Report: Still Work To Be Done Safeguarding Federal Agencies
Many federal agencies are unprepared to "confront the dynamic cyber threats of today," according to a Senate investigation this week.
A Senate report this week cautioned that the federal sector needs to be doing a better job when it comes to protecting the personal data of Americans.
A report by the U.S. Senate's Committee on Homeland Security and Governmental Affairs blasted a handful of federal agencies on Tuesday not only for failing to address vulnerabilities in their IT infrastructure but also for failing to comply with basic cybersecurity standards.
For the report, “Federal Cybersecurity: America's Data at Risk,” the Permanent Subcommittee on Investigations reviewed 10 years of Inspector General reports from eight agencies: the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, and the Social Security Administration.
Seven of the eight agencies it looked at, among them the Department of State, DOT, HUD, the Department of Education, and SSA, failed to properly protect personally identifiable information, or PII.
Inspectors General have gone on record insisting that “an accurate inventory of IT systems, interconnections, and software and hardware assets are critical foundational elements for managing risk.” Five of the eight agencies did not maintain such an inventory, meaning they would have a hard time knowing what systems and applications are actually running on their networks.
Six of the eight failed to install security patches, increasing the risk of vulnerabilities being exploited.
Legacy systems, many of which are expensive to maintain and tricky to secure, remain a stumbling block for agencies as well. HUD told the Subcommittee it spends $35 million annually on the maintenance of legacy systems; the USDA said it spends $3.75 million. Other agencies, like HHS and the Department of Education, couldn't pinpoint exactly how much they spend on legacy technology.
The report profiles each agency and the sensitive data it is responsible for protecting, then evaluates each agency's security program against the five NIST Cybersecurity Framework functions: identify, protect, detect, respond, and recover.
"After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft," Ohio Republican Sen. Rob Portman, chairman of the Senate Homeland Security Committee's Subcommittee on Investigations, said in a statement. "The federal government can and must do a better job of shoring up our defenses against the rising cybersecurity threats."
As part of the research, the subcommittee found that the government is not fully in compliance with FISMA, the Federal Information Security Management Act, a 2002 law that requires federal agencies to have an information security and protection program in place.
“The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government’s failure to meet basic cybersecurity standards to protect sensitive data,” the report reads. “The Subcommittee will continue to track federal agency cybersecurity to ensure agencies meet FISMA’s primary legislative objective to secure government information systems.”