What OIG Found
The U.S. Department of Agriculture (USDA) has not fully implemented cybersecurity and governance controls within Artificial Intelligence (AI) systems (approved AI use cases). The Office of the Chief Information Officer (OCIO) has not adequately performed authorizations to operate (ATO) or risk assessments for all USDA AI use cases. Additionally, USDA is not in full compliance with federal standards related to AI. This occurred due to USDA’s implementation process, which prioritized AI implementation over cybersecurity and governance controls outlined in federal guidance. As a result, USDA AI technologies could be vulnerable and lack critical security controls, leaving the agency susceptible to data breaches or reputational harm.
What OIG Recommends
We recommend that OCIO: (1) implement controls and Department-wide regulations to ensure high-impact assessments of AI use cases are conducted in compliance with the Office of Management and Budget (OMB) requirements; (2) review and update all applicable policies and procedures to incorporate AI in compliance with OMB requirements; (3) develop and implement a process to continually review and update USDA’s AI inventory; and (4) develop and implement a process to ensure a risk assessment, ATO determination, and an overall system impact analysis are conducted prior to AI technologies being permitted on the USDA network.

Very few agencies have done this fully,