New Whitepaper: Use FAIR to Build a NIST CSF 2.0-Based Cyber Risk Management Program


Read the White Paper: How to Use FAIR to Mature Your Cyber Risk Management Program Based on NIST CSF 2.0
Authors:
Heather Dart, Ph.D., Cybersecurity Risk Lead, Danaher Corp.
Jack Jones, Creator of FAIR
Pankaj Goyal, Research Director, FAIR Institute
Todd Tucker, Managing Director, FAIR Institute
Michael Smilanich, Risk Advisor, SAFE
This white paper is a guide to a practical, advanced approach to building a Cybersecurity Risk Management Program (CRMP), emphasizing integration with the NIST CSF 2.0. It leverages the CSF’s Govern function as the structural foundation for defining, measuring, and maturing cybersecurity risk governance to create actionable steps for bridging technical execution with strategic decision-making.
WHAT: A CRMP establishes a structured, risk-driven framework that systematically identifies, assesses, mitigates, and monitors cybersecurity risks, integrating with organizational objectives and regulatory requirements to provide a repeatable process for safeguarding critical systems and data.
WHY: A strong CRMP is essential for defending against cyber threats, ensuring business continuity, and meeting obligations under regulations and standards such as NIST CSF, ISO 27001, GDPR, and PCI DSS. It provides a structured approach to risk management, aligning security efforts with business goals while reducing financial and reputational damage.
WHO: Stakeholders in the CRMP include executives and board members, as well as IT, legal, cyber, and business function or operational teams, all of whom rely on the program’s outputs to align security efforts with their related roles in governance, finance, technical execution, and regulatory adherence.
WHERE: Within an organization, the CRMP operates through the Governance, Risk, and Compliance (GRC) function, supported by risk analysts and operational teams, embedding risk management practices into daily processes and strategic planning across all departments.
HOW: Leveraging the CSF’s Govern function, this guide defines implementation tiers that help organizations assess their current governance maturity, establish risk management policies, and enhance program effectiveness through a structured, scalable roadmap tailored to the organization’s unique risk profile.
WHEN: The CRMP is a continuous, ongoing process rather than a point-in-time exercise; it incorporates real-time threat monitoring, periodic risk assessments, and iterative improvements to address dynamic cybersecurity threats and organizational changes effectively.
Shift Right: By integrating the Factor Analysis of Information Risk (FAIR) model, the CRMP advances to a more data-driven and forward-looking approach, allowing for quantification of risk in financial terms and providing an avenue for precise, predictive decision-making designed to optimize outcomes.
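To make the "quantification of risk in financial terms" concrete, the following is an added example (not code from the white paper or the FAIR Institute) of the core FAIR calculation: annualized loss exposure is simulated from a calibrated range of Loss Event Frequency (events per year) and a range of Loss Magnitude (dollars per event), and two control options are compared by the expected loss they avoid. The scenario name, the numeric ranges and the triangular distributions are assumptions chosen for illustration; a real analysis would use calibrated estimates and the full FAIR ontology.

```python
import math
import random
import statistics

# Constructed scenario: a ransomware loss event, with assumed (min, most likely, max)
# estimates. Frequency is events per year; magnitude is dollars per event.
SCENARIO = {
    "name": "ransomware on the order-management system (assumed example)",
    "lef": (0.1, 0.5, 2.0),          # Loss Event Frequency, events/year
    "lm": (50_000, 250_000, 2_000_000),  # Loss Magnitude, USD per event
}


def _poisson(rng, lam):
    """Sample an event count for one year from a Poisson(lam) distribution.

    Knuth's multiplication method; adequate for the small rates used here.
    """
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(lef, lm, trials=20_000, seed=7):
    """Monte Carlo: for each simulated year draw an expected frequency and a
    magnitude per event, then total the loss for that year.

    lef, lm: (min, most_likely, max) triples. Returns a list of annual losses.
    """
    rng = random.Random(seed)  # fixed seed so results are reproducible
    lo_f, mode_f, hi_f = lef
    lo_m, mode_m, hi_m = lm
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lo_f, hi_f, mode_f)   # this year's expected LEF
        events = _poisson(rng, rate)                 # how many actually occur
        year_loss = sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events))
        losses.append(year_loss)
    return losses


def summarize(losses):
    """Return the figures a decision-maker usually asks for."""
    ordered = sorted(losses)
    n = len(ordered)

    def percentile(q):
        return ordered[min(n - 1, int(q * n))]

    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "worst_case": ordered[-1],
    }


def expected_loss_reduction(lef, lm, lef_after):
    """Expected annual loss avoided by a control that lowers LEF to lef_after.

    Comparing this against the control's annual cost is the financial decision
    the text refers to; the magnitude range is assumed unchanged by the control.
    """
    before = summarize(simulate_annual_losses(lef, lm))["expected_annual_loss"]
    after = summarize(simulate_annual_losses(lef_after, lm))["expected_annual_loss"]
    return before - after


if __name__ == "__main__":
    base = summarize(simulate_annual_losses(SCENARIO["lef"], SCENARIO["lm"]))
    print(SCENARIO["name"])
    for key, value in base.items():
        print(f"  {key:>21}: ${value:,.0f}")
    # Assumed effect of an added control (e.g. offline backups and MFA): LEF halved.
    halved = tuple(x / 2 for x in SCENARIO["lef"])
    saved = expected_loss_reduction(SCENARIO["lef"], SCENARIO["lm"], halved)
    print(f"  expected loss avoided by halving LEF: ${saved:,.0f}/year")
```

The numbers printed are only as good as the input ranges; the value of the exercise is that a control proposal can be argued in the same units as its cost, which is what lets the CRMP feed board-level decisions rather than a list of unranked findings.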
This guide assumes familiarity with the overall NIST cybersecurity methodology and aims to equip organizations with actionable insights to develop, refine, and sustain an effective cyber risk governance strategy.
Read the Guide: How to Use FAIR to Mature Your Cyber Risk Management Program Based on NIST CSF 2.0
The FAIR Institute Standards Committee wants to know your reaction. Reach out to us at standards@fairinstitute.org!