The for nonclassified data at civilian agencies, released July 31, leave many federal IT systems out of the highest security requirements, the Cyber Secure Institute said. Federal systems rated as low- or moderate-impact targets would have security controls not designed to stand up to skilled and well-funded hackers, the group said in a critique published this week.

"So called high-end threats are now the norm not the exception," CSI said in . "Federal and private sector IT professionals increasingly report that the attacks they confront on a regular basis are from highly skilled, highly motivated and well-resourced actors -- ranging from the Russian mob, to the Chinese military, to organized cyber-criminals."

The problem is that many sensitive federal systems would fall into the moderate-impact category, including systems containing information related to "extremely sensitive" investigations at federal law enforcement agencies, said Rob Housman, acting executive director at CSI. Electronic health data also would appear to fall into the moderate-impact category, he said.

"If an IRS [Internal Revenue Service] investigation isn't the sort of thing that you want to have a higher degree of protection against a sophisticated attacker, I don't know what is," said Housman, who served as assistant director for strategic planning in the White House Drug Czar's Office and who teaches counter-terrorism and homeland security classes at the University of Maryland. "In almost all my conversations with both public- and private-sector CIOs, CISOs and others, what they're telling that they see is ... sophisticated hackers."

The NIST recommendations require low- and moderate-impact systems to be secure only against unsophisticated threat, or "the proverbial teenager vanity hacker hacking away in the basement," the CSI report said.