Nearly half of the contractors with access to the U.S. Department of Agriculture’s (USDA) online data network do not have a required security clearance, according to the Office of the Inspector General (OIG).
In an audit released on Thursday, the OIG warned that sensitive information of beneficiaries and USDA employees is at risk due to security failings in a multimillion-dollar IT contract that is being administered by AT&T.
The Universal Telecommunications Network (UTN) is the "network backbone for [USDA’s] customers and agencies," which provides food assistance to 101 million people. The government entered into a $350.9 million contract with AT&T in 2010 to provide services for the telecommunications system.
Due to "inadequate oversight," the system has numerous security failings, the OIG found. In addition, mismanagement of the AT&T contract has led to nearly $2 million in billing errors, resulting in the agency paying for services it is not getting.
"The Office of the Chief Information Officer (OCIO) staff concentrated on the operational aspects of the UTN, without placing adequate emphasis on security and task order management, and the contracting officer (CO) from the Office of Procurement and Property Management (OPPM) was not familiar with the task order," the audit said. "We also found that AT&T had not yet installed required network security features."
"As a result, USDA faces an increased risk of sensitive information being lost, disclosed, altered, or destroyed, and is paying for task order services that are not being provided," the OIG said.
The contract required that AT&T employees with access to USDA data have at least a secret-level clearance with a background check. The OIG found that nearly half of the AT&T contractors working on the system did not have clearance.
"[W]e identified 167 out of 370 contractors working on the UTN who did not have a secret level security clearance, as required," the audit said.
The USDA did not even know who was working on its data system, leaving it vulnerable to "unscrupulous persons." Neither the USDA nor AT&T could provide an "accurate listing of all AT&T personnel working on the UTN," the audit said.
A former IT specialist for the USDA was recently sentenced to two years in federal prison for stealing $113,000 from her coworkers by accessing their Social Security numbers.
The agency also failed to follow government-wide security standards at the UTN, which is made up of two trusted Internet connections (TIC) located in Washington, D.C., and San Francisco.
"[W]e found both TIC sites and three [customer edge router] CER sites either did not keep physical visitor logs or review them on a regular basis," the audit said.
The USDA has also had trouble assigning filters for its own websites. In one instance, a filter that was meant to allow access to one user was made to "allow the entire department to access the site." Such errors could lead to downloading malicious software, the audit said.
The agency has also failed to ensure that AT&T has met the requirements of its contract. A required intrusion prevention system (IPS) that monitors network traffic was "not enabled," risking unauthorized access to USDA data.
The company also failed to install a data loss prevention system, putting sensitive data "at risk for exposure outside of USDA." The system has yet to be put in place.
The audit placed some of the blame for failing to meet requirements on the fact that the contracting officer did not have a copy of the contract and its requirements for six months after it went into effect.
Additionally, the USDA has not been able to properly bill AT&T for its work.
"As a result of inadequate oversight, we found that USDA is paying for UTN services that are not being provided," the audit said.
In all, the audit found that due to AT&T’s "inadequate and outdated" procedures, billing errors amounted to mistakes of more than $1.9 million.
The audit was a follow-up to a report in 2006. The OIG said that in 8 years the USDA has yet to fulfill all of the recommendations from the previous audit.