Use of a cyber risk framework would be mandatory for agencies under Senate bill
Agencies should spend their limited cybersecurity funds better by prioritizing tools that address the most pressing threats, a bipartisan pair of senators says.
Rob Portman, R-Ohio, and Gary Peters, D-Mich., introduced the Risk-Informed Spending for Cybersecurity (RISC) Act on Thursday, in response to a 2019 report revealing most agencies lack comprehensive cyber risk frameworks.
The Office of Management and Budget would be required to develop a risk-based budgeting model that agencies must use because, while some quantify their cyber risk, the practice isn’t mandatory.
“Too often, insufficient information about threats and their associated risks inhibits [agencies’] ability to make the best, most informed decisions,” Portman said in the announcement. “It is crucial that federal agencies know the return on investment for each cybersecurity capability acquired and whether those capabilities address existing security vulnerabilities.”
Inspectors general found seven of eight agencies reviewed failed to properly protect personally identifiable information, and all used outdated legacy systems that were costly and difficult to secure, according to a 2019 staff report for the Homeland Security and Governmental Affairs Permanent Subcommittee on Investigations. Portman is chairman of the subcommittee and a former OMB director. Peters is ranking Democrat for the full committee.
About three-fourths of agencies aren’t fully able to identify, respond to and recover from cyberattacks, according to OMB.
“As government operations increasingly move online, particularly during the current pandemic, we must ensure that our cybersecurity defenses are capable of guarding against attacks,” Peters said in a statement.
The Department of Energy announced in June of 2019 its plans to adopt the international Factor Analysis of Information Risk (FAIR) framework before migrating data to the cloud. But OMB declined to issue guidance on such frameworks absent legislation, so as not to endorse one over another.
Department of Commerce CIO André Mendes says agencies can definitely do more to justify the money they spend on cybersecurity, and doing so will lower the overall cost of IT and free up resources for incident response.
The legislation would serve two big purposes, said Matthew Cornelius, executive director of the Alliance for Digital Innovation.
“The bill would push agencies to leverage better intelligence, data, and real time information to provide a more robust understanding of their current cybersecurity performance and to improve the budget and appropriations process to ensure agencies have the resources they need to mitigate critical threats and vulnerabilities,” Cornelius said.
