Why government is slow to endorse frameworks for quantifying cybersecurity risk

Written by Aug 19, 2019 | FEDSCOOP

Some agencies have begun to quantify their cybersecurity risk — but don’t expect the government to make the practice mandatory anytime soon.

In April 2018, the National Institute of Standards and Technology (NIST) published version 1.1 of its Cybersecurity Framework, which federal agencies are required to use. The framework describes an organization's risk posture qualitatively, on a one-to-four scale of implementation tiers that is typically presented with traffic light color coding: red, yellow and green.

“Investment decisions are made that way,” a spokesperson for Rep. Jim Langevin, D-R.I., told FedScoop. Langevin wants to see agencies justify their cyber budgets with quantitative risk frameworks in time.

The Factor Analysis of Information Risk (FAIR) standard, an international standard maintained by The Open Group, is one of a handful of quantitative risk models in use. In what would be a first for a federal agency, the Department of Energy intends to apply the FAIR risk-assessment model before migrating data to the cloud.

First comes agencywide risk management training so everyone speaks the same language on cyber risk. At the same time, DOE is building a risk assessment program to quantify risk to information technology infrastructure before and after its cloud migration.

“What we’ve seen anecdotally in the industry is the risk in most scenarios of running data or applications in the cloud is less than if you do it on-premise — oftentimes with the same types of security tools — because cloud providers have typically been a bit more diligent in applying those security measures than IT folks within agencies,” said Nick Sanna, founder of the