Federal Cybersecurity Report – Summary
On August 3, 2021, U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI) released a bipartisan report on the state of cybersecurity and cyber preparedness at eight federal agencies titled Federal Cybersecurity: America’s Data Still at Risk. The report comes two years after Portman’s bipartisan 2019 report on federal agency cybersecurity.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Senator Portman in a press release. “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.”
Here, we provide an overview of the main findings and recommendations.
Key findings
The average grade of the large federal agencies’ overall information security maturity was a C-.
The following table presents the five levels of maturity based on which federal agencies are evaluated.
- According to the report, the most significant cybersecurity vulnerabilities found at the eight agencies include:
  - Systems operating without a current authorization to operate
  - Using legacy systems and applications that are no longer supported by vendors, which means these systems and apps can’t be updated with the latest security patches
  - Failing to install security patches promptly
  - Lacking an accurate and comprehensive inventory of IT assets
  - Failing to adequately protect personally identifiable information (PII)
- The only agency that showed significant improvements in its cybersecurity maturity was the Department of Homeland Security. However, its flagship cybersecurity program for federal agencies – the National Cybersecurity Protection System (NCPS) – was found to have severe limitations in detecting and preventing cyberattacks.
- Federal agencies lack a single point of accountability for federal cybersecurity.
- The agencies failed to implement such recommended practices as encryption of sensitive data, managing and limiting users’ access to data, and multi-factor authentication.
Recommendations
Based on its assessment of the state of cybersecurity at federal agencies and the lack of progress made in the past two years, the committee presented a list of recommendations in its report:
- Currently, agencies allocate their IT budgets towards patching their systems’ perceived weaknesses rather than the weaknesses most likely to be exploited by threat actors. The committee therefore recommends that the United States Office of Management and Budget (OMB) develop a risk-based budgeting model for IT investments and that federal agencies be required to follow the model.
- To ensure accountability, the committee recommends a centrally coordinated approach for government-wide cybersecurity.
- The Cybersecurity and Infrastructure Security Agency (CISA) should expand its shared service offerings to federal agencies. The committee believes this is the most time- and cost-efficient way to bolster agencies’ cybersecurity.
- Risk-based metrics should be prioritized in the annual Inspector General FISMA Reporting Metrics – a collaborative document by OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency that outlines reporting requirements across key areas to be addressed in the independent evaluations of agencies’ information security programs.
- The Federal Information Security Modernization Act of 2014 must be updated to reflect current cybersecurity best practices and needs, and to require federal agencies and contractors to notify CISA of certain cyber incidents.
You can find the 2019 edition of the report here.