The U.S. Department of Agriculture (USDA) Office of the Inspector General (OIG) found that the USDA is not properly disciplining employees or contractors for improper uses of IT resources. OIG found that a lack of clear policies and procedures were to blame for the lack of accountability.
In a report released Aug. 19, the OIG reviewed the USDA’s internal controls to prevent, detect, and report employees’ and contractors’ improper use of IT resources. To conduct its investigation, the OIG examined the three agencies – the Forest Service, the Agricultural Research Service, and the Animal and Plant Health Inspection Service – with the highest number of improper usage incidents. Then the OIG tested each agency’s networks, reviewed agency records, and conducted interviews with applicable personnel.
The USDA’s Agriculture Security Operations Center, a part of the Office of the Chief Information Officer (OCIO), is tasked with detecting and investigating cases of potential IT misuse. The USDA agencies’ supervisors and human resources (HR) personnel serve as a first line of defense in tracking, addressing, and preventing repeat incidents. However, the report found that of the 36 improper use incidents, 28 (roughly 75 percent) were not referred to HR officials. Additionally, of the 28 incidents, 19 (roughly 68 percent) were not referred to supervisors.
“This occurred because neither USDA nor its agencies have sufficient improper usage policies in place to direct agency personnel on how or when to involve HR and supervisors in the remediation process,” the report says. “Without guidance clearly communicating roles and responsibilities, instances of IT improper use may go unnoticed or unresolved by key parties in the resolution process.”
Without proper tracking, the OIG says that repeat offenders “may be able to continually misuse USDA IT resources, wasting those resources, and exposing USDA networks to increased risk of malware and other internet-based threats.”
As a result of its findings, OIG offered up recommendations for USDA.
“The Office of Human Resources Management and OCIO need to define improper usage and develop and implement a documented process for ensuring all parties are notified of incidents, agencies,” the report recommends. Additionally, “staff offices need to track and monitor incidents, and OCIO and Departmental Administration need to ensure contractors and other non-Government employees are held accountable to the same improper usage standards as employees.”
USDA agreed with all of the recommendations and is undertaken steps to develop the needed policies and procedures.