As required by FISMA, OIG reviewed USDA’s ongoing efforts to improve its information technology security program and practices during FY 2020.
The United States Department of Agriculture (USDA or Department) relies extensively on information technology (IT) resources to accomplish its mission. The IT systems and resources strengthen the management and oversight of the Department’s procurement, property, and finances to ensure resources are used as effectively and efficiently as possible. Improving the overall management and security of IT resources and stakeholder information must be a top priority for the Department. While technology enables and enhances the sharing of information instantaneously among stakeholders, it also makes an organization’s networks and IT resources vulnerable to malicious activity and exploitation by internal and external sources. Insiders with malicious intent, recreational and institutional hackers, and attacks by foreign intelligence organizations are significant threats to the Department’s critical systems.
Key Changes to the Fiscal Year (FY) 2020 Inspector General (IG) Federal Information Security Modernization Act Of 2014 (FISMA) Metrics
One of the goals of the annual FISMA evaluation is to assess the agency’s progress toward achieving outcomes that strengthen Federal cybersecurity, including implementing the Administration’s priorities and best practices. The FY 2020 Chief Information Officer (CIO) FISMA Metrics include an additional focus on the security of mobile devices (Government-furnished equipment (GFE) and non-GFE), particularly in the areas of mobile device management and enterprise mobility management. As such, the FY 2020 IG FISMA Reporting Metrics include updates to questions on asset management, security architecture, and flaw remediation (Questions 2, 3, 6, and 19) to assess agency progress in securing mobile endpoints and employing secure application development processes.
Furthermore, the Office of Management and Budget (OMB) has issued updated guidance on the Trusted Internet Connection (TIC) initiative. Specifically, OMB Memorandum M-19-26, Update to the Trusted Internet Connections (TIC) Initiative (September 12, 2019), provides updated guidance to Federal agencies on the use of TIC capabilities in modern architectures and frameworks, such as cloud-based infrastructures. While the memorandum gives agencies until September 12, 2020, to implement new TIC requirements, the IG FISMA metrics on TIC implementation (Question 20) have been updated to assess the agency’s progress in planning for the effective implementation of the security capabilities outlined in M-19-26.
Federal Information Security Modernization Act of 2014
On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-347), which includes Title III, entitled the Federal Information Security Management Act of 2002. Title III required each Federal agency to develop, document, and implement an agencywide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.
On December 18, 2014, the President signed FISMA, which amended the Federal Information Security Management Act of 2002 and provided several modifications that modernize Federal security practices to address evolving security concerns. These changes reduce overall reporting, strengthen the use of continuous monitoring in systems, increase focus on the agencies for compliance, and produce reporting on more focused issues caused by security incidents.
FISMA requires Federal agencies to have an annual, independent assessment of their information security program and practices performed to determine the effectiveness of such program and practices, and to report the results of the assessment to OMB. In addition to the annual review and reporting requirements, FISMA includes new provisions that further strengthened the Federal Government’s data and information systems security, such as requiring the development of minimum control standards for agencies’ systems. FISMA provides OMB oversight authority of agency security policies and practices and provides authority for the implementation of agency policies and practices for information systems to the Department of Homeland Security (DHS).
According to FISMA, the Secretary of DHS must develop and oversee the implementation of operational directives requiring agencies to implement OMB standards and guidelines for safeguarding Federal information and systems from a known or reasonably suspected information security threat, vulnerability, or risk. It authorizes the Director of OMB to revise or repeal operational directives that are not in accordance with the Director’s policies.
FISMA “directs the Secretary to consult with and consider guidance developed by the National Institute of Standards and Technology (NIST) to ensure that operational directives do not conflict with NIST information security standards.”
Additionally, FISMA directs Federal agencies to submit an annual report regarding major incidents to OMB, DHS, Congress, and the Comptroller General of the Government Accountability Office (GAO). Reports are required to include: (1) threats and threat factors, vulnerabilities, and impacts; (2) risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; (3) detection, response, and remediation actions; (4) total number of incidents; and (5) a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information.
Further, FISMA “requires OMB to ensure the development of guidance for evaluating the effectiveness of information security programs and practices.” As part of NIST’s statutory role in providing technical guidance to Federal agencies, NIST works with agencies in developing information security standards and guidelines. NIST developed an integrated Risk Management Framework that effectively brought together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs for all Federal agencies.
FISMA requires the head of each agency to be responsible for:
- providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of the agency and information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency;
- complying with the requirements of NIST’s related policies, procedures, and standards;
- ensuring information security management processes are integrated with agency strategic, operational, and budgetary planning processes; and
- ensuring senior agency officials provide information security for the information and information systems that support the operations and assets under their control. This support includes assessing risk, determining the levels of information security, implementing policies to reduce risks cost-effectively, and periodically testing and evaluating security controls.
FISMA requires the Office of Inspector General (OIG) to conduct an annual independent assessment to determine the effectiveness of the information security program and practices of its respective agency. These assessments: (a) test the effectiveness of information security policies, procedures, and practices of a subset of agency information systems; and (b) assess the effectiveness of an agency’s information security policies, procedures, and practices.
The objectives of this audit were to evaluate the status of USDA’s overall IT security program by evaluating the five cybersecurity framework security functions. We also reviewed corrective actions taken by the Office of the Chief Information Officer to implement OIG’s prior audit recommendations.
WHAT OIG FOUND
The U.S. Department of Agriculture (USDA) continues to take positive steps to improve its information technology (IT) security posture, but many longstanding weaknesses remain. Of the 14 outstanding recommendations from fiscal years (FY) 2009–2019, 11 have been completed and 3 are scheduled for closure after the date of our report. We have also issued nine new recommendations based on security weaknesses identified in FY 2020.
The Office of Management and Budget (OMB) establishes standards for an effective level of security and considers “Managed and Measurable” to be a sufficient level. However, we found the Department’s maturity level to be at the “Consistently Implemented” level. Based on OMB’s criteria, the Department’s overall score indicates an ineffective level of security. In our detailed testing of the 67 Federal Information Security Modernization Act of 2014 (FISMA) Reporting Metrics, we found the Department increased its maturity level for 5 metrics. The maturity level of 7 metrics was downgraded because of a new requirement related to supply chain risk management and the most recent cyber incidents. The maturity level did not change for 55 metrics. The Department and its agencies must develop and implement an effective plan to mitigate the security weaknesses identified in prior fiscal year recommendations. OCIO generally concurred with the findings and recommendations in the report.
Due to existing security weaknesses identified, we continue to report a material weakness in USDA’s IT security that should be included in the Department’s Federal Managers Financial Integrity Act report.
This report contains sensitive content. Sections of this report are being withheld from public release due to concerns about the risk of circumvention of law.