IT infrastructure vulnerabilities at the Department of Health and Human Services, the Department of Housing and Urban Development, the Social Security Administration and five other government agencies have put the personal information of Americans at risk of identity theft, according to a new bipartisan report from the Senate Permanent Subcommittee on Investigations.
The cybersecurity failures have extended over the past two administrations, according to the report, published Tuesday by Sens. Rob Portman (R-OH) and Tom Carper (D-DE), the chairman and ranking member, respectively, of the subcommittee, which is a part of the Committee on Homeland Security and Governmental Affairs.
In 2017 alone, federal agencies reported 35,277 cyber incidents, Portman said.
“After a decade of negligence, our federal agencies have failed at implementing basic cybersecurity practices, leaving classified, personal, and sensitive information unsafe and vulnerable to theft,” he said. “The federal government can, and must, do a better job of shoring up our defenses against the rising cybersecurity threats.”
The subcommittee spent 10 months reviewing 10 years of inspectors general reports on compliance with federal information security standards for the aforementioned agencies as well as the Homeland Security, State, Transportation, Education and Agriculture departments. All but Homeland Security had been cited by the White House Office of Management and Budget as rating the lowest with regard to cybersecurity practices.
“While some federal agencies appear to have made progress in recent years, this report makes it clear that there is still much work to be done,” Carper said.
Among the report’s key findings:
- All eight agencies use legacy computer systems or applications that are no longer supported by the vendor with security updates, leaving the system or application exposed to known vulnerabilities.
- The Department of Health and Human Services had long-standing cybersecurity weaknesses, including some identified almost a decade ago.
- The Social Security Administration had persistent cybersecurity issues, risking the exposure of the personal information of 60 million Americans who receive Social Security benefits.
- Seven of the eight federal agencies did not adequately protect personally identifiable information.
- Six agencies did not install security patches and other vulnerability remediation actions in a timely manner.
- Five agencies did not maintain accurate and comprehensive IT asset inventories.
Among the recommendations made in the report are that federal agencies fill chief information officer vacancies and other IT positions critical to their cybersecurity efforts; that the OMB consider re-establishing regular in-person reviews with agency leadership to focus on cybersecurity issues; and that all federal agencies include progress reports on cybersecurity audit remediation in their annual budget justification submissions to Congress.