A team of FAIR Institute members led by FAIR creator Jack Jones has mapped the CIS Critical Security Controls v8 to the new FAIR Controls Analytics Model (FAIR-CAM™). The CIS Controls are a popular 18-category set of best practices that, like other cybersecurity frameworks, tell you what controls to implement but not what measurable effect they have on reducing cyber risk, either singly or as an interdependent system. Jack developed FAIR-CAM to make compliance with frameworks more about mitigating risk than checking off boxes on a list.
The FAIR-CAM model:
>>Categorizes controls by type and function.
>>Sets them in relation to each other, clarifying their interplay.
>>Accounts for the direct and indirect effect of controls on risk.
>>Assigns units of measurement for control performance, enabling a quantitative approach to reliably analyzing the effectiveness of individual controls and of control systems.
A member of the FAIR-CAM mapping team, Drew Brown of the US Federal Aviation Administration (FAA), described the goal at a 2022 FAIR Conference session:
“Compliance is going to radically change. An assessor comes in and asks ‘does the control exist and is it functioning the way it’s supposed to?’ Now we know. We can actively measure and document if that control is doing what it is supposed to do. Now, when we get that audit finding we can answer if it is really a big deal or something we can work on in the next fiscal year.”
The FAIR Institute released the first FAIR-CAM mapping, to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), in December 2023. Mappings will continue with other cybersecurity standards from ISO, NIST and MITRE.
It’s difficult work, as these standards and frameworks weren’t developed with an explicit understanding of controls physiology. Jack writes that the broadly written descriptions in most control frameworks mean that many controls have to be mapped to multiple FAIR-CAM functions, making a simple maturity rating tough.
FAIR-CAM mapping also reveals potential gaps in the controls standards. For example, the mapping team found “there are no CIS controls specifically related to threat intelligence sources.”
In 2024, the FAIR Institute takes a serious run at expanding the scope and range of FAIR-based analysis, led by several Standards Workgroups. Get the story here: FAIR Institute Launches Research Initiative to Extend the FAIR Standard to AI, Third-Party Risk, Materiality Analytics. Also in 2024, expect to see the first FAIR-CAM-powered products hit the marketplace, bringing deeper insights into the controls stack in real time.