Several large federal agencies continue to be at risk for cyberattacks even as the number of cyber incidents reported during fiscal 2018 fell compared with the previous year, the Office of Management and Budget said in a report sent to Congress on Friday.

The number of cyber incidents reported by federal agencies fell 12 percent to 31,107 during fiscal 2018 but “drawing conclusions based on this data point, particularly as agencies have adjusted to several new sets of reporting guidelines over the last few years, would be concerning,” the report said.

Email-based threats continue to be the most prevalent means of cyberattack on federal agencies, the report said. In
 about 27 percent of all cyber incidents, federal agencies could not identify the source of the attack, according to the annual report required under a 2014 law .

The departments of Energy and Health and Human Services, as well as the EPA, Federal Communication Commission and the Federal Trade Commission, were all ranked as being “at risk” for cyberattacks because “significant gaps remain” despite policies and processes in place, the report said.

Overall the federal government spent $14.9 billion on cybersecurity, with the Defense Department accounting for about $8.05 billion.

The agencies’ risk profile was ranked on five factors: ability to identify information technology assets, protect them, detect attacks, respond to and recover from attacks.

On those scores, the Energy Department was ranked as being at “high risk” for protecting its assets, and “at risk” on detect, respond and recover factors.

The department “faces many cyber threats including espionage from nation states, advanced persistent threats, and disruptive non-state actors,” the report said. “Successful attack by a cyber threat actor could result in damage, disruption, or unauthorized access to business/mission critical assets associated with the integrity and safety of personnel, nuclear weapons, energy infrastructure, and applied scientific R&D.”

HHS was ranked as “at risk,” the report said, because the department’s “information security program was ‘Not Effective’ since it was not at a ‘Managed and Measurable’ maturity level for Identify, Protect, Detect, Respond, and Recover functional areas.”

The EPA “has significant gaps in cybersecurity capabilities, human resources, and supporting infrastructure,” the report said. The agency “also has limited ability to gather quantitative data and relies on qualitative measures, leaving significant blind spots. Inadequate funding hurts the agency’s ability to manage its security operations and incident response teams, the report said. 

The FCC’s information security program is not effective, including its financial management and inventory management systems, the report said.

Other agencies rated as being “at risk” included the Equal Employment Opportunity Commission, the National Archives, the Tennessee Valley Authority and the Privacy and Civil Liberties Oversight Board.

The Smithsonian Institution was the only agency listed as being at “high risk.”

In addition to the risk assessments, the Department of Homeland Security also assessed the ability of federal agencies to safeguard so-called high value assets among the government’s computer systems. Of the 61 assessments conducted by DHS, the agency found the top deficiencies included lack of data protection, inconsistent application of software security fixes, lack of strong authentication requirements for accessing systems, and absence of continuous monitoring of systems.