FAIR Fulfills Goals of Proposed RISC Act Requiring Federal Agencies to Prioritize Cybersecurity Based on Risk

October 9, 2020  Ted Stettinius

Senators Rob Portman (R-OH) and Gary Peters (D-MI) are introducing the bi-partisan Risk-Informed Spending for Cybersecurity (RISC) Act which would require federal agencies to make better investments in cybersecurity protections by effectively allocating limited cybersecurity resources to address their most pressing cyber threats.  The proposed legislation would require federal agencies to understand their risks, and prioritize their cybersecurity budgets based on those risks.

According to Portman. “Through the budget process, agencies make decisions about the tools they need to ensure they are addressing risks and closing capability gaps. Too often, insufficient information about threats and their associated risks inhibits their ability to make the best, most informed decisions. It is crucial that federal agencies know the return on investment for each cybersecurity capability acquired and whether those capabilities address existing security vulnerabilities.”

Ted Stettinius is Federal Practice Leader for RiskLens

Senators Portman and Peters and the nearly 10,000 members of the FAIR Institute are clearly like-minded in their recognition of the importance of return on investment in prioritizing risk mitigation activities.  What better way to evaluate return on investment than to translate exposure to risk in financial terms?

FAIR™ (Factor Analysis of Information Risk), the only standard quantitative model for information security and operation risk, is well-established (adopted by over 35% of the Fortune 1000 and several federal agencies) and aligns perfectly to the goals of the legislation by enabling organizations including federal agencies to:

  • Understand and communicate cyber risk in financial terms, facilitating communication and decision making across multiple functions and stakeholders in the federal government
  • Evaluate and prioritize cybersecurity investments relative to the amount of risk they reduce, measuring their value and optimizing spending
  • Better adhere to the existing and growing regulatory and privacy requirements that call for the assessment and management of top cyber risks

RiskLens is the only SaaS application purpose-built to run FAIR analysis at enterprise scale. RiskLens is the technical advisor to the FAIR Institute.

Federal Recognition for FAIR

The NIST Cyber Security Framework (CSF), mandated for government agencies by Executive Order in May, 2017,  includes FAIR as an “Informative Resource” for meeting the framework’s standards for Risk Assessment and Risk Management Strategy. The CSF builds on NIST SP 800-53, the security controls guidelines for federal agencies to comply with the Federal Information Security Act (FISMA).

Learn more:  (Podcast) Jack Freund Explains NIST CSF and FAIR Integration

OMB Circular No. A-123 mandated agencies to establish an enterprise risk management (ERM) capability and a risk profile as part of strategic annual reviews. NIST’s recently released proposed draft document  NISTIR 8286 to guide agencies on integrating cybersecurity and enterprise risk management urges risk officers to follow “a more quantitative methodology with a more scientific approach to estimating likelihood and the impact of consequences. This may help to better prioritize risks or to prepare more accurate risk exposure forecasts.”

Learn more:   NISTIR 8286 Second Draft: Strong Focus on Risk Quantification for Aligning Cyber and Enterprise Risk Management (FAIR Institute)


Starting October, 2020, with their fiscal year 2021 budgets, federal agencies are required to report on their IT investments to OMB following  Technology Business Management (TBM), the standardized framework for aligning IT spending with organizational objectives. Similar in spirit to FAIR, the TBM model guides users on a path that starts with financial considerations, moves through IT assets and applications to business services and ultimately to organizational mission.

The Cyber Security & Incident Response section of the  TBM documentation (see page 25) ) directs users to “determine associated risk to ensure the organization has the appropriate defense and responses to each incident” but doesn’t define how to determine or quantify that risk. Thus, FAIR, as the standard for quantifying cybersecurity risk is a necessary component for implementing TBM in the information security space – and to fulfill the spirit of federal directives.

FAIR Is Already in Use in the Federal Government

Department of Energy CISO Emery Csulak and NASA Chief Cyber Risk Officer Cody Scott discussed their implementations of FAIR on a panel at the 2020 RSA Conference ( watch the video)  The DOE is using FAIR to assess risk on another federal mandate, cloud migration, and more broadly, committed in its energy sector cybersecurity plan to “use risk-based methods to make decisions and prioritize activities to support the risk management responsibilities of energy owners and operators.”

As Emery Csulak explained DOE’s enthusiasm for FAIR at the RSA Conference 2020, “We’ve spent years trying to teach executives how to talk about IT and we’ve spent almost no time at all trying to teach IT people how to talk like executives…We want to give tools to the IT executives to have more meaningful conversations” – exactly in the spirit of the RISC Act Legislation.

Senators Portman and Peters, through their legislation, are advancing the requirement for cost-effective cyber risk management and good government.  The FAIR Methodology stands as the recognized open-standard risk-based model to support the goals of the legislation in enabling a financially based cyber budgeting model.

For more detail on how FAIR, risk quantification and the RiskLens-FAIR Enterprise Model can support your agency –  contact us