U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), the Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, released a new bipartisan report reviewing cybersecurity at eight federal agencies and documenting the continued failure of seven of those agencies to comply with the baseline cybersecurity requirements in the Federal Information Security Modernization Act (FISMA) and safeguard America’s data. The report, titled Federal Cybersecurity: America’s Data Still at Risk, shows that, two years after Portman’s bipartisan 2019 report on federal agency cybersecurity, which he released as then-Chairman of the Permanent Subcommittee on Investigations (PSI), there are still systemic failures to safeguard American data at the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration. These include failures to protect personally identifiable information adequately, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations to operate for information systems, to install security patches quickly, and to retire legacy technology no longer supported by the vendor.
The Portman-Peters report follows Portman’s bipartisan 2019 report on federal agency cybersecurity. It reviews the FY 2020 Inspectors General reports on compliance with federal information security standards and finds that seven federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data. In fact, the Inspectors General identified many of the same issues that have plagued federal agencies for more than a decade. The report makes specific recommendations to shore up federal agency cybersecurity and address these vulnerabilities. The report also includes a cybersecurity report card for all the cabinet departments and the largest independent agencies; the average grade of the large federal agencies’ overall information security maturity was a C-.
“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” said Senator Portman. “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade – the American people deserve better. In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America’s data is protected. This report makes it clear that the Biden administration must also ensure there is a single point of accountability for federal cybersecurity to oversee the implementation of our recommendations and address these cybersecurity failures.”
“Shortcomings in federal cybersecurity allow cybercriminals to access Americans’ personal information, which not only compromises our national security – but risks the livelihoods of people in Michigan and across the country. This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data,” said Senator Peters. “Through the American Rescue Plan, I was able to help secure vital resources to modernize and safeguard information systems critical to the federal pandemic response – but there’s more work to be done. As Chairman of the Homeland Security and Governmental Affairs Committee, I will continue working with the Administration and Ranking Member Portman to secure federal IT systems and ensure that federal agencies are taking necessary steps to prevent Americans’ valuable information from being stolen.”
The report’s key findings include:
- According to agency inspectors general, the average grade of the large federal agencies’ overall information security maturity was a C-.
- Six agencies operated systems without current authorizations to operate.
- Seven agencies used legacy systems or applications no longer supported by the vendor with security updates.
- Six agencies failed to install security patches and other vulnerability remediation controls quickly.
- Seven agencies failed to maintain accurate and comprehensive information technology asset inventories.
- Seven agencies failed to protect personally identifiable information adequately.
- Since the 2019 Portman-Carper report evaluating the same eight agencies, only the Department of Homeland Security (DHS) established an effective information security program. Three agencies – the Department of Transportation (DOT), Department of Education, and Social Security Administration (SSA) – showed very little improvement since the Subcommittee’s report in 2019.
- There is no single point of accountability for federal cybersecurity. Instead, cybersecurity responsibilities are highly federated, making government-wide information security improvements difficult. Additionally, the federal government lacks a unified cybersecurity strategy to combat the current threat landscape.
- The DHS Inspector General failed to submit its annual evaluation to Congress prior to this report’s release. Of the eight agencies examined by the Committee, DHS was the only one whose OIG failed to do so.
- The federal government’s continued overreliance on costly and difficult-to-secure legacy technology diverts critical funding away from other security efforts.
- DHS’s flagship cybersecurity program for federal agencies—the National Cybersecurity Protection System (NCPS), operationally known as EINSTEIN—suffers from significant limitations in detecting and preventing intrusions.
- Agencies consistently failed to implement certain key cybersecurity requirements including encryption of sensitive data, limiting each user’s access to the information and systems needed to perform their job, and multi-factor authentication, or to certify to Congress that the system is nonetheless secure.
The report makes the following recommendations:
- The Office of Management and Budget (OMB) should develop and require agencies to adopt a risk-based budgeting model for information technology investments. Agencies currently use limited technology funds on capabilities for perceived security weaknesses instead of those most likely to be exploited by hostile actors. This risk-based model would address blind information technology spending and provide agencies with a better sense of their return on investment for each capability acquired.
- There should be a centrally coordinated approach for government-wide cybersecurity to ensure accountability. A primary office should coordinate with appropriate agencies to develop and implement a cybersecurity strategy for the federal government.
- The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Quality Services Management Office should expand shared services offerings to federal agencies, including improved, government-wide endpoint detection using primarily commercial off-the-shelf products and services to improve the operational effectiveness of EINSTEIN. Shared services are often the most time- and cost-efficient way for agencies to fortify their cyber defenses and strengthen the security posture of federal networks.
- DHS should provide Congress with a plan to update EINSTEIN and to justify its cost.
- The annual Inspector General FISMA Reporting Metrics developed by OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency should prioritize risk-based metrics that best demonstrate the maturity of an agency’s information security program. Those metrics, among other things, should assess an agency’s ability to identify: (1) common threat patterns; (2) security controls that address those common threat patterns; and (3) any other security risks unique to that agency’s networks.
- Congress should update the Federal Information Security Modernization Act of 2014:
  - To reflect current cybersecurity best practices, including focusing on mitigating identified and analyzed cybersecurity risks, in addition to meeting compliance risks;
  - To formalize CISA’s role as the operational lead for federal cybersecurity;
  - To require federal agencies and contractors to notify CISA of certain cyber incidents; and
  - To define “major incident” in a way that ensures federal agencies notify Congress in a timely manner of significant cyber incidents, instead of continuing to rely on the current definition, which has promoted inconsistent notification to Congress.