The Senate Homeland Security and Governmental Affairs Committee took seven Federal agencies to task in a report issued today for failing to make sufficient progress on a range of cybersecurity-related problems since the committee last examined security at those agencies in 2019.
The committee report finds that seven of eight agencies examined were failing – as of 2020 – to comply with “baseline cybersecurity requirements” of the Federal Information Security Modernization Act (FISMA), and “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”
The seven agencies singled out by the report for continuing “systemic failures to safeguard American data” are the departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, along with the Social Security Administration.
Only one of the eight agencies examined in 2019 – the Department of Homeland Security – was found to have since then “established an effective information security program” when reexamined by the committee.
The committee’s findings released today may not rely on the most up-to-date data, as the committee said they were compiled from information in individual agency inspectors general reports covering fiscal year 2020, which ended about ten months ago.
Numerous Deficiencies Cited
Lingering security deficiencies flagged by the latest report – issued by committee Chairman Gary Peters, D-Mich., and Ranking Member Rob Portman, R-Ohio – include failures “to protect personally identifiable information adequately, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations to operate for information systems, to install security patches quickly, and to retire legacy technology no longer supported by the vendor.”
The bottom line, the senators said, was that the average information security maturity grade assigned by the agency inspectors general came out to a “C-.”
The report offers a list of recommendations to improve the state of Federal agency cybersecurity, several of which have been discussed by Sens. Peters and Portman at hearings earlier this year, including undertaking FISMA reform, establishing a more central point of responsibility in the Federal government for cybersecurity, and evaluating the effectiveness of the EINSTEIN security technology.
Sen. Portman said today he planned to introduce legislation this year to address some of those recommendations.
Among the recommendations listed in today’s report are:
The Office of Management and Budget (OMB) should develop and require Federal agencies to use a “risk-based budgeting model” for IT investments, which the senators said would address “blind information technology spending and provide agencies with a better sense of their return on investment for each capability acquired.”
The government should adopt a “centrally coordinated approach” for governmentwide cybersecurity, with a “primary office” that would “coordinate with appropriate agencies to develop and implement a cybersecurity strategy for the Federal government.”
The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Quality Services Management Office (QSMO) should expand shared service offerings to Federal agencies, including improved endpoint detection technology “using primarily off the shelf products and services to improve the operational effectiveness” of CISA’s EINSTEIN perimeter defense program.
The Department of Homeland Security should give Congress a plan to update EINSTEIN and justify its cost.
Existing inspector general FISMA reporting metrics developed by the Office of Management and Budget, DHS, and the Council of the Inspectors General on Integrity and Efficiency “should prioritize risk-based metrics that best demonstrate the maturity of an agency’s information security program.”
Congress should update the 2014 FISMA law to, among other steps: 1) reflect “current cybersecurity best practices,” including focusing on mitigating “identified and analyzed” security risks; 2) formalize CISA’s role as the “operational lead for Federal cybersecurity”; 3) require Federal agencies and contractors to notify CISA of certain cyber incidents; and 4) define “major” cybersecurity incident in such a way as to ensure that Congress gets notified of those incidents in a timely way.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own Federal agencies are not doing everything possible to safeguard America’s data,” Sen. Portman said.
“This report shows a sustained failure to address cybersecurity vulnerabilities at our Federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers,” he said.
“Shortcomings in Federal cybersecurity allow cybercriminals to access Americans’ personal information, which not only compromises our national security – but risks the livelihoods of people in Michigan and across the country. This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data,” commented Sen. Peters.
“I will continue working with the Administration and Ranking Member Portman to secure Federal IT systems and ensure that federal agencies are taking necessary steps to prevent Americans’ valuable information from being stolen,” he said.