How Federal Agencies Can Use FAIR Cyber Risk Quantification to Improve FITARA Scores

August 26, 2020  Ted Stettinius

The latest annual FITARA scorecard came out recently and the good news is that, for the first time, no federal agency outright flunked though most agencies only rated an overall grade of “C”, and some grades actually declined from last year.  Additionally, C’s and D’s predominated in the Cyber/FISMA component.

Fifty percent of the Cyber/FISMA component grade is influenced by an agency’s OIG FISMA Maturity Metrics Rating. A Level 4 rating, “Managed and Measurable” is considered to be an effective level of security. It requires that:
  • “Quantitative and qualitative measures on the effectiveness of policies, procedures, and strategies are collected across the organization and used to assess them and make necessary changes.”
  • “Resources (people, processes, and technology) are allocated in a risk-based manner”.
As evidenced by the continued challenge achieving Level 4 “Managed and Measurable”, agencies and IGs are coming to the realization that "risk-based” and “cost-effective” risk management can’t be achieved by qualitative, color-coded, high/medium/low ratings systems that essentially are based on judgment calls, not a formal risk measurement model that yields analysis results in dollars.
Ted Stettinius is Federal Practice Leader for RiskLens

In part, the challenge is the thicket of federal mandates on cybersecurity that just serve to direct without giving direction -- like the FISMA requirement to perform risk assessments to achieve “cost-effective security” with very little guidance as to how to accomplish this.

Now, some pioneering federal agencies such as NASA and the Department of Energy are moving toward a solution: Cyber risk quantification with the FAIR™ model (Factor Analysis of Information Risk), the international standard for financial analysis of cybersecurity risk that’s the basis of the  RiskLens platform.

FAIR is recognized in the NIST CSF as a recommended “Informative Resource” for risk analysis and risk management --and the CSF is the framework underlying the IG FISMA Maturity Ratings. The draft NISTIR 8286 standard in development at NIST has also cited FAIR and risk quantification as the gold standard for aligning cybersecurity with enterprise risk management – and OMB Circular A-123 mandates agencies move toward that alignment.

FAIR also aligns with EO 13800 that holds agency heads accountable for implementing risk management measures commensurate with the probability and magnitude of the harm resulting from cybersecurity events. 

The FAIR model specifically quantifies probability and magnitude to set dollar values of cyber loss events. One of the key benefits of a FAIR based approach is enabling an agency to meet FISMA compliance requirements while also supporting cost-effective risk management practices as required by various directives.

Simply defining maturity as checking off the recommended best practices on the NIST CSF doesn’t cut it without assessing a return on investment (ROI) to understand the reduction in loss exposure provided by additional controls. With FAIR analysis, an agency can:

  • Identify/quantify/prioritize top risks
  • Specify risk tolerance in financial terms
  • Prioritize control activities
  • Allocate resources and dollars based on ROI
Together these strategies and tactics support Level 4 “Managed and Measurable” through the required quantitative measurement of risk – and ultimately higher FITARA Cyber/FISMA component grades.