January 20, 2022

State of Federal Cybersecurity


KEY TAKEAWAYS

  • The Federal Information Security Modernization Act requires federal agencies to have specific cybersecurity plans, periodically review their controls, and report major data breaches to Congress.
  • Most federal agencies are still not doing a very good job implementing the law, even though it has been in place since 2002.
  • A review six months after President Biden’s May cybersecurity executive order found that only 19 of 46 tasks mandated had been completed.

Cybersecurity continues to be one of our most urgent national security issues. Federal agencies are key targets for cybersecurity attacks from foreign countries, cyberterrorists, and cybercriminals.

FISMA failures

The Federal Information Security Modernization Act is the primary cybersecurity law governing federal agencies. FISMA requires federal agencies to have specific cybersecurity plans in place, periodically review their controls, and report major data breaches to Congress as they occur and as part of annual reports. FISMA also requires agency inspectors general or an independent external auditor to conduct annual evaluations to determine the effectiveness of the agency’s information security programs. A recent Government Accountability Office report found agency IGs reported ineffective FISMA programs at 16 of 23 civilian agencies.

FISMA was last updated in 2014. Senator Rob Portman has introduced bipartisan legislation, along with Senator Gary Peters, to update and modernize FISMA. Their bill would clarify the roles of the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, and the national cyber director in federal cybersecurity. It requires agencies to report major cybersecurity incidents to OMB, CISA, and Congress and to notify people when their information is compromised. It also requires federal agencies to institute penetration testing of networks. The Homeland Security and Governmental Affairs Committee advanced the bill last October.

Since 2018, the House Committee on Oversight and Reform has issued a bipartisan, biannual scorecard that includes letter grades for federal agencies’ implementation of FISMA, based on data analyzed by GAO. Agencies have improved somewhat over the years, but most still earned C or D grades on the most recent scorecard.


Cybersecurity executive order

In the wake of the SolarWinds attack and the Colonial Pipeline ransomware attack, President Biden issued an executive order last May directing federal agencies to take a variety of steps, by specific dates, to increase their cybersecurity. For example, agencies had 180 days to implement multi-factor authentication and encryption technologies.

The order mandates 46 actions different agencies are to take, including removing barriers to sharing threat information with private sector IT service providers, transitioning to the cloud, improving supply chain security, and moving to a “zero-trust” security posture and architecture. An industry report in November, six months after the initial order, found that only 19 of 46 tasks had been completed.

An HSGAC staff report released by Senators Portman and Peters last August found seven of eight federal agencies the committee had examined in a 2019 report “still have not met the basic cybersecurity standards necessary to protect America’s sensitive data.” Agencies continue to fail basic cybersecurity best practices. The State Department left thousands of accounts active, for both classified and unclassified networks, after employees left the department; the IG was able to exfiltrate hundreds of sensitive files from the Education Department without the department detecting or blocking it; and seven of the eight agencies still operated unsupported “legacy” IT systems, which lack modern cybersecurity tools.
