U.S. federal, state, and local government agencies rank in last place in cybersecurity when compared against 17 major private industries, including transportation, retail and healthcare, according to a new report released Thursday.
The analysis, from venture-backed security risk benchmarking startup SecurityScorecard, measured the relative security health of government and industries across 10 categories, including vulnerability to malware infections, exposure rates of passwords and susceptibility to social engineering, such as an employee using corporate account information on a public social network.
Educations, telecommunications and pharmaceutical industries also ranked low, the report found. Information services, construction, food, and technology were among the top performers.
Government agencies have struggled for years to keep pace with malicious hackers and insider threats, a challenge that came into focus after it was disclosed last year that more than 21 million individuals had their sensitive data pilfered during a breach at the Office of Personnel Management.
Get Data Sheet, Fortune’s technology newsletter.
SecurityScorecard said it tracked 35 major data breaches across government from April 2015 to April 2016.
President Barack Obama has made improving cyber defenses a top priority of his remaining year in office. His administration asked Congress to dedicate $19 billion to cybersecurity in its fiscal 2017 budget proposal, which would include $3.1 billion for technology modernization at various federal agencies.
Federal agencies scored most poorly on network security, software patching flaws, and malware, according to SecurityScorecard, which said they may be more vulnerable to risk due to their large size.
Of the 600 government entities tracked, NASA performed the worst, the report found. The space exploration agency was vulnerable to email spoofing and malware intrusions, among other weaknesses, according to SecurityScorecard’s analysis.
Other low-performing government organizations included the U.S. Department of State and the information technology systems used by Connecticut, Pennsylvania, Washington, and Maricopa County, Arizona.
Government organizations with the strongest security postures included Clark County, Nevada, the U.S. Bureau of Reclamation, and the Hennepin County Library in Minnesota.
