SecurityWeek

Audits

Senate Report: Federal Agencies Still Have Poor Cybersecurity Practices

A bipartisan report released this week by the United States Senate’s Homeland Security and Governmental Affairs Committee shows that key government agencies have made little progress in terms of cybersecurity over the past two years.

A report published in 2019 found that eight federal agencies failed to meet even the basic cybersecurity standards and protocols. Two years later, cybersecurity at those agencies was again analyzed and the findings are — as described in the new report — “stark.”

The new report, titled “Federal Cybersecurity: America’s Data Still at Risk,” is based on recent inspector general audits. The targeted agencies are the Department of Homeland Security, Department of State, Department of Transportation, Department of Housing and Urban Development, Department of Agriculture, Department of Health and Human Services, Department of Education, and the Social Security Administration.

According to the report, only the DHS has established an effective cybersecurity program, while the rest made only minimal improvements.

The findings are alarming considering that threat actors believed to be working for the Chinese and Russian governments have successfully infiltrated many federal agencies since the previous report. Moreover, the White House reported 30,819 information security incidents across the federal government for 2020, an 8 percent increase over the prior year.

“While several of the agencies made minimal improvements in one or more areas, inspectors general found essentially the same failures as the prior 10 years,” the 47-page report reads. “Only DHS had an effective cybersecurity program for 2020; every other agency failed to implement an effective cybersecurity program.”

It adds, “It is clear that the data entrusted to these eight key agencies remains at risk. As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.”

Problems identified at the audited agencies included unpatched systems, the use of outdated systems and applications, failure to maintain accurate IT asset inventories, and failure to adequately protect personally identifiable information (PII).

In addition to pointing out problems, the report makes some recommendations, including the OMB developing and requiring agencies to adopt a risk-based budgeting model for IT investments, a coordinated approach for government-wide cybersecurity to ensure accountability, CISA expanding shared services offerings to federal agencies, and Congress making some changes to the Federal Information Security Modernization Act of 2014.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
