A new report issued by the U.S. Office of Management and Budget (OMB) says federal agencies reported eight percent fewer cybersecurity incidents in fiscal year 2019, compared to 2018 — an improvement it attributes to the recent “maturation of agencies’ information security programs.”

High-value IT assets (HVAs) remain a work in progress, however: In FY 2019, the Department of Homeland Security conducted 71 HVA assessments, which collectively revealed that the federal government “continues to face challenges mitigating basic security vulnerabilities,” the report states. OBM identified the five most common issuing facing HVA environments as spear pushing, patch management, admin password reuse, insecure default configurations and weak password policies.

The document, OMB’s annual FISMA (Federal Information Security Modernization Act of 2014) report, says that federal agencies reported 28,581 cybersecurity incidents in FY 2019, compared to 31,107 incidents in FY 2018.

The most common attack vector in FY2019 was “improper usage” — defined as a violation of an organization’s acceptable usage policies by an authorized user — which resulted in 12,507 incidents (up from 9,674 in FY 2018). “The prevalence of this incident vector indicates that agencies have processes or capabilities that detect when a security policy is being violated, but lack automated enforcement or prevention mechanisms,” the document states.

The next most frequent known attack vector was email/phishing schemes, which was responsible for 4,388 incidents (down from 6,930 the year before.)

About 25 percent of the incidents, or 7,240 altogether, had an unknown attack vector, “which continues to suggest that the government must take additional steps to help agencies identify the sources and vectors of these incidents,” the report concludes.

The OMB also reported that 72 out of 96 agencies in FY 2019 received an overall rating of “Managing Risk” in the annual cybersecurity Risk Management Assessment process that was established in 2017 by President Donald Trump’s Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” That’s 10 more than the 62 that earned the Managing Risk rating in FY 2018.

The remaining 24 were agencies were scored “At Risk” in FY 2019, but none was designated “High Risk,” which is the worst possible rating.

Also according to the report, roughly 16.936 billion was spent on cybersecurity across America’s various federal agencies, with the largest expenditures attributed to the Department of Defense ($8.527 billion), DHS ($2.591 billion) and the Department of Justice ($837.2 million).

Although the OMB acknowledged that improvements must continue in regards to high value assets, it did credit the current White House Administration with instituting updated policies pertaining to HVAs, as well as Trusted Internet Connections (TIC) and Identity Credential and Access Management (ICAM). The report also cites current efforts to reduce supply chain risk and third-party privacy risk as well bolster Security Operations Center operations.