The U.S. State Department and NASA have some work to do, according to a report released Thursday on how federal, state and local government agencies are handling cybersecurity. The various federal departments ranked last for cybersecurity when stacked against the private sector, including retail and healthcare providers.

“Federal agencies may be susceptible to more risk due to the sheer size of their infrastructure, but in many cases, may be prepared to fare better against cybersecurity threats due to larger budgets and teams of security personnel,” the report issued by security risk firm SecurityScorecard found. 

In an effort to determine the strength of security standards, the SecurityScorecard report analyzed security at 600 local, state and federal organizations that each have more than 1,000 public IP addresses. During the survey from April 2015 to April 2016, 35 major data breaches were recorded. Government organizations struggle most with malware infections, network security and software patching cadence, which refers to vulnerabilities within software and hardware used by organizations that can no longer be upgraded for protection.

The report also found NASA susceptible to email spoofing and malware, while several states, including Connecticut, Pennsylvania and Washington, were especially vulnerable.

The findings come as the U.S. government tries to bolster its cybersecurity following the major 2015 breach at the Office of Personnel Management that resulted in the disclosure of more than 21 million people’s data. President Barack Obama has made cybersecurity a key administration focus, requesting that Congress earmark $19 billion in the 2017 fiscal budget, an increase from $5 billion in 2016, Reuters reported.

In an op-ed written for the Wall Street Journal in February, Obama stressed the importance of improving America’s cybersecurity in the face of threats from foreign nations that have targeted the government and private businesses.

“Still, with the nation’s cyber-adversaries getting more sophisticated every day —developing new botnets, spyware, malware and ransomware — we have to be even more nimble and resilient, and stay ahead of these threats,” Obama wrote. “The federal government — which is obligated to protect the information provided to it by the American people — has a unique responsibility to lead.”