A Better Way to Meet Trump’s Cybersecurity Order: Quantify Risk

April 11, 2020  Chris Bryant

It’s official: President Trump’s new Executive Order on cybersecurity has been signed, after versions circulated around the government and security community for months.

Ultimately, the President recognizes that the federal landscape is littered with legacy processes and IT, and he wants to see a “modern, secure and more resilient” infrastructure to better protect the country and our national security. “The executive branch has for too long accepted antiquated and difficult-to-defend IT,” the cybersecurity order says.

This is what he’s asking for:

  • Modernization of federal IT systems and processes.
  • Specific recommendations from agency heads for cyber-infrastructure improvements in the most cost-efficient way possible.
  • Accountability at the agency head level.
  • “Effective risk management” across federal agencies.

The EO gives agency heads 90 days to write a cyber risk management report laying out their

  • Risk mitigation and risk acceptance choices
  • Budgetary considerations behind those choices
  • Accepted risks, including from unmitigated vulnerabilities

To meet these demands, the EO mandates that agencies follow the “Framework for Improving Critical Infrastructure Cybersecurity” developed by the National Institute of Standards and Technology (NIST) during the last administration but never made mandatory for the government. The framework is a set of standards and best practices, and it’s extremely useful in setting benchmarks for any organization.

After the agency heads hand in their reports, the Office of Management and Budget is directed to also apply the NIST Framework to put a dollar figure on the agency risk management programs.

Bottom line: Officials have been given the tough task of modernizing an outdated IT bureaucracy while keeping a lid on spending.

But here’s a problem: The NIST Framework is not enough.

The Framework is a “qualitative” risk management framework, not a “quantitative” analytics model. In other words, it helps answer the question “What is the level of maturity of our cybersecurity initiatives?” but not the questions of

  • “How much risk do we have?”
  • “What cybersecurity activities matter the most?”
  • “How can we figure the return on investment from spending limited budget on one activity vs. another?”

The good news is that a model does exist to aid in risk quantification. That model is called FAIR, the only standard quantitative model for cybersecurity risk. NIST has recognized FAIR as a quantitative analysis standard complementary to its Cybersecurity Framework, in a guideline under development for federal agencies.

FAIR has also been recognized by US Federal Banking Regulators (Federal Reserve, OCC, FDIC) as a valid method to rigorously and consistently quantify cyber risk.

If you’re interested in learning more about FAIR or the RiskLens platform that’s purpose-built around the model, please contact us. We’re already working with the biggest companies in the world to quantify cyber risk, and it would be a pleasure to aid federal entities in meeting this new mandate.