The biggest information security risk for agencies isn't cyber

(Image: Yuralaits Albert / Shutterstock)

The Office of Management and Budget's latest cyber assessment arrived late last month in the form of its annual report to Congress on agencies' implementation of the Federal Information Security Management Act.

Agencies' cyber defenses showed progress in fiscal 2014 on a number of the administration's Cybersecurity Cross Agency Priority Goals:

  • Information security continuous monitoring increased from 81 percent in FY 2013 to 92 percent in FY 2014 through the implementation of asset, configuration, and vulnerability management tools;
  • Use of strong authentication to connect to agency networks, via personal identity verification (PIV) cards, rose to 72 percent in FY 2014 (up five percentage points from FY 2013);
  • External network traffic passing through either a Trusted Internet Connection (TIC) or a Managed Trusted Internet Protocol Services (MTIPS) provider met the administration's CAP goal of 95 percent in FY 2014; and
  • Implementation of TIC 2.0 capabilities advanced from 87 percent in FY 2013 to 92 percent in FY 2014, meaning that agencies have deployed the common set of security controls that TIC 2.0 defines.

Despite these advances, the number of security incident reports submitted to US-CERT by CFO Act agencies rose from 57,971 in FY 2013 to 67,196 in FY 2014 (up 16 percent).

Of the incidents reported in FY 2014, 25 percent were labeled "non-cyber," 22 percent were attributed to "other" causes (e.g., still under investigation, miscellaneous or unknown) and 17 percent derived from policy violations. Small year-over-year shifts across categories are common, but incidents attributed to "other" causes were the exception this year, increasing 157 percent over FY 2013.

The following chart presents a detailed comparison of each category by year:

[Chart: CFO Act Agency Incidents Reported to US-CERT in FY 2013 & FY 2014, by incident category, FY 2013 vs. FY 2014]

*Other applies to a "separate superset of multiple subcategories [that] has been employed to accommodate several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown."

**Non-Cyber applies to "all reports of PII spillages or possible mishandling of PII which involve hard copies or printed material as opposed to digital records."

About the Author

Jonathan Lutton is an FCW editorial fellow. Connect with him at [email protected]
