It’s a devastating report from the Government Accountability Office that should accelerate the movement to cyber risk quantification (CRQ) and the FAIR model, already underway at the Department of Energy. The GAO (the investigative arm of Congress) looked at 23 federal agencies for these key risk management practices:
All but one agency had designated a cybersecurity risk executive but none could claim to have fully implemented the other practices. “Until they address these practices, agencies will face an increased risk of cyber-based incidents that threaten national security and personal privacy,” the report says.
Agency officials told the GAO that a number of roadblocks hold back their risk management and assessment efforts, including…
…Roadblocks that all could be overcome by a risk management program based on 1) a common vocabulary and taxonomy and 2) quantifying cyber risk based on the impact of scenarios to either national security or personal privacy. The FAIR model (Factor Analysis of Information Risk) fits the bill. When decision makers are presented with risk analyzed in terms of impact, and discussed in standard terms they understand, they can weigh competing priorities, establish consistent policies and align cyber risk with the rest of enterprise risk management.
A look into the details of the GAO report shows the disarray in the federal government that at each point calls out for a FAIR-based solution. Some examples:
Confusion starts at the top, the GAO found, with OMB and NIST, the agencies responsible for guiding the rest of the federal cybersecurity establishment. For instance, “While existing OMB guidance requires agencies to establish ERM programs and NIST guidance requires agencies to establish cybersecurity risk management programs, this guidance does not address how these efforts should be integrated or coordinated.”
The Department of Energy, for one, is getting its house in order with FAIR. DOE Deputy CISO Greg Sisson recently told a gathering how his team is using the FAIR model for cyber risk quantification on the department’s Continuous Diagnostics and Mitigation program implementation, as described by FedScoop:
“DOE wants to increase cybersecurity visibility across its national labs and sites…But rather than focusing on which tools to deploy, the department is first assessing the data it needs. Once DOE implements a Factor Analysis of Information Risk, or FAIR, risk-assessment model, then it can start its cloud migration pilot.”
With the DOE as a model — and the GAO report as a push factor — more federal infosecurity officials will be looking at FAIR, then taking the next step to get staff FAIR-trained before the federal fiscal year runs out. The RiskLens Academy offers online or in-person a FAIR Analysis Fundamentals Course that covers learning and applying the FAIR model to risk scenarios and controls. Course completion earns 16 CPE credits and a free voucher to take the OpenFAIR Certification exam.
Learn more about FAIR for federal agencies — join the non-profit FAIR Institute (membership is free to security and risk professionals), and attend the next meeting of the Federal Government Chapter of the Institute in the Washington, DC, area.
Read the GAO Report: Agencies Need to Fully Establish Risk Management Programs and Address Challenges