Phishing-related cybersecurity incidents at federal agencies dropped by one-third in fiscal 2019, according to the Office of Management and Budget’s annual cybersecurity report to Congress.

The report, mandated by the Federal Information Security Modernization Act, found that email-related cybersecurity incidents among federal agencies dropped from 6,930 in last year’s report to 4,388 in FY19. Overall, the federal government saw an 8 percent decrease in cyber incidents, from about 31,100 in FY18 to 28,600 in FY19.

“This FISMA report reflects improvements in areas of focus under the President’s Management Agenda and Federal Agency elements of the National Cybersecurity Strategy,” Federal Chief Information Officer Suzette Kent said in the report. “It shows Agencies are making significant progress in managing risk and also highlights that focused efforts to secure government mobile devices have been especially important in today’s expanded telework environment.”

Though the decrease is good news for the federal government, spear-phishing continues to be the most significant vulnerability among federal agencies, the report said. Security reviews of agencies’ high-value assets completed by the Department of Homeland Security identified spear-phishing, patch management, administrator password reuse, insecure default configuration and weak password policy as the top five risks faced by federal agencies, in that order.

The report also said DHS conducted 71 security assessments of high-value assets in FY19, up from 61 in FY18. It found 448 cybersecurity issues, up from 356 the previous year.

“These assessments revealed that the Federal Government continues to face challenges mitigating basic security vulnerabilities,” the report said.

Several Cabinet-level agencies experienced significant reductions in incidents related to spear-phishing since the FY18 report. The State Department saw the largest reduction, dropping from 3,082 email incidents in FY18 to 1,043 in FY19. The Department of Health and Human Services saw a drop to 603 in FY19 from 885 in FY18, down significantly from 1,120 in FY17. Phishing incidents at the Commerce Department dropped by half, from 660 in FY18 to 330 in FY19.

Greg Touhill, the first federal chief information security officer and now president of AppGate Federal, said the results are a positive sign, but warned that adversaries are pivoting to other areas of weakness to infiltrate federal networks.

“They’re just picking other targets,” Touhill said. “They’re phishing at home. They’re phishing on social media. They’re phishing against our weak underbelly with our contracts and our supply chains.”

The Department of Education reported zero phishing incidents, the only Cabinet agency to do so. In the CIO self-assessment, the department wrote that it has employed “increasingly complex phishing scenarios” and improved its spam filtering and anti-phishing policies through its email provider.

The Commerce Department cited an investment in an anti-phishing training tool as one of the CIO office’s main accomplishments in FY19. Overall, federal agencies spent $16.9 billion on cybersecurity in FY19.

The Small Business Administration reported a drastic increase in phishing incidents, with reported incidents rising from 135 in FY18 to 1,100 in FY19. SBA’s section of the report didn’t give any explanation for the rise in incidents. A spokesperson for SBA did not return a request for comment.

Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.