SecurityScorecard, a security risk benchmarking organization, set out to examine what progress U.S. government agencies made in cybersecurity improvements following the Office of Personnel Management data breach last summer. When compared to 17 other industries, including healthcare, transportation and retail, U.S. government fell to the back of the pack.
SecurityScorecard analyzed security at 600 local, state and federal government organizations, each of which has more than 1,000 public-facing IP addresses. Additionally, the report details individual scores for the FBI, IRS and NASA.
Here are seven key things to know from the report.
1. SecurityScorecard noted 35 major data breaches among all government organizations from April 2015 to April 2016.
2. The top three cybersecurity struggles for low-performing government organizations are malware, network security and software patching.
3. NASA was the lowest performing agency out of all 600 government organizations analyzed. The bottom 10 performers include:
• NASA
• Connecticut
• U.S. Department of State
• Pennsylvania
• Maricopa County, Arizona
• Washington
• National Oceanic and Atmospheric Administration
• Missouri
• Indiana
• South Carolina
4. The top 10, with Clark County at the top, performers include:
• Clark County, Nev.
• United States Bureau of Reclamation
• Architect of the Capitol
• Hennepin County Library (Minnetonka, Minn.)
• City of Phoenix
• Central Intelligence Agency
• Federal Trade Commission
• National Science Foundation
• Clerk of Circuit Court, Hillsborough County (Fla.)
• New York State Education Department
5. NASA earned a cybersecurity grade of 'D.' The top threats NASA faces include malware, insecure open ports, SSL certificate issues, a misconfigured email sender policy framework which can lead to email spoofing, and more. Secondary threats include at-risk credentials and vulnerability to high severity common vulnerabilities and exposures.
6. The FBI ranks slightly higher with a 'C' grade. The law enforcement agency's top threats include open ports, various malware signatures, out-of-date browser usage and more. Secondary threats include vulnerability to common vulnerabilities and exposures.
7. From October 2015 to January 2016, the IRS' score hovered between the 'A' and 'B' range, but dropped to a 'C' following a data breach reported in February. Since the breach, its score has climbed, indicating efforts to improve cybersecurity are effective. The IRS worst-performing area is network security. Other threats include open ports and SSL certificate issues.