Government IT Security

National Risk Management and Cybersecurity

What is National Risk Management?

The National Risk Management Center (NRMC) is the planning, analysis, and collaboration center within the Cybersecurity and Infrastructure Security Agency (CISA), leading strategic risk reduction efforts for the nation [1]. Sources of strategic risk are widespread and include cyber and physical attacks, supply chain vulnerabilities, malicious exploits of emerging technology, nation-state aggression, insider threats, pandemics, natural disasters, and the convergence of previously siloed risks. The NRMC works with public and private stakeholders to identify, analyze, prioritize, and manage these risks to help advance the nation’s collective defense. The NRMC focuses on risks to National Critical Functions (NCFs). CISA defines NCFs as, “…functions of the government and the private sector so vital to the United States their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” [2]

One initiative that the NRMC has highlighted as a priority is the “systemic cyber risk reduction venture”. CISA notes that cyberattacks such as the SolarWinds Orion cyber campaign, school ransomware schemes, and data exfiltration cyberattacks emphasize the cascading impact of cyber risks to NCFs and to our daily lives [3]. As cybersecurity risks cannot be managed in isolation, CISA recommends collecting data across organizations, sectors, and NCFs in order to mitigate cybersecurity risks that are shared in an interconnected world. CISA’s role in reducing systemic cyber risk is:

Build underlying cyber risk analysis architecture. CISA asserts that leveraging NCF risk architecture can help to protect cybersecurity, as it captures multiple data layers to understand how entities come together to produce critical functions, and what assets, systems, networks, and technologies underpin those functions. Those tools can answer questions such as: What is the likelihood that a cyberattack can degrade a system in such a way that a function cannot be delivered? And, if that function cannot be delivered, what is the impact?

Cyber risk metric development. CISA rallies stakeholders to discuss how to use existing security controls to connect the relationship between threat, vulnerabilities, and consequence on critical functions to further develop metrics to quantify cyber risk in the following manner:

  • Threat. Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or (e.g., a DoS attack)
  • Vulnerabilities. Physical feature or operational attribute that renders an entity, asset, system, or network open to exploitation or susceptible to a given hazard (e.g., a software flaw that lets hackers into a network)
  • Consequence. Effect of an event, incident, or occurrence (e.g., stolen data leading to damaged reputation and financial loss)

Cyber risk assessment tools. Central to CISA’s venture to reduce systemic cyber risk is finding concentrated sources of risk that, if mitigated, provide heightened risk management and cost benefits. In the critical infrastructure community, supported by the dependent web of hardware, software, services, and other connected components, cyber risk creates an opportunity for cascading or correlated impact to NCFs. CISA has developed a public-private Information and Communications Technology (ICT) Supply Chain Risk Management Task Force aimed at reducing software-derived supply chain threats.

[1] NRMC, 2022, “NRMC Overview”

[2] CISA, 2021, “National Critical Functions”

[3] CISA, 2022, “Systemic Cyber Risk Reduction Venture”