Despite its best efforts, the US government has seen reported cybersecurity incidents jump 10% in fiscal 2015, according to a new report from the Office of Management and Budget (OMB).
The report to Congress, which assesses the government’s compliance with the Federal Information Security Modernization Act of 2014 (FISMA), hailed “unprecedented improvements” over the previous year.
However, it admitted that reported incidents went up from 69,851 to 77,183.
“Additionally, independent evaluations of information security programs and practices conducted by agency Inspectors General identified several performance areas in need of improvement, including configuration management, identity and access management, and risk management practices. Furthermore, Senior Agency Official for Privacy (SAOP) reviews found that Federal agencies must continue to take steps to analyze and address privacy risks and ensure privacy protections are in place throughout systems’ lifecycles.”
Several areas stood out as needing extra attention. Just 57% of agencies have a risk management program in place, for example.
Other areas where improvements are needed include configuration management (70%), contractor systems (70%), identity and access management (74%), contingency planning (78%) and POA&M (plans of action and milestones) (78%).
Washington was, of course, rocked in 2015 by a massive data breach at the Office of Personnel Management (OPM) which exposed the sensitive details of 22 million current and former government employees and some of their families.
In response to that the federal CIO, Tony Scott, launched a 30-day Cybersecurity Sprint which boosted the take-up of strong authentication in civilian government to around 70%.
Following that, the OMB developed the Cybersecurity Strategy and Implementation Plan (CSIP) which identified further actions to take inside government.
Also, in February 2016, the Obama administration announced the Cybersecurity National Action Plan (CNAP), to further strengthen government security. The president wants $19 billion in resources to fund this and related projects such as replacing legacy IT systems.
However, it remains to be seen whether Congress will agree to the budget.