Foresight: Using Incident Reports to Improve Measurability of Risk Exposure for Predictability

Presentation
Brett Tucker of the SEI presented this session at FloCon 2024.
Publisher

Software Engineering Institute

Abstract

The SEI has worked to deliver a quantitative set of metrics that relates the magnitude and likelihood of a risk in a standardized manner, with greater fidelity than current processes. We use real-world incident data to validate these metrics and to serve the United States Defense Industrial Base (DIB) in executing the NIST Risk Management Framework (RMF) process. With the United States facing and addressing increased kinetic threats, the cybersecurity community must reduce its overall cost while delivering greater value.

This presentation serves as an update on our work toward calculating risk exposure with greater reproducibility and fidelity than current practice, which will ultimately reduce costs through better control selection and greater standardization in the risk analysis process. It also makes the case for this research and its applicability to measuring and gauging risk exposure when granting an Authorization to Operate (ATO), as directed by NIST SP 800-37 Rev. 2, the guidance for implementing the NIST Risk Management Framework (RMF).

Specifically, we will emphasize the importance of a standardized approach, informed with greater fidelity by incident data, that supports the shift from a reactive to a predictive posture in addressing cyber risk.