U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2024 Federal Information Security Modernization Act
Recommendations
We recommend (REDACTED) management enable the collection of privileged and non-privileged audit logging events and design and implement a process for monitoring and analyzing significant events for unauthorized or unusual activities.
We recommend Cybersecurity and Privacy Operations Center management update existing policies and procedures to include repercussions when an individual does not complete their required role-based security training in the designed 45-day time frame.
We recommend Cybersecurity and Privacy Operations Center management develop a mechanism to track the completion of role-based security training and verify remedial action has occurred in the event an individual has not taken the training on a timely basis.
We recommend Departmental Administration Information Technology Office management enforce the requirements for information system security documentation to be updated, reviewed, and approved in accordance with USDA policy. When annual security requirements cannot be completed within the required timeframe, ensure a formal risk waiver is procured.
We recommend Departmental Administration Information Technology Office management conduct annual security control assessments in accordance with USDA’s continuous monitoring schedule.