The federal government as a whole continues to make solid strides in improving cybersecurity management and meeting goals set out by the White House, according to the latest annual Federal Information Security Management Act (FISMA) report to Congress.
That is a result of improved risk management, the report says, as 73 federal agencies now meet the highest rating of “managing risks” in their CIO-assessed FISMA posture. That’s up from 62 agencies the year prior and 33 in 2017.
“This FISMA report reflects improvements in areas of focus under the President’s Management Agenda and Federal Agency elements of the National Cybersecurity Strategy,” Federal CIO Suzette Kent said in a statement. “It shows Agencies are making significant progress in managing risk and also highlights that focused efforts to secure government mobile devices have been especially important in today’s expanded telework environment.”
The progress comes at a time when attacks on agencies continue to trend upward. Senior administration officials told FedScoop they believe agencies are getting better at detecting and defending against adversaries. Phishing incidents, for instance, are down by more than a third. On the other hand, incidents due to violation of usage policies are trending in the wrong direction, up by about a third governmentwide.
“We certainly believe that the added due diligence and the added depth that everyone has taken in our ability to patch critical vulnerabilities, significant vulnerabilities have led to that decrease in the number of overall incidents that we’ve seen,” senior administration officials told FedScoop on background.
Agencies’ abilities to meet those marks come from a combination of investments made by the agencies themselves and those made by OMB at the policy level, the officials said. Cybersecurity and Infrastructure Security Agency-led efforts like the Continuous Diagnostics and Mitigation program, the Einstein system and the National Cybersecurity Protection System have helped tremendously, officials said, as have recently updated policies around high-value assets, Trusted Internet Connections (TIC), and identity, credential and access management, which CISA also helps amplify with supplementary guidance. Other efforts include bug bounty programs in military and civilian agencies.
The more agencies take advantage of these investments in tools and policy, the more they pay off, the administration officials said. “Most incidents that you will look at from a cyber standpoint, there was a policy and technical solution already published that would have prevented the incident. It is more often that the incident goes through a known vulnerability versus a new vulnerability.”
Of the 28,581 incidents reported in fiscal 2019, just three were considered “major” as they resulted in the mishandling of personally identifiable information (PII). They all occurred within Department of Homeland Security agencies and were considered to have a low, minimal or negligible impact. One incident at the Federal Emergency Management Agency resulted in the unnecessary sharing of PII with a contractor that impacted 2.5 million hurricane survivors.
Though the reporting comes from a pre-coronavirus environment in fiscal 2019, the trends detailed within reflect cybersecurity management efforts that will continue to be key whether federal personnel are working in a federal office or remotely during social distancing, the officials said. For instance, the Office of Management and Budget issued a directive for CFO Act agencies to develop capabilities to wipe mobile devices remotely if they are lost or stolen. Twenty-two of those agencies met the directive.
“Those things have proven especially valuable in the situation that we’re in right now. It was good foresight and we are happy with the progress that agencies made,” a senior administration official said. “Cyber is an ever-changing field of battle and the fact that we’re able to decrease the total number of incidents is reflective of a significant increase in tools, tactics and all those types of things. And some of those learnings and lessons about communication, quality of information, whether it’s rapidly patching or just rapidly acting period on the things that we’ve seen have also been important in this COVID situation.”