Cybersecurity

The biggest information security risk for agencies isn't cyber

Shutterstock image (by YURALAITS ALBERT): business financial report.

(Image: Yuralaits Albert / Shutterstock)

The Office of Management and Budget's latest cyber assessment arrived late last month in the form of its annual report to Congress on agencies' implementation of the Federal Information Security Management Act.

Agencies' cyber defenses showed progress in fiscal 2014 on a number of the administration's Cybersecurity Cross Agency Priority Goals:

  • Information security continuous monitoring increased from 81 percent in FY 2013 to 92 percent in FY 2014 through the implementation of asset, configuration, and vulnerability management tools;
  • Use of strong authentication to securely connect to agency networks via personal identification verification cards has increased to 72 percent in FY 2014 (up five percent over FY 2013);
  • External network traffic passing through either a TIC or managed trusted internet protocol services provider met the Administration's CAP goal of 95 percent in FY 2014; and
  • Implementation of TIC 2.0 capabilities advanced from 87 percent in FY 2013 to 92 percent in FY 2014, entailing that agencies have deployed common cybersecurity controls.

Despite the advancements, the number of security reports submitted to US-CERT by CFO Act agencies increased from 57,971 to 67,196 documented incidents in FY 2014 (up 16 percent over FY 2013).

Of the incidents reported in FY 2014, 25 percent were labeled as "non-cyber," 22 percent were the result of "other" causes (e.g. currently under investigation, miscellaneous and unknown) and 17 percent derived from policy violations. While slight reductions or increases across categories are common, security incidents resulting from "other" causes were the exception this year and increased 157 percent in FY 2014.

The following chart presents a detailed comparison of each category by year:

CFO Act Agency Incidents Reported to US-CERT in FY 2013 & FY 2014

- FY 2013 - FY 2014


*Other applies to a "separate superset of multiple subcategories [that] has been employed to accommodate several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown."

**Non-Cyber applies to "all reports of PII spillages or possible mishandling of PII which involve hard copies or printed material as opposed to digital records."

About the Author

Jonathan Lutton is an FCW editorial fellow. Connect with him at jlutton@fcw.com

Featured

  • People
    Dr. Ronny Jackson briefs the press on President Trump

    Uncertainty at VA after nominee withdraws

    With White House physician Adm. Ronny Jackson's withdrawal, VA watchers are wondering what's next for the agency and its planned $16 billion health IT modernization project.

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.