Digital Guardian's Blog

Report: Still Work To Be Done Safeguarding Federal Agencies

by Chris Brook on Thursday June 27, 2019

Many federal agencies are unprepared to "confront the dynamic cyber threats of today," according to a Senate investigation this week.

A Senate report this week cautioned that the federal sector needs to be doing a better job when it comes to protecting the personal data of Americans.

A report issued Tuesday by the U.S. Senate's Committee on Homeland Security and Governmental Affairs blasted a handful of federal agencies not only for failing to address vulnerabilities in their IT infrastructure but also for failing to comply with basic cybersecurity standards.

For the report, “Federal Cybersecurity: America's Data at Risk,” the Permanent Subcommittee on Investigations reviewed 10 years of Inspector General reports from eight departments and agencies: the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, and Education, and the Social Security Administration.

Seven of the eight agencies it looked at, including the Departments of State, DOT, HUD, and Education and the SSA, failed to properly protect personally identifiable information, or PII.

The Inspector General has gone on record insisting that “an accurate inventory of IT systems, interconnections, and software and hardware assets are critical foundational elements for managing risk.” Five of the eight departments did not maintain an inventory of their IT assets, meaning they would have a hard time knowing what applications are running on their networks.

Six of the eight failed to install security patches, increasing the risk of vulnerabilities being exploited.

Legacy systems, many of which are expensive to maintain and tricky to secure, remain a stumbling block for agencies as well. HUD told the Subcommittee it spends $35 million annually on the maintenance of legacy systems; the USDA said it spends $3.75 million. Other departments, like HHS and the Department of Education, couldn't pinpoint exactly how much they spend on legacy technology.

The report breaks down each department and what sensitive data it is in charge of protecting, then evaluates each department's security program against the five core functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover.

"After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal and sensitive information unsafe and vulnerable to theft," Ohio Republican Sen. Rob Portman, chairman of the Senate Homeland Security Committee's Subcommittee on Investigations, said in a statement. "The federal government can and must do a better job of shoring up our defenses against the rising cybersecurity threats."

As part of the research, the subcommittee affirmed that the government is not fully in compliance with FISMA, the Federal Information Security Management Act, a 2002 law that requires federal agencies to have an information security and protection program in place.

“The longstanding cyber vulnerabilities consistently highlighted by Inspectors General illustrate the federal government’s failure to meet basic cybersecurity standards to protect sensitive data,” the report reads. “The Subcommittee will continue to track federal agency cybersecurity to ensure agencies meet FISMA’s primary legislative objective to secure government information systems.”

Tags: Government

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.