According to OMB, 3 out of 4 agencies is risking cyber attack


Approximately three out of four federal agencies are at significant risk from cyber attackers, according to a May 2018 report from the Office of Management and Budget.

More specifically, 71 of 96 federal agencies participating in the assessment were found to have cybersecurity programs that were either at risk or at high risk, findings OMB said demonstrate the need for "bold approaches" to improve federal cybersecurity.

Just 25 agencies were reported to be managing risk using recommended tools and policies.

The report is a product of President Donald Trump's 2017 executive order on cybersecurity, which mandated risk assessments for all federal agencies. Two long-familiar problems -- old tech and the lack of a qualified cyber workforce -- were blamed for leaving many agencies vulnerable to modern-day hacking groups, and both weaknesses will be the focus of future reports by the American Technology Council and the Departments of Commerce and Homeland Security.

Beyond those problems, the report found that the nation's cyber enemies have grown steadily more sophisticated and advanced while federal agency defenses and visibility have largely stagnated. Just 40 percent of the agencies examined reported the ability to detect when their data is being exfiltrated. Only a quarter can detect attempts to access large volumes of data on their systems and fewer still actually bother to test those capabilities on an annual basis.

That lack of visibility and timely threat data around the latest tactics and strategies used by malicious cyber attackers have left many IT leaders flying blind. The end result: Of the 30,899 cyber incidents that lead to the compromise of information or system functionality in 2016, agencies couldn't identify the method of attack or attack vector for 11,802.

"Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years," the report states.

Agencies also lack a standardized set of cybersecurity tools – something the government hopes to address through programs like Continuous Diagnostics and Mitigation. CDM is designed to scan federal networks, quickly identify unauthorized users or programs and kick them off. However, the program has been beset by numerous implementation delays over the years. Most agencies are still in Phase 1, which focuses on identifying what's on the network; DHS is hoping that a re-tooled contracting process will help the program better gel with agency needs and priorities.

The OMB report makes four major recommendations: implement the Cyber Threat Framework to improve situational threat awareness, standardize IT and cybersecurity capabilities across the federal government, create more centralized security operations centers within agencies and instill a greater sense of responsibility and accountability around cybersecurity among both IT and non-IT agency leadership.

Editor's note: This article was changed May 30 to remove an mistaken reference to GAO.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.