Last year’s big infrastructure spending bill included $1 billion in federal grants for state and local governments to improve their cybersecurity, specifically to protect critical infrastructure from cyberattacks. For the first year, $185 million will be given to governments to establish a cybersecurity strategic plan (applications due November 15, 2022). Governments will receive up to $2 million in grants, once CISA and FEMA approve their plans.

This is a great opportunity for managers to make a fresh start in planning with a methodology that prioritizes spending based on risks quantified in financial terms.

To explain: faced with a boon like these federal grants, conventional cybersecurity planning would fall back on an attempt to increase program maturity using Capability Maturity Model Integration (CMMI), the NIST CSF or other frameworks (often pushed by vendors) that dictate adding controls in pursuit of higher maturity scores. The result can be cybersecurity spending that looks like a wish list detached from the mission of the organization.


Many organizations, both private and public, have turned to Cyber Risk Quantification (CRQ) using Factor Analysis of Information Risk (FAIR™) to reorient their strategic cybersecurity plans toward their organizations' actual risks, defined as exposure to loss in financial terms. With CRQ, cybersecurity teams can effectively prioritize budgets, assess control spend for ROI, and align cybersecurity strategy with broader government missions.

CISOs switching to CRQ, particularly in government, report another benefit: an advantage in the competition for a limited budget, for instance in an agency that must choose between maintaining existing systems to fulfill its mission and spending to protect against probable cyber risks. Communicating with hard data from quantitative analysis is a more compelling argument than technology talk about maturity.

FAIR and Frameworks

FAIR does not replace control frameworks; it complements them. Many federal standards and frameworks, for example, call for risk-based budgeting but do not specify how to achieve it. The NIST publication Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286) cites FAIR as a tool to “better prioritize risks or prepare more accurate risk exposure forecasts” in a risk register. NISTIR 8286 has also endorsed many standard practices of FAIR analysis, including risk scenario modeling, Monte Carlo simulations, and quantifying cyber risk in financial terms.

