The Office of Inspector General (OIG) has released its “Evaluation of DHS' Information Security Program for Fiscal Year 2017” (pdf). In short, the Department of Homeland Security (DHS) is running outdated software, has unpatched critical vulnerabilities — including the flaw to allow WannaCry ransomware — and some workstation security patches haven’t been deployed for years.
When President Trump issued an executive order in May 2017 about strengthening the cybersecurity of federal networks and critical infrastructure, each federal agency was required to use the NIST Cybersecurity Framework to manage cybersecurity risk.