State and Local Governments: Get the Most from Federal Grants for Cybersecurity with CRQ

October 13, 2022  Jeff B. Copeland

GAO-Report-Grades-Federal-Agencies-Fair-on-Cyber-Risk-Capitol-Dome-Congress--1Last year’s big infrastructure spending bill included $1 billion in federal grants for state and local governments to improve their cybersecurity, particularly to protect critical infrastructure from cyber attack. For the first year, $185 million will be awarded to governments to establish a cybersecurity strategic plan (applications due November 15, 2022). Governments will be awarded up to $2 million in grants, after CISA and FEMA approve their plans. 

It’s a great opportunity for officials to make a fresh start on planning with a methodology that prioritizes spending based on risks quantified in financial terms. 

RiskLens is the leader in cyber risk quantification.


To explain…Faced with a windfall like these federal grants, conventional cybersecurity planning would fall back on trying to increase program maturity using the Capability Maturity Model Integration (CMMI), NIST CSF or other frameworks (often pushed by vendors) that dictate adding controls in pursuit of higher maturity scores. The result can be cybersecurity spending viewed as a wish list detached from the organization’s mission.


Many organizations, both private and public, have turned to cyber risk quantification (CRQ) using Factor Analysis of Information Risk (FAIR™) to re-orient their strategic plans for cybersecurity towards their organizations’ risks, as defined by loss exposure in financial terms. With CRQ, cybersecurity teams can effectively prioritize budgets, evaluate controls spending for return on investment and align cybersecurity strategy with the broader missions of government. 

CISOs who make the move to CRQ, particularly in government, report another benefit – competing for scarce budget, perhaps at an agency that must choose between maintaining existing systems to fulfill its mission vs spending to protect against probable cyber risk. Communicating with hard data from quantitative analysis makes a more compelling case than talking tech-speak about maturity. 

FAIR and Frameworks

FAIR doesn’t replace controls frameworks, it complements them. Many federal standards and frameworks, for instance, suggest risk-based budgeting but don’t specify how to get there. The NIST publication Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286) does call out FAIR as a tool to “better prioritize risks or prepare more accurate risk exposure forecasts” in a risk register. NISTIR 8286 also endorsed many of the standard practices of FAIR analysis, including risk scenario modeling, Monte Carlo simulations and quantification of cyber risk in financial terms.

Learn more: RiskLens Fast Facts on Cyber Risk for Local Governments

RiskLens offers a full range of cyber risk quantification services to government agencies, including RiskLens Pro, a managed service for agencies with limited budget, time and staff. Learn more about RiskLens Pro in a solutions brief.