We audited 19 agencies between 2017 and 2019. This report shows more than half of the agencies did not substantially comply with applicable IT security standards and best practices. Agencies struggled with properly scanning and patching their computers. Agencies also had compliance problems because they did not create, maintain, or test incident response plans or continuity of operations plans. Other significant issues included poor security awareness training or failed social engineering tests and inadequate data encryption, back up, or destruction processes. Agencies also had inadequate network boundary protection and were missing account security controls. Additionally, we noted poor access or environmental controls at several data centers. Several agencies also had management, contract, or policy-related weaknesses. We also noted significant security issues within agencies’ specific IT systems. The security findings in this report are similar to those in previous summary reports. The main reasons for compliance problems across the 19 agencies included insufficient top management attention and inadequate resources.