WASHINGTON (Reuters) - U.S. federal, state and local government agencies rank in last place in cyber security when compared against 17 major private industries, including transportation, retail and healthcare, according to a new report released Thursday.

An analyst looks at code in the malware lab of a cyber security defense lab at the Idaho National Laboratory in Idaho Falls, Idaho September 29, 2011. REUTERS/Jim Urquhart

The analysis, from venture-backed security risk benchmarking startup SecurityScorecard, measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.

Educations, telecommunications and pharmaceutical industries also ranked low, the report found. Information services, construction, food and technology were among the top performers.

Government agencies have struggled for years to keep pace with malicious hackers and insider threats, a challenge that came into focus after it was disclosed last year that more than 21 million individuals had their sensitive data pilfered during a breach at the Office of Personnel Management.

SecurityScorecard said it tracked 35 major data breaches across government from April 2015 to April 2016.

President Barack Obama has made improving cyber defenses a top priority of his remaining year in office. His administration asked Congress to dedicate $19 billion to cyber security in its fiscal 2017 budget proposal, which would include $3.1 billion for technology modernization at various federal agencies.

Federal agencies scored most poorly on network security, software patching flaws and malware, according to SecurityScorecard, which said they may be more vulnerable to risk due to their large size.

Of the 600 government entities tracked, NASA performed the worst, the report found. The space exploration agency was vulnerable to email spoofing and malware intrusions, among other weaknesses, according to SecurityScorecard’s analysis.

Other low-performing government organizations included the U.S. Department of State and the information technology systems used by Connecticut, Pennsylvania, Washington and Maricopa County, Arizona.

Government organizations with the strongest security postures included Clark County, Nevada, the U.S. Bureau of Reclamation, and the Hennepin County Library in Minnesota.

For more on the report: here