SecurityScorecard Exposes Government Security Vulnerabilities Across Federal, State and Local Levels
NEW YORK, March 29, 2018 -- SecurityScorecard, the leader in security ratings, today released a new report entitled “2018 Government Cybersecurity Report,” which identifies significant security weaknesses in federal, state, county, and municipal government agencies that leave mission-critical services, such as court systems, municipal utilities, bill payment services, traffic control systems, and voter registration infrastructure, susceptible to cyberattacks.
SecurityScorecard’s research team analyzed and graded the security posture of 655 governmental entities across the country and determined that a significant portion of all assessed entities are performing poorly across key cybersecurity factors.
“The majority of significant high risk issues that were identified within the government sector are related to the public availability of legacy web applications and legacy network services - many with actively exploitable conditions,” said Alex Heid, head of research, SecurityScorecard. “The bureaucratic protocols of government make it difficult to quickly implement the controls needed to respond to the constantly evolving nature of software exploitation. We anticipate that these problems will continue to grow - especially as the availability and rapid adoption of emerging IoT technologies continue to expand the available attack surface area of critical government networks.”
U.S. Swing State Scorecard Snapshot
The report specifically looked at election swing states, where budget for information security resources was supposed to have been provisioned over the last several years. The prominent visibility of swing state governments during election cycles will bring increased attention to their websites and internet resources. Along with the naturally occurring increase in normal users that results from media coverage, there will inevitably be a corresponding increase in malicious users seeking to identify exploitable conditions to leverage in various creative ways.
Further Key Insights:
- Government entities continue to be plagued by, and perform especially poorly in, three risk factors: Endpoint Security, Network Security, and Patching Cadence
- Government employees continue to use multiple outdated browsers and applications, likely because new versions are incompatible with legacy infrastructure that remains in place in many government organizations
- Government agencies (and nearly all industry sectors) still have open access points, misconfigured SSL certificates, and database vulnerabilities that are susceptible to attack
- Government agencies are patching slowly and/or using vulnerable legacy systems and software that cannot be patched
Government entities performed well in DNS Health, Social Engineering, and Application Security risk factors, compared to other industry sectors. The government continues to nurture employee security awareness and maintain good DNS health practices to protect agency information systems. Agency employees generally know not to use work email addresses and credentials for marketing lists, social networks, etc. Government agencies are also rigorously deploying web application firewalls to protect against DDoS attacks and the OWASP Top 10 Most Critical Web Application Security Risks.
Headquartered in the heart of New York City, SecurityScorecard's vision is to create a new language for measuring and communicating security risk. The company was founded in late 2013 by Dr. Aleksandr Yampolskiy and Sam Kassoumeh, two former cybersecurity practitioners who had served, respectively, as Chief Information Security Officer and Head of Security and Compliance. With cloud solutions becoming an increasingly integral part of the security technology stack, Yampolskiy and Kassoumeh recognized the need to address third- and fourth-party risk as well as better understand the security capabilities of their business partners. Since its founding, the company has grown dramatically and now counts hundreds of leading brands as customers. SecurityScorecard is backed by leading venture capital investors including Sequoia Capital, GV, and Nokia Growth Partners among others. For more information, visit securityscorecard.com.