OMB Reports $13.1 Billion Spent on Cybersecurity in FY 2015

The latest FY 2015 Report to Congress on the Federal Information Security Modernization Act (FISMA) provides    OMB’s FY 2015 assessment on what agencies have achieved in FISMA-related information security in the previous fiscal year.  Last week, I looked at the number of reported federal cybersecurity incidents and noticed that they were up 10% in FY 2015 across a broad range of categories from policy violations to malware. This week, let’s look at the spending data reported within the FISMA report.

Agencies reported spending a total of $13.1B on their IT security in FY 2015, compared to $10.3B and $12.7B in FY 2013 and FY 2014 respectively. This reflects a modest increase from FY 2014 to FY 2015 following more pronounced growth from FY 2013 to FY 2014. The federal cybersecurity spend in the classified areas of the civilian and defense segments are not reported. The Department of Defense (DoD) accounts for nearly 70% of total reported spending, which is more than double what the civilian departments and agencies spend combined. (See chart below.)

OMB does not provide a breakout of the Defense components, but they do so for the civilian departments. The top ten civilian departments and agencies account for about 27% of total IT security spending reported under FISMA in FY 2015. (See chart below.)

With its role as security lead for the .gov side of the federal landscape, the Department of Homeland Security (DHS) dominates the civilian segment spending and accounts for 10% of total federal and 33% of civilian IT security spending reported in FY 2015 – percentages that have remained fairly stable the last three years. The next closest department is Justice which spends less than half of DHS. The Other Civilian category above includes in descending order of spending Transportation, Agriculture, SSA, GSA, Interior, Education, NRC, Labor, AID, HUD, EPA, OPM, and the SBA.

To dig a bit deeper … since FY 2013, OMB has required agencies to report their information security spending data broken out by the following three functional categories:

• Prevent Malicious Cyber Activity – monitoring government systems and networks and protecting the data within from both external and internal threats. Such categories include trusted internet connection (TICs); intrusion prevention systems; user identity management and authentication; supply chain monitoring; network and data protection; counterintelligence; and insider threat mitigation activities.
  
  
• Detect, Analyze, and Mitigate Intrusions – systems and processes used to detect security incidents, analyze the threat, and attempt to mitigate possible vulnerabilities. These categories include Computer Emergency Readiness Teams (CERTs); federal incident response centers; cyber threat analysis; law enforcement; cyber continuity of operations (COOP); incident response and remediation; forensics and damage assessment; continuous monitoring and IT security tools; and annual FISMA testing.
  
  
• Shaping the Cybersecurity Environment – improve the efficacy of current and future information security efforts, including building a strong information security workforce and supporting broader IT security efforts. These categories include the National Strategy for Trusted Identities in Cyberspace (NSTIC); workforce development; employee security training; Standards development and propagation; international cooperation activities; and information security and assurance research and development.
  
  

OMB provides the reported spending for the departments and agencies by the three functions defined above and we are now getting enough consistency in the reported categories to allow some comparison. Due to their relative size I have separated out DoD and DHS from the other organizations.

The DoD continues to allot more than 50% of its yearly spend to shaping the environment, which includes various IT security workforce development efforts. (See chart below.)

By contrast, DHS puts the majority of its IT security dollars in the Detect, Analyze, and Mitigate Intrusions function, with nearly 55% of their spending going to this function in FY 2013 and FY 2014 and approaching 60% in FY 2015. (See chart below.)

The remaining top civilian departments and agencies vary widely in their functional spending mix based on their individual security needs and existing posture. (See chart below.)

Understanding each department’s particular cybersecurity needs, near-term priorities, and current security posture is critical to knowing how and where they may be looking to industry for help in meeting those needs. The variety of security “profiles” depicted above reflects the diversity of the current federal cybersecurity landscape as well as the need for an individualized approach to offering potential solutions.