Senate Passes 'Strengthening American Cybersecurity Act,' Requires a Federal Cyber Risk Model
The Senate recently passed the Strengthening American Cybersecurity Act that directs the Office of Management and Budget to “develop a standard model for informing a risk-based budget for cybersecurity spending.”
Several federal regulations and directives already mandate “risk-based” budgeting for cybersecurity (including FISMA, OMB guidance and Executive Order 13800), and the NIST Cybersecurity Framework (NIST CSF), the basis for many federal cybersecurity standards, lists Factor Analysis of Information Risk (FAIR™), the standard model for cyber risk quantification, as a best practice for risk analysis and management. However, most federal agencies still can’t prioritize or justify their security spending as risk-based, in other words, in terms of quantifiable risk reduction in dollars.
This new legislation gives the strongest push yet to an action plan to implement quantitative risk management in the federal government, requiring the model to be in full use within five years. What might the model look like?
The U.S. Energy Department is pioneering just such a model, with FAIR at the center. As Ignatius Liberto, Director, Cybersecurity Compliance and Oversight for the DOE, presented at the first quarterly event in the 2022 FAIR Conference series, the model is designed to:
- Generate quantitative reporting to support risk-based decision-making that’s particularly relevant to federal budgeting (DOE uses the RiskLens platform for FAIR analysis)
- Be compatible with all federal standards and directives, as well as Energy Department initiatives
- Heavily promote training and education in FAIR, with the goal of pushing out quantitative risk expertise to all the operating units of the department. The DOE is a particularly good testbed for a federal risk management model as its many units operate with their own processes and procedures in a “federated” arrangement.
Watch the video of the Energy Dept. presentation “Maturing A Quantitative Risk Management Program in the Federal Government” at FAIRCON22 (FAIR Institute membership required to view).
The Strengthening American Cybersecurity Act passed the Senate by unanimous consent and next heads to the House with a strong tailwind from concern over Russian cyber attacks on the US because of the war in Ukraine. In addition to the requirement for a new cyber risk management model, the legislation would compel critical-infrastructure organizations to report cyber attacks to CISA within 72 hours and ransomware payments within 24 hours.