and other potential
threats; (2) however, since the plan was issued in August 1999, little
progress has been made to implement other recommendations in the plan
for strengthening the department's information security; (3) moreover,
USDA has not developed and documented a strategy for implementing the
action plan recommendations with established priorities and the detailed
steps, time frames, milestones, and total resources needed to fully
carry them out; and (4) until and unless the department fully implements
these important information security improvements, its critical assets
will remain at risk to cyber attacks and other threats.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  AIMD-00-217
     TITLE:  Information Security: USDA Needs to Implement Its
	     Departmentwide Information Security Plan
      DATE:  08/10/2000
   SUBJECT:  Computer security
	     Internal controls
	     Data integrity
	     Information resources management
	     Information systems

GAO/AIMD-00-217
Accounting and Information
Management Division

B-285277

August 10, 2000

The Honorable Robert Goodlatte
Chairman
Subcommittee on Department Operations,
Oversight, Nutrition, and Forestry
Committee on Agriculture
House of Representatives

Dear Mr. Chairman:

As you know, the Department of Agriculture (USDA) relies on automated
systems and networks to deliver billions of dollars in programs to its
customers; process and communicate sensitive payroll, financial, and market
data; and maintain personal customer information. To safeguard these systems
and ensure the protection and privacy of information they contain, USDA
needs to have a departmentwide information security program. At your
request, we identified steps USDA is taking to help ensure departmentwide
information systems security and briefed your office on the results of our
work on May 17, 2000. The briefing slides are included in appendix I.

This report provides a high-level summary of information presented at that
briefing and presents recommendations we are making to USDA for
strengthening information security throughout the department.

USDA has taken positive steps to begin improving its information security by
developing its August 1999 Action Plan with recommendations to strengthen
departmentwide information security and hiring a new Associate Chief
Information Officer (CIO) for Cyber-Security who is working to address
specific vulnerabilities and other potential threats. However, since the
plan was issued in August 1999, little progress has been made to implement
other recommendations in the plan for strengthening the department's
information security. Moreover, USDA has not developed and documented a
strategy for implementing the action plan recommendations with established
priorities and the detailed steps, time frames, milestones, and total
resources needed to fully carry them out.

Until and unless the department fully implements these important information
security improvements, its critical assets will remain at risk to cyber
attacks and other threats. Therefore, we are recommending that USDA develop
a detailed strategy for implementing the action plan and demonstrate that
information security at USDA is a departmental priority by (1) directing
that sufficient resources be available to fund the department's information
security improvement strategy and implementing plan, (2) holding the CIO and
Associate CIO for Cyber-Security accountable for carrying out the strategy
and plan, and (3) requiring quarterly reports describing the results of
these efforts. We are also recommending that USDA report its information
security weaknesses and lack of a departmentwide information security program
as a material internal control weakness under the Federal Managers'
Financial Integrity Act.

In its comments, USDA agreed with our recommendations for ensuring that
information security is strengthened at the department and offered some
clarifications, which we incorporated as appropriate.

Automated systems are essential to USDA's operations and the delivery of its
mission-critical programs, especially as it moves towards electronic
government (e-government). USDA has many critical assets, including

• billions of dollars in federal payroll, thrift savings, program, and other
accounts at the National Finance Center (NFC) and other agencies;

• sign-up and participant information and other information critical to the
delivery of billions of dollars in USDA programs;

• market-sensitive data on commodities/agricultural economy; and

• personal information on employees and customers, including social security
numbers and health, business, and financial data.

Under federal law and guidance, agencies are required to take necessary
steps to ensure the protection of mission-critical systems and data. The
Computer Security Act of 1987 requires the establishment of a security plan
for systems containing sensitive information commensurate with the risk and
magnitude of potential harm. Office of Management and Budget (OMB) Circular
A-130, Appendix III, Security of Federal Automated Information Resources,
requires federal agencies to establish information security programs,
including completing risk assessments to identify threats and
vulnerabilities and steps to mitigate them.

Under the Federal Managers' Financial Integrity Act (31 U.S.C. 3512 (1982)),
federal department and agency managers are required to evaluate whether
internal control systems have weaknesses that can lead to fraud, waste, and
abuse in government operations. The act is a key mechanism that the Congress
has put into place to ensure that management controls, including those over
automation efforts, are effective, and to hold managers accountable for
correcting identified deficiencies. Federal managers are required to
annually review their internal controls and report to the President and the
Congress any material weaknesses identified in these controls, along with
the status of corrective actions.

As technology has enhanced the ability to share information instantaneously
among computers and networks, federal agencies, including USDA, have become
more vulnerable to unlawful and destructive penetration and disruptions.
These kinds of cyber threats prompted the May 1998 issuance of Presidential
Decision Directive 63, requiring, among other things, that agencies develop
plans to protect their information systems and cyber infrastructure.

Additionally, plans for expanding USDA's use of the Internet as well as
allowing the public more access to services through electronic on-line
transactions pose even greater security and privacy concerns for USDA's many
information systems and networks. Specifically, the Freedom to
E-File Act (P.L. 106-222) was enacted on June 21, 2000; it requires USDA to
expand its use of electronic filing across a range of services and have
on-line systems in place within 2 years.

In 1998, we issued an executive guide [1] on information security management
for helping federal agencies better manage their information security
resources. The guide, which describes five key principles and corresponding
best practices, presents a management framework that agencies can use to
establish more effective information security programs.

USDA and its 29 component agencies' fiscal year 2000 program budget is
$105.4 billion, including $1.2 billion for information technology. The
Office of the Chief Information Officer (OCIO) is responsible for
establishing, implementing, and overseeing a departmentwide information
security program, while the component agencies are responsible for the
day-to-day management of information security for their mission-support
systems.

During 1999, USDA's Office of Inspector General (OIG) and we found
significant information security weaknesses at the department's two major
data centers, which placed critical assets at significant risk. For example,
the OIG's general controls review at USDA's National Information Technology
Center reported network security vulnerabilities and weaknesses, such as
poor network monitoring and intrusion detection and inappropriately
controlled access authority. [2] In July 1999, we reported on further security
weaknesses at USDA's NFC that included inadequate computer security planning
and systems information that was vulnerable to unauthorized access. [3]

As a result of the OIG's and our reports on information security problems at
USDA, in July 1999 the Secretary of Agriculture asked for a plan within 30
days that described fundamental ways to improve information security and
provided recommendations for addressing security problems in a comprehensive
fashion across the department. In its comments on a draft of this report,
USDA stated that another reason the Secretary asked for a plan was his
long-standing and keen interest in federal information security. For
example, USDA stated that the Secretary co-authored the Computer Security
Act of 1987.

In developing its plan, USDA's OCIO assessed departmentwide information
security by (1) conducting a workshop with security experts from key USDA
agencies and a USDA contractor, (2) visiting other federal agencies,
including the Internal Revenue Service, the Department of Commerce, and the
Department of Energy, to examine actions they were taking to improve
information security, and (3) comparing USDA's current security practices
with the "best practices" identified in our May 1998 executive guide as well
as with practices followed by other federal departments.

In August 1999, USDA's OCIO issued An Action Plan to Strengthen USDA
Information Security, which emphasized protecting USDA's critical assets as
a top priority for the department. The plan identified weaknesses at USDA
that included the lack of

• OCIO resources necessary to provide technical assistance, enforce and
monitor policy implementation, and ensure accountability;

• a comprehensive USDA risk assessment that assigns value to the
department's assets and prioritizes vulnerabilities; and

• a departmentwide information security architecture.

USDA's plan also reported that the department devotes significantly fewer
resources to information security than might be expected for an organization
with the criticality of assets that USDA must protect. According to the
plan, for example, USDA projected that it would devote about 1 percent
($12.5 million) of its total information technology budget ($1.2 billion) to
information security in fiscal year 2000, and projected its information
security budget would increase to only slightly more than 1 percent of the
department's total information technology budget in fiscal year 2001.

On August 13, 1999, USDA's OCIO briefed the Secretary on the plan for
improving information security. The plan's recommendations, which were based
on the five key information security principles and practices in our 1998
executive guide, were to

• designate an Associate CIO for Cyber-Security and establish security
program management;

• develop practical risk assessment procedures to manage risks;

• establish appropriate policies and controls linked to business risks and
develop and implement an information security architecture;

• promote security awareness through systematic training; and

• establish procedures to monitor and evaluate policy and controls.

During the briefing, the CIO also discussed general steps to jump-start work
on these recommendations and requested an additional $8 million to implement
most of them by March 2000. However, a strategy was not provided for
implementing the plan's recommendations that had established priorities with
detailed steps, time frames, milestones, and total resources needed to fully
carry out the plan across the department and correct all security
weaknesses. For example, while the CIO listed several action items, such as
initiating a security compliance management program, developing
departmentwide security awareness training, and designing and implementing a
cyber-security architecture, the CIO did not identify priorities and
detailed steps, milestones, and resources needed to carry out these
activities. USDA noted in its comments on a draft of this report that by the
time the OCIO security plan was issued in August 1999, USDA's budget request
for fiscal year 2000 had already been formulated and did not include a
request for the plan's implementation.

From August 1999 through April 2000, USDA began taking action on the first
key recommendation from the action plan for improving information security
by hiring a senior manager for cybersecurity in February 2000. In addition,
the OCIO assigned four staff members to work on the cyber-security team and
has advertised three additional positions.

Beyond this, however, little else has been done to implement the other
recommendations in the plan. For example, at the time of our review, OCIO
had not yet obtained all of the basic information necessary to begin to
determine its business risks, such as establishing a comprehensive list of
sensitive systems, as required by the Computer Security Act of 1987. This is
a fundamental step for establishing an information security program to
protect critical business assets and mitigate risks. Until this fundamental
step is complete and all business risks are adequately assessed, USDA cannot
effectively implement other recommendations for improvement, such as
establishing appropriate policies and controls linked to business risks,
developing an information security architecture, and setting forth
procedures for monitoring and evaluating policy and control effectiveness.

According to USDA's Deputy CIO, more progress implementing the recommended
improvements has not been made because of delays in hiring the senior
executive to fill the department's new cyber-security position. The new
Associate CIO for Cyber-Security did not start work until February 17, 2000.
In addition, the Deputy CIO told us that the Secretary's office did not
approve the action plan or the CIO's request to seek additional
appropriations in fiscal year 2000 beyond the $500,000 already appropriated
for information security during that fiscal year. We were told that USDA
decided that seeking additional funds from the Congress in fiscal year 2000
was not possible at the time due to other existing priorities, such as the
Year 2000 issue and the farm crisis.

The Deputy CIO told us that the OCIO did not attempt to fund needed security
improvements in fiscal year 2000 to jump-start the departmentwide
information security program by reassessing the department's other
information technology priorities and resources and seeking approval to use
a portion of the other available fiscal year 2000 information technology
resources for this purpose. These other funds included (1) the component
agencies' fiscal year 2000 information technology budgets, which amounted to
about $1.2 billion, (2) the OCIO's own $6 million budget in fiscal year 2000
appropriations, or (3) the $61 million in information technology working
capital funds allocated to the OCIO. Instead, OCIO requested an additional
$6.6 million to fund additional
work on the plan in its congressional fiscal year 2001 budget request and
pointed out that the component agencies would be funding their security risk
assessments. OCIO has not yet taken steps to ensure that the component
agencies set aside sufficient funds in their fiscal year 2001 budgets for
this purpose.

Since February 2000, USDA's new Associate CIO for Cyber-Security has been
working with the $500,000 budget appropriated for information security in
fiscal year 2000 and four assigned staff, primarily concentrating on

• setting up a structure for the new cybersecurity office in OCIO;

• briefing agency CIOs and security officers across the department to obtain
support for needed security improvements; and

• addressing specific vulnerabilities identified in USDA OIG's and our
reports.

The Associate CIO for Cyber-Security has also been responding to identified
cyber intrusions, which have continued to occur at the department. According
to USDA's fiscal year 2000 budget request, the department recorded 27
intrusion incidents during 1999. According to the Associate
CIO, USDA has continued to experience a significant number of intrusions in
fiscal year 2000.

As previously discussed, key information security requirements and
guidelines require federal agencies to establish effective information
security management programs. Failure to do so may threaten an agency's
ability to carry out its missions and properly safeguard its critical assets
and can constitute a material internal control weakness under the Federal
Managers' Financial Integrity Act.

USDA has taken positive steps to begin improving its information security by
developing its August 1999 action plan with recommendations for
strengthening information security and hiring a new Associate CIO for
Cyber-Security who is working to address specific vulnerabilities identified
in our and USDA OIG's reports and other potential threats. Beyond this,
however, little progress has been made for implementing other
recommendations in the plan designed to strengthen departmentwide
information security because USDA lacks a strategy for doing so and because
sufficient resources have not been made available. Until and unless USDA
fully implements these important information security improvement efforts,
the department's critical assets will remain at risk for cyber attacks and
other threats, and USDA will not be in a position to provide a secure
environment for expanding e-government.

In order to ensure that information security is strengthened at the
department, we recommend that the Secretary of Agriculture do the following:

• The Secretary should direct that the CIO and Associate CIO for
Cyber-Security develop and document a strategy for implementing the action
plan for improving USDA information security. At a minimum, the implementing
strategy should establish and set forth priorities for implementing the plan
and for addressing the highest risks and threats to the department's assets;
time frames and milestones for completing all necessary actions; and staff
and funding resources required for fiscal years 2001, 2002, and beyond.

• The Secretary should demonstrate that information security at USDA is a
departmental priority by (1) directing that sufficient resources be
available to fund the department's information security improvement strategy
and implementing plan; (2) holding the CIO and Associate CIO accountable for
carrying out the strategy and plan; and (3) requiring OCIO to provide the
Secretary of Agriculture with quarterly reports describing the results of
USDA's efforts to establish and implement an effective departmentwide
information security program.

We also recommend that the Secretary of Agriculture report the department's
information security weaknesses and lack of a departmentwide information
security management program as a material internal control weakness under
the Federal Managers' Financial Integrity Act. This internal control
weakness should remain outstanding until USDA fully meets the federal
regulations for information security.

USDA's CIO provided written comments on July 14, 2000, on a draft of this
report. USDA's comments are summarized below and reproduced in appendix II.

USDA agreed with our recommendations for ensuring that information security
is strengthened at the department. Specifically, USDA agreed that
information systems that support its mission objectives are at risk and that
dramatic changes are needed to improve cybersecurity. USDA also stated that
its OCIO is committed to improving security for the department's valuable
information assets and that the department intends to carry out its
security action plan. USDA stated that the President's fiscal year 2001
budget requested a $6.6 million increase in funding for cybersecurity, and
the department intends to request another substantial increase for
cybersecurity in its fiscal year 2002 budget submission. According to its
comments, these increases will be used to complete the development of a USDA
risk management program, expand the cyber-security office, revise security
policy, conduct on-site security reviews, define a security architecture,
and perform other security-related activities.

USDA also raised several additional matters, none of which affect our
conclusions and recommendations. These matters and our responses are
discussed in appendix II.

As requested, our objective was to provide information on steps being taken
by USDA to help ensure departmentwide information system security. To
identify these steps, we obtained and reviewed USDA internal documents
including the department's budget submissions, security improvement plans,
and contractor studies. Using our and other guidance as evaluation criteria,
we identified and assessed plans and steps being taken by the department to
improve and strengthen security. We also discussed USDA's information
security weaknesses and steps completed and underway to address these
weaknesses with numerous USDA officials, including the CIO, Deputy CIO, and
Associate CIO for Cyber-Security and we obtained written comments on a draft
of this report from USDA's CIO.

We performed our work from February 2000 through April 2000 at USDA
headquarters in Washington, D.C., in accordance with generally accepted
government auditing standards.

As agreed with your office, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from its
date. At that time, we will send copies of this report to Representative Eva
Clayton, Ranking Minority Member, Subcommittee on Department Operations,
Oversight, Nutrition, and Forestry, House Committee on Agriculture; Senator
Richard Lugar, Chairman, and Senator Tom Harkin, Ranking Minority Member,
Senate Committee on Agriculture, Nutrition, and Forestry; Representative
Larry Combest, Chairman, and Representative Charles Stenholm, Ranking
Minority Member, House Committee on Agriculture; and Representative Steven
Horn, Chairman, and Representative Jim Turner, Ranking Minority Member,
Subcommittee on Government Management, Information and Technology, House
Committee on Government Reform. We will also send copies to the Honorable
Daniel R. Glickman, Secretary of Agriculture; the Honorable Jacob J. Lew,
Director, Office of Management and Budget; and other interested parties.
Copies will be made available to others upon request.

If you have any questions on matters discussed in this report, please call
me at (202) 512-6408 or Stephen A. Schwartz, Senior Assistant Director, at
(202) 512-6213. We can also be reached by e-mail at [email protected]
and [email protected], respectively. Key contributors to this
assignment were Christina Bower, Troy Hottovy, Keith Rhodes, and Mark Shaw.

Sincerely yours,

Joel C. Willemssen
Director, Civil Agencies Information Systems

Appendix I: Briefing on USDA Information Security

Appendix II: Comments From the Department of Agriculture

The following are GAO's responses, keyed to the numbered points in USDA's
July 14, 2000, letter commenting on the draft report.

1. USDA noted a concern over the tone of the draft report, stating that the
draft should better reflect USDA Secretary Glickman's proactive attitude
toward cyber security. Specifically, USDA stated that Secretary Glickman
co-authored the Computer Security Act of 1987 and has maintained a keen
interest in the security of USDA's information assets throughout his tenure.
We added language to the report to reflect this.

2. We added language to the report noting that by the time the OCIO security
plan was issued in August 1999, USDA's budget request for fiscal year 2000
had already been formulated and did not include a request for the plan's
implementation.

3. Discussed in "Agency Comments and Our Evaluation" section of this report.

4. These attachments have not been reprinted in the report.

5. USDA noted that the draft report indicates that part of USDA's $1.2
billion in information technology budgets and $61 million in working capital
funds could have and should have been redirected to the department's
cybersecurity program.

This is not an accurate characterization of what the draft report stated.
Specifically, the draft report states that we were told by the OCIO that
USDA did not attempt to fund needed security improvements in fiscal year
2000 to jump-start the departmentwide information security program by (1)
reassessing the department's other information technology priorities and
resources and (2) seeking approval to use a portion of the other available
fiscal year 2000 information technology resources for this purpose.

6. USDA commented that the draft report points to the fact that business
risks have yet to be completely determined across USDA, and assessments have
not been made to identify vulnerabilities. While USDA did not dispute this,
it noted that the report should more accurately distinguish between OCIO's
policy and oversight role and the agency security control and operations
responsibilities. We believe the background section of the draft report
accurately describes these responsibilities.

(511827)
  

[1] Information Security Management: Learning From Leading Organizations
(GAO/AIMD-98-68, May 1998).

[2] U.S. Department of Agriculture Office of Inspector General Audit
Report, Fiscal Year 1998 National Information Technology Center General
Controls Review (#88099-1, Dec. 1999).

[3] Information Security: Weaknesses at National Finance Center Increase Risk
of Fraud, Misuse, and Improper Disclosure (GAO/AIMD-99-227, July 1999).