Agencies dinged for cyber failures
- By Derek B. Johnson
- Jun 28, 2019
Federal agencies are coming under increasing criticism for their inability to remedy known cybersecurity vulnerabilities.
The Government Accountability Office released a report on June 26 that found that as of June 2019, federal agencies had fully implemented 60% of GAO's 1,277 IT management-related recommendations and 78% percent of the 3,058 security-related recommendations made since 2010.
Meanwhile, the Senate Homeland Security and Governmental Affairs Subcommittee on Investigations issued a June 25 report citing agencies' overall failure to keep pace with even basic federal cybersecurity standards.
The subcommittee staff dug through a decade of inspector general reports for eight federal agencies that rated lowest for compliance with the National Institute of Standards and Technology's Cybersecurity Framework in 2017: the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services and Education as well as the Social Security Administration.
Seven of the eight agencies weren't properly protecting personally identifiable information, and six failed to regularly patch their machines and systems. Five agencies (DOT, HUD, HHS, State and SSA) weren't even able to keep an accurate inventory of their own IT assets, opening them up to potential intrusions or cyberattacks from unauthorized devices and users connected to their network, something that contributed to a 2018 data breach at NASA's Jet Propulsion Lab.
Not surprisingly, all eight agencies were also over-reliant on outdated legacy software, and the report indicates that IT modernization could dramatically improve the status quo.
For instance, HUD's Computer Homes Underwriting Management System, which initiates and tracks loan case numbers and associated data, is "so old that lenders are unable to submit loan applications electronically" and must do so by mail. A 21-year-old system used by USDA to allocate and coordinate agency resources to fight wildfires was called out by the U.S. Forest Service for being "on the verge of technical obsolescence." Other agencies reported decades-old systems that still use COBOL and are no longer supported or patched by the original vendor, yet remain in use.
The federal government collectively spends about $90 billion on IT every year, and three out of every four of those dollars goes toward maintenance of legacy systems. The Trump administration has pushed IT modernization of federal agencies as a major pillar of its Presidential Management Agenda and cybersecurity vision.
The high proportion of IT funding that goes toward keeping older government systems alive has frustrated lawmakers in oversight and appropriations hearings who say they want to see more money dedicated to modernization efforts. Agency IT officials for their part often say that keeping old systems online and functional year-round is an expensive and time-consuming endeavor that can eat up much of their IT budget, leaving little time and fewer resources to focus on implementing newer tech.
The subcommittee recommended that Office of Management and Budget force agencies to adopt risk-based budgeting linking IT spending to The Federal Information Security Management Act metrics that can help flag an agency's most glaring cyber weaknesses and examine whether legislation is needed for compliance. Other recommendations include consolidating security operations centers, giving agency CIOs more authority over cybersecurity matters, prioritizing the hiring of personnel with cybersecurity backgrounds, re-establishing stat-based accountability sessions and creating a new dashboard for federal agencies to update Congress on progress closing out audit recommendations.
A longer version of this article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at firstname.lastname@example.org, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.