Office of Management and Budget: 4 assessments on HHS' cybersecurity performance in 2016

Across federal agencies, there were more than 30,899 incidents that led to compromised information or system functionality in 2016, according to an Office of Management and Budget report.

The report, published in accordance with the Federal Information Security Modernization Act of 2014, evaluates federal agencies' progress toward cybersecurity goals in fiscal year 2016 based on data the agencies reported through Nov. 13, 2016. The report also includes the results of independent Inspectors General assessments, which identify areas federal agencies need to improve upon.

Here are four assessments from HHS' cybersecurity performance summary.

1. The Chief Information Officer Assessment is an annual performance metric conducted by the agency's CIO. The assessment said HHS has "made considerable progress in prioritizing and implementing security initiatives" to align with various national targets and action plans. It also stated that the agency has improved its ability to patch critical vulnerabilities, implemented an anti-phishing program and developed a security information communication program, called CyberCare.

2. The Inspector General Assessment is an annual independent assessment of information security programs that ranks agencies' maturity level on five cybersecurity function areas, based on levels one through five: one (ad-hoc), two (defined), three (consistently implemented), four (managed and measurable) and five (optimized). The Inspector General ranked HHS level three for four function areas: its ability to identify, detect, respond and recover. HHS ranked level two for its ability to protect.

3. The CAP Goal Metrics track agencies' compliance with National Institute of Standards and Technology standards. In 2016, HHS met its CAP goal for four cybersecurity metrics: secure configuration management (which it did not achieve in 2015), unprivileged user personal identity verification implementation, anti-phishing defenses and other defenses. It did not meet its CAP goal for five metrics, including hardware asset management and vulnerability management.

4. The US-CERT Incidents by Attack Vector reports summary information related to incident data at each agency. In 2016, HHS experienced a total of 8,121 cybersecurity incidents. The plurality of these incidents (3,466) were designated as "other." The top sources of identified incidents were web (1,458), improper usage (1,445), loss or theft of equipment (884) and email or phishing (693).


Copyright © 2024 Becker's Healthcare. All Rights Reserved.
