GAO Grades Federal Agencies ‘Fail' on Cyber Risk, Accelerating Movement to CRQ

August 19, 2019  Jeff B. Copeland

It’s a devastating report from the Government Accountability Office that should accelerate the movement to cyber risk quantification (CRQ) and the FAIR model, already underway at the Department of Energy. The GAO (the investigative arm of Congress) looked at 23 federal agencies for these key risk management practices:

  • Designating a cybersecurity risk executive
  • Developing a risk management strategy and policies
  • Assessing cyber risks
  • Coordinating between cybersecurity and enterprise-wide risk management functions

All but one agency had designated a cybersecurity risk executive but none could claim to have fully implemented the other practices. “Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy,” the report says.

Agency officials told the GAO that a number of roadblocks hold back their risk management and assessment efforts, including…

  • Managing competing priorities between operations and cybersecurity
  • Establishing and implementing consistent policies and procedures
  • Receiving quality risk data
  • Incorporating cyber risks into enterprise risk management

…Roadblocks that all could be overcome by a risk management program based on 1) a common vocabulary and taxonomy and 2) quantifying cyber risk based on the impact of scenarios to either national security or personal privacy.  The FAIR model (Factor Analysis of Information Risk) fits the bill. When decision makers are presented with risk analyzed in terms of impact, and discussed in standard terms they understand, they can weigh competing priorities, establish consistent policies and align cyber risk with the rest of enterprise risk management.

A look into the details of the GAO report shows the disarray in the federal government that at each point calls out for a FAIR-based solution.  Some examples:

  • The Department of Treasury’s Enterprise Cybersecurity Risk Management Officer stated that incorporating cyber risks into ERM is a challenge because cybersecurity risk is not currently quantified in the same way as other risks. The official expressed the need for a standard vocabulary for discussing cyber alongside other risks, adding that this makes it very challenging to integrate cybersecurity risk management into ERM.” Private sector organizations are already solving the ERM integration issue with FAIR.  Learn more: Cybersecurity Has Joined ERM.
  • The Department of State’s Enterprise Risk Officer for Cybersecurity reported that…with regard to vulnerability data, sufficient data exist and are gathered on a regular basis; however, it is difficult in a large global enterprise to prioritize actions without credible information on the likelihood of a threat or its impact on the agency’s mission.” Quantifying likelihood and impact are bottom-line deliverables from a FAIR analysis. Learn moreWhat Is Cyber Risk? The FAIR Definition.
  • “The Department of Health and Human Services’ Acting Deputy CISO stated that…the guidance from NIST provides limited direction for producing specific metrics and checklists in support of laws, policies, directives, instructions, and standards.” FAIR analysis provides those metrics. Learn more: How NIST CSF and the FAIR Risk Model Are Complementary
  • “The Environmental Protection Agency’s CISO reported that it was a challenge to establish an agency- wide statement of risk tolerance. This is because it was difficult to determine such factors as how much the mission’s operation is worth, how much information resources are worth, and how much negative public perception of the agency costs in terms of money or resources.” Putting a financial value on all these elements are a standard deliverable of FAIR. Learn more: How to Set a (Meaningful) Cyber Risk Appetite with RiskLens.

Confusion starts at the top, the GAO found, with OMB and NIST, the agencies responsible for guiding the rest of the federal cybersecurity establishment. For instance, “While existing OMB guidance requires agencies to establish ERM programs and NIST guidance requires agencies to establish cybersecurity risk management programs, this guidance does not address how these efforts should be integrated or coordinated.”

The Department of Energy, for one, is getting its house in order with FAIR. DOE Deputy CISO Greg Sisson recently told a gathering how his team is using the FAIR model for cyber risk quantification on the department’s Continuous Diagnostics and Mitigation program implementation, as described by FedScoop:

“DOE wants to increase cybersecurity visibility across its national labs and sites…But rather than focusing on which tools to deploy, the department is first assessing the data it needs. Once DOE implements a Factor Analysis of Information Risk, or FAIR, risk-assessment model, then it can start its cloud migration pilot.”

With the DOE as a model — and the GAO report as a push factor — more federal infosecurity officials will be looking at FAIR, then taking the next step to get staff FAIR-trained before the federal fiscal year runs out.  The RiskLens Academy offers online or in-person a FAIR Analysis Fundamentals Course that covers learning and applying the FAIR model to risk scenarios and controls. Course completion earns 16 CPE credits and a free voucher to take the OpenFAIR Certification exam.

Learn more about FAIR for federal agencies —join the non-profit FAIR Institute (membership is free to security and risk professionals), and attend the next meeting of the Federal Government Chapter of the Institute in the Washington, DC, area.

Read the GAO Report: Agencies Need to Fully Establish Risk Management Programs and Address Challenges