The U.S. Government Accountability Office (GAO) recently gave failing grades to 22 federal agencies for their cyber risk management programs – despite the fact that the May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure explicitly calls for the creation of better cyber risk management programs. The EO also mandates adherence to the NIST Framework for Critical Infrastructure Cybersecurity, which is built around a risk management approach.
A primary reason for the failing grades is that neither the EO nor the Framework provides guidance on how to develop these risk programs. In a new article for Homeland Security Today, RiskLens Risk Science Director Jack Freund gets closer to the root of the problem. Too often, Jack writes, government risk managers take a controls-based approach (such as following a framework like CMMI - Capability Maturity Model Integration) and “the result tends to be cybersecurity spending being viewed as a wish list without relevance to the organization’s mission.”
Read Jack’s article in HST: Lack of Actionable Data Contributes to Federal Cybersecurity Risk Program Failure
Jack has the solution: Apply cyber risk quantification (CRQ) through Factor Analysis of Information Risk (FAIR) to “develop a true risk-based methodology” to rationalize controls, set risk appetites, develop strategic priorities, then handle audits like the GAO’s.
The good news is that the CRQ movement in the federal government is already underway:
- The Department of Energy has acquired the RiskLens platform, the only risk management platform purpose-built on FAIR, to apply quantified cyber risk analysis to cloud migration and other projects.
- The Office of Management and Budget has been trained on the FAIR model and now accepts FAIR-based analyses for federal agencies reporting on cyber risk.
- The National Institute of Standards and Technology (NIST), developer of the cybersecurity frameworks followed by federal agencies, this year added Factor Analysis of Information Risk (FAIR), the international standard for CRQ, to its flagship Cybersecurity Framework (CSF) as a recommended resource for risk analysis and risk management.
FAIR “allows agencies to think about the loss [from a cyber event] in terms of the activities and their corresponding costs when assessing mission impact,” Jack writes. For public sector risk analysis, that might include “lost/delayed wages and tax revenues, healthcare costs, loss of life, relocations, and quality of life.”
“Having these conversations is challenging as prioritizing and allocating limited resources is an emotional activity,” Jack writes, but misallocation could have devastating consequences for government agencies. “If your risk management program can’t help you prioritize your top risk items, then your biggest risk may be your risk management program.”
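To make the "activities and their corresponding costs" idea concrete, here is an added illustration of the FAIR-style calculation such a program runs; it is example code written for this post, not the RiskLens platform, Jack's article, or an official FAIR calculator. It assumes the basic FAIR decomposition (annual risk is driven by Loss Event Frequency and per-event Loss Magnitude), represents each calibrated input as a three-point estimate sampled from a triangular distribution, and uses a single constructed scenario whose loss forms mirror the public-sector categories quoted above; every number in it is made up for illustration. The scenario name, the estimates, and the helper names are all assumptions.

```python
"""FAIR-style Monte Carlo estimate of annualized loss for one scenario.

Added illustration only (not RiskLens or FAIR Institute code). Risk is
sampled as: number of loss events this year (Poisson around a sampled
Loss Event Frequency) times the sum of each loss form's sampled cost.
All estimates below are constructed, not real agency data.
"""
import math
import random
import statistics
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular(low, high, mode); returns low when low == high.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass
class Scenario:
    """A loss scenario: how often it occurs and what each loss form costs per event."""
    name: str
    lef_per_year: Estimate                                  # Loss Event Frequency
    loss_forms: Dict[str, Estimate] = field(default_factory=dict)  # cost per event


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    if lam <= 0:
        return 0
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: Scenario, years: int = 10_000, seed: int = 7) -> List[float]:
    """Return one simulated total loss per simulated year (deterministic per seed)."""
    rng = random.Random(seed)
    annual: List[float] = []
    for _ in range(years):
        events = poisson(scenario.lef_per_year.sample(rng), rng)
        total = 0.0
        for _ in range(events):
            # Loss Magnitude for this event is the sum of all loss forms.
            total += sum(est.sample(rng) for est in scenario.loss_forms.values())
        annual.append(total)
    return annual


def summarize(annual: List[float]) -> Dict[str, float]:
    """Mean annualized loss plus the percentiles a risk appetite is usually set against."""
    ordered = sorted(annual)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "mean": statistics.fmean(annual),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "prob_any_loss": sum(1 for a in annual if a > 0) / n,
    }


def example_scenario() -> Scenario:
    """Constructed public-sector scenario; figures are hypothetical."""
    return Scenario(
        name="Benefits-payment portal outage (hypothetical)",
        lef_per_year=Estimate(0.1, 0.25, 0.5),          # roughly one event every 2-10 years
        loss_forms={
            "response and recovery": Estimate(50_000, 150_000, 400_000),
            "lost/delayed wages and tax revenue": Estimate(100_000, 500_000, 2_000_000),
            "relocation and quality-of-life impact": Estimate(0, 50_000, 300_000),
        },
    )


if __name__ == "__main__":
    s = example_scenario()
    for key, value in summarize(simulate(s)).items():
        print(f"{s.name}: {key} = {value:,.2f}")
```

Each loss form is estimated separately so the conversation with mission owners is about activities they recognize (recovering the portal, delayed payments) rather than an abstract "high" or "medium". The percentiles, not just the mean, are what a risk appetite statement is compared against: a scenario with a low median but a large p95 is exactly the kind of item a controls-only wish list tends to miss.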