The Department of Energy has started factoring quantitative cybersecurity risk into its internal budget decisions.
DOE adopted the Factor Analysis of Information Risk (FAIR) management framework and has begun initial, daily risk assessments at interested national laboratories, Emery Csulak, the department’s chief information security officer, told FedScoop.
This fall, DOE plans to onboard even more agencies.
“Our goal is to find the army of the willing — get that buy-in early in the process — so that we’re not sitting there spending all of our time fighting with the naysayers,” Csulak said.
So far FAIR has been employed when weighing the pros and cons of adopting a particular cloud service, or of migrating a certain product into the cloud versus keeping it deployed locally, he added.
The goal is to use FAIR to make business cases during the fiscal 2021 budget process with the Office of Management and Budget, Csulak said.
Recently the National Institute of Standards and Technology opted to formally reference FAIR within its Cybersecurity Framework.
“That’s a major coup,” Nick Sanna, president of the FAIR Institute, said Tuesday at FAIRCON 2019.
DOE was one of the first agencies to use FAIR because its offices are “highly federated,” Csulak said.
“They need to be able to make honest risk decisions at the level where they affect their operational capabilities — whether or not it’s with science or nuclear protection,” he said.
Rather than wait for the “perfect set of metrics,” DOE started talking to vendors about their quantified risk management approaches and launching risk analysis projects to establish standard operating procedures.
The DOE Office of Inspector General and the Government Accountability Office have already been impressed with the department’s use of the FAIR model, Csulak said.
“When you can demonstrate that you have put forward a thoughtful means of looking at risk, they’re very receptive to that,” he said.