U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2024 Federal Information Security Modernization Act

View Report

Date Issued

Thursday, July 25, 2024

Submitting OIG

Department of Agriculture OIG

Other Participating OIGs

Department of Agriculture OIG

Agencies Reviewed/Investigated

Department of Agriculture

Report Number

50503-0013-12

Report Description

As required by FISMA, OIG reviewed USDA’s ongoing efforts to improve its information technology security program and practices during FY 2024.

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 11 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
4	Yes	$0	$0
USDA OIG has determined that this recommendation contains sensitive information and will not be publicly released due to privacy concerns.
5	Yes	$0	$0
USDA OIG has determined that this recommendation contains sensitive information and will not be publicly released due to privacy concerns.
6	Yes	$0	$0
USDA OIG has determined that this recommendation contains sensitive information and will not be publicly released due to privacy concerns.
7	Yes	$0	$0
USDA OIG has determined that this recommendation contains sensitive information and will not be publicly released due to privacy concerns.
11	Yes	$0	$0
We recommend Departmental Administration Information Technology Office management enforce multi-factor authentication, or the equivalent thereof, to the application.
12	Yes	$0	$0	We recommend (REDACTED) management implement a system of quality control to ensure the timely completion of quarterly privileged user access reviews in accordance with USDA Departmental Regulation 3505-003.
We recommend (REDACTED) management implement a system of quality control to ensure the timely completion of quarterly privileged user access reviews in accordance with USDA Departmental Regulation 3505-003.
14	Yes	$0	$0
We recommend Departmental Administration Information Technology Office management configure the system to generate user listings with the required data elements (e.g., first name, last name, account creation date, and roles or privileges) to support its system of internal controls and operational needs.
16	Yes	$0	$0
We recommend (REDACTED) management enable the collection of privileged and non-privileged audit logging events and design and implement a process for monitoring and analyzing significant events for unauthorized or unusual activities.
17	Yes	$0	$0
We recommend Cybersecurity and Privacy Operations Center management update existing policies and procedures to include repercussions when an individual does not complete their required role-based security training in the designed 45-day time frame.
18	Yes	$0	$0
We recommend Cybersecurity and Privacy Operations Center management develop a mechanism to track the completion of role-based security training and verify remedial action has occurred in the event an individual has not taken the training on a timely basis.
26	Yes	$0	$0
We recommend the Chief Information Officer perform a cybersecurity resource assessment to identify any technology, people, or tool gaps.