"That's not the way things work in government." This is the catch all excuse for not doing what needs to be done in the government. The Federal Government has had issues with cybersecurity for years. Recent news indicates that the outlook for the Federal government is not progressing. Having worked for the Federal Government and other government agencies, I think they are their own worst enemies. The bureaucracy created to secure systems has replace the intent and purpose. Security has not been systematized and is still viewed as an annoyance. Mainly from a miss application of NIST's Risk Management Framework. There is a resistance for line of business managers or business unit managers to be the Authorizing Officials. Instead it is viewed as too technical and handed off to the CIO or abrogated to some other department. IT supports a department and that department has a mission. IT cannot and should never make risk decisions for anther department. Only the department in question is fully aware it's mission and what it will take to accomplish that mission.
I also don't see any repercussions for failing. Equifax has a breach and 3 C-level executives "retire" early. The SEC has a breach and the Chairman is still in place.
Until responsibility and accountability are added to the equation, plan to see the Fed on the wrong side of the news when it comes to cybersecurity. We need cybersecurity leadership from the government.
Federal Times, "Government Among Most Targeted for Web Application Attacks," 18 SEP 2017: https://www.federaltimes.com/civilian/2017/09/18/report-government-among-most-targeted-for-web-application-attacks/
ISMG, "Inspector General: IRS's Aging IT Puts Taxpayer Data at Risk, IRS Pegs Replacement Costs at $430 Million," by Eric Chabrow, 20 SEP 2017: https://www.govinfosecurity.com/inspector-general-irss-aging-puts-taxpayer-data-at-risk-a-10312
NextGov.com, "Soon, DHS Will Have Eyes on Computer Vulnerabilities Across the Government," by Joseph Mark, 29 SEP 2017: http://www.nextgov.com/cybersecurity/2017/09/soon-dhs-will-have-eyes-computer-vulnerabilities-across-government/141408/
ISMG, "GAO: 24 Agencies Still Struggle With IT Security Weaknesses, HHS, NASA, OPM, IRS Among Agencies Criticized." by Marianne Kolbasuk McGee, 4 OCT 2017: https://www.govinfosecurity.com/gao-24-agencies-still-struggle-security-weaknesses-a-10358
Reuters, "U.S. Financial Regulator Must Beef Up Cyber Security: Inspector," by Lisa Lambert, 4 OCT 2017: http://www.reuters.com/article/us-usa-consumers-cyber/u-s-financial-regulator-must-beef-up-cyber-security-inspector-idUSKBN1C92X5
ISMG, "HHS's New 5-Year Strategic Plan Includes Cyber Goals, Objectives in Draft Include Ensuring Data Privacy, Integrity," by Marianne Kolbasuk McGee, 5 OCT 2017: https://www.govinfosecurity.com/hhss-new-5-year-strategic-plan-includes-cyber-goals-a-10360