In an article just out on FedScoop, Why government is slow to endorse frameworks for quantifying cybersecurity risk, Dave Nyczepir reports that, while qualitative, red-yellow-green approaches to risk still dominate, the move to FAIR-based, quantification-driven risk management is well underway among federal agencies – actually, despite the FedScoop headline, at high speed by the cautious standards of the federal bureaucracy. The article quotes FAIR Institute Chairman Jack Jones and President Nick Sanna extensively.
As the FedScoop article details:
- The Office of Management and Budget (OMB) has had staff trained on FAIR, though, as Sanna points out, it feels it’s too early to issue guidance to agencies on quantification methods.
- The Department of Energy (DOE) is running a FAIR analysis preparatory to a major cloud migration project.
- The Treasury Department’s Office of the Comptroller of the Currency (OCC) trained 40 officials on FAIR and is looking for a contract vehicle to start a risk management project.
More signs of momentum: The Army's new Defend Forward strategy for cyber warfare takes a risk-based approach that's FAIR-friendly. And the FAIR Institute is receiving a marked upturn in new memberships from civilian and military branches of the government (join the Institute's Federal Government Chapter to learn more).
Pushing the movement forward is the 2017 Executive Order from President Trump that directs agencies to assess their budgets based on the risks they face. A report by the Congressional Government Accountability Office (GAO) last month, revealing inadequate cybersecurity practices at 23 agencies, gave another push: improve or “face an increased risk of cyber-based incidents that threaten national security and personal privacy,” the GAO warned.
“While it may seem a difficult hill to climb, there are already people in these agencies who do this on a day-to-day basis,” Jack Jones told FedScoop, “that is, help to look at the impact of events that interrupt the mission...
“The FAIR model actually makes it easy to harness the power of the data already available,” Jack said.
Nick Sanna said that he’s optimistic that the next iteration of the NIST Cybersecurity Framework will reference FAIR and raise the model's profile among government cybersecurity officials. The FAIR Institute has been in talks with NIST about the CSF, and Kevin Stine, Chief of the Applied Cybersecurity Division at NIST will speak at the upcoming FAIR Conference. Nick also wants to see the Federal Information Security Management Act (FISMA) reporting rules updated to mandate use of FAIR.
“There’s a lag, but now the administration is pressuring the agencies to do better because otherwise, what’s the alternative?” Nick said. “They’re going to cut their budget arbitrarily if you cannot demonstrate you need money.”
Join us for the 2019 FAIR Conference, bringing leaders in information and operational risk management together to explore best FAIR practices that produce greater value and alignment with business goals. Gaylord National Resort & Convention Center, National Harbor, MD, September 24 & 25, 2019. More information on FAIRCON19.