Several key federal agencies failed to fix vulnerabilities in their IT infrastructure over the last 10 years, leaving a storehouse of sensitive personal information unguarded and vulnerable to hackers, a new report issued by the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations said.
The report, entitled Federal Cybersecurity: America’s Data at Risk, was led by subcommittee chairman Rob Portman (R-OH) and ranking member Tom Carper (D-DE). The Subcommittee reviewed 10 years of Inspectors General data on compliance with federal information security standards for the departments of State (DOS), Homeland Security (DHS), Health and Human Services (HHS), Transportation (DOT), Education (ED), Agriculture (USDA), Housing and Urban Development (HUD), and the Social Security Administration (SSA). The audit assigned ratings based on security functions set by the National Institutes of Science and Technology (NIST), namely: identify, protect, detect, respond, and recover.
Top line findings:
- Seven of the eight agencies failed to provide for the adequate protection of personally identifiable information (PII).
- Five agencies failed to maintain accurate and comprehensive IT asset inventories.
- Six agencies failed to timely install security patches and other vulnerability remediation actions designed to secure the application.
- All eight agencies use legacy systems or applications that are no longer supported by the vendor with security updates resulting in cyber vulnerabilities for the system or application.
Key findings:
- DHS failed to address cybersecurity weaknesses for at least a decade.
- DOS had re-occurring cybersecurity vulnerabilities, some of which were outstanding for over five years.
- DOT failed to remediate vulnerabilities in a timely fashion for 10 consecutive years.
- HUD does not have a mature process for monitoring network and web application data exfiltration.
- USDA maintained systems without valid authorities to operate since FY 2009.
- HHS failed to properly apply security patches and remediate vulnerabilities eight times in the past 11 fiscal years.
- ED failed to properly address vulnerabilities and adequately protect PII in eight annual reviews since FY 2008
- SSA had deficiencies involving the timely installation of security patches in six of the past 11 fiscal years and lacked a comprehensive IT asset inventory seven times during that period.
Recommendations:
- The Office of Management and Budget (OMB) should require agencies to adopt its risk-based budgeting model addressing blind IT spending.
- Federal agencies should consolidate security processes and capabilities in Security Operations Centers (SOCs).
- OMB should ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity.
- OMB should ensure that CIOs are reporting to agency heads on the status of its information security program.
- Federal agencies should prioritize cyber hiring to fill CIO vacancies and other IT positions critical to agency cybersecurity efforts.
- OMB should consider reestablishing CyberStat or regular in person reviews with agency leadership to focus on cybersecurity issues and generate actionable recommendations.
- When DHS launches a shared service, it should consider piloting the service with a small number of agencies to confirm operability and functionality.
- All federal agencies should include progress reports on cybersecurity audit remediation in their annual budget submissions to Congress.
- Federal agencies should create open cybersecurity recommendation dashboards.
“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” Portman said in a statement. “Yet our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats" he said.