Sens. Rob Portman (R-Ohio) and Tom Carper (D-Del.), the chairman and ranking member of the Senate Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations (PSI), published a new bipartisan report Tuesday that documents the failure of eight federal agencies, over the course of two administrations, to address vulnerabilities in their IT infrastructure, leaving Americans’ sensitive and personal information unsafe and vulnerable to theft.
During a 10-month investigation, the Subcommittee reviewed 10 years of Inspectors General reports on compliance with federal information security standards for the Department of Homeland Security and seven other federal agencies: (1) the Department of State; (2) the Department of Transportation; (3) the Department of Housing and Urban Development; (4) the Department of Agriculture; (5) the Department of Health and Human Services; (6) the Department of Education; and (7) the Social Security Administration. These seven agencies were cited by OMB as rating the lowest with regard to cybersecurity practices. The report details how each of these agencies failed to comply with basic cybersecurity protocols. It also includes a number of recommendations to address those failures.
In one notable example, the report documents that since 2011, the Department of Education has been unable to prevent unauthorized outside devices from easily connecting to the agency’s network. In its 2018 audit, the IG found the agency had managed to restrict unauthorized access to 90 seconds, but explained that this was enough time for a malicious actor to “launch an attack or gain intermittent access to internal network resources that could lead to” exposing the agency’s data. This is concerning because that agency holds personally-identifiable information on millions of Americans.
“Hackers with malicious intent can and do attack federal government cyber infrastructure consistently. In 2017 alone, federal agencies reported 35,277 cyber incidents,” said Portman. “After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft. The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats. I look forward to continuing my work with Senator Carper and my bipartisan colleagues to address this issue to ensure the safety and security of Americans’ sensitive information and federal agency assets.”
“In 2014, Congress came together in a bipartisan way to update the Federal Information Security Management Act (FISMA) to address critical issues that had arisen since the legislation was first passed in 2002 and ensure that federal agencies had the tools needed to shore up our cyber defenses. But we know that the threats posed by cyber-attacks continue to evolve and grow every day, so it is crucial that agencies across our government prioritize efforts to better protect their networks from hackers,” said Carper. “While some federal agencies appear to have made progress in recent years, this report makes it clear that there is still much work to be done. Specifically, the Office of Management and Budget, which is ultimately responsible for cybersecurity efforts across government, must provide the necessary leadership to ensure that agencies are staying vigilant and prioritizing good cybersecurity practices. I look forward to continue working in a bipartisan way with my colleague Senator Portman to ensure that government assets and citizens’ personal, private information is protected.”
The report’s key findings include:
- Seven of the eight federal agencies failed to provide for the adequate protection of personally-identifiable information;
- Five agencies failed to maintain accurate and comprehensive IT asset inventories;
- Six agencies failed to timely install security patches and other vulnerability remediation actions designed to secure the application;
- All eight agencies use legacy systems or applications that are no longer supported by the vendor with security updates, resulting in cyber vulnerabilities for the system or application.
- Several Chief Information Officers for the agencies reviewed by the Subcommittee did not have the authority provided by Congress to make organization-wide decisions concerning information security. This creates confusion about who governs issues of information security and diminishes accountability for the implementation of policies that improve agency cybersecurity.
- The Department of Homeland Security failed to address cybersecurity weaknesses for at least a decade. DHS operated systems lacking valid authorities to operate for seven consecutive fiscal years.
- The State Department had reoccurring cybersecurity vulnerabilities, some of which were outstanding for over five years.
- The Department of Transportation Inspector General identified cybersecurity weaknesses at the agency that were outstanding for at least 10 years.
- The Department of Agriculture had reoccurring cybersecurity issues that have persisted for as long as 10 years.
- The Department of Health and Human Services had longstanding cybersecurity weaknesses, including some identified nearly a decade ago.
- The Department of Education had reoccurring cybersecurity weaknesses that impeded the Department’s ability to achieve an effective information security program.
- The Social Security Administration had persistent cybersecurity issues risking the exposure of the personal information of 60 million Americans who receive Social Security benefits.
The report makes the following recommendations:
- OMB should require agencies to adopt its risk-based budgeting model addressing blind IT spending. This process links agency IT spending to FISMA metrics to help agencies identify cybersecurity weaknesses that place the security of agency information at risk. OMB should report to Congress whether legislation is needed.
- Federal agencies should consolidate security processes and capabilities commonly referred to as Security Operations Centers. This would provide agencies with better visibility across their networks. With this visibility, agencies could better detect cybersecurity incidents and exfiltration attempts.
- OMB should ensure that CIOs have the authority to make organization-wide decisions regarding cybersecurity. Without this authority, agencies have no senior officer to hold personnel accountable to security standards and implement policies that strengthen the agency’s information security program. Congress should consider whether legislation is needed.
- OMB should ensure that CIOs are reporting to agency heads on the status of its information security program as mandated by FISMA. To ensure this line of communication, CIOs should submit quarterly reports to agency heads detailing agency performance against FISMA metrics and return on investment for existing cybersecurity capabilities.
- Federal agencies should prioritize cyber hiring to fill CIO vacancies and other IT positions critical to agency cybersecurity efforts. To facilitate this prioritization, OMB should determine if additional flexibility is needed across the government for cyber hiring and suggest any legislation necessary to Congress.
- OMB should consider reestablishing CyberStat or regular in-person reviews with agency leadership to focus on cybersecurity issues and generate actionable recommendations to accelerate the fortification of government networks. OMB should include a summary of the value added by these reviews in its annual FISMA report to Congress.
- In developing shared services for cybersecurity, DHS should consult agency CIOs to ensure that the proposed service will be widely utilized. When DHS launches a shared service, it should consider piloting the service with a small number of agencies to confirm operability and functionality. As the Quality Service Management Office for cybersecurity, DHS should include a summary of the five-year services implementation plan required by OMB in its annual FISMA report to Congress.
- All federal agencies should include progress reports on cybersecurity audit remediation in their annual budget justification submission to Congress.
- Federal agencies should create open cybersecurity recommendation dashboards.