U.S. Senators Rob Portman (R-OH) and Tom Carper (D-DE) published a report that documents the failure of eight federal agencies, over the course of two administrations, to address vulnerabilities in their IT infrastructure, leaving Americans’ sensitive and personal information unsafe and vulnerable to theft. 

The Subcommittee reviewed 10 years of Inspectors General reports on compliance with federal information security standards for the Department of Homeland Security and seven other federal agencies: (1) the Department of State; (2) the Department of Transportation; (3) the Department of Housing and Urban Development; (4) the Department of Agriculture; (5) the Department of Health and Human Services; (6) the Department of Education; and (7) the Social Security Administration. These seven agencies were cited by OMB as rating the lowest with regard to cybersecurity practices. The report details how each of these agencies failed to comply with basic cybersecurity protocols. It also includes a number of recommendations to address those failures. 

The report documents that since 2011, the Department of Education has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network. In its 2018 audit, the IG found the agency had managed to restrict unauthorized access to 90 seconds, but explained that this was enough time for a malicious actor to “launch an attack or gain intermittent access to internal network resources that could lead to” exposing the agency’s data. 

The report’s key findings include: 

  • Seven of the eight federal agencies failed to provide for the adequate protection of personally-identifiable information;
  • Five agencies failed to maintain accurate and comprehensive IT asset inventories;
  • Six agencies failed to timely install security patches and other vulnerability remediation actions designed to secure the application;
  • All eight agencies use legacy systems or applications that are no longer supported by the vendor with security updates, resulting in cyber vulnerabilities for the system or application.
  • Several Chief Information Officers for the agencies reviewed by the Subcommittee did not have the authority provided by Congress to make organization-wide decisions concerning information security.  This creates confusion about who governs issues of information security and diminishes accountability for the implementation of policies that improve agency cybersecurity.
  • The Department of Homeland Security failed to address cybersecurity weaknesses for at least a decade.  DHS operated systems lacking valid authorities to operate for seven consecutive fiscal years. 
  • The State Department had reoccurring cybersecurity vulnerabilities, some of which were outstanding for over five years. 
  • The Department of Transportation Inspector General identified cybersecurity weaknesses at the agency that were outstanding for at least 10 years. 
  • The Department of Agriculture had reoccurring cybersecurity issues that have persisted for as long as 10 years.
  • The Department of Health and Human Services had longstanding cybersecurity weaknesses, including some identified nearly a decade ago.   
  • The Department of Education had reoccurring cybersecurity weaknesses that impeded the Department’s ability to achieve an effective information security program. 
  • The Social Security Administration had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans who receive Social Security benefits.  

The report makes the following recommendations: 

  • OMB should require agencies to adopt its risk-based budgeting model addressing blind IT spending.  This process links agency IT spending to FISMA metrics to help agencies identify cybersecurity weaknesses that place the security of agency information at risk. OMB should report to Congress whether legislation is needed.
  • Federal agencies should consolidate security processes and capabilities commonly referred to as Security Operations Centers. This would provide agencies with better visibility across their networks.  With this visibility, agencies could better detect cybersecurity incidents and exfiltration attempts.
  • OMB should ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity. Without this authority, agencies have no senior officer to hold personnel accountable to security standards and implement policies that strengthen the agency’s information security program.  Congress should consider whether legislation is needed.
  • OMB should ensure that CIOs are reporting to agency heads on the status of its information security program as mandated by FISMA. To ensure this line of communication, CIOs should submit quarterly reports to agency heads detailing agency performance against FISMA metrics and return on investment for existing cybersecurity capabilities.
  • Federal agencies should prioritize cyber hiring to fill CIO vacancies and other IT positions critical to agency cybersecurity efforts.  To facilitate this prioritization, OMB should determine if additional flexibility is needed across the government for cyber hiring and suggest any legislation necessary to Congress.
  • OMB should consider reestablishing CyberStat or regular in-person reviews with agency leadership to focus on cybersecurity issues and generate actionable recommendations to accelerate the fortification of government networks.  OMB should include a summary of the value added by these reviews in its annual FISMA report to Congress.
  • In developing shared services for cybersecurity, DHS should consult agency CIOs to ensure that the proposed service will be widely utilized.  When DHS launches a shared service, it should consider piloting the service with a small number of agencies to confirm operability and functionality.  As the Quality Service Management Office for cybersecurity, DHS should include a summary of the five-year services implementation plan required by OMB in its annual FISMA report to Congress.
  • All federal agencies should include progress reports on cybersecurity audit remediation in their annual budget justification submission to Congress.
  • Federal agencies should create open cybersecurity recommendation dashboards.