But ongoing efforts to upgrade these systems tend to get bogged down by budget restrictions, chronic talent shortages and a revolving door of agency information-technology leaders.
As a result, some of the vulnerabilities listed in the directive, issued by the Biden Administration Wednesday, date back years in older versions of software from Microsoft Corp. and other large technology firms. Agencies that haven’t continually upgraded these and other apps may lack protections needed to ward off the kinds of organized, sophisticated and widespread attacks that have crippled public- and private-sector systems in recent years.
Michael Kratsios, managing director and head of strategy at data-management startup Scale AI Inc. and former federal chief technology officer in the Trump administration, said years of neglect have made a number of agencies ready targets for hackers. Over that time, he said, cybersecurity has become inextricably linked to federal information-technology modernization efforts. “No longer can the two be seen as separate initiatives,” Mr. Kratsios said.
The directive, which applies to all executive-branch departments and agencies, except for the Defense Department, the Central Intelligence Agency and the Office of the Director of National Intelligence, lists some 290 known security flaws identified by cybersecurity professionals.
It describes the flaws as carrying “significant risk to the federal enterprise.”
While many vulnerabilities listed were identified this year, it was interesting that some date back several years, including some vulnerabilities with Microsoft Office, said Chronis Kapalidis, principal at the U.K.-based Information Security Forum, a security and risk-management firm whose clients include corporations and government agencies.
“You would expect that most organizations have already tackled that,” he said.
The deadline for addressing the more serious vulnerabilities is Nov. 17, 2021, and the deadline for the less serious ones is May 3, 2022, according to the directive.
Given that some of these vulnerabilities were identified years ago, Mr. Kapalidis said he was surprised that a number of resolution due dates are six months away.
The Government Accountability Office’s IT and cybersecurity unit estimates that software being used across the federal government is about seven years old, on average, including a 35-year-old Transportation Department system that holds sensitive aircraft information and a nearly 50-year-old system used by the Education Department to store student-loan data.
Older systems mean many agencies operate with overly complicated IT infrastructure that is expensive and difficult to protect, in some cases relying on manual processes, said Adelaide O’Brien, research director at research firm International Data Corp.’s Government Insights unit.
The Office of Management and Budget, which includes the federal chief information officer, acknowledges that legacy systems create myriad challenges for agencies, including additional cybersecurity risks, an agency spokesperson said.
While the directive covers a broad range of vulnerabilities, the spokesperson said, “when dealing with fragile legacy infrastructure that supports mission-critical operations, deploying patches can be a complicated endeavor.”
Under the Federal Information Security Management Act, enacted in 2002, federal agencies are already required to meet a set of information-security standards, said Daniel Castro, vice president of the Information Technology and Innovation Foundation, a Washington, D.C., think tank.
“It’s a bit shocking that this is even a directive,” Mr. Castro said about Wednesday’s announcement. “It’s literally telling the federal government’s cybersecurity staff that they should patch IT systems with known vulnerabilities,” he said. “Of course they should.”
Instead of new policies, he added, federal officials should create measures to gauge agency compliance with existing rules, while accelerating efforts to update legacy systems across the government. “Newer systems tend to have more features that allow for remote management, and many cloud-based systems do not rely on users to manually deploy patches,” Mr. Castro said.
Jonathan Alboum, principal digital strategist for the federal government at enterprise-software company ServiceNow Inc., said that despite obstacles, federal agencies are making “valiant strides” in upgrading outdated systems. Some are leveraging the four-year-old Modernizing Government Technology Act, which allows federal agencies to reprogram unused IT budget allocations to fund future modernization projects, Mr. Alboum said.
The Biden administration’s new directive will “likely serve as a forcing function that empowers more federal agencies to modernize their IT infrastructure and ultimately improve their cybersecurity posture,” Mr. Alboum said.
Sen. Maggie Hassan (D., N.H.), chair of the Senate Subcommittee on Emerging Threats and Spending Oversight, said she is encouraged by the White House directive, calling cybersecurity a “new frontier in warfare.”
“We also know that there is still more work to do,” Ms. Hassan said.