Feds fail 2014 Cyber Report Card
But that won’t stop them from pushing ahead with CISA
You might not realize that cybersecurity is the latest legislative craze and hottest job in the Washington revolving door merely by perusing the Office of Management and Budget’s (OMB) most recent annual Federal Information Security Management Act (FISMA) compliance report.
Released quietly to the public late last month, the FISMA report paints a poor picture of federal information security practices. The recent push to expand federal influence over private cybersecurity practices through controversial measures like the Cybersecurity Information Sharing Act (CISA) follows the worst year for federal information security failures on record. The federal government should learn how to get its own network security in order before attempting to “improve” things for others.
More pragmatically, it will be difficult to trust the Department of Defense, Department of Justice, and Department of Homeland Security — agencies whose respective employees were fooled by false websites into downloading malicious software 182 times, allowed 1,816 pieces of computer equipment to be lost or stolen, and downloaded malware 370 times in the past year alone — to be good stewards of the massive amounts of cybersecurity data they would be empowered to collect under CISA.

The chart above is an updated version of one I produced with Eli Dourado and Rizqi Rachmat for a Mercatus Center analysis in January. Total reported cybersecurity incidents reached an all-time high of almost 70,000 incidents last year. Despite a $2.4 billion increase in FISMA spending between FY 2013 and FY 2014, the number of reported federal information security incidents rose by 15%, from 61,214 in FY 2013 to 69,851 in FY 2014. Since FY 2006, the total number of reported information breaches has increased by an astounding 1169%.
Part of the rise in reported information security incidents in FY 2014 can be attributed to “enhanced capabilities to identify, detect, manage, recover and respond to these incidents” — through enhanced incident reporting requirements to US-CERT and the new EINSTEIN 3 threat detection and blocking software of the National Cybersecurity Protection System (NCPS) — as well as to an overall increase in actual incidents. Accordingly, the true number of federal information security incidents in previous years may have been even greater than initially reported.

The number of reported security incidents involving personally identifiable information (PII) — including data such as contact information and even Social Security numbers and financial information — did slightly decrease overall and as a share of the total incidents between FY 2013 and FY 2014, but this damaging type of breach still constitutes roughly a quarter of all reported incidents.

We can also break down the figures by incident type. Non-cyber violations involving lost or mishandled physical records constituted the largest portion of information security incidents last year. The 14,747 incidents reported in the catch-all “other” category, which covers random, miscellaneous, or unknown information breach incidents, also accounted for a large share of all information security failures in FY 2014.
Concerningly, policy violations, where federal employees fail to follow PII management procedures, made up the third most common information security failure last year, with 12,102 reported. Lost, stolen, or otherwise missing federal equipment incidents were also high, with 9,308 reported in FY 2014. Malware likewise is known to have infected federal networks at least 7,705 times.
Many of these incidents were dumb mistakes. The report concludes that around half of last year’s incidents could have been easily avoided through the use of strong authentication. But a good number of agencies have made little progress toward their internal strong authentication goals. If the Department of Defense, with its unusually high strong authentication compliance, is omitted, then only 41% of civilian federal agencies require strong authentication for users.

Some agencies are struggling more than others. The chart above displays the total number of information security incidents reported by the 24 “CFO agencies” (so designated by the Chief Financial Officer Act of 1990) that are held to stricter FISMA standards and reporting requirements for FY 2014.
NASA accounted for 15,256 of the 67,196 information security incidents reported by CFO agencies last year, 12,017 of which are categorized as “other” while another 1,226 malware infections and 1,185 “social engineering” incidents — where federal employees are fooled by fake webpages to download malicious software — also plagued the spacemen and spacewomen.
The Department of Veterans Affairs — which has suffered numerous data breaches throughout the 2000s and recently ignored reports of impending cybersecurity peril only to expose the PII of thousands more veterans to outside groups — came in second with 11,800 reported incidents, 4,877 of which were non-cyber, 2,490 of which involved policy violations, 2,065 of which related to unauthorized equipment access, and 1,583 of which were malware incidents.
The Department of Health and Human Services — recently thrust into a much more prominent data management role through its responsibilities managing the Affordable Care Act — reported the third highest number of incidents, consisting of 3,631 non-cyber incidents, 2,000 policy violations, and 1,060 malware infections.
Here’s the weird part. The report assembles this data and provides a final score to each CFO agency based on their compliance with FISMA goals. You might expect that there would be a pretty strong association between poor FISMA scores and poor information security outcomes (and vice versa). But this isn’t necessarily the case.
NASA received top marks, the VA was in the range of a respectable C+, and HHS wore the dunce’s cap in dead last place. Other low-performers like DOJ and SSA also received high FISMA compliance scores. The Department of Homeland Security — whose lax security practices exposed 25,000 employees’ PII to malicious hackers last August — also got a gold star.
In this way, the FISMA report reveals a subtler problem with the government approach to cybersecurity more generally. Some agencies that are the stars of FISMA compliance on paper allowed the greatest number of information security failures last year. These kinds of bureaucratic standards direct resources to optimizing static metrics that do not always translate to intended results.
The federal government continues to struggle with its own information system security while its procedural vision remains mired in counterproductive technocratic bias. Yet the executive and the legislature are incredibly eager to create a more powerful cybersecurity surveillance role for the government through CISA. There’s a decent chance that “cybersecurity” is not what will ultimately be optimized.