The biggest information security risk for agencies isn't cyber

The Office of Management and Budget's latest cyber assessment arrived late last month in the form of its annual report to Congress on agencies' implementation of the Federal Information Security Management Act.

Agencies' cyber defenses showed progress in fiscal 2014 on a number of the administration's Cybersecurity Cross Agency Priority Goals:

• Information security continuous monitoring increased from 81 percent in FY 2013 to 92 percent in FY 2014 through the implementation of asset, configuration, and vulnerability management tools;
• Use of strong authentication to securely connect to agency networks via personal identification verification cards has increased to 72 percent in FY 2014 (up five percent over FY 2013);
• External network traffic passing through either a TIC or managed trusted internet protocol services provider met the Administration's CAP goal of 95 percent in FY 2014; and
• Implementation of TIC 2.0 capabilities advanced from 87 percent in FY 2013 to 92 percent in FY 2014, entailing that agencies have deployed common cybersecurity controls.

Despite the advancements, the number of security reports submitted to US-CERT by CFO Act agencies increased from 57,971 to 67,196 documented incidents in FY 2014 (up 16 percent over FY 2013).

Of the incidents reported in FY 2014, 25 percent were labeled as "non-cyber," 22 percent were the result of "other" causes (e.g. currently under investigation, miscellaneous and unknown) and 17 percent derived from policy violations. While slight reductions or increases across categories are common, security incidents resulting from "other" causes were the exception this year and increased 157 percent in FY 2014.

The following chart presents a detailed comparison of each category by year:

CFO Act Agency Incidents Reported to US-CERT in FY 2013 & FY 2014

- FY 2013 - FY 2014

*Other applies to a "separate superset of multiple subcategories [that] has been employed to accommodate several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown."

**Non-Cyber applies to "all reports of PII spillages or possible mishandling of PII which involve hard copies or printed material as opposed to digital records."