A Senate subcommittee recommended that the Office of Management and Budget help federal agencies optimize IT spending to increase cybersecurity.

The Senate Homeland Security Committee’s permanent subcommittee on investigations released a June 25 report, titled “Federal Cybersecurity: America’s Data at Risk,” that details the deficiencies of the seven agencies with the lowest cybersecurity practices ratings in fiscal year 2017, as well as the Department of Homeland Security, which is responsible for setting directives to implement cybersecurity measures in other agencies.

Federal cybersecurity is a perennial concern of the federal government and has appeared on the Government Accountability Office’s high-risk list every year since 1997. In 2017 alone, federal agencies reported 35,277 cyber incidents.

The subcommittee recommended that the Office of Management and Budget assist agencies in their spending decisions and expand the role of each agency’s chief information officer. The OMB has a risk-based budgeting model that would allow agencies to identify security risks that are most likely to be exploited and spend their IT budgets accordingly, the report said.

In August 2018, the Government Accountability Office found that none of the 24 major federal agencies had fully implemented the position of CIO as Congress had wanted. The subcommittee recommended expanding the scope of those offices by ensuring that CIOs are able to make agencywide decisions on cybersecurity.

The subcommittee also recommended that federal agencies consolidate their cybersecurity efforts into security operations centers, specialized facilities for information security teams.

The report compiles the findings of yearly audits by the inspector general belonging to each agency. Over the past decade, inspectors general noted failures by many of these agencies to protect personally identifiable information, maintain a comprehensive list of information technology assets, remediate cyber vulnerabilities, ensure authority to operate or replace legacy systems.

Federal agencies are responsible for a plethora of personally identifiable information such as taxpayer records, medical records, Social Security numbers and much more and seven of the eight agencies studies failed to adequately protect it, the report said. In one of the largest breaches of government information, a hacker stole 22 million security clearance files, which included personally identifiable information on workers eligible to access classified information.

Among the problems listed, all eight agencies studied failed to remediate vulnerabilities, according to the report. In addition, all eight agencies studied used legacy systems, such as Windows XP and Windows 2003, the report said. These legacy systems are more difficult and more expensive to secure than their modern counterparts.