Federal agencies reported 77,183 cyber incidents in fiscal year 2015, marking another year that cyber incidents in the federal government have grown by at least 10 percent, according to a new Federal Information Security Management Act compliance report from the Office of Management and Budget.
Those 77,183 total reported incidents are up from 69,851 in fiscal 2014 and 60,753 in fiscal 2013, according to the report published March 18. The data comes from the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, to which agencies are required to report cyber incidents.
“The increasing number and impact of these incidents demonstrate that continuously confronting cyber threats must remain a strategic priority,” states the report, which follows a number of others over the past decade that have shown a 1,000-percent increase in federal cybersecurity incidents.
More than a third of the incidents CFO Act agencies reported for fiscal 2015 were categorized as “Other” — “a separate superset of multiple subcategories … employed to accommodate several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown.” That’s an increase of 77 percent from the prior fiscal year, OMB reported. “Approximately 59% of ‘Other’ incidents fall within the attempted access subcategory due to the high volume of scans and probes,” the report reads.
The second most reported category with 12,217, or 16 percent, of reported incidents incidents in fiscal 2015 was “Non-Cyber,” “which includes incidents involving the mishandling of sensitive information without a cybersecurity component, such as the loss of hard copy [personally identifiable information] records.” That was closely followed by “Policy Violations,” which saw 10,408 reported incidents, or 14 percent of total incidents reported — making a total of 30 percent unrelated to any possible cyber-intrusion.
Small, non-CFO Act agencies only comprised 2,096 of the total incidents, the report says.
In fiscal 2015, federal inspectors general for the first time attempted to address criticism that FISMA measures are static, implementing a new maturity model to track agencies’ progress with information security continuous monitoring, or ISCM, capabilities. Overwhelmingly, IGs reported to OMB, federal agencies are very immature in their adoption of continuous monitoring, with 21 of 24 CFO Act agencies implementing only low-level ISCM maturity, most of which do so at a rudimentary, “ad-hoc” level — “performed in a reactive manner.”
Just one agency — the General Services Administration — scored favorably on its overall cyber assessment with a score of 91 percent. The average score was a 68 percent, down 8 percent from the year prior.
Since the Office of Personnel Management breaches in late 2014, however, things are improving in some aspects for federal cybersecurity — particularly those issues the administration set its crosshairs on with last year’s “cyber sprint.”
U.S. CIO Tony Scott focused the administration’s efforts in the wake of the breaches on strong authentication and increased agency use of personal identification verification cards, which OMB reported increased considerably in fiscal 2015.
“As of November 16, 2015, Federal civilian agencies had further increased their use of PIV to 81% – an increase of nearly 40% in less than a year,” the report reads.
With that, the percentage of incidents that could have been prevented by the use of PIV cards was down again in fiscal 2015, at 44 percent compared to 52 percent the year prior, according to OMB.
The report touts this progress made in fiscal 2015, much of which arguably came as a result of the response after the OPM hacks were announced. The authors expect progress to continue, based on the measures called for in February’s Cybersecurity National Action Plan and the $19 billion provision for cyber improvements in the president’s fiscal 2017 budget request.
Still OMB understands there’s a lot of work left to be done.
“While this progress is encouraging, additional work remains to improve the defense of Federal systems, networks, and data from persistent threats and increasingly sophisticated malicious activity,” the report says.
Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.