The State Department and 3 other US agencies earn a D for cybersecurity
Two years after a damning cybersecurity report, auditors find little has improved.
The 2019 report also highlighted that the agencies were operating legacy systems that were costly to maintain and hard to secure. All eight agencies—including the Social Security Administration and the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education—failed to protect sensitive information they stored or maintained.
Tuesday’s report, titled Federal Cybersecurity: America’s Data Still at Risk, analyzed security practices by the same agencies for 2020. It found that only one agency had earned a grade of B for its cybersecurity practices last year.
“What this report finds is stark,” the authors wrote. “Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.”
The authors assigned the following grades:
| Agency | Grade |
| --- | --- |
| Department of State | D |
| Department of Transportation | D |
| Department of Education | D |
| Social Security Administration | D |
| Department of Agriculture | C |
| Department of Health and Human Services | C |
| Department of Housing and Urban Development | C |
| Department of Homeland Security | B |
> State Department systems, the auditors found, frequently operated without the required authorizations, ran software (including Microsoft Windows) that was no longer supported, and failed to install security patches in a timely manner.
> The department’s user management system came under particular criticism because officials couldn’t provide documentation of user access agreements for 60 percent of sample employees that had access to the department’s classified network. . .
> Details about the other departments are available in the report linked earlier.
> The report comes seven months after the discovery of a supply chain attack that led to the compromise of nine federal agencies and about 100 private companies. In April, hackers working on behalf of the Chinese government breached multiple federal agencies by exploiting vulnerabilities in the Pulse Secure VPN.
> For all of 2020, the White House reported 30,819 information security incidents across the federal government, an 8 percent increase from the prior year.
======================================================================
Some of the biggest civilian agencies in the federal government have failed to act on internal cybersecurity audits dating back multiple years, a Senate report found.
The Senate Homeland Security and Governmental Affairs Subcommittee on Investigations dug through a decade of inspector general reports for eight federal agencies that rated lowest for compliance with the National Institute of Standards and Technology's Cybersecurity Framework in 2017: the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services and Education as well as the Social Security Administration.
The primary finding was an overall failure to keep pace with even basic federal cybersecurity standards.
Seven of the eight agencies weren't properly protecting personally identifiable information, and six failed to regularly patch their machines and systems. Five agencies (DOT, HUD, HHS, State and SSA) weren't even able to keep an accurate inventory of their own IT assets, opening them up to potential intrusions or cyberattacks from unauthorized devices and users connected to their network, something that contributed to a 2018 data breach at NASA's Jet Propulsion Lab. . .
"Given the sustained vulnerabilities identified by numerous Inspectors General, the Subcommittee finds that the federal government has not fully achieved its legislative mandate under [the Federal Information Security Management Act] and is failing to implement basic cybersecurity standards necessary to protect America's sensitive data," the subcommittee wrote.
Other metrics showed similar results. Seven of the eight agencies mentioned in the Senate report received a grade of "C" or lower for FISMA compliance in the newest version of the Federal Information Technology Acquisition Reform Act Scorecard released by the House Oversight Committee June 26. Two (HHS and USDA) were given "F" scores, while DHS received the highest rating of the group with a "B." More broadly, a 2018 Office of Management and Budget assessment of the cybersecurity posture for 96 federal agencies found that 71 had programs that were at risk or high risk for a cyberattack, citing many of the same institutional problems referenced in the Senate report.