Interesting article that states a number of government agencies have repeatedly failed to adhere to the NIST Cybersecurity framework. Some of these agencies are failing in a spectacular fashion. Some of the agencies pointed out in the article are:
- Department of Homeland Security (DHS)
- Department of State ("State")
- Department of Transportation (DOT)
- Department of Housing and Urban Development (HUD)
- Department of Agriculture (USDA)
- Department of Health and Human Services (HHS)
- Department of Education ("Education")
- Social Security Administration (SSA)
The NIST framework is the playbook that the government wants all its agencies to measure their security readiness against. This framework has been marketed for all corporations public and private to instill good hygiene. The concern I have is that if government agencies are not adopting good security practices that they have laid out how can the government expect corporations to also do so.
The government needs to lead by example or at least have timelines and consequences for its agencies to follow some of its own requirements. If the government takes the journey to secure themselves then the laws and regulations that they write for the private sector will be achievable, realistic and valuable.
"In FY 2018, the Department of Housing and Urban Development’s information security program was ineffective in all five NIST functions."