The Office of Management and Budget cautioned, however, against drawing conclusions, given agencies' shifting reporting guidelines.

Until individual agencies like the Department of Energy and Department of the Treasury see success quantifying risk, the practice won't likely be mandated.

As of fiscal 2018, "many federal agencies were often not adequately or effectively implementing their information security policies and practices" under the Federal Information Security Modernization Act.

The Section 809 Panel argues in a new report that Congress should exempt DOD from the Clinger-Cohen Act provisions under Title 40 of the U.S. code.

That's a substantial increase since last year.

The latest iteration of the so-called FITARA shows an upward trend for agencies, due in large part to improvements in software licensing.