Re/code on some potential reasons why the United States government sucks at cyber security:

Why aren’t government agencies fixing their flaws? Because no one is requiring them to do so, says Veracode CTO Chris Wysopal. “They don’t fix them because there’s no regulation or compliance rules that require it,” he said in an interview with Re/code.

Additionally, government agencies often work with outside contractors to build their software or to deploy commercial software, Wysopal said. Often when security problems are discovered, government contracts don’t specifically require that the contractor fix the problem.

Government agencies tend to follow what IT pros call a policy-based approach to computer security, where agencies check off a list of requirements set by lawmakers and regulators that they have to follow. Private companies typically do the same thing, but they also add to their mix a risk-based approach. “With a risk-based approach, you look at what you have that attackers might want and what’s in place to stop them,” Wysopal said. “Both approaches are valid, but everyone should do both.”

And sadly, none of this is news in government circles. An April report by the Government Accountability Office found that the number of security incidents at federal agencies grew from 5,500 in 2006 to more than 67,000 last year. And the number of security incidents that involved personal information of either employees or other people rose from about 10,500 to nearly 28,000 in 2014.

Gregory Wilshusen, the GAO’s director for information security issues and the author of that report, says agencies rarely have adequate programs and procedures for testing the security of their software and systems. “When we evaluate these agencies, we often find that their internal testing procedures involve nothing more than interviewing the people involved, and not testing the systems themselves,” he said. “We consistently found that vulnerabilities that we identify as part of our testing and audit procedures are not being found or fixed by the agencies because they have inadequate or incomplete testing procedures.”

There is a lot to digest here, none of which comes as a surprise. The “checkbox approach” to security just does not work. As the article states, a combination of a baseline set of checkboxes and a risk-based approach is what works best. Private industry, and even the electrical industry, are using this approach. Why is it so difficult for the US government to get on board this train?