Federal Cybersecurity – America’s Data Still at Risk

In June 2019, the Permanent Subcommittee on Investigations (Subcommittee) issued a bipartisan report titled: Federal Cybersecurity: America’s Data at Risk (2019 Report.) The report highlighted systemic failures of eight key Federal agencies to comply with Federal cybersecurity standards identified by agencies’ inspectors general. The report documented how none of these eight agencies met basic cybersecurity standards and protocols, including properly protecting Americans’ personally identifiable information (PII); maintaining a list of the equipment and programs on agency networks; and promptly installing security patches to remediate vulnerabilities that hackers could exploit. The report also highlighted that all eight agencies were operating legacy computer systems, which are costly to maintain and difficult to secure. Based on those findings, the Subcommittee determined that these eight Federal agencies were failing to protect the sensitive data they stored and maintained.

This report revisits those same eight agencies two years later. What this report finds is stark. Inspectors general identified many of the same issues that have plagued Federal agencies for more than a decade. Seven agencies made minimal improvements, and only DHS managed to employ an effective cybersecurity regime for 2020. As such, this report finds that these seven Federal agencies still  have not met the basic cybersecurity standards necessary to protect America’s sensitive data.