Of the eight federal agencies examined two years ago for their cybersecurity posture, seven have still made little progress, and many of the issues have persisted for the past decade, says a bipartisan report issued this week by the staff of the Senate Homeland Security and Governmental Affairs Committee.
“This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” Sen. Rob Portman (R-Ohio), ranking member on the committee, said in a statement Tuesday, the day the report was released. “I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade.”
The new report, Federal Cybersecurity: America’s Data Still at Risk, follows a 2019 report by the committee’s investigations panel that analyzed 10 years of reports from the inspectors general of eight departments and agencies, assessing compliance with federal statutory cybersecurity standards. That report reviewed the Departments of Agriculture, Education, Health and Human Services, Homeland Security, Housing and Urban Development, State, and Transportation, and the Social Security Administration.
Key findings from the earlier report included that seven of the eight agencies did not adequately protect personally identifiable information, five failed to maintain accurate and comprehensive inventories of their information technology assets, six failed to patch and remediate network vulnerabilities in a timely manner, and all eight were running outdated systems or applications that their vendors no longer supported with security updates.
This week’s report says that only DHS now has in place “an effective cybersecurity program,” while the other seven agencies have made only “minimal improvements in one or more areas” and have “failed to implement an effective cybersecurity program.”
The latest report cites an inspector general audit at the State Department which found that the department could not provide separation documentation for 60 percent of a sample of employees who had held access to a classified network and had since left the agency; the accounts of those departed employees remained active “for extended periods of time,” rather than being disabled when the employees separated.
The inspector general at Health and Human Services found that two of the department’s component agencies had not fully deployed the DHS EINSTEIN intrusion detection system, which identifies known threats attempting to access a network, even though deployment had been required by law for five years, the report says. The report also cites the department as saying it could not compel its subordinate components to install tools furnished through a DHS cybersecurity program designed to detect threats on agency networks.
Overall, the report says, the average information security grade across large federal agencies is a C-minus.
“There is no single point of accountability for federal cybersecurity,” the report says. “Instead, cybersecurity responsibilities are highly federated making Government-wide information security improvements difficult. Additionally, the Federal Government lacks a unified cybersecurity strategy to combat the current threat landscape.”
Portman joined Committee Chairman Gary Peters (D-Mich.) in releasing the new report.