This week, President Trump signed into law the Modernizing Government Technology Act (MGTA), which authorizes government agencies to set up “IT working capital funds” and appropriates $500 billion that agencies can spend to enhance cybersecurity and retire legacy systems. But agencies must meet some new requirements to tap into the working capital funds.
Under the law, agencies will have to:
- Make a “strong business case” for their projects.
- Propose “risk-based, and cost-effective information technology capabilities that address evolving threats to information security.”
- Commit to repay the fund within 5 years – in effect, to generate a return on their IT or infosecurity investments through cost savings.
With the MGTA funding coming, government CIOs are already asking:
- Which legacy systems/projects should be trimmed and by how much?
- Which future initiatives should be prioritized?
- What does bottom-line mission impact look like after execution?
For cybersecurity projects in particular, CIOs need a clear picture of which new security controls on which IT assets will reduce risk (in other words, potential losses from cyber attacks) and by how much, in dollars.
Technology Business Management (TBM) for Government
One method agencies are currently using to answer these questions is the Technology Business Management Taxonomy (TBM), which encourages organizations to run their IT operations much like a business.
Margie Graves, Acting U.S. CIO, is pushing TBM because she sees this as a path forward to move from “Wow, IT costs a lot and we can’t really put our finger on exactly how much it costs and where all those costs are located” to “We fixed that problem, we understand what our costs are, we understand what our business cases are” and now we’re moving to the conversation about how IT adds value to the delivery of the mission.
Factor Analysis of Information Risk (FAIR)
Many organizations in the private sector are turning to Factor Analysis of Information Risk (FAIR) to supplement their TBM initiatives with an economics-driven approach to cyber risk management.
Using a platform like RiskLens, purpose-built to run the FAIR model, organizations calculate the ROI of cybersecurity initiatives with a cost/benefit analysis. Unlike traditional risk assessment frameworks that generate color-coded charts based on guesswork, FAIR provides a model for assessing the value of IT assets and probable losses from cyber attacks, all in dollar terms. Federal CIOs and CISOs looking to make a “strong business case” that’s “risk based” should feel right at home. Contact RiskLens for the details.