OMB Submits Annual FISMA Report On Federal Cybersecurity, Noting 8% Fewer Incidents

The federal civilian government’s cybersecurity metrics keep trending in positive directions, a development the Administration claims can be attributed to its policies.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

This week, the Office of Management and Budget (OMB) submitted its annual report on the status of federal cybersecurity per the “Federal Information Security Modernization Act of 2014” (FISMA) (P.L. 113-283) and reported continuing progress on account of Trump Administration measures to shore up the federal government’s cybersecurity. The number of cybersecurity incidents is down and the number of agencies deemed to be managing risk has increased.

In terms of methodology, OMB collects the cybersecurity incidents reported to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). In the preface, OMB added that the

report also incorporates OMB’s analysis of agency application of the intrusion detection and prevention capabilities, as required by Section 226(c)(l)B) of the Cybersecurity Act of 2015, P.L. No. 114-113. OMB obtained information from the Department of Homeland Security (DHS), Chief Information Officers (CIOs) and Inspectors General (IGs) from across the Executive Branch to compile this report. This report primarily includes Fiscal Year 2019 data reported by agencies to OMB and DHS on or before October 31, 2019.

OMB claimed “[a]gencies reported 28,581 cybersecurity incidents in FY 2019, an 8% decrease over the 31,107 incidents that agencies reported in FY 2018…[and] [t]he decline in incidents is correlated with the continued maturation of agencies’ information security programs.” In last year’s FISMA report, OMB stated “31,107 incidents [were] reported by Federal agencies, and validated with US-CERT, across nine attack vector categories…[and] [t]his represents a 12% decrease from FY 2017, when agencies reported 35,277 incidents.” OMB further asserted “[i]n FY 2019, a total of 72 agencies received an overall rating of “Managing Risk” in the annual cybersecurity Risk Management Assessment (RMA) process…up from 33 agencies in FY 2017 and 62 agencies in FY 2018.”

Of the 28,581 incidents reported in FY 2019, three incidents were determined by agencies to meet the threshold for major incidents in accordance with the definition in OMB Memorandum M-20-04, Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements. A summary these major incidents is provided below, as well as their rating on the CISA Cyber Incident Scoring System:

• On December 3, 2019, DHS declared a major incident after determining that the Federal Emergency Management Agency (FEMA) National Emergency Management Information System Information Assurance (NEMIS-IA) system continued to send sensitive PII of disaster victims to a contractor responsible for meeting temporary shelter needs long after it was no longer required. FEMA took immediate steps to mitigate the incident by discontinuing the unnecessary sharing of PII with the contractor. Furthermore, a DHS-FEMA joint assessment team conducted a security assessment to revise the architecture of the system to meet the requirements of the DHS Sensitive Systems Policy Directive. An estimated 2.5 million hurricane survivors were impacted. The impact of this breach is Low (Green).
• On January 31, 2019, DHS declared a major incident after determining potential unauthorized sharing of disaster survivors’ PII by FEMA with a third-party volunteer organization. The organization had an approved Information Sharing Access Agreement (ISAA) with FEMA, but the agreement did not cover several data elements. FEMA amended the FEMA-State Agreement with the State of Texas on February 7, 2019, to further clarify that the third-party organization should have the same level of access these data elements as the State. An estimated 895,000 individuals were impacted. The impact of this breach is Minimal (blue).
• On June 3, 2019, DHS declared a major incident following a ransomware attack at a contractor that manufacturer’s license plate readers (LPR) utilized by U.S. Customs and Border Protection (CBP) at multiple US Border Patrol check points across the United States. CBP learned the contractor had taken unauthorized copies of images collected by CBP to their company network. The copied files included license plates images and facial images of the profile and front of travelers inside of a vehicle. These images were subsequently exfiltrated during the cyberattack on the company. The impact of this breach is Negligible (White).

In terms of the policy backdrop, OMB attributed the positive trend lines in the metrics being tracked annually in recent FISMA reports:

• The President’s Management Agenda (PMA) sets a clear goal to modernize the Federal Government’s information systems. The path forward will continue to rely on the maturation of cybersecurity efforts across Federal agencies in order to reduce operational risk and provide secure services for the American public. In September 2018, the President released the National Cyber Strategy, which outlined objectives for defending the homeland and promoting American prosperity by protecting public and private systems and information and promoting a secure digital economy. The first fully articulated cybersecurity strategy in 15 years, the National Cyber Strategy builds and expands upon the work begun under Executive Order 13800. Strengthening the Cybersecuritv of Federal Networks and Critical Infrastructure. (Executive Order 13800) released in May 2017 to enhance cybersecurity risk management across the Federal Government. Executive Order13800 recognizes the importance of mission delivery, service quality and securing citizens’ information even as malicious cyber actors seek to disrupt those services.
• This report highlights that Fiscal Year (FY) 2019 has begun to show the cybersecurity improvements due to the decisive actions the Administration has taken to address high risk areas for the Federal Government. Updated policies around High Value Assets (HVAs), Trusted Internet Connections (TIC), and Identity Credential and Access Management (ICAM) have been coupled with Department of Homeland Security (DHS) programs and directives to empower agencies to mitigate risks across the Federal Government. We have efforts underway to further enhance cybersecurity in the areas of supply chain risk, Security Operations Center (SOC) maturation, and third party privacy risk. As progress continues, the executive and legislative branch must continue its collaboration to confirm there is sustained momentum for addressing these critical capability gaps.

Here are some key charts from the report:

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.