In its annual Federal Information Security Management Act (FISMA) report to Congress, which the administration made public on Aug. 16, OMB said the number of cyber incidents dropped by 12% as compared to 2017.
That agencies suffered no major cyber incident, which OMB defines as one that affects national or economic security and/or affects more than 100,000 people, and that the overall number of incidents fell, is significant. In the 2017 report, OMB had said the number of attacks reaching the major-incident threshold increased by 14%.
The administration called the progress “encouraging,” but warned that threats and bad actors will continue to go after agency systems and data.
“[E]mail-based threats remain prevalent, with email/phishing continuing to be a highly-targeted attack vector. According to information provided by [the Department of Homeland Security], 6,930 incidents occurring in the past year,” the report states. “Moreover, nearly 27% of all incidents did not have an identified attack vector, which continues to suggest that the government must take additional steps to help agencies identify the sources and vectors of these incidents.”
Some other interesting findings from the 2018 FISMA report:
As of Sept. 26, 2018, DHS reported that, of 102 federal civilian agencies, 70 had implemented all three National Cybersecurity Protection System (NCPS) capabilities, including all 23 Chief Financial Officers Act of 1990 agencies. The three NCPS capabilities are the EINSTEIN capabilities; over the year, 31 more agencies implemented the EINSTEIN 3 Accelerated (E3A) email protection capability and nine more implemented its domain name service (DNS) sinkholing.
All 23 civilian CFO Act agencies now report data in near real time to their respective agency dashboards under phase 1 of the continuous diagnostics and mitigation (CDM) program. The CDM program office also established data exchanges between all 23 civilian CFO Act agency dashboards and the federal dashboard, which the DHS National Cybersecurity and Communications Integration Center (NCCIC) hosts. Additionally, the CDM program office connected almost a dozen non-CFO Act agencies to the CDM shared services platform and worked to onboard more than 40 additional non-CFO Act agencies.
Furthermore, the CDM program office has made phase 3 boundary protection, event management and security lifecycle tools available to 96% of participating agencies through the CDM DEFEND contract.
DHS conducted 61 high value asset (HVA) assessments last year, resulting in 356 findings (221 from system architecture reviews and 135 from risk and vulnerability assessments). “These assessments revealed that the federal government continues to face challenges mitigating basic security vulnerabilities,” the report states.
Both agency cyber budgets and the quality of data about cybersecurity spending improved last year. OMB said that the better its data, the easier it will be to make risk-based decisions. OMB also gave total cyber spending including the Defense Department, which came to more than $14 billion in 2018; last year’s FISMA report provided only federal civilian cyber spending. Civilian agency cyber spending alone increased by $1.3 billion year over year.
“Accordingly, OMB is working to develop reporting structures to capture agency spending and budget information at the cybersecurity capability level,” the report stated. “The reporting structure is aligned against the NIST Cybersecurity Framework as well as the FISMA CIO metrics used to evaluate the degree to which agencies are managing their cybersecurity risk. This allows a common vocabulary and taxonomy as agencies make difficult resourcing decisions. OMB has worked with agencies to integrate these structures into strategic planning and risk management discussions with agency CIOs, CISOs and CFOs.”
The Trump administration requested more than $17 billion for cybersecurity in its fiscal 2020 budget request, including $115 million for CDM.