A Congressional report has blasted the US Federal Government for lax cybersecurity that puts sensitive citizen data in danger and violates US law.

The report, from the Committee on Homeland Security and Governmental Affairs, investigated eight agencies: the Departments of Homeland Security (DHS); State; Transportation; Housing and Urban Development (HUD); Agriculture; Health and Human Services (HHS); Education; and the Social Security Administration (SSA). It found a long list of transgressions extending back over a decade. In many cases, the situation was so bad that agencies lacked government certification that their systems were in proper working order (known as 'authority to operate').

The damning report follows the first federal cybersecurity mandate, created under the Federal Information Security Management Act of 2002 (FISMA). The government updated the law in 2014, giving the DHS responsibility for overseeing agency information security policies and practices.

“Given the sustained vulnerabilities identified by numerous Inspectors General, the Subcommittee finds that the federal government has not fully achieved its legislative mandate under FISMA and is failing to implement basic cybersecurity standards necessary to protect America’s sensitive data,” the report said.

Among the most serious concerns were these:

Failure to protect PII. Seven of the eight agencies reviewed didn't protect personally identifiable information. This problem has arisen in nine of the last 11 audits.

Inadequate IT documentation. Five of the agencies didn't keep an accurate list of their IT assets. State, DOT, HUD, HHS, and SSA were repeat offenders.

Poor bug remediation. Six agencies failed to properly mitigate vulnerabilities and patch their software.

Failure to upgrade legacy systems. All eight agencies relied on legacy systems or unsupported applications, which can be hard to maintain. The DHS – which is supposed to monitor and enforce security in other agencies – used unsupported, obsolete operating systems for at least four years, according to its own Inspector General.

No leadership. All eight agencies (and in fact, all 24 major agencies) have failed to give their CIO the authority to implement security policies outlined in Congressional legislation.

There were some embarrassing failings among individual agencies. For example, the DHS developed cybersecurity metrics to hold other agencies accountable, and then failed to comply with them itself. Meanwhile, the State Department's information security program ranked among the worst of the federal agencies during 2018, scoring in the lowest possible category.

The report recommended a range of measures including consolidating security operation centers, giving CIOs the appropriate powers and reporting responsibilities, and the use of ‘cybersecurity recommendation dashboards’ that would show each agency's progress on open cybersecurity recommendations to Congress every six months.