Cyber Risk Quantification Movement Hits Federal Government, DOE in the Lead

July 1, 2019  Jeff B. Copeland

Big progress is underway in the measurement and management of cyber risk and it is being led by pioneers in both industry and government. Nearly 6,000 leading thinkers in risk and security have come to the conclusion that cyber risk must be quantified in financial terms in order to be managed effectively. They've embraced the FAIR (Factor Analysis of Information Risk) standard risk model, are training themselves and their teams on FAIR and are joining the FAIR Institute and meeting with their peers in quarterly discussions at Institute chapters around the globe - including a newly launched Federal Government chapter. The momentum is palpable and the winds of change are blowing strong.

As evidence, consider that the Department of Energy will deploy cyber risk quantification to meet the requirements of the Continuous Diagnostics and Mitigation (CDM) program, which aims to improve security and risk monitoring on federal systems, especially as they migrate to the cloud.

As Greg Sisson, deputy chief information security officer at DOE, was quoted in FedScoop:

DOE wants to increase cybersecurity visibility across its national labs and sites…But rather than focusing on which tools to deploy, the department is first assessing the data it needs. Once DOE implements a Factor Analysis of Information Risk, or FAIR, risk-assessment model, then it can start its cloud migration pilot.

The Energy Department may be in the lead, but federal cybersecurity policies are pushing all agencies to rationally assess their most important data and most serious risks before going ahead with the ambitious IT modernization plans of the federal government — and, as DOE came to realize, that’s a job for analysis based on cyber risk quantification (CRQ).

Key Federal initiatives besides CDM make clear the need for agencies to develop CRQ capabilities:

Presidential Executive Order 13800 makes agency heads accountable for implementing “effective risk management”, including risk-based mitigation and acceptance plans.

The Federal Information Security Modernization Act (FISMA) requires agencies to show they are providing information security protection commensurate with risks.

The Department of Homeland Security’s new Binding Operational Directive 19-02, which accelerates the patching schedule for government agencies, “exposes some basic limitations in the way the federal frameworks address cyber risk,” as RiskLens Risk Science Director Jack Freund recently wrote in Homeland Security Today — the frameworks don’t enable agencies to put a risk rating on their IT assets, which is necessary to prioritize patching.

The Office of Management and Budget (OMB) guidance on Federal Information Security and Privacy Management Requirements M-19-02 directs agencies to prioritize risk management on their “crown jewel” IT assets. Done right, that requires a quantitative risk analysis to identify high-value assets, as Jack Jones, creator of the FAIR model, wrote, also in Homeland Security Today—not the high-medium-low qualitative approach that the guidance document has been suggesting until now.

For federal infosecurity decision-makers looking to get out ahead of the movement to cyber risk quantification, here’s a first step to take (before the fiscal year runs out): Get your cyber risk or IT risk personnel trained and certified on the FAIR model.

The RiskLens Academy offers a FAIR Analysis Fundamentals Course, online or in person, that covers learning and applying the FAIR model to risk scenarios and controls. Course completion earns 16 CPE credits and a free voucher to take the OpenFAIR Certification exam.

Learn more about how FAIR and quantification will change risk management in the federal government—join the non-profit FAIR Institute (membership is free to security and risk professionals), and meet your peers at the next meeting of the Federal Government Chapter of the Institute in the Washington, DC, area.