Cybersecurity

The biggest information security risk for agencies isn't cyber

Shutterstock image (by YURALAITS ALBERT): business financial report.

(Image: Yuralaits Albert / Shutterstock)

The Office of Management and Budget's latest cyber assessment arrived late last month in the form of its annual report to Congress on agencies' implementation of the Federal Information Security Management Act.

Agencies' cyber defenses showed progress in fiscal 2014 on a number of the administration's Cybersecurity Cross Agency Priority Goals:

  • Information security continuous monitoring increased from 81 percent in FY 2013 to 92 percent in FY 2014 through the implementation of asset, configuration, and vulnerability management tools;
  • Use of strong authentication to securely connect to agency networks via personal identification verification cards has increased to 72 percent in FY 2014 (up five percent over FY 2013);
  • External network traffic passing through either a TIC or managed trusted internet protocol services provider met the Administration's CAP goal of 95 percent in FY 2014; and
  • Implementation of TIC 2.0 capabilities advanced from 87 percent in FY 2013 to 92 percent in FY 2014, entailing that agencies have deployed common cybersecurity controls.

Despite the advancements, the number of security reports submitted to US-CERT by CFO Act agencies increased from 57,971 to 67,196 documented incidents in FY 2014 (up 16 percent over FY 2013).

Of the incidents reported in FY 2014, 25 percent were labeled as "non-cyber," 22 percent were the result of "other" causes (e.g. currently under investigation, miscellaneous and unknown) and 17 percent derived from policy violations. While slight reductions or increases across categories are common, security incidents resulting from "other" causes were the exception this year and increased 157 percent in FY 2014.

The following chart presents a detailed comparison of each category by year:

CFO Act Agency Incidents Reported to US-CERT in FY 2013 & FY 2014

- FY 2013 - FY 2014


*Other applies to a "separate superset of multiple subcategories [that] has been employed to accommodate several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown."

**Non-Cyber applies to "all reports of PII spillages or possible mishandling of PII which involve hard copies or printed material as opposed to digital records."

About the Author

Jonathan Lutton is an FCW editorial fellow. Connect with him at jlutton@fcw.com

Featured

  • IT Modernization
    Eisenhower Executive Office Building (Image: Wikimedia Commons)

    OMB's user guide to the MGT Act

    The Office of Management and Budget is working on a rules-of-the-road document to cover how agencies can seek and use funds under the MGT Act.

  • global network (Pushish Images/Shutterstock.com)

    As others see us -- a few surprises

    A recent dinner with civil servants from Asia delivered some interesting insights, Steve Kelman writes.

  • FCW Perspectives
    cloud (Singkham/Shutterstock.com)

    A smarter approach to cloud

    Advances in cloud technology are shifting the focus toward choosing the right tool for the job and crafting solutions that truly modernize systems.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.