New report finds cybersecurity lacking across multiple federal agencies

A new report from U.S. Sens. Rob Portman (R-OH) and Tom Carper (D-DE) details the failure of eight federal agencies, over the course of two administrations, to address vulnerabilities in their IT infrastructure.

The senators, who serve as the chairman and ranking member of the Permanent Subcommittee on Investigations (PSI), said this failure leaves Americans’ sensitive and personal information unsafe and vulnerable to theft.

In a 10-month investigation, the senators reviewed 10 years of Inspectors General reports on compliance with federal information security standards for the Department of Homeland Security; the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration. The Office of Management and Budget (OMB) had rated the latter seven agencies lowest in cybersecurity practices.

The report examines how each of these agencies failed to comply with basic cybersecurity protocols and includes several recommendations to address those failures.

“In 2014, Congress came together in a bipartisan way to update the Federal Information Security Management Act (FISMA) to address critical issues that had arisen since the legislation was first passed in 2002 and ensure that federal agencies had the tools needed to shore up our cyber defenses. But we know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers,” Carper said. “While some federal agencies appear to have made progress in recent years, this report makes it clear that there is still much work to be done. Specifically, the Office of Management and Budget, which is ultimately responsible for cybersecurity efforts across government, must provide the necessary leadership to ensure that agencies are staying vigilant and prioritizing good cybersecurity practices.”

The report found that seven of the eight federal agencies failed to adequately protect personally identifiable information, while five failed to maintain accurate and comprehensive IT asset inventories. Six agencies failed to install security patches and carry out other vulnerability remediation actions in a timely manner, and all eight use legacy systems or applications that the vendor no longer supports with security updates.

“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said. “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”

The report said the agencies should consolidate their security processes and capabilities into Security Operations Centers to address these issues. This would give agencies better visibility across their networks and improve their ability to detect cybersecurity incidents and exfiltration attempts. They should also ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity; without this authority, agencies have no senior officer to hold personnel accountable to security standards and to implement policies. They should also prioritize cyber hiring to fill CIO vacancies and other IT positions critical to agency cybersecurity efforts.

Further, all federal agencies should include progress reports on cybersecurity audit remediation in their annual budget justification submission to Congress.

Dave Kovaleski
