On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.
According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.
Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:
- Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
- Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
- Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.
Federal agencies will look to continue these cybersecurity improvements in 2017.