The Office of Management and Budget (OMB) said this week that reported cyber “incidents” involving Federal government systems declined by about five percent in fiscal year 2022 – to a total of 30,659 incidents – compared to the prior year’s tally.

OMB provided those figures in its FY2022 FISMA Report released on May 2. The annual report is required by the Federal Information Security Modernization Act (FISMA). The report’s data comes mainly from information reported to OMB and the Department of Homeland Security (DHS) by Federal agencies as part of their own FISMA reporting obligations.

In addition to the general downtick in cyber incidents for FY2022, also notable in the new figures is the  reporting of only three incidents as “major incidents.”

The three major cyber incidents were reported by:

  • The Department of Agriculture, which tallied a major incident involving personally identifiable information (PII) due to a process failure at the National Finance Center (NFC), a shared service provider for financial management and human resource management services for Federal agencies. “NFC performed a manual feed to the Payroll and Personnel System that did not account for employee address changes,” OMB said, adding, “this resulted in 69,708 W-2C forms being generated and sent out through bulk physical mail. The W-2Cs included the employee’s full name, unmasked full social security number (SSN), home address, wages, and employer information.”
  • The Department of Education, which reported a major incident involving the breach of PII involving a loan servicing vendor’s system. “Beginning in June of 2022, a non-state criminal actor began attacking a web application, leveraging a vulnerability on a vendor-operated loan registration website,” OMB said. “The attacker maintained a presence on the system until July 2022 when the activity was detected and the system was immediately shutdown.”
  • The Department of Treasury’s Internal Revenue Service (IRS), which reported a major cybersecurity incident involving the inadvertent disclosure of 990-T forms (Exempt Organization Business Income Tax Return) filed by tax-exempt entities. OMB said the PII exposed was limited to names, addresses, e-mail addresses and phone numbers.

Commenting on the year-over-year decline in cyber incidents, OMB said, “While the trend is encouraging, drawing conclusions based on this data point, particularly as agencies have adjusted to several new sets of reporting guidelines over the last few years, would be premature.”

Elsewhere under the heading of major takeaways from the report, OMB concluded that Federal agencies “show improvements in adoption of cyber defensive measures.”

“However, more work is necessary and agencies must continue to drive adoption of zero trust priorities such as phishing resistant multi-factor authentication,” OMB said.

OMB said it tracked Federal agency progress on zero trust security migration throughout the year, and identified progress on priority patching as another bright spot.

“Notably, every agency reported the use of a patch management process that prioritized patching based on the severity of a vulnerability,” OMB said. “This action enables agency security personnel to focus limited resources on the most critical vulnerabilities, which helps protect the agency as it continues to deliver on its mission.”

Also on the zero trust front, OMB said that it received zero trust implementation plans from all 24 CFO Act agencies, and 46 smaller Federal agencies. “Agency zero trust implementation plans show that they have assessed their environments, understand the resources required to implement their zero trust plans, and are progressing toward alignment of resources to address cyber risks,” OMB said.

In another somewhat upbeat assessment, OMB said that Federal agencies “are well positioned to respond to incidents, should they occur.”

“Every agency worked to evaluate CISA’s Cybersecurity Incident and Vulnerability Response Playbooks against their current incident response procedures and determined a process for sharing incident details electronically with CISA,” the agency said.

Read More About
More Topics
John Curran
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.