
Federal Agencies’ Cybersecurity Failures Leaving Americans’ Personal Information at Risk

June 26, 2019

U.S. Senators Rob Portman (R-OH) and Tom Carper (D-DE) published a report that documents the failure of eight federal agencies, over the course of two administrations, to address vulnerabilities in their IT infrastructure, leaving Americans’ sensitive and personal information unsafe and vulnerable to theft. 

The Subcommittee reviewed 10 years of Inspectors General reports on compliance with federal information security standards for the Department of Homeland Security and seven other federal agencies: (1) the Department of State; (2) the Department of Transportation; (3) the Department of Housing and Urban Development; (4) the Department of Agriculture; (5) the Department of Health and Human Services; (6) the Department of Education; and (7) the Social Security Administration. These seven agencies were cited by OMB as rating the lowest with regard to cybersecurity practices. The report details how each of these agencies failed to comply with basic cybersecurity protocols. It also includes a number of recommendations to address those failures. 

The report documents that since 2011, the Department of Education has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network. In its 2018 audit, the IG found the agency had managed to restrict unauthorized access to 90 seconds, but explained that this was enough time for a malicious actor to “launch an attack or gain intermittent access to internal network resources that could lead to” exposing the agency’s data. 

The report’s key findings include: 

  • Seven of the eight federal agencies failed to provide for the adequate protection of personally-identifiable information;
  • Five agencies failed to maintain accurate and comprehensive IT asset inventories;
  • Six agencies failed to install security patches in a timely manner or to take other vulnerability remediation actions designed to secure the application;
  • All eight agencies use legacy systems or applications that are no longer supported by the vendor with security updates, resulting in cyber vulnerabilities for the system or application.
  • Several Chief Information Officers for the agencies reviewed by the Subcommittee did not have the authority provided by Congress to make organization-wide decisions concerning information security.  This creates confusion about who governs issues of information security and diminishes accountability for the implementation of policies that improve agency cybersecurity.
  • The Department of Homeland Security failed to address cybersecurity weaknesses for at least a decade.  DHS operated systems lacking valid authorities to operate for seven consecutive fiscal years. 
  • The State Department had reoccurring cybersecurity vulnerabilities, some of which were outstanding for over five years. 
  • The Department of Transportation Inspector General identified cybersecurity weaknesses at the agency that were outstanding for at least 10 years. 
  • The Department of Agriculture had reoccurring cybersecurity issues that have persisted for as long as 10 years.
  • The Department of Health and Human Services had longstanding cybersecurity weaknesses, including some identified nearly a decade ago.   
  • The Department of Education had reoccurring cybersecurity weaknesses that impeded the Department’s ability to achieve an effective information security program. 
  • The Social Security Administration had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans who receive Social Security benefits.  

The report makes the following recommendations: 

  • OMB should require agencies to adopt its risk-based budgeting model addressing blind IT spending.  This process links agency IT spending to FISMA metrics to help agencies identify cybersecurity weaknesses that place the security of agency information at risk. OMB should report to Congress whether legislation is needed.
  • Federal agencies should consolidate security processes and capabilities commonly referred to as Security Operations Centers. This would provide agencies with better visibility across their networks.  With this visibility, agencies could better detect cybersecurity incidents and exfiltration attempts.
  • OMB should ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity. Without this authority, agencies have no senior officer to hold personnel accountable to security standards and implement policies that strengthen the agency’s information security program.  Congress should consider whether legislation is needed.
  • OMB should ensure that CIOs are reporting to agency heads on the status of the agency's information security program as mandated by FISMA. To ensure this line of communication, CIOs should submit quarterly reports to agency heads detailing agency performance against FISMA metrics and return on investment for existing cybersecurity capabilities.
  • Federal agencies should prioritize cyber hiring to fill CIO vacancies and other IT positions critical to agency cybersecurity efforts.  To facilitate this prioritization, OMB should determine if additional flexibility is needed across the government for cyber hiring and suggest any legislation necessary to Congress.
  • OMB should consider reestablishing CyberStat or regular in-person reviews with agency leadership to focus on cybersecurity issues and generate actionable recommendations to accelerate the fortification of government networks.  OMB should include a summary of the value added by these reviews in its annual FISMA report to Congress.
  • In developing shared services for cybersecurity, DHS should consult agency CIOs to ensure that the proposed service will be widely utilized.  When DHS launches a shared service, it should consider piloting the service with a small number of agencies to confirm operability and functionality.  As the Quality Service Management Office for cybersecurity, DHS should include a summary of the five-year services implementation plan required by OMB in its annual FISMA report to Congress.
  • All federal agencies should include progress reports on cybersecurity audit remediation in their annual budget justification submission to Congress.
  • Federal agencies should create open cybersecurity recommendation dashboards. 