We know that cybersecurity standards in U.S. government agencies have not exactly been up to par, but how bad is it, really?
After serious cyber incidents such as SolarWinds and the Office of Personnel Management (OPM) breach, anyone could answer that question with "not good."
Well, now we have an actual score to give our largest and most important agencies defending America from cyberattacks: a whopping C-minus.
While a C-minus might be a passing grade in school, it is certainly not a passing grade when it comes to defending a nation's critical infrastructure and other sensitive data.
Senators Rob Portman and Gary Peters jointly released a new report, Federal Cybersecurity: America's Data Still at Risk, that looks into eight federal agencies' cybersecurity protocols, seven of which have shown continued failure to comply with baseline cybersecurity requirements.
This comes two years after Portman's 2019 report on federal agency cybersecurity, and the following agencies are still showing "systemic failures" in protecting information:
• The Department of State
• The Department of Transportation
• The Department of Housing and Urban Development
• The Department of Agriculture
• The Department of Health and Human Services
• The Department of Education
• The Social Security Administration
The report also specifically mentions these agencies failed:
"To protect personally identifiable information adequately, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations to operate for information systems, to install security patches quickly, and to retire legacy technology no longer supported by the vendor."
With all of this in mind, the report includes a cybersecurity report card for all cabinet departments and the largest independent agencies, where the overall average grade was a C-minus.
Senators Portman and Peters, who are the Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, expressed their concerns and urged everyone in government to listen.
Here is what Senator Portman had to say:
"From SolarWinds to recent ransomware attacks against critical infrastructure, it's clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America's data.
This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.
I am concerned that many of these vulnerabilities have been outstanding for the better part of a decade—the American people deserve better. In the coming months, I will be introducing legislation to address the recommendations raised in this report so that America's data is protected."
He also makes clear the Biden Administration must ensure there is a single point of accountability for federal cybersecurity to address these failures.
Here is what Senator Peters said:
"Shortcomings in federal cybersecurity allow cybercriminals to access Americans' personal information, which not only compromises our national security—but risks the livelihoods of people in Michigan and across the country. This report has identified an urgent need to further strengthen cybersecurity defenses at federal agencies and protect this sensitive data."
The report reviews, agency by agency, the specific ways each failed to meet the baseline cybersecurity requirements, and provides overall key findings.
Looking forward, it also provides a list of recommendations for these agencies, which can serve as recommendations for private businesses as well.
Here are six recommendations from the cybersecurity report:
For more information on cybersecurity in the U.S. government, read the full report.