A new report released this week by United States Sens. Rob Portman (R-OH) and Gary Peters (D-MI) revealed glaring cybersecurity failures at eight federal agencies over the past decade, along with the inability of seven of them to comply with basic cybersecurity requirements.
The Federal Cybersecurity: America’s Data Still at Risk report released by the ranking member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, respectively, followed a 2019 report from Portman, which lambasted these same agencies for years of failures. These failures are systemic, the report shows, and continue to plague the U.S. Departments of State; Transportation; Housing and Urban Development; Agriculture; the Health and Human Services; Education; and the Social Security Administration.
Such failures leave many at risk, opening personally identifiable information to hackers. They also include failures to maintain accurate and comprehensive IT asset inventories, current authorizations for operating such information systems, and the retirement of legacy technology no longer supported by vendors. The average grade it gave for large federal agencies’ overall information security maturity was a C-.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming, and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” Portman said. “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade – the American people deserve better. In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America’s data is protected.”
Part of these recommendations includes the creation of a single point of accountability for federal cybersecurity. That person or organization would oversee the rollout of recommendations and attempts to fix cybersecurity flaws. Among other recommendations, the report called for the Office of Management and Budget to develop and require agencies to adopt a risk-based budgeting model for IT investments, create a centralized, government-wide cybersecurity approach, and expand services from the Cybersecurity and Infrastructure Security Agency (CISA).
“Shortcomings in federal cybersecurity allow cybercriminals to access Americans’ personal information, which not only compromises our national security – but risks the livelihoods of people in Michigan and across the country,” Peters said. “This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data.”