Federal agencies are unprepared to confront and mitigate cyberthreats today, the Senate Homeland Security and Governmental Affairs Committee Investigations Subcommittee determined in a report released today, recommending that agencies give CIOs more authority to make decisions on cybersecurity.
The subcommittee reviewed the last decade’s worth of Inspector General (IG) audits that assessed eight agencies’ compliance with basic cybersecurity standards based on the National Institute of Standards and Technology (NIST) cybersecurity framework.
More specifically, the subcommittee reviewed audits of the Departments of Homeland Security (DHS), State, Transportation (DoT), Housing and Urban Development (HUD), Agriculture (USDA), Health and Human Services (HHS), Education, and the Social Security Administration (SSA). The subcommittee found that all eight currently fail, and have historically failed, to comply with basic cybersecurity standards.
“During the Subcommittee’s review, a number of concerning trends emerged regarding the eight agencies’ failure to comply with basic NIST cybersecurity standards,” the report said.
The subcommittee found that all eight agencies have failed to remediate cyber vulnerabilities and apply security patches in a timely manner over the past decade. HUD and State IGs found that those agencies failed to patch security vulnerabilities in seven of the last 10 annual audits, while HHS and Education failed eight, USDA failed the last nine, and DHS and DoT both failed all 10.
The IGs also found an overreliance on legacy systems across all eight agencies. Legacy systems, according to a May 2018 Office of Management and Budget (OMB) report, are one of the two most critical contributors to agency cybersecurity risk.
Furthermore, State, DoT, HUD, Education, and SSA have also failed to properly protect personally identifiable information (PII) they hold, and HUD notably failed nine of the last 11 audits in PII security.
HHS, SSA, DoT, State, and HUD have also struggled to maintain accurate and comprehensive inventories of their IT assets. Meanwhile, DHS, DoT, HUD, USDA, HHS, and Education IGs have said their respective agencies have failed to ensure their systems had valid authorities to operate (ATOs).
Despite the increased authority Congress has given Federal CIOs over agency IT budgets and priorities through FISMA (the Federal Information Security Management Act) and FITARA (the Federal Information Technology Acquisition Reform Act), the subcommittee also said that 24 major agencies – including the eight the subcommittee reviewed – have struggled to empower CIOs and have not addressed their CIO roles as Congress directed.
“Given the sustained vulnerabilities identified by numerous Inspectors General, the Subcommittee finds that the federal government has not fully achieved its legislative mandate under FISMA and is failing to implement basic cybersecurity standards necessary to protect America’s sensitive data,” the report said.
After reviewing the IG findings, the subcommittee issued nine recommendations, many of which direct OMB and DHS – which respectively set agency cybersecurity priorities and implement them – to address the shortfalls the IGs reported. The recommendations are that:
- OMB should ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity;
- OMB should ensure that CIOs report to agency heads on the status of the information security program, as FISMA mandates;
- OMB should require agencies to adopt its risk-based budgeting model to address blind IT spending;
- Federal agencies should consolidate security processes and capabilities commonly referred to as Security Operations Centers (SOCs);
- Federal agencies should prioritize cyber hiring to fill CIO vacancies and other IT positions critical to cybersecurity efforts, and suggest relevant legislation to Congress;
- OMB should reestablish CyberStat or regular in-person reviews with agency leadership to focus on cyber issues and create recommendations to accelerate government network fortification;
- DHS should consult agency CIOs to ensure wide adoption of proposed shared cybersecurity services;
- All Federal agencies should provide progress reports on cybersecurity audit remediation in their annual budget justification submissions to Congress; and
- Federal agencies should create open cybersecurity recommendation dashboards and submit to Congress audit recommendation closure rates and accomplishments.