The federal government was the victim of more than 31,000 cybersecurity incidents in fiscal year 2018, according to an Office of Management and Budget report released Aug. 16.

The annual report on cybersecurity, the FISMA FY 2018 Annual Report to Congress, found that the number of cyber incidents at agencies dropped 12 percent from last year. That figure is down from 35,000 incidents the previous year.

The good news for federal government? This was the first year that agencies didn’t have an incident that reached the “major incident” threshold set by OMB. That means no known breaches constituted a national security threat or released personally identifiable information.

The federal government spent nearly $15 billion on cybersecurity in fiscal 2018. The Pentagon accounted for more than half of that spending. The Department of Homeland Security spent about $1.8 billion on cybersecurity.

The report found that email-based threats remain “prevalent" because of the high success rate of phishing attacks. Almost 7,000 attacks came through phishing. The report also found that the government was not able to identify the way in which 27 percent agency systems were attacked.

This trend “continues to suggest that the government must take additional steps to help agencies identify the sources and vectors of these incidents,” the report read.

The most common attack was classified in the report as “improper usage” with more than 9,600 incidents. Improper usage is defined as “any incident resulting from violation of an organization’s acceptable usage policies by an authorized user.”

OMB found five common security shortfalls across the federal agencies:

* Lack of data protection,

* Lack of network segmentation,

* Inconsistent patch management,

* Lack of strong authentication,

* Lack of continuous monitoring,

Several of these technologies are considered part of basic cybersecurity hygiene by cyber experts.

DHS also provides agencies with a cybersecurity package to protect against cyberattacks. As of the end of September 2018, 70 agencies had implemented all of DHS’s security offerings. This included the 23 agencies described in the Chief Financial Officers Act and the 102 civilian agencies evaluated.

Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.

More In IT & Networks