No major incidents, combined with continuing gaps in implementation, paint an improving but still muddy picture of cybersecurity in the federal government.
FISMA Report

Each year, the Office of Management and Budget (OMB) is required to report to Congress on the state of federal cybersecurity, as per the Federal Information Security Modernization Act of 2014 (FISMA). The latest version of the report, for fiscal 2018, is mostly filled with the sort of information common in previous versions — with one big exception: For the first time since “major incident” was defined, not even one was reported.
That’s not to say there were no cybersecurity incidents. In fact, 31,107 were reported in 2018 — but even that number is a 12% decrease from the 35,277 incidents reported in fiscal year 2017.
Kiersten Todt, managing director of the Cyber Readiness Institute, believes investments in government security seem to be paying off. “I do think we have comprehensively, in both government and industry, been more effective in taking a risk management approach to cybersecurity, focusing on prevention when possible and resiliency — defined as minimizing disruption — when an incident does occur,” she says.
As noted, cybersecurity incidents against federal IT continue. The report notes email remains a top attack vector, with 6,930 incidents reported in 2018. These targeted phishing attacks are no surprise to Sean Finnegan, vice president, federal services, at Coalfire. “It is unlikely there has been a reduction in the number of threat actors and more probable the sophistication of attacks has increased, resulting in a smaller volume with the same level of risk,” he says.
The shift may reflect actions of the government as much as changes in criminal priorities. “This could be an indication that the government is improving defense of low-level attacks and threat actors are adapting their tactics to be more focused,” Finnegan explains.
While the report contains individual assessments of incidents at 97 agencies, ranging from the American Battle Monuments Commission to the Department of Homeland Security, the aggregated statistics show the government as a whole has yet to meet the implementation targets established by FISMA. The best results came in privileged network access management, where agencies on average reached 94% of the target goal, and in mobile asset management, where they reached 96% of the goal.