The latest batch of priority open recommendations released April 11 by the Government Accountability Office (GAO) calls out existing IT and cybersecurity issues at the Department of Agriculture (USDA) and the IRS.
USDA Pushed for More Action on Critical Infrastructure
GAO’s letter to USDA centers on the agency’s role in securing critical infrastructure.
As the sector partner for the Food and Agriculture sector, along with the Department of Health and Human Services, USDA is responsible for leading adoption of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework in the industry. In a 2018 report, GAO called on USDA to collaborate with NIST and the Department of Homeland Security to develop methods for determining the level of adoption of the framework across the sector.
While USDA did not agree or disagree, the department did express its intention to provide guidance on framework adoption and develop a measurement mechanism. USDA also noted that it brings up the NIST Cybersecurity Framework at monthly sector calls, though the call participants generally focus on non-cyber concerns. However, GAO kept the recommendation open and continues to push for standards and a more comprehensive understanding of the framework.
IRS Security Controls Remain Open Recommendation Area
Because the IRS holds a wealth of taxpayer and financial data, GAO called on the agency to address two recommendations that remain open from a 2015 report on security controls for that data.
According to GAO, the IRS needs to ensure that testing meets the intent of the security controls, and needs to update its remedial action verification process to ensure full implementation. The IRS agreed with both recommendations, but remedies have not been fully implemented, according to GAO, and these areas will be monitored in FY 2019 audits of the agency.