When compared with the initial 2002 statistics, the federal government has come a long way. For instance, 92% of systems have been properly certified and accredited, compared with only 42% in 2002. And 86% of agencies have tested their contingency plans, while 95% have tested their security controls. Those figures were a dismal 35% and 60%, respectively, in 2002.
According to the report, a number of larger agencies made significant gains, including NASA and the departments of State, Treasury, and Defense.
The report also states that these federal agencies spent $5.9 billion, or 9.2% of their total IT budget, on IT security.
Yet the number of security incidents reported to US-CERT has skyrocketed. In 2007, federal agencies reported 12,986 security incidents, compared with 5,146 incidents in 2006 and 3,569 in 2005.
While it may be counterintuitive, I regard the dramatic rise in reported incidents as a good indicator. At least the agencies have a greater awareness of the systems under their control, which provides for better visibility into potentially malicious activity.