Senate Passes 'Strengthening American Cybersecurity Act,' Requires a Federal Cyber Risk Model

US Flag Digital CybersecurityThe Senate recently passed the Strengthening American Cybersecurity Act that directs the Office of Management and Budget to “develop a standard model for informing a risk-based budget for cybersecurity spending.”

Several federal regulations and directives already mandate“risk-based” budgeting for cybersecurity (including FISMA, OMB guidance and Executive Order 13800) and the NIST Cybersecurity Framework (NIST CSF), the basis for many federal cybersecurity standards, lists Factor Analysis of Information Risk (FAIR™), the standard model for cyber risk quantification, as a best practice for risk analysis and management.  However, most federal agencies still can’t prioritize or justify their security spending as risk-based, in other words, with quantifiable risk reduction in dollars. 


Learn more: How FAIR™ Can Help the US Federal Government Better Prioritize and Right-Size Its Cybersecurity Investments


This new legislation gives the strongest push yet to an action plan to implement quantitative risk management in the federal government, requiring the model in full use in five years. What might the model look like?

The U.S. Energy Department is pioneering just such a model, with FAIR at the center. As Ignatius Liberto, Director, Cybersecurity Compliance and Oversight for the DOE, presented to the first quarterly event in the 2022 FAIR Conference series, the model is designed to

  • Generate quantitative reporting to support risk-based decision-making that’s particularly relevant to federal budgeting (DOE uses the RiskLens platform for FAIR analysis)
  • Be compatible with all federal standards and directives, as well as Energy Department initiatives
  • Heavily promote training and education in FAIR, with the goal of pushing out quantitative risk expertise to all the operating units of the department. The DOE is a particularly good testbed for a federal risk management model as its many units operate with their own processes and procedures in a “federated” arrangement.

Watch the video of Energy Dept. presentation “Maturing A Quantitative Risk Management Program in the Federal Government” at FAIRCON22. FAIR Institute membership required to view – join now.


The Strengthening American Cybersecurity Act passed the Senate by unanimous consent and next heads to the House with a strong tailwind from concern over cyber attacks on the US by Russians because of the war in Ukraine.  In addition to the requirement for a new cyber risk management model, the legislation would compel critical-infrastructure organizations to report cyber attacks to CISA within 72 hours and ransomware payments within 24 hours.

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37