Agriculture fails to prioritize IT security fixes, says IG


The Agriculture Department is "struggling" to prioritize how it will address numerous IT security weaknesses, according to an oversight official. Over the course of three years, the Agriculture Department's office of inspector general has made a total of 43 recommendations for improving IT security, but the department has barely put a dent in remedying the weaknesses, according to testimony at a Dec. 1 House panel hearing.

"The department has only been able to close six of these 43 recommendations," said Agriculture Department Inspector General Phyllis Fong. She testified before the House Agriculture subcommittee on department operations, oversight and credit.

The office of the chief information officer has told OIG that they will be able to complete the remaining IT security fixes recommended by auditors, "but our work continues to show that they don't seem to be able to get them finished," said Assistant IG for Audit Gil Harden.

The OIG is working with the OCIO to help it prioritize remediation actions, said Harden. However, the number of recommendations only continues to grow as new requirements are issued by the National Institute of Standards and Technology, he said, compounding Agriculture's IT security backlog.

Rep. Marcia Fudge (D-Ohio) asked Harden about accountability and penalties if Agriculture does not close more of the OIG's IT security recommendations. Harden said the OIG makes recommendations to CIO Chris Smith and if timelines are not met to remedy weaknesses, it is reported to the chief financial officer for monitoring and possibly listed in the department's performance accountability report at the end of the year.

"So there really is no penalty. You tell on them," said Fudge.

"That's the department's statement for itself," responded Harden.

"I mean it's nothing more than an audit ... So if nobody enforces it, that could be in the audit for the next 20 years," said Fudge, who added "thank you" and left the hearing.

On Nov. 30, the OIG published Agriculture's fiscal 2011 FISMA compliance report (.pdf). The report made 10 recommendations for complying with security requirements. Among the recommendations were:

  • Developing and implementing a plan to mitigate the IT material weaknesses within the Department;
  • Developing a risk management policy and associated procedures that fully comply with NIST;
  • Developing monitoring procedures to verify that monthly vulnerability scans are completed; and
  • Updating incident response reporting procedures.

For more:
- go to the hearing page (includes prepared testimony and archived video)
- see the FISMA compliance report (.pdf)
