OMB Publishes Report On Cybersecurity In 2016

King & Spalding

On March 10, 2017, the Office of Management and Budget (“OMB”) released its annual report to Congress under the Federal Information Security Modernization Act of 2014 (“FISMA”). The report compiles fiscal year 2016 information from the Department of Homeland Security and from executive branch Chief Information Officers and Inspectors General to assess “the state of Federal cybersecurity.”

In fiscal year 2016, federal agencies experienced “30,899 cyber incidents that led to the compromise of information or system functionality in the federal agencies.” Government-wide, the most common attack vectors were the loss or theft of equipment, attacks delivered through a website or web-based application, email phishing, and improper use of information in violation of agency policy. Thirty-eight percent of the incidents fell into the “other” category, where “[a]n attack method does not fit into any other vector or the cause of attack is unidentified.”

The 30,899 incidents included sixteen events “that met the threshold for a major incident, a designation that triggers a series of mandatory steps for agencies, including reporting certain information to Congress.” Agencies assess incidents against the following criteria, and may determine that an event constitutes a “major incident” when it satisfies all three of the first group of criteria, or the second group on its own:

  • Involves information that is Classified, Controlled Unclassified Information (“CUI”) Proprietary, CUI Privacy, or CUI Other;
  • Is not recoverable, is not recoverable within a specified amount of time, or is recoverable only with supplemental resources; and
  • Has a high or medium functional impact to the mission of an agency;

or

  • Involves the exfiltration, modification, deletion, or unauthorized access to, or lack of availability of, information or systems within certain parameters, to include either:
    • 10,000 or more records or 10,000 or more users affected; or
    • Any record that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in a significant or demonstrable impact on agency mission, public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.

Major incidents in FY2016 included a Department of Health and Human Services event that involved the “potential compromise of Personally Identifiable Information (PII)”; a Department of Housing and Urban Development incident in which PII, “including Social Security numbers, were accessible via an internet-based Google search”; and ten major incidents at the Federal Deposit Insurance Corporation “which generally stemmed from employees taking PII or other sensitive information on removable media in an unauthorized fashion.”

The report also includes individual performance summaries for ninety agencies. According to Acting Federal Chief Information Security Officer Grant Schneider, “a significant amount of work remains to implement . . . controls and protect Federal networks and data.”

Nevertheless, the report describes considerable progress in combating cyber threats during FY2016: 81% of government users now use Personal Identity Verification (“PIV”) credentials to access federal networks, and over 70% of federal agencies have deployed strong anti-phishing and malware-defense capabilities. The fiscal year also saw the release of the OMB and Office of Personnel Management Federal Cybersecurity Workforce Strategy and the revision of OMB Circular A-130, the document that “sets the overarching framework for managing Federal IT resources.”
