NIST Maps FAIR to the CSF - Big Step Forward in Acceptance of Cyber Risk Quantification
It's official: NIST has formally published FAIR as an Informative Reference to the NIST CSF, the most widely used cybersecurity framework in the U.S. This is a major milestone in the history of FAIR. It means there is now a formal mapping between FAIR and the NIST CSF standard in the sections covering risk analysis and risk management.
See FAIR officially listed in the Informative Reference Catalog on the NIST CSF website.
The FAIR Institute has long held that FAIR is a complementary standard to other information security frameworks. This is confirmation that organizations can be confident employing FAIR for their risk analyses alongside the other NIST CSF framework processes.
Jack Freund, PhD, co-author with Jack Jones of the FAIR book, Measuring and Managing Information Risk, and Risk Science Director for RiskLens, worked with NIST on behalf of the FAIR Institute to gain this recognition. Jack also moderated a panel discussion at the 2019 FAIR Conference entitled Building a Cybersecurity Program with a Risk Management Framework and FAIR. The panel included Ian Amit, CSO of Cimpress, recently cited by NIST as a "success story" in integrating FAIR and NIST CSF.
The CSF is essentially a very thorough, step-by-step walk-through of defensive measures for cybersecurity, including risk assessment (RA) and risk management (RM).
An example of the mapping:
ID.RA-4 Potential business impacts and likelihoods are identified
is mapped to:
FAIR Risk Taxonomy:
C13K - 3.5 - Forms of Loss
"The potential for loss stems from the value of the affected asset(s) and/or the liability it introduces to an organization..."
And it goes on to discuss the six forms of loss, familiar concepts to FAIR users.
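To make the mapping concrete, here is an added worked example (not from the article, NIST or the FAIR Institute) of what "potential business impacts and likelihoods are identified" looks like when carried out with FAIR's taxonomy: likelihood is expressed as a Loss Event Frequency (LEF) range, impact is expressed per event across the six FAIR forms of loss named in the standard (productivity, response, replacement, fines and judgments, competitive advantage, reputation), and the two are combined by Monte Carlo simulation into an annualized loss distribution. The scenario figures, the use of a PERT distribution for expert ranges, and the Poisson draw for event counts are all assumptions chosen for illustration; none of them appear on the page.

```python
import math
import random

# The six forms of loss from the FAIR Risk Taxonomy (the section ID.RA-4 maps to).
FORMS_OF_LOSS = (
    "productivity",
    "response",
    "replacement",
    "fines_and_judgments",
    "competitive_advantage",
    "reputation",
)

# Constructed scenario (hypothetical, not from the article): a ransomware outage
# on an order-processing system. Each value is a (min, most_likely, max) range
# as an analyst might calibrate it; per-event losses are in dollars.
SCENARIO = {
    "loss_event_frequency": (0.5, 2.0, 6.0),  # loss events per year (likelihood)
    "loss_magnitude": {                       # per-event impact by form of loss
        "productivity": (5_000, 20_000, 60_000),
        "response": (10_000, 40_000, 100_000),
        "replacement": (0, 5_000, 50_000),
        "fines_and_judgments": (0, 0, 250_000),
        "competitive_advantage": (0, 0, 100_000),
        "reputation": (0, 10_000, 500_000),
    },
}


def pert(rng, low, mode, high, lam=4.0):
    """Draw from a modified-PERT distribution over a (min, most likely, max) range.
    Assumption: PERT is a common way to turn calibrated ranges into samples."""
    if high == low:
        return float(low)
    a = 1.0 + lam * (mode - low) / (high - low)
    b = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, lam):
    """Number of loss events in one year given a rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(rng, scenario):
    """One simulated year: returns (total_loss, loss_by_form)."""
    rate = pert(rng, *scenario["loss_event_frequency"])
    events = poisson(rng, rate)
    by_form = {form: 0.0 for form in FORMS_OF_LOSS}
    for _ in range(events):
        for form in FORMS_OF_LOSS:
            by_form[form] += pert(rng, *scenario["loss_magnitude"][form])
    return sum(by_form.values()), by_form


def run_analysis(scenario=SCENARIO, trials=10_000, seed=1):
    """Monte Carlo over many years; returns summary statistics of annual loss."""
    rng = random.Random(seed)
    totals = []
    form_sums = {form: 0.0 for form in FORMS_OF_LOSS}
    for _ in range(trials):
        total, by_form = simulate_year(rng, scenario)
        totals.append(total)
        for form in FORMS_OF_LOSS:
            form_sums[form] += by_form[form]
    totals.sort()

    def pct(p):
        return totals[min(len(totals) - 1, int(p * len(totals)))]

    return {
        "mean_annual_loss": sum(totals) / trials,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": totals[-1],
        "forms": {form: form_sums[form] / trials for form in FORMS_OF_LOSS},
    }


if __name__ == "__main__":
    result = run_analysis()
    print(f"Mean annualized loss: ${result['mean_annual_loss']:,.0f}")
    for label in ("p10", "p50", "p90", "max"):
        print(f"  {label}: ${result[label]:,.0f}")
    print("Mean annual loss by form of loss:")
    for form, value in result["forms"].items():
        print(f"  {form:22s} ${value:,.0f}")
```

The percentiles are what a practitioner would put in front of management to justify a control investment: the p90 figure is the "bad year" exposure, and the per-form breakdown shows which of the six forms of loss dominates, which is exactly the business-impact identification ID.RA-4 asks for.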
"As the adoption of the NIST CSF has taken hold," says Nick Sanna, President of the FAIR Institute, "users of the framework found themselves in need of prioritizing the many activities the framework recommends as best practices. They needed to justify investments to management and to ultimately meet the requirements for building an effective risk management program so that they can help an organization achieve an acceptable level of risk, cost-effectively. Cost-effective risk management is stated as a goal in the first page of the NIST CSF. FAIR brings that vision to fulfillment."
Visit the NIST CSF website to see the new FAIR documentation in the Informative Reference Catalog.