


Three US Agencies Get Failing Grades For Not Following IT Best Practices (theregister.com) 19
The Government Accountability Office has issued reports criticizing the Department of Homeland Security, Environmental Protection Agency, and General Services Administration for failing to implement critical IT and cybersecurity recommendations.
DHS leads with 43 unresolved recommendations dating to 2018, including seven priority matters. The EPA has 11 outstanding items, including failures to submit FedRAMP documentation and conduct organization-wide cybersecurity risk assessments. GSA has four pending recommendations.
All three agencies failed to properly log cybersecurity events and conduct required annual IT portfolio reviews. The DHS' HART biometric program remains behind schedule without proper cost accounting or privacy controls, with all nine 2023 recommendations still open.
Re:Bureaucratic Bullshit (Score:5, Insightful)
Please share how your IT organization goes through the process of identifying, correcting, documenting, testing and deploying security protocols and fixed but without having bureaucracy.
Now take all that and have it comply with public recordkeeping laws and procedures as well as government security protocols, which we all want government to "be accountable" right?
Re:Bureaucratic Bullshit (Score:5, Interesting)
I mean DOGE told us we'd see $2T in waste, had a crack team with unprecedented access to all levels of information, personnel, systems, were able to get inside every government organization with every motivation to root it out.
Upon investigation the estimate was downgraded by 50%, then 80%, then 90% to where we just passed a bill that increased the deficit and budget.
Sounds to me the government has been quite efficient and accountable this whole time.
Re: (Score:2)
Please share how your IT organization goes through the process of identifying, correcting, documenting, testing and deploying security protocols and fixed but without having bureaucracy.
Now take all that and have it comply with public recordkeeping laws and procedures as well as government security protocols, which we all want government to "be accountable" right?
Fear will keep the local systems in line, fear of this battle station.
Re: (Score:2)
That "bunch of paperwork" seems irrelevant, until you actually look at it and what it requires. As a part-time IT and IT security auditor, I can attest that an organization with real skill and strategic vision does not need any of that paper. Or rather, they will already have created their own, better version. For all others (>99%), that "paperwork" will assure they have minimal standards in place where they count, because they would never do that by themselves.
So, yes, this is about "actual IT matters".
New hires! (Score:3)
Security? (Score:5, Insightful)
It seems really ironic that the Department of Homeland Security is failing to "implement critical IT and cybersecurity recommendations".
Re: (Score:2)
They only apply standards to others, not to themselves. Sounds familiar, doesn't it?
Colour me shocked (Score:2)
It seems really ironic that the Department of Homeland Security is failing to "implement critical IT and cybersecurity recommendations".
The department of homeland security has long been known as the chief purveyor of insecurity.
Recommendation: bin Microsoft (Score:3)
Suggest the number one recommendation be: bin Microsoft. Close 99% of the holes right there, never mind the licensing evil.
Re: (Score:2)
That would mean stopping to make bad tech decisions. Somehow I do not see that happening.
Don't Worry (Score:3)
The government's AI will totally fix these issues without raising new ones. /s
The big question... (Score:4, Insightful)
Who at GAO is getting the axe for delivering bad news?
Who is surprised by this? (Score:2)
Go to just about any government website, and you'll see 1990's era craftsmanship.
The 2025 audit will never happen (Score:2)
The 2018 report is the least of our data security issues.
DOGE went and hacked back doors into all the systems and then loaded our data into systems where they could play with it. They didn't have to go through any interview process. Some had criminal records.