Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

New FISMA Report Shows Progress, Gaps in Federal Cybersecurity

No major incidents mixed with continuing gaps in implementation paint an improving, but still muddy, picture of cybersecurity in the federal government.

Each year, the Office of Management and Budget (OMB) is required to report to Congress on the state of federal cybersecurity, as per the Federal Information Security Modernization Act of 2014 (FISMA). The latest version of the report, for fiscal 2018, is mostly filled with the sort of information common in previous versions — with one big exception: For the first time since "major incident" was defined, not even one was reported.

That's not to say there were no cybersecurity incidents. In fact, 31,107 were reported in 2018 — but even that number is a 12% decrease from the 35,277 incidents reported in fiscal year 2017.

Kiersten Todt, managing director of the Cyber Readiness Institute, believes investments in government security seem to be paying off. "I do think we have comprehensively, in both government and industry, been more effective in taking a risk management approach to cybersecurity, focusing on prevention when possible and resiliency — defined as minimizing disruption — when an incident does occur," she says.

As noted, cybersecurity incidents against federal IT continue. The report notes email remains a top attack vector, with 6,930 incidents reported in 2018. These targeted phishing attacks are no surprise to Sean Finnegan, vice president, federal services, at Coalfire. "It is unlikely there has been a reduction in the number of threat actors and more probable the sophistication of attacks has increased, resulting in a smaller volume with the same level of risk," he says.

The shift may reflect actions of the government as much as changes in criminal priorities. "This could be an indication that the government is improving defense of low-level attacks and threat actors are adapting their tactics to be more focused," Finnegan explains.

While the report contains individual assessments of incidents at 97 agencies, ranging from the American Battle Monuments Commission to the Department of Homeland Security, the aggregated statistics show the government as a whole has yet to meet the implementation targets established by FISMA. Best results came in implementing privileged network access management, where agencies showed, on average, they have hit 94% of the target goal, and 96% of the mobile asset management goal.

The worst performance is in software asset management, where the 58% implementation average is down from 69% in FY 2017. "The federal government is assuredly getting better," says Phil Reitinger, president and CEO at the Global Cyber Alliance. "But so are the bad guys — and they do not take summers off. Incidents also may not have been discovered yet."

Even within the incidents reported, many observers are concerned about gaps, one of which is in fully understanding the threats against federal systems. In 27% of the reported incidents, no attack vector could be identified.

Another area of ongoing concern is the security of contractors and other third parties with legitimate access to federal systems and data. "There have also been successful attacks leveraged against government contractors," says Terence Jackson, CISO at Thycotic. "The malicious actors are targeting the weaker links in the supply chain." Tthe report also notes significant disparities in the state of contractor security for different agencies.

Still, the report is seen as progress by most. And based on budgets, cybersecurity remains a priority within the federal government, with nearly $15 billion set to be invested in non-classified security for fiscal year 2018.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How to Avoid Technical Debt in Open Source Projects."

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Jon M. Kelley
50%
50%
Jon M. Kelley,
User Rank: Moderator
8/22/2019 | 12:54:56 PM
OMB issues a nothing happened security report?? really?
An Office of Management and Budget (OMB) data exfiltration was 1st discovered 20Mar2014, but they had no knowledge of when they were hacked, or what was taken. 

Less than two months later, on 7May2014, OMB was hacked again and lost control of their databases until 15Apr2015.  The hackers exfiltrated detailed security investigation reports on 21.5 MILLION American people that had applied for clearances.  OMB 1st reported that no important information was lost. 

I don't think that I would ever trust another OMB report saying that nothing bad had happened, and no important information was lost. 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.
CVE-2019-6650
PUBLISHED: 2019-09-20
F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.
CVE-2014-10396
PUBLISHED: 2019-09-20
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.