Why government is slow to endorse frameworks for quantifying cybersecurity risk

Until individual agencies like the Department of Energy and Department of the Treasury see success quantifying risk, the practice won't likely be mandated.

Some agencies have begun to quantify their cybersecurity risk — but don’t expect the government to make the practice mandatory anytime soon.

In April 2018, the National Institute of Standards and Technology (NIST) published the latest version of its Cybersecurity Framework for agencies, where risk is reduced to a qualitative one-to-four scale with traffic light color coding: red, yellow and green.

“Investment decisions are made that way,” a spokesperson for Rep. Jim Langevin, D-R.I., told FedScoop. Langevin wants to see agencies justify their cyber budgets with quantitative risk frameworks in time.

The international Factor Analysis of Information Risk (FAIR) standard is one of a handful in use and, in an agency first, the Department of Energy intends to implement the risk-assessment model before migrating data to the cloud.


First comes agencywide risk management training so everyone speaks the same language on cyber risk. At the same time, DOE is building a risk assessment program to quantify risk to information technology infrastructure before and after its cloud migration.

“What we’ve seen anecdotally in the industry is the risk in most scenarios of running data or applications in the cloud is less than if you do it on-premise — oftentimes with the same types of security tools — because cloud providers have typically been a bit more diligent in applying those security measures than IT folks within agencies,” said Nick Sanna, founder of the FAIR Institute and CEO of RiskLens.

Jack Jones created FAIR in 2001 while he was chief information security officer at Nationwide Insurance, hoping to answer his employers’ questions about how high the company’s cyber risk was and how much he could reduce it if given enough funding. On the heels of high-profile breaches like the 2014 Sony Pictures hack, many private sector boards started asking the same questions, Sanna said.

The FAIR Institute formed as a nonprofit in 2016 and boasts about 6,000 members including 30% of Fortune 1000 companies like Bank of America, Cisco Systems and Fannie Mae. Its goal is to accelerate learning and share best practices around risk management — a goal echoed in President Trump’s May 2017 executive order pushing agencies to assess their cyber budgets based on the risk they face.

The Office of Management and Budget “is saying, ‘We need better data. [Agencies] are throwing us a bunch of technical data. We have no idea if that presents a lot of risk or very little risk,’” Sanna said.


But while OMB had staff trained on FAIR, it’s held off on issuing guidance absent agency success stories it can highlight — so as not to appear heavy-handed, Sanna added.

“While OMB does encourage agencies to adopt methods for better understanding and managing their cybersecurity risks, it does not endorse any one methodology over another and does not have plans to,” said a senior administration official.

Sanna wants to see the Government Accountability Office update Federal Information Security Management Act reporting rules to mandate agencies use the FAIR standard. He’s met with Langevin, chair of the Congressional Cybersecurity Caucus, along with Bank of America to encourage such an update.

It’s all about metrics

But frameworks are only as good as the metrics plugged into them.


“One of the things we challenged the FAIR Institute people with is the fact a lot of the assumptions that go into their models are squishy at best,” Langevin’s spokesperson said.

In the immediate term, Congress is in touch with DOE Assistant Secretary for Cybersecurity Karen Evans about the state of its framework and metrics being tested, the spokesperson added.

FAIR works by breaking problems down into their factors to determine what data is required for analysis.

“FAIR helps you understand that a controlled efficiency only makes sense when you have an asset attached to it, there is a threat affecting it and a resulting negative impact,” Sanna said.

He uses the analogy of a bald tire, which is only a risk if it’s actually on a car.


The framework considers things like the frequency of a threat, whether the threat actor is capable of overcoming a control, and whether a breach would result in loss of availability or data and in paying for credit monitoring for those affected afterward.
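To make that factor breakdown concrete, here is an added example that is not from the article, the FAIR Institute or RiskLens: a small FAIR-style calculation in which threat event frequency and the probability that the actor overcomes a control combine into a loss event frequency, which is then multiplied by per-event loss magnitude. The scenario, its min/most-likely/max ranges and the "before" and "after" control postures are all constructed for illustration, and the triangular distribution used for each range is an assumption made here, not something the article specifies.

```python
"""Added illustration of a FAIR-style decomposition: loss event frequency
times loss magnitude, estimated from calibrated min/most-likely/max ranges.
Every scenario number below is constructed for the example."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """A calibrated estimate: minimum, most likely and maximum value."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        # Mean of the triangular distribution through the three points.
        return (self.low + self.mode + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    """One asset / threat / impact combination, factored the FAIR way."""
    name: str
    threat_event_frequency: Estimate  # threat contacts per year
    vulnerability: Estimate           # probability a contact overcomes the control
    primary_loss: Estimate            # dollars per event: response, recovery, downtime
    secondary_loss: Estimate          # dollars per event: credit monitoring, fines, legal


def expected_annual_loss(s: Scenario) -> float:
    """Point estimate: LEF = TEF x vulnerability; annual loss = LEF x magnitude."""
    loss_event_frequency = s.threat_event_frequency.mean() * s.vulnerability.mean()
    loss_magnitude = s.primary_loss.mean() + s.secondary_loss.mean()
    return loss_event_frequency * loss_magnitude


def _poisson(rng: random.Random, rate: float) -> int:
    """Number of threat events in one year for a yearly rate (Knuth's method)."""
    threshold = math.exp(-rate)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7) -> dict:
    """Monte Carlo over many simulated years; returns mean, median and p90 loss in dollars."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        rate = s.threat_event_frequency.sample(rng)
        p_success = s.vulnerability.sample(rng)
        year_loss = 0.0
        for _ in range(_poisson(rng, rate)):
            if rng.random() < p_success:  # the threat actor overcame the control
                year_loss += s.primary_loss.sample(rng) + s.secondary_loss.sample(rng)
        losses.append(year_loss)
    losses.sort()
    return {
        "mean": sum(losses) / years,
        "median": losses[years // 2],
        "p90": losses[int(years * 0.9)],
    }


# Constructed scenario: credential theft against an internal file server, assessed
# with the current control and again after a stronger control is assumed to be in
# place. Only the vulnerability factor changes; threat and loss ranges stay the same.
THREAT = Estimate(2, 6, 12)                       # contacts per year
PRIMARY = Estimate(50_000, 150_000, 400_000)      # dollars per event
SECONDARY = Estimate(0, 100_000, 500_000)         # dollars per event
BEFORE = Scenario("file server, current control", THREAT, Estimate(0.2, 0.4, 0.6), PRIMARY, SECONDARY)
AFTER = Scenario("file server, improved control", THREAT, Estimate(0.05, 0.1, 0.2), PRIMARY, SECONDARY)


if __name__ == "__main__":
    for scenario in (BEFORE, AFTER):
        point = expected_annual_loss(scenario)
        sim = simulate_annual_loss(scenario)
        print(f"{scenario.name}: point estimate ${point:,.0f}; simulated mean "
              f"${sim['mean']:,.0f}, median ${sim['median']:,.0f}, p90 ${sim['p90']:,.0f}")
```

The point estimate answers the budget question in dollars ("how much does this control change reduce our expected annual loss?"), while the simulated median and 90th percentile show the spread a single number hides. The output is only as good as the ranges fed in, which is exactly the "squishy assumptions" concern raised about such models: the ranges here are invented, and in practice each one needs a documented source such as incident history or calibrated expert estimates.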

Bad metrics don’t reflect poorly on the FAIR model so much as the readiness of government agencies to implement the framework, said Jones, who’s also co-founder and chief risk scientist of RiskLens.

In July, GAO released findings that only seven of the 23 civilian Chief Financial Officers Act agencies had a cyber risk management strategy in place, and a failure to hire and retain key personnel was primarily to blame.

“The FAIR model actually makes it easy to harness the power of the data already available,” Jones said. “That said, with respect to looking at the impact of cyber events — the right side of the FAIR model — while it may seem more difficult a hill to climb, there are already people in these agencies who do this on a day-to-day basis — that is, help to look at the impact of events that interrupt the mission.”

For instance, he explained, the EPA has people on staff who evaluate how business activity impacts the population’s health and apply models to that to help drive regulation.


While there is room for metrics to mature, the FAIR Institute believes they’re “highly effective,” and corporations are finding data on increases in attack frequency and potential losses helpful when allocating cyber resources, Jones said.

And increasingly federal agencies are joining industry.

The Department of the Treasury is the latest agency turning to metrics to quantify risk in terms of dollars rather than color-coding.

About 40 employees with the Office of the Comptroller of the Currency, Treasury’s regulatory arm, have trained in FAIR. Now the department is looking for the right contract vehicle to start a risk management project, Sanna said.

NIST said it isn’t currently seeking public comment on or evaluating FAIR risk assessments, but the Enterprivacy Consulting Group has posted a privacy risk assessment tool, FAIR Privacy, to its Privacy Engineering Collaboration Space. The online venue allows practitioners like Enterprivacy to share and receive feedback on risk management solutions.


Sanna is optimistic the next iteration of the NIST Cybersecurity Framework will reference FAIR as a way to assess risk, thereby raising its profile among agencies.

“There’s a lag, but now the administration is pressuring the agencies to do better because otherwise what’s the alternative?” Sanna asked. “They’re going to cut their budget arbitrarily if you cannot demonstrate you need money.”
