Not a single federal agency received an ‘A’ in a new Senate cybersecurity report card

On Tuesday, members from the US Senate Homeland Security and Governmental Affairs Committee released a bipartisan report [PDF] that states that seven out of the eight federal agencies they reviewed still have not met the basic cybersecurity standards needed to protect the sensitive data they stored and maintained. 

The report was led by US Senators Rob Portman (R-OH) and Gary Peters (D-MI) and is a follow-up to Portman’s bipartisan 2019 report on federal agency cybersecurity, which found that none of the eight agencies met basic cybersecurity standards and protocols to secure the personal identification information of Americans as well as equipment and programs on the agency’s networks. 

The eight departments under the magnifying glass are the Departments of Homeland Security, State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education, and the Social Security Administration. Most of them had made just “minimal improvements” since 2019 and only the Department of Homeland Security was found to have an “effective” cybersecurity system in place in 2020. 

[Related: The Biden Administration just revealed its plan to stop the next Colonial Pipeline hack]

Portman and Peters also included a cybersecurity report card that graded cabinet departments and the largest independent agencies based on ratings from their inspector general, who judged their adherence to information security requirements under the updated 2014 Federal Information Security Modernization Act. The average grade for all the large federal agencies was a C-minus. None of the agencies received an A. 

In general, agencies “consistently failed to implement certain key cybersecurity requirements including encryption of sensitive data, limiting each user’s access to the information and systems needed to perform their job, and multi-factor authentication, or to certify to Congress that the system is nonetheless secure,” the statement outlines. Nearly all agencies used outdated systems or applications, and six agencies failed to install software patches and other security fixes. 

Peters notes that the American Rescue Plan has recently invested more than $1 billion to modernize and secure federal IT and networks, but still, more work needs to be done. 

[Related: How a ransomware attack shut down a major US fuel pipeline]

“From SolarWinds to recent ransomware attacks against critical infrastructure, it’s clear that cyberattacks are going to keep coming and it is unacceptable that our own federal agencies are not doing everything possible to safeguard America’s data,” Senator Portman said in a statement. “This report shows a sustained failure to address cybersecurity vulnerabilities at our federal agencies, a failure that leaves national security and sensitive personal information open to theft and damage by increasingly sophisticated hackers.” 

The December 2020 SolarWinds attack allowed Russian hackers to infiltrate nine federal agencies including DHS, State, Energy, and Treasury. A private cybersecurity firm alerted the government to the attack, and to date, the government is still working to uncover what information was accessed, the report lays out. A similar incident followed in April 2021 when Chinese hackers bypassed the current cybersecurity at multiple federal agencies. And on the private-sector side, when a crucial petroleum transit system run by a company called Colonial Pipeline was hit by a ransomware attack, it created a fuel disruption on the East Coast. That attack and others prompted the Biden Administration to issue a National Security Memorandum that urges critical infrastructure industries to collaborate with the federal government on improving cybersecurity. 

Portman followed by saying that he will be introducing legislation to “address the recommendations raised in this report.”