"All agencies failed to comply with statutory requirements to certify to Congress they have implemented certain key cybersecurity requirements including encryption of sensitive data, least privilege and multi-factor authentication."
Of most concern, the State Department had left thousands of employee accounts on its classified and unclassified networks active even after those individuals left the agency.
Ryan O'Ramsay Barrett, CEO of ORAM Corporate Advisors, weighed in on this report and what it means for the state of cybersecurity at the government level:
"Unfortunately, it’s not surprising that the report found government agencies are not up to par on their own cybersecurity despite requiring vendors to meet stringent security standards such as the relatively new Cybersecurity Maturity Model Certification (CMMC). Even though the government is attempting to hold everyone else to these high security standards, they are not meeting the requirements themselves. I would imagine with government agencies being so vast and large in stature, they are having difficulty meeting their own requirements. It’s interesting that a recent piece by CPO Magazine states a report from the incident response firm BlueVoyant shows that of 300 small to medium defense contractors, 48 percent had “severe vulnerabilities,” including unsecured ports and data storage. Another 10 percent were found to harbor “critical vulnerabilities” such as evidence of compromised data. Of those vendors surveyed, 28 percent were assessed as being unable to achieve CMMC requirements. If the government expects businesses to achieve such rigorous cybersecurity standards then it should set the example by meeting those standards first and foremost."