Classification Concerns Over FISMA Report on Improving Agency Cybersecurity

The Federal Information Security Modernization Act (FISMA) annual report to Congress for full year 2018 indicates considerable success in improving the cybersecurity of federal agencies.

The headline statistics indicate a 12% reduction in the occurrence of cybersecurity incidents from 35,277 in FY 2017 to 31,107 in FY 2018. “However,” adds the report (PDF), “FY 2018 marked the first year since the creation of the major incident designation that no incidents met the threshold.”

A ‘major incident’ is defined as any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. It also applies, with the same criteria, to any breach involving the theft or alteration of PII belonging to more than 100,000 people.

This means that unless actual harm occurs, ‘likely to’ becomes a value judgment by those affected, which in turn means that major incidents could have occurred but have not been classified and reported as such. Would something most people might consider a major incident within one agency actually “result in demonstrable harm to the national security interests”?

Chris Roberts, chief security strategist at Attivo Networks, picks up on this classification concern. “So, there were no reported ‘major incidents’ in the reporting period,” he said to SecurityWeek. “Frankly, our detection is arguably not in a place where we can accurately state that. What are we defining as a major incident? Would that include airports going offline? Transportation being manipulated? Data being siphoned off on a daily basis? This, to me, would be considered critical and major. But, nope. Nobody turned the lights off on the Eastern seaboard… so I guess part of it depends what the definition of critical actually is.”

The weakness in this method of reporting is that it aggregates general statistics across all the agencies, but then defines major incidents in terms of individual agencies. “Zoom out and look at the harvesting of all of the elements,” continued Roberts, “and you quickly realize that the overall issue is that we’re still a sieve. Therefore, the bigger picture is that we’re still a mess and everyone else, including our adversaries, both foreign and domestic, have all the data.”

Similarly concerning is that FISMA reports the median maturity level of the agencies in the five NIST Cybersecurity Framework functions of identify, protect, detect, respond and recover as ‘consistently implemented’. While this sounds promising, it is only the third of five maturity levels. It does not include ‘managed and measurable’, or ‘optimized’. Without quantitative and qualitative measures on the effectiveness of policies, procedures and strategies, there has to be a question mark on the accuracy of incident reporting.

These concerns aside, FISMA is nevertheless reporting a reassuring reduction in the number of incidents across the majority of attack vectors. Email/phishing attacks are down from 7,328 in 2017 to 6,930 in 2018. Loss or theft of equipment is down from 4,395 to 2,552, and multiple vector attacks down from 601 to 92.

Sean Finnegan, VP federal services at Coalfire, credits this improvement to continuous monitoring. “Federal agencies have embraced information security continuous monitoring (ISCM) and the continuous diagnostic and mitigation (CDM) program to improve their security posture,” he told SecurityWeek. “The programs serve to reduce threat, increase visibility across the government, improve responsiveness, and streamline reporting. The FY18 Federal Information Security Modernization Act (FISMA) report demonstrates the value in investing in these programs.”

But he still has some concerns over the message given out by these statistics. “It is unlikely there has been a reduction in the number of threat actors, and more probable that the sophistication of attacks has increased, resulting in a smaller volume with the same level of risk. This could be an indication that the government is improving defense of low-level attacks, and threat actors are adapting their tactics to be more focused. It could also be an indication that adversarial attention has changed to more specific targets, such as election systems.”

The generally favorable and improving picture of federal cybersecurity should not be allowed to invoke complacency. “Recent news events,” he continued, “serve as an ever-present reminder that federal agencies must continually adapt and adjust capabilities to prevent, detect, and respond to attacks. The attack tactics, techniques, and procedures are evolving; it is always possible we could see significant exploit events soon, and federal agencies must remain focused on proactive measures while both government and the industry identify innovative and cost-effective methods to thwart attacks.”

Roberts adds that a lack of network intelligence is also a failing. “Note that the report doesn’t talk about intelligence efforts. The fact is that as an attacker, without a good defense, without a detection/deception framework, we really don’t know how far into systems anyone is… or is watching.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
