Federal agencies endured 31,107 cybersecurity incidents in Fiscal Year (FY) 2018, a 12-percent decrease over the 35,277 incidents that agencies reported in FY 2017.

According to the FISMA FY 2018 Annual Report to Congress, no federal agency during FY 2018 had a major cybersecurity incident. "While this is encouraging, drawing conclusions based on this data point, particularly as agencies have adjusted to several new sets of reporting guidelines over the last few years, would be concerning,” says the report. “[E]mail-based threats remain prevalent, with email/phishing continuing to be a highly-targeted attack vector.” 

According to information provided by DHS, there were 6,930 phishing incidents in the past year. Moreover, nearly 27 percent of all incidents did not have an identified attack vector, which "continues to suggest that the government must take additional steps to help agencies identify the sources and vectors of these incidents," says the report.  

Improper usage remains prevalent, as well. Improper usage is defined as any incident resulting from violation of an organization’s acceptable usage policies by an authorized user. There were 9,674 cyber incidents due to improper usage. Moreover, loss of theft or equipment caused 2,552 cyber incidents. 

In FY 2018, DHS conducted 61 High Value Assets (HVA) assessments, resulting in 356 findings (221 System Architecture Review findings and 135 Risk and Vulnerability Assessment findings). "These assessments revealed that the Federal Government continues to face challenges mitigating basic security vulnerabilities," says the report.

Top 5 HVA findings in FY 2018:

  1. Lack of data protection
  2. Lack of network segmentation
  3. Inconsistent patch management
  4. Lack of strong authentication
  5. Lack of continuous monitoring (including audit and logging capabilities)

Furthermore, the federal government spent nearly $15 billion on cybersecurity in 2018.