Several U.S. Senators queried Secretary of State Mike Pompeo in a letter earlier this week on why mandated cybersecurity reforms, including the implementation of multifactor authentication (MFA), had not been implemented.

Sens. Cory Gardner, R-Colo.; Ron Wyden, D-Ore.; Ed Markey, D-Mass.; Jeanne Shaheen, D-N.H.; and Rand Paul, R-Ky. expressed their concern over a General Service Administration report indicating that enhanced access controls have been only deployed to 11 percent of required State Department devices, despite passing of The Federal Cybersecurity Enhancement Act which requires MFA for all State accounts with elevated privileges. Additionally, the Senators expressed their dismay that 33 percent of U.S. diplomatic missions failed to conduct any cybersecurity audits or reviews.

“We are sure you will agree on the need to protect American diplomacy from cyberattacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA,” the letter states.

Click the letter for a full view.

The Senators requested the State Department explain what actions it has taken to improve cybersecurity along with a list of any cyberattacks that have taken place against the agency in the last three years.

Elected officials were not the only people upset over the fact a major federal agency has not kept current with its security. Anupam Sahai, Cavirin’s VP of product management, noted the fact that the government issues excellent cybersecurity advice to others makes this failing hard to swallow.

“The U.S. government, through NIST, has done a great job of providing best practice guidance to enterprises via the Cybersecurity Framework and other documents.  However, it is sad that they are not as widely adopted across the different agencies,” he said.

Steve Durbin, managing director of the Information Security Forum, said enabling MFA is essentially a cybersecurity 101 task that any organization dealing in secure information would have implemented. “You would suppose that anyone handling sensitive data would have enabled multi-factor authentication as one of their rudimentary security protocols. It’s imperative that all types of organizations ensure they have robust standard security measures in place. This requires more diligence and organization-wide discipline than simply throwing money at the latest, glorified software solution,” he said.