The program also tests employees with social engineering to get an idea of how they'd react to phishing attempts. There's a ful report to go along with this too. Perhaps most damning? Over half of the weak spots discovered were either high or critical in terms of their severity. Ouch. But, 99 percent of federal Heartbleed vulnerabilities were cleared up in three weeks. There are plenty more facts like those in the National Cybersecurity Assessment and Technical Services 2014 report (PDF). And of course if you want pretty deep analysis on the whole situation, make sure to read Krebs' take.