Congressional Report Highlights a Lack of Progress
A congressional report examining eight federal agencies found that seven continue to improperly protect sensitive data and do not meet basic cybersecurity standards.
The 47-page report prepared by the staff of the Senate Committee on Homeland Security and Governmental Affairs, which was released Tuesday, states: “Inspectors general identified many of the same issues that have plagued federal agencies for more than a decade.”
Despite being cited for these same shortcomings in a similar report in 2019, the departments of State, Housing and Urban Development, Agriculture, Health and Human Services and Education – and the Social Security Administration – are still failing to meet even basic cybersecurity standards, the report concludes. Only the Department of Homeland Security was credited with improving its security since the last report was issued.
Among the congressional report’s findings: The Transportation Department (DOT) had no record of thousands of IT assets being used by its staff. The State Department had active accounts for workers who had left the agency. And unauthorized shadow IT devices are in use at HUD.
The data for the latest report was compiled using the 2020 annual audit findings from the eight agencies’ inspectors general.
The report finds that the seven federal agencies “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”
This is particularly troubling, the report states, because nearly 31,000 information security incidents were reported across the federal government in 2020, an 8% increase from 2019.
“Large-scale cyber incidents like SolarWinds and Microsoft Exchange illustrate the considerable threats facing federal agencies,” the report says. “These attacks also make the longstanding vulnerabilities repeatedly documented by inspector generals all the more concerning. Unpatched critical vulnerabilities and shadow IT make breaching agencies’ networks and stealing sensitive data easier and cheaper, at a time when the federal government should be making it harder and more expensive.”
The Report’s Findings
Among the report’s findings:
- The State Department could not provide documentation for 60% of the sample of employees checked who had access to the agency’s classified network;
- The DOT found no record of 7,321 mobile devices, 4,824 servers and 2,880 workstations currently used by its staff;
- The USDA has a significant number of high vulnerabilities on the agency’s public-facing websites;
- Penetration testing of the Education Department’s network led to exfiltration of hundreds of files containing PII, along with 200 credit card numbers;
- The Social Security Administration did not apply proper access management controls.
The report also states that the seven agencies continue to use legacy unsupported computer systems, and six of the agencies failed to install patches.
The report calls for a coordinated approach to cybersecurity across the entire government, including designating a primary office to coordinate with all agencies to develop and implement a cybersecurity strategy for the entire federal government.
It recommends that the Office of Management and Budget enforce the adoption of a risk-based strategy when budgeting for IT and security improvements so agencies would only spend money on actual, and not perceived, risks to their systems.
The report also recommends that DHS provide to Congress a plan to update the Einstein intrusion detection system and justify its cost.
And it calls for Congress to update the Federal Information Security Modernization Act of 2014 to include current security practices, formalize the U.S. Cybersecurity and Infrastructure Security Agency’s role as the lead federal agency for cybersecurity and require contractors and agencies to notify CISA of certain cyber incidents.
Meanwhile, National Cyber Director Chris Inglis, while speaking at an Atlantic Council virtual event, called attention to a recommendation made by the Cyberspace Solarium Commission to establish the Bureau of Cyber Statistics within DHS to collect, analyze and publicly disseminate information on cyber incidents.
Data would be reported to the bureau every 180 days by cybersecurity first responders and cyber insurance carriers, Inglis said. This would help support the development of cybersecurity standards for critical infrastructure, he added.
“I would observe that to properly address risk, we have to first understand it,” he said.