A bipartisan report released by the U.S. Senate Homeland Security and Governmental Affairs Committee has found that federal agencies continue to suffer shortcomings in their cybersecurity posture.

The report, a follow-up to an investigation and report from two years ago that delved into the cybersecurity posture of eight federal agencies, found that only the Department of Homeland Security had managed to employ an effective cybersecurity regime in that time.

The remaining seven agencies were found to be still lacking. Those agencies are the Departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education and the Social Security Administration.

Of the eight agencies, seven agencies fail to provide adequate protection of personally identifiable information. Five agencies failed to maintain accurate and comprehensive IT asset inventories and six agencies failed to timely install security patches and other vulnerability actions.

All eight agencies – including DHS, were found to use legacy systems or applications that are no longer supported by the vendor with security updates resulting in cyber vulnerabilities for the system or application.

“While several of the agencies made minimal improvements in one or more areas, inspectors general found essentially the same failures for ten years,” the report notes. “Only DHS had an effective cybersecurity program for 2020; every other agency failed to implement an effective cybersecurity program.”

Other concerning findings included the State Department not being able to provide documentation for 60% of sample employees who had access to the agency’s classified network. Further, the department was found to leave thousands of accounts active after an employee had left the agency.

The Department of Transportation found 14,935 IT assets belonging to the department, of which there was no record. At Education, the Inspector General was able to exfiltrate hundreds of PII files, including credit card numbers, without the agency detecting it or blocking it.

The report comes amid increasing cyberattacks against government agencies, notable among them being the SolarWinds hack. According to The Hill, the running total of government agencies known to have been breached is now nine.

The report makes a number of recommendations, among them establishing a central office to establish a national cybersecurity strategy and coordinate cyber policy between agencies.

“This is an unnerving report and should be considered as a call to action,” Doug Britton, chief executive officer of cybersecurity testing firm Haystack Solutions Inc. told SiliconANGLE. “These agencies deal with data that reaches the heart of what helps our country work, regulating transportation, research and social services. It is startling to see how basic cyber protections are still not yet in place as we continue to see significant breaches making headlines.”

Rajiv Pimplaskar, chief research offer at identity platform provider Veridium Ltd. said that “since cybersecurity investment often lags cybercrime, such lapses are not unusual in the federal and commercial sector.”

Noting that the report indicates systems housing user data and PII are especially vulnerable, Pimplaskar explained that “a core vulnerability that needs to be addressed across many environments is the over-reliance on credential or password-based authentication systems.”

“Federal Agencies can and should adopt passwordless authentication utilizing Phone as a token or FIDO2 security keys, ” Pimplaskar added. “Such solutions reduce the attack surface of credentials that can be exploited in a data breach making the environment impervious to such attacks. Further, such solutions also reduce friction enabling a better user experience.”

Photo: Senate Homeland Security and Governmental Affairs Committee