Several US federal agencies are unprepared to protect the personal information of everyday Americans should they become the target of a cyberattack, according to a new report from the Senate Homeland Security Committee. The panel found that of the eight federal bodies it reviewed, including the departments of State, Transportation and Education, only the Department of Homeland Security complied with the Federal Information Security Modernization Act (FISMA), an Obama-era law Congress passed to enable the US government to better respond to online threats.
"All agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cybersecurity requirements including encryption of sensitive data, least privilege and multi-factor authentication," the report said.
As The Record points out, one of the more glaring oversights the panel found was that the State Department left thousands of employee accounts on its classified and unclassified networks active even after those individuals had left the agency. In another particularly worrisome example, the Department of Agriculture had vulnerabilities on its websites that it was not even aware of. What's more, at least seven of the eight agencies the panel audited were running outdated and unsupported IT systems, leaving them exposed to attack. "It is clear that the data entrusted to these eight agencies remains at risk," the report said.
"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming," Senator Rob Portman, the panel's top Republican, said on Twitter. "It is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data. I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade — the American people deserve better."
Among other recommendations, the report highlights the need for a single agency to oversee federal cybersecurity. To that end, the panel suggests Congress update FISMA so that it better reflects current cybersecurity practices and establishes the Cybersecurity and Infrastructure Security Agency (CISA) as the federal lead on cybersecurity. It also recommends amending FISMA to require agencies to notify CISA, and in some instances Congress, when they suffer a major incident.