The Senate Committee on Homeland Security and Governmental Affairs has identified continued major cybersecurity failings across agencies and is calling for the Federal Information Security Modernization Act (FISMA) to be reformed.
A new report published Tuesday identifies IT security flaws across almost every major U.S. government department, including the failure to secure citizens’ personal and financial data and the inability to keep track of thousands of items of IT equipment.
According to the committee, lawmakers should update FISMA to require federal agencies and contractors to notify the Cybersecurity and Infrastructure Security Agency (CISA) of certain cyber incidents and to amend the definition of “major event” to ensure Congress is notified of breaches quickly.
FISMA was enacted in 2014 to create a requirement that each federal agency develop, document and implement a complete information security plan. It has come under scrutiny following recent hacks, including the SolarWinds attack in late 2020, during which multiple government departments were compromised.
The report recommends also that CISA expand shared offerings to all federal agencies, including enhanced endpoint detection.
Core government departments, including the Social Security Administration, are failing to handle data securely, according to the report.
An audit by the Department of Transportation’s Inspector General found 14,935 IT assets belonging to the department of which it had no record. This included 7,231 mobile devices, 4,824 servers, and 2,880 workstations that were unaccounted for.
The Senate committee’s review highlighted also that many agencies continue to run copies of software on their computer systems that are no longer supported by technology vendors and also flagged the failure of agencies to obtain the required authorities to operate for all of their technology business systems.
The committee’s findings are based on its own analysis, as well as work carried out by the inspectors general of federal agencies during fiscal 2020.
It followed up on an earlier report, issued in 2019, that identified the failure of eight key government agencies to comply with federal cybersecurity standards. According to the latest iteration of the study, seven agencies have made only minimal progress in improving their compliance with the regime, and only one – the Department of Homeland Security – was judged to have employed satisfactory cybersecurity standards during 2020.