Senate turns up a decade of federal cybersecurity failure

Some of the biggest civilian agencies have failed to act on internal cybersecurity audits dating back multiple years, a Senate report found.


Some of the biggest civilian agencies in the federal government have failed to act on internal cybersecurity audits dating back multiple years, a Senate report found.

The Senate Homeland Security and Governmental Affairs Subcommittee on Investigations dug through a decade of inspector general reports for the eight federal agencies that rated lowest for compliance with the National Institute of Standards and Technology's Cybersecurity Framework in 2017: the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services and Education, as well as the Social Security Administration.

The primary finding was an overall failure to keep pace with even basic federal cybersecurity standards.

Seven of the eight agencies weren't properly protecting personally identifiable information, and six failed to regularly patch their machines and systems. Five agencies (DOT, HUD, HHS, State and SSA) weren't even able to keep an accurate inventory of their own IT assets, leaving them unable to tell authorized devices and users on their networks from unauthorized ones, a gap that contributed to a 2018 data breach at NASA's Jet Propulsion Laboratory.
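Two of the findings above, an incomplete asset inventory and missed patching, are checks an agency can automate against the data it already holds. The following is an added illustration, not code from the Senate report or any agency: it reconciles a constructed authorized inventory against a constructed ARP-style sweep, flags devices on the wire that nobody registered, flags inventoried assets that were not seen (possibly stale records), and flags assets that have outrun an assumed 30-day patch window. The inventory rows, the MAC and IP values and the patch window are all assumptions made for the example.

```python
"""Reconcile observed network devices against an authorized asset inventory
and flag assets that have missed a patch window.

Added illustration with constructed data; nothing here is from the report.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed policy for the example: every asset must be patched within 30 days.
PATCH_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str
    last_patched: date


# Constructed authorized inventory (what the CMDB says should be on the LAN).
INVENTORY: Dict[str, Asset] = {
    "aa:bb:cc:00:00:01": Asset("aa:bb:cc:00:00:01", "fileserver-01", "ops", date(2019, 6, 1)),
    "aa:bb:cc:00:00:02": Asset("aa:bb:cc:00:00:02", "hr-laptop-17", "hr", date(2019, 2, 10)),
    "aa:bb:cc:00:00:03": Asset("aa:bb:cc:00:00:03", "printer-2f", "facilities", date(2018, 11, 3)),
}

# Constructed 'ip mac' lines in the shape of an ARP or DHCP-lease dump.
# The third device is not in the inventory; its prefix b8:27:eb is the
# Raspberry Pi Foundation OUI, i.e. a hobbyist board nobody registered.
ARP_TABLE = """\
10.0.1.10  aa:bb:cc:00:00:01
10.0.1.23  aa:bb:cc:00:00:02
10.0.1.77  b8:27:eb:12:34:56
"""


def parse_arp(text: str) -> Dict[str, str]:
    """Map MAC -> IP from whitespace-separated 'ip mac' lines; blank or
    malformed lines are skipped and MACs are normalised to lower case."""
    seen: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            ip, mac = parts[0], parts[1].lower()
            seen[mac] = ip
    return seen


def reconcile(inventory: Dict[str, Asset], observed: Dict[str, str],
              today: date, window: timedelta = PATCH_WINDOW) -> Dict[str, list]:
    """Return three finding lists:
    unknown  - (mac, ip) pairs seen on the network but absent from inventory
    missing  - inventoried hostnames not seen in this sweep
    overdue  - (hostname, days since last patch) beyond the patch window
    """
    unknown: List[Tuple[str, str]] = sorted(
        (mac, ip) for mac, ip in observed.items() if mac not in inventory
    )
    missing: List[str] = sorted(
        a.hostname for mac, a in inventory.items() if mac not in observed
    )
    overdue: List[Tuple[str, int]] = sorted(
        (a.hostname, (today - a.last_patched).days)
        for a in inventory.values()
        if today - a.last_patched > window
    )
    return {"unknown": unknown, "missing": missing, "overdue": overdue}


def run(today: date = date(2019, 6, 26)) -> Dict[str, list]:
    """Run the reconciliation over the constructed data as of an assumed date."""
    return reconcile(INVENTORY, parse_arp(ARP_TABLE), today)


if __name__ == "__main__":
    for kind, items in run().items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

Each of the three lists maps to a finding in the report: an unknown MAC is a device the inventory never authorized, a missing host is an inventory record that no longer reflects the network, and an overdue host is the patching gap the inspectors general kept reporting. In practice the sweep would come from switch MAC tables, DHCP leases or an NAC system rather than a pasted ARP dump, and the window would come from agency policy.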

"Given the sustained vulnerabilities identified by numerous Inspectors General, the Subcommittee finds that the federal government has not fully achieved its legislative mandate under [the Federal Information Security Management Act] and is failing to implement basic cybersecurity standards necessary to protect America's sensitive data," the subcommittee wrote.

Other metrics showed similar results. Seven of the eight agencies mentioned in the Senate report received a grade of "C" or lower for FISMA compliance in the newest version of the Federal Information Technology Acquisition Reform Act Scorecard released by the House Oversight Committee June 26. Two (HHS and USDA) were given "F" scores, while DHS received the highest rating of the group with a "B." More broadly, a 2018 Office of Management and Budget assessment of the cybersecurity posture for 96 federal agencies found that 71 had programs that were at risk or high risk for a cyberattack, citing many of the same institutional problems referenced in the Senate report.

DHS, which houses the Cybersecurity and Infrastructure Security Agency, was not immune to these deficiencies. Despite partnering with NIST in 2017 to develop governmentwide metrics for evaluating the effectiveness of an information security program, the subcommittee found the department wasn't following its own guidance.

The department was also taken to task for repeatedly missing implementation timelines for the governmentwide EINSTEIN and Continuous Diagnostics and Mitigation (CDM) programs it manages, which are supposed to give agencies greater visibility into, and protection from, malicious activity on their networks. Most concerning, despite years of work and approximately $5.7 billion invested in EINSTEIN since 2013, DHS officials still haven't instituted metrics that would let them measure whether the program is actually improving federal IT security.

Not surprisingly, all eight agencies were also over-reliant on outdated legacy software, and the report indicates that IT modernization could dramatically improve the status quo.

For instance, HUD's Computerized Homes Underwriting Management System, which initiates and tracks loan case numbers and associated data, is "so old that lenders are unable to submit loan applications electronically" and must do so by mail. A 21-year-old system used by USDA to allocate and coordinate agency resources to fight wildfires was called out by the U.S. Forest Service for being "on the verge of technical obsolescence." Other agencies reported decades-old systems that still run on COBOL and are no longer supported or patched by the original vendor, yet remain in use.

The subcommittee recommended that OMB require agencies to adopt risk-based budgeting that links IT spending to FISMA metrics, which can help flag an agency's most glaring cyber weaknesses, and that it examine whether legislation is needed to compel compliance. Other recommendations include consolidating security operations centers, giving agency CIOs more authority over cybersecurity matters, prioritizing the hiring of personnel with cybersecurity backgrounds, re-establishing "CyberStat"-style accountability review sessions and creating a new dashboard for federal agencies to update Congress on progress closing out audit recommendations.

The federal government collectively spends about $90 billion on IT every year, and three out of every four of those dollars go toward maintaining legacy systems. The Trump administration has pushed IT modernization of federal agencies as a major pillar of its President's Management Agenda and its cybersecurity vision.

The high proportion of IT funding that goes toward keeping older government systems alive has frustrated lawmakers in oversight and appropriations hearings, who say they want to see more money dedicated to modernization efforts. Agency IT officials, for their part, often say that keeping old systems online and functional year-round is an expensive and time-consuming endeavor that can consume much of their IT budget, leaving little time and fewer resources to focus on implementing newer technology.