Earlier this month, The FAIR Institute partnered with The Open Group to submit comments and recommendations to the draft version 1.1 of NIST's Cybersecurity Framework (NIST CSF). The NIST CSF and its Framework Core were created in 2014 to provide guidance on how organizations can better “Identify, Protect, Detect, Respond, Recover” when assessing cyber threats.
We commend NIST for the on-going work to improve the CSF. The new CSF version 1.1 now provides language that organizations should use self-assessments to both measure and manage cyber risk. FAIR experts who have reviewed this version 1.1 note that while the CSF begins to mention quantification and measurement of cyber risk, it still points to the use of qualitative measurement scales such as 1-4. The document fails to include any examples of quantitative risk analysis methods that express risk as loss exposure in monetary terms.
"The FAIR Institute and The Open Group’s ultimate recommendation is to explicitly include FAIR in the NIST CSF v 1.1, as a pragmatic method to measure cybersecurity risk and assess the effectiveness of controls and other risk management activities."
We believe that the inclusion of the FAIR model as a measurement method in CSF v 1.1 would help enterprises and government organizations at large to adopt proven and state-of-the-art quantification practices that many of their peers are already adopting. Failure to include FAIR, an international standard methodology for quantifying risk, in the CSF will set the industry back by keeping it anchored to ineffective risk measurement methods, such as ordinal scales (currently proposed in draft v 1.1), especially if the stated goal of the CSF continues to be the enablement of cost-effective decision making as it relates to prioritizing risks and resource allocation.
Additionally, the joint use of FAIR and NIST CSF can help organizations satisfy the requirements of the recent Executive Order 13800 for government agencies and the greater federal network to indicate the state of their cyber risk management activities and right-size their cybersecurity budgets.
The market is speaking. The number of our member organizations who use NIST CSF and FAIR in tandem continues to grow every quarter. These organizations recognize the complementary nature of the NIST CSF and FAIR, as FAIR adds an economical dimension to the CSF as illustrated in a series of highly popular articles listed on both the NIST CSF Industry Solution page and the FAIR Institute website. Organizations that use NIST CSF and FAIR together are part of many critical infrastructure industries such as financial services, defense, utilities, and technology.
The FAIR Institute continues to partner with The Open Group to promote the FAIR model as an open international standard by The Open Group. The FAIR principles have been captured and published in standards documents that are available free of charge to any interested party.
About the FAIR Institute
The FAIR Institute is a rapidly growing, non-profit, expert organization of forward-thinking risk officers, cybersecurity leaders, and business executives from enterprises of all sizes, government organizations, and academic institutions around the globe. We operate with the central mission to establish and promote information risk management best practices that empower risk professionals to collaborate with their business partners on achieving the right balance between protecting the organization and running the business. Factor Analysis of Information Risk (FAIR) is the standard risk model behind our mission. FAIR is the only international standard quantitative model for information security and operational risk.
About The Open Group
The Open Group is a global consortium that enables the achievement of business objectives through technology standards. Our diverse membership of more than 680 organizations includes customers, systems and solutions suppliers, tool vendors, integrators, academics, and consultants across multiple industries. The Open Group has published two standards based upon FAIR, these are the Risk Taxonomy Standard (O-RT, and the Risk Analysis Standard (O-RA, collectively referred to as the Open FAIR body of knowledge.
