At the FAIR Institute, we’ve long admired and supported the National Institute of Standards and Technology (NIST) for its leadership in advancing cybersecurity and risk management practices. The NIST Cybersecurity Framework (CSF) 2.0, the Risk Management Framework (RMF), and related guidance have helped thousands of organizations build stronger, more resilient cyber risk programs rooted in well-defined principles and measurable outcomes.
[Image from NIST IR 8286r1 showing the enterprise hierarchy for cyber risk management]
We were especially encouraged by NIST’s continued efforts to integrate cybersecurity with enterprise risk management (ERM) through the IR 8286 publication series. In a world where cyber risk is increasingly recognized as business risk, this integration is no longer optional—it’s essential. The 8286 series recognizes that fact and offers a much-needed roadmap to help risk and cybersecurity leaders align language, processes, and priorities across organizational silos.
With that in mind, the FAIR Institute’s Standards Committee, management team, and other members jointly submitted comments on three public draft documents: NIST IR 8286r1, 8286Ar1, and 8286Cr1. Our feedback aims to support and strengthen NIST’s vision by highlighting the importance of quantitative methods, scenario-based risk articulation, and alignment with industry-proven models such as FAIR, FAIR-CAM™, and the FAIR Cyber Risk Scenario taxonomy.
We’re pleased to share our full letter to NIST below, and we hope it contributes to the ongoing development of clear, actionable guidance that bridges cyber and enterprise risk in a way that’s both practical and defensible.
************************
Date: April 14, 2025
Re: Comments on NIST IR 8286r1, 8286Ar1, and 8286Cr1 – Public Drafts
Dear NIST Cybersecurity Team,
On behalf of the FAIR Institute’s Standards Committee and our broader membership—over 16,000 cyber risk professionals from private industry, government, and academia—we thank NIST for its continued leadership in advancing the integration of cybersecurity and enterprise risk management (ERM).
We appreciate the opportunity to review the initial public drafts of NIST IR 8286r1, 8286Ar1, and 8286Cr1, and are encouraged by many of the updates in this series. Below, we provide feedback and recommendations based on our experience advancing cyber risk quantification standards, including the FAIR model and its extensions (FAIR-CAM and the FAIR Cyber Risk Scenario taxonomy). We recommend referring to the following supporting references: the FAIR Controls Analytics Model (FAIR-CAM) and our recently released Cyber Risk Scenario (CRS) Guide.
We commend NIST for describing quantitative methods of assessment and noting that they “are based on statistical probabilities and a monetized valuation of loss or gain.” We also appreciate your explicit references to quantitative techniques such as Bayesian analysis, Monte Carlo simulation, and PERT-like three-point estimation. These approaches are foundational to the FAIR model and reflect best practices in modern cyber risk quantification. Their inclusion significantly strengthens the practical utility of these publications.
In our experience, enterprise risk management programs very often measure risks in quantitative terms using techniques such as value-at-risk (VaR) models and loss distribution approaches (LDAs) for risk types such as market risk, portfolio risk, credit risk, and operational risk. Given the need to allocate capital and other resources across the many types of risk, ERM leaders are best served by the quantification of all types of risk, including cybersecurity risk, where possible. We therefore recommend stronger encouragement of cyber risk quantification, where possible, so that cybersecurity risk conforms with and aids enterprise risk management decisions.
IR 8286r1 (borrowing from NIST SP 800-30r1) appears to describe “semi-quantitative” assessment methods as a type of quantitative approach. We do not agree because those methods do not meet the criteria or address the goals of true quantitative methods. We recommend you describe three types of assessments, qualitative, quantitative, and semi-quantitative, and avoid implying that the semi-quantitative methods are a form of quantitative ones. We suggest you include a third bullet point on line 1009 of IR 8286r1 to make this clear.
Figures 6 and 7 in IR 8286r1 illustrate what appear to be scores derived from a “semi-quantitative” approach. The text then introduces the concept of an “exposure factor cost” in order to translate the numerical exposure factor to a monetary value. This is an unnecessary step, and introduces an additional concept that has not been described elsewhere in the 8286 series (as far as we can tell).
We recommend that NIST illustrate a quantitative risk register using a monetary impact value (rather than a numerical weighting) followed by an exposure value in monetary terms, avoiding the need for an “exposure factor cost.” This is consistent with the approach illustrated in Figure 18 of IR 8286Ar1.
Finally, we recommend that NIST encourage organizations to quantify risk in financial terms wherever feasible to support defensible prioritization and treatment decisions.
IR 8286r1 provides helpful elements for defining risk (threats, assets, vulnerabilities, consequences) but stops short of a coherent definition of a risk scenario. Specifically, we recommend that NIST define a risk scenario as the specific conditions (or factors) that create both a probable likelihood and a probable impact of a loss event. This will help cybersecurity leaders define scenarios in the context of events, rather than vague conditions or trends (e.g., cloud risk, AI risk, insider risk).
NIST IR 8286Ar1 makes a strong contribution by including techniques such as three-point estimation and encouraging the use of historical data to improve the accuracy of cybersecurity risk assessments. These are core practices in quantitative risk analysis and align well with methods used in frameworks such as FAIR.
However, the draft does not address a common and persistent challenge in enterprise environments: stakeholders often question the credibility of risk factor estimates, especially when based on expert judgment. This is also often true when integrating cybersecurity risk assessments into enterprise risk programs. To improve trust, transparency, and defensibility of estimates, we recommend that NIST expand its guidance to include estimation discipline techniques already used in the field—particularly those employed by practitioners of the FAIR model and other structured risk analysis methodologies.
These include:
These techniques directly address concerns from boards, regulators, and auditors who expect traceable and defendable estimates in line with how other business risks (e.g., financial, operational) are quantified. We encourage NIST to include these practices—particularly in Section 2.3.2 of 8286Ar1—and note that these are supported in frameworks such as FAIR and are increasingly adopted across sectors seeking to mature their risk quantification capabilities.
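As an added worked example (not part of the FAIR Institute letter or of the NIST drafts), the following Python script shows how the techniques named above fit together: PERT-style three-point estimates for loss event frequency and loss magnitude, a Monte Carlo simulation over those estimates, and a resulting risk-register row in which every field is a rate or a dollar amount, so no separate "exposure factor cost" translation step is needed. The scenario name, the three-point values, and the US$1M tolerance threshold are constructed illustrations, not data from either organization; the beta-PERT parameterization (shape weight 4) and Knuth's Poisson sampler are standard textbook methods.

```python
"""Annualized loss exposure from three-point estimates via Monte Carlo (added example)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    """A PERT-style three-point estimate: minimum, most likely, maximum."""
    low: float
    likely: float
    high: float

    def pert_mean(self) -> float:
        # Classic PERT weighting: the most-likely value counts four times.
        return (self.low + 4 * self.likely + self.high) / 6

    def sample(self, rng: random.Random) -> float:
        """Draw from the beta-PERT distribution implied by the three points."""
        width = self.high - self.low
        if width <= 0:
            return self.low  # degenerate estimate: no uncertainty to sample
        alpha = 1 + 4 * (self.likely - self.low) / width
        beta = 1 + 4 * (self.high - self.likely) / width
        return self.low + width * rng.betavariate(alpha, beta)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small per-year rates used here."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(frequency: ThreePoint, magnitude: ThreePoint,
                           trials: int = 20_000, seed: int = 1) -> list:
    """One trial = one simulated year: draw a rate, draw how many events occur
    at that rate, then draw a monetary loss for each event and add them up."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, frequency.sample(rng))
        losses.append(sum(magnitude.sample(rng) for _ in range(events)))
    return losses


def percentile(values, q: float) -> float:
    """Nearest-rank percentile (q in [0, 1]) of a list of simulated losses."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, int(round(q * (len(ordered) - 1))))
    return ordered[idx]


def register_row(scenario: str, frequency: ThreePoint, magnitude: ThreePoint,
                 tolerance_usd: float, trials: int = 20_000, seed: int = 1) -> dict:
    """One quantitative risk-register row: every numeric field is a rate or a
    dollar amount, so exposure is expressed in money with no weighting scores."""
    losses = simulate_annual_losses(frequency, magnitude, trials, seed)
    return {
        "scenario": scenario,
        "loss_event_frequency_per_year": frequency.pert_mean(),
        "loss_magnitude_usd_per_event": magnitude.pert_mean(),
        "annualized_loss_exposure_usd": statistics.fmean(losses),
        "annual_loss_p50_usd": statistics.median(losses),
        "annual_loss_p90_usd": percentile(losses, 0.90),
        "probability_exceeding_tolerance": sum(x > tolerance_usd for x in losses) / len(losses),
    }


# Constructed, illustrative estimates (not data from the NIST drafts or the FAIR Institute):
RANSOMWARE_FREQUENCY = ThreePoint(low=0.1, likely=0.5, high=2.0)              # events per year
RANSOMWARE_MAGNITUDE = ThreePoint(low=50_000, likely=250_000, high=2_000_000)  # USD per event

if __name__ == "__main__":
    row = register_row("Ransomware on file servers (constructed scenario)",
                       RANSOMWARE_FREQUENCY, RANSOMWARE_MAGNITUDE, tolerance_usd=1_000_000)
    for key, value in row.items():
        print(f"{key:34s} {value:,.2f}" if isinstance(value, float) else f"{key:34s} {value}")
```

Two checks a reviewer can apply to such a register row: the simulated mean must converge on `pert_mean(frequency) * pert_mean(magnitude)` as trials grow (if it does not, the sampler is wrong), and the low/high bounds of each three-point estimate, not the most-likely value, dominate the tail percentiles, which is exactly where calibrated estimation discipline and historical data earn their keep.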
The drafts do not specifically define a risk scenario, but IR 8286r1 (lines 801-807) describes the use of assets, threats, vulnerabilities, and consequences as the core components of risk identification. We recognize that this combination of factors has been used traditionally to define risk.
When defining risk scenarios, we recommend the use of “method” over “vulnerability” because method describes attacker behavior, covers multiple vulnerabilities that may be exploited by the attacker, and results in a scenario definition that is more stable and actionable over time. In many scenarios, attackers exploit multiple vulnerabilities or susceptible conditions to compromise an asset and cause harm; therefore, limiting a risk or a risk scenario definition to a vulnerability or even a set of vulnerabilities introduces unnecessary constraints for analysts.
Examples of methods include ransomware, phishing, account takeover, data corruption, and more. Cyber threat intelligence sources (e.g., MITRE ATT&CK) generally specify methods (i.e., tactics, techniques, and procedures) when describing threat actors. They often link methods to vulnerabilities and update their linkages as new vulnerabilities arise.
Our cyber risk scenario guide provides additional discussion of the use of methods.
7. Controls as Analytical Inputs, Not Just Treatment Mechanisms
The current drafts primarily position controls within risk response planning (e.g., Section 3.5 of IR 8286r1). We strongly recommend their inclusion during the risk analysis phase (Section 3.3). Specifically, the absence or weakness of controls drives susceptibility, a key determinant of risk.
Furthermore, we recommend that NIST consider a broader array of controls beyond what we call loss event controls (i.e., controls that directly reduce likelihood and/or impact). Other important types to consider when assessing risk are variance management controls (i.e., those that help ensure control effectiveness and coverage over time) and decision support controls (i.e., those that support the cost-effective use of controls).
For a deeper perspective on the consideration of controls in cyber risk analysis, please refer to the FAIR-CAM document.
8. Addressing Continuous Risk Monitoring via Systems
IR 8286r1 mentions continuous risk monitoring, but focuses largely on cultural and procedural aspects. We recommend that NIST address the use of Cyber Risk Management Systems (CRMS) or Cyber Risk Quantification Systems (CRQS). In Gartner’s July 2024 “Hype Cycle for Cyber Risk Management” report (G00812067), the firm predicts mainstream adoption within 2-5 years and a benefit rating of “High,” and they cite ten (10) vendors providing software solutions. In Forrester’s “Cyber Risk Quantification Solutions Landscape, Q4 2024” report (December 2024), the firm lists fourteen (14) vendors providing solutions and describes their increasing adoption.
These platforms vary in functionality but increasingly provide the following capabilities:
This system-level capability is critical for organizations seeking to implement continuous risk management at scale. IR 8286 refers to automated vulnerability scanners, and IR 8286A discusses automation support for asset discovery; however, we feel a more specific discussion of a data-driven, systematic approach to CSRM is warranted now that commercial and homegrown systems have been developed to pull together these datasets and automate many aspects of CSRM.
We also recommend discussing the use of a CRMS in 8286C in section 5.2 on monitoring risk.
9. Including FAIR in List of Acronyms
We recommend that “FAIR” (“Factor Analysis of Information Risk”) be added to the appropriate IR 8286 lists of acronyms due to its widespread adoption and its publication as Open Group and FAIR Institute standards.
The FAIR Institute appreciates the thoughtful and detailed work that NIST has invested in this revision cycle. We believe that with the incorporation of the recommendations above—especially the adoption of financial quantification, scenario definitions, system-based continuous monitoring, and control analytics—this series can offer clear, actionable guidance that bridges cyber and enterprise risk management.
We are available to engage in further dialogue and would welcome collaboration as NIST advances this critical body of work. This document represents the official views of the FAIR Institute (organization) and the personal views of those individuals below who are not employees of the FAIR Institute.
Sincerely,
The FAIR Institute
Standards Committee Members
Management
Contributing Members