Policy

Energy is using cyber risk assessments to make cloud decisions

The department has launched risk analysis initiatives at national labs, rather than waiting for the perfect metrics, to establish standards.

By Dave Nyczepir

September 25, 2019

Emery Csulak speaks on a panel at the 2016 Security Through Innovation Summit. (FedScoop)

The Department of Energy has started factoring quantitative cybersecurity risk into its internal budget decisions.

DOE adopted the Factor Analysis of Information Risk (FAIR) management framework and has begun initial, daily risk assessments at interested national laboratories, Emery Csulak, the department’s chief information security officer, told FedScoop.

This fall, DOE plans to onboard even more agencies.

“Our goal is to find the army of the willing — get that buy-in early in the process — so that we’re not sitting there spending all of our time fighting with the naysayers,” Csulak said.

So far FAIR has been employed when weighing the pros and cons of a particular cloud’s adoption or migrating a certain product into the cloud, versus keeping it deployed locally, he added.

The goal is to use FAIR to make business cases during the fiscal 2021 budget process with the Office of Management and Budget, Csulak said.

Recently the National Institute of Standards and Technology opted to formally reference FAIR within its Cybersecurity Framework.

“That’s a major coup,” Nick Sanna, president of the FAIR Institute, said Tuesday at FAIRCON 2019.

DOE was one of the first agencies to use FAIR because its offices are “highly federated,” Csulak said.

“They need to be able to make honest risk decisions at the level where they affect their operational capabilities — whether or not it’s with science or nuclear protection,” he said.

Rather than wait for the “perfect set of metrics,” DOE started talking to vendors about their quantified risk management approaches and launching risk analysis projects to establish standard operating procedures.

The DOE Office of Inspector General and the Government Accountability Office have already been impressed with the department’s use of the FAIR model, Csulak said.

“When you can demonstrate that you have put forward a thoughtful means of looking at risk, they’re very receptive to that,” he said.

Energy is using cyber risk assessments to make cloud decisions

More Like This

ICE pursuing privacy approvals related to controversial phone location data

House Modernization panel advances bill to improve CRS’s data access in first-ever markup

Scientists must be empowered — not replaced — by AI, report to White House argues

Top Stories

White House hopeful ‘more maturity’ of data collection will improve AI inventories

404 page: the error sites of federal agencies

Generative AI could raise questions for federal records laws

Oracle approved to handle government secret-level data

Cybersecurity executive order requirements are nearly complete, GAO says

GSA administrator: Generative AI tools will be ‘a giant help’ for government services

State Department encouraging workers to use ChatGPT

More Scoops

Inventories to be ‘more central part’ of understanding how agencies use AI under White House guidance

Increase in Energy’s reported AI uses reflects ‘enhanced’ guidance from White House

Experts warn of ‘contradictions’ in Biden administration’s top AI policy documents

House Dems call on White House to make agencies adopt NIST AI framework

Shila Cooch joins Energy as Office of Science CIO

Idaho National Lab spearheading cyber-informed engineering action plan for electric grid

AI ‘Bill of Rights’ must be accompanied by NIST risk management framework say experts

Latest Podcasts

Energy is using cyber risk assessments to make cloud decisions

Leveraging modern access management to achieve zero trust

The role of the federal chief AI officer

Los Angeles CIO discusses how AI and cloud technologies transform urban public services

Tech

Defense

Cyber

Acquisition