FAIR Institute Message to NIST Proposes Enhancing the NIST CSF with Quantitative Controls Analysis (FAIR-CAM)

FAIR-CAM Detail - Featured ImageContributing to the National Institute of Standards and Technology (NIST) effort to update the Cybersecurity Framework (NIST CSF), the FAIR Institute sent a proposal to help align the framework with the FAIR Controls Analytics Model (FAIR-CAM™), the new model for quantifying the risk reduction effect of cybersecurity controls in financial terms.  

Our message to NIST said in part:

We believe that even as NIST CSF has seen wonderful adoption as a way to gauge an organization’s risk management posture or maturity, even more benefits can be realized. Specifically, there is a great opportunity to increase CSF’s value by enabling it to help organizations empirically measure and prioritize their risk remediation efforts. 

Luke Bader is Director, Membership and Programs, for the FAIR Institute

With the recent release of the new FAIR Controls Analytics Model (FAIR-CAM™), there is now a way to empirically measure control efficacy and risk reduction value. With some modifications, NIST CSF could map cleanly to FAIR-CAM™, which would help organizations understand the efficacy and value of controls in their risk programs.  

Our proposed first steps are as follows:

>>Modify NIST CSF to provide more granularity at, or below, the subcategory level 

>>Define measurement scales for each of the elements in the framework to reduce ambiguity and improve quality of benchmarking and measurement


A model that: 

>>Categorizes controls by type and function

>>Sets them in relation to each other, clarifying their interplay

>>Accounts for the direct and indirect effect of controls on risk

>>Assigns units of measurement for control performance enabling a quantitative approach for reliable analysis of the effectiveness of controls and controls systems.

 See the FAIR-CAM documentation


FAIRCON22 Ad - Email 

Background on Mapping FAIR-CAM to the NIST CSF 

In a video presentation to the FAIR Conference Series earlier this year, Jack Jones, creator of FAIR-CAM and FAIR™ (Factor Analysis of Information Risk), the standard for cyber risk quantification, explained the FAIR Institute’s nearly complete project to map the categorization of controls in FAIR-CAM to the NIST CSF’s categories and subcategories of controls.

Watch the video:

Overcoming the Challenges of Mapping NIST CSF to FAIR CAM™  

Jack identified two challenges:

Challenge #1: Clarifying how the NIST CSF subcategories affect risk so they can be mapped to FAIR-CAM

FAIR-CAM Mapping - Large Image

That can get confusing as this example shows -- with the CSF subcategory on the right and the FAIR-CAM categorization on the left – and also casts doubt on what’s measured when the subcategory gets a numeric score as a maturity exercise.

Jack’s proposal: “The NIST CSF sub-categories have to be redefined to cover no more than a single control function.”

Challenge #2: Standardizing the NIST CSF scoring system

Cybersecurity teams routinely assign scores for compliance with the recommended controls in NIST subcategories, but the scores aren’t standardized. One organization’s “2” may not be another’s. Secondly, as shown in the example above, a single score can’t cover a subcategory with multiple functions – each type of control could have a different unit of measurement in FAIR-CAM.

Jack’s proposal: “To overcome this challenge, ordinal scale definitions should be developed for each control function.”

Get the latest on the development of FAIR-CAM – attend the 2022 FAIR Conference for presentations by Jack Jones and FAIR-CAM users.

FAIRCON22 Ad - Email


Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37