Federal Cybersecurity Failures in Safeguarding America’s Data

What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. 

A recently published bipartisan report, Federal Cybersecurity: America’s Data ‘Still’ at Risk, shows that two years after an initial cybersecurity investigation, Federal agencies are still not doing enough to safeguard Americans’ personal information.

The initial June 2019 report, titled Federal Cybersecurity: America’s Data at Risk, highlighted systemic failures, identified by the agencies’ inspectors general, of eight key Federal agencies (the Department of Homeland Security; the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration) to comply with Federal cybersecurity standards.

The August 2021 investigation revisits those same eight agencies two years later. It found that seven Federal agencies still have not met the basic cybersecurity standards necessary to protect America’s sensitive data, and only DHS managed to employ an effective cybersecurity regime for 2020.

The report includes the following recommendations:

  1. The Office of Management and Budget (OMB) should develop and require agencies to adopt a risk-based budgeting model for information technology investments.
  2. There should be a centrally coordinated approach for government-wide cybersecurity to ensure accountability.
  3. The Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Quality Services Management Office should expand shared services offerings to federal agencies, including improved, government-wide endpoint detection using primarily commercial off-the-shelf products and services to improve the operational effectiveness of EINSTEIN.
  4. The Department of Homeland Security should provide Congress with a plan to update EINSTEIN and to justify its cost.
  5. The annual Inspector General FISMA Reporting Metrics developed by OMB, DHS, and the Council of the Inspectors General on Integrity and Efficiency should prioritize risk-based metrics that best demonstrate the maturity of an agency’s information security program.
  6. Congress should update the Federal Information Security Modernization Act of 2014.

For more information on topics related to this piece, please see the Homeland Security Digital Library (HSDL) Featured Collection on Cyber Policy or additional documents on Cybersecurity, EINSTEIN and Personally Identifiable Information (PII) housed within the collection.

Please note: HSDL login is required to view some of these resources.