Two familiar problems -- old tech and the lack of a qualified cyber workforce -- were blamed for leaving many agencies vulnerable to modern-day hacking groups.
Approximately three out of four federal agencies are at significant risk from cyber attackers, according to a May 2018 report from the Office of Management and Budget.
More specifically, 71 of 96 federal agencies participating in the assessment were found to have cybersecurity programs that were either at risk or at high risk, findings OMB said demonstrate the need for "bold approaches" to improve federal cybersecurity.
Just 25 agencies were reported to be managing risk using recommended tools and policies.
The report is a product of President Donald Trump's 2017 executive order on cybersecurity, which mandated risk assessments for all federal agencies. Two long-familiar problems -- old tech and the lack of a qualified cyber workforce -- were blamed for leaving many agencies vulnerable to modern-day hacking groups, and both weaknesses will be the focus of future reports by the American Technology Council and the Departments of Commerce and Homeland Security.
Beyond those problems, the report found that the nation's cyber enemies have grown steadily more sophisticated and advanced while federal agency defenses and visibility have largely stagnated. Just 40 percent of the agencies examined reported the ability to detect when their data is being exfiltrated. Only a quarter can detect attempts to access large volumes of data on their systems and fewer still actually bother to test those capabilities on an annual basis.
That lack of visibility and timely threat data around the latest tactics and strategies used by malicious cyber attackers have left many IT leaders flying blind. The end result: Of the 30,899 cyber incidents that lead to the compromise of information or system functionality in 2016, agencies couldn't identify the method of attack or attack vector for 11,802.
"Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years," the report states.
Agencies also lack a standardized set of cybersecurity tools – something the government hopes to address through programs like Continuous Diagnostics and Mitigation. CDM is designed to scan federal networks, quickly identify unauthorized users or programs and kick them off. However, the program has been beset by numerous implementation delays over the years. Most agencies are still in Phase 1, which focuses on identifying what's on the network; DHS is hoping that a re-tooled contracting process will help the program better gel with agency needs and priorities.
The OMB report makes four major recommendations: implement the Cyber Threat Framework to improve situational threat awareness, standardize IT and cybersecurity capabilities across the federal government, create more centralized security operations centers within agencies and instill a greater sense of responsibility and accountability around cybersecurity among both IT and non-IT agency leadership.
Editor's note: This article was changed May 30 to remove an mistaken reference to GAO.