Since Jack Jones introduced the FAIR Controls Analytics Model (FAIR-CAM™) at the 2021 FAIR Conference, “I get asked all the time, ‘Can we take our NIST CSF scores and plug them into FAIR-CAM and measure controls efficacy and risk reduction value?’” Jack told the first quarterly event in the 2022 FAIR Conference series.
Jack and a team from the FAIR Institute are hard at work mapping FAIR-CAM – the new standard for quantifying the risk-reduction effect of controls – to the most-used control framework (and the other popular frameworks, as well). It’s not an easy process but once completed, could lead to some fundamental improvements in how we use the NIST CSF and perhaps changes in the framework itself.
Watch the video of Jack’s presentation:
Overcoming the Challenges of Mapping NIST CSF to FAIR-CAM™ at the Q1 event in the FAIRCON event series for 2022. FAIR Institute membership required to view.
What is FAIR-CAM?
A model that:
- Categorizes controls by type and function
- Sets them in relation to each other, clarifying their interplay
- Accounts for the direct and indirect effect of controls on risk
- Assigns units of measurement for control performance, enabling a quantitative approach to reliably analyzing the effectiveness of controls and control systems.
The mapping problem, Jack said, is that FAIR-CAM precisely defines and categorizes control functions, while subcategories within the NIST CSF are defined in a way that covers multiple control functions in a single subcategory.
A case in point, from the NIST CSF Protect Function, is subcategory PR.AC-1, which covers identity management, as this chart shows:
“In order to map cleanly, the NIST CSF subcategories would have to be redefined to cover no more than a single function,” Jack said. Recognizing that this is not likely to happen anytime soon, the FAIR-CAM mapping team’s short-term goal is to bring more clarity to the NIST CSF by breaking out how each subcategory maps to multiple functions. Without this specificity about how subcategories affect risk, any effort to quantitatively measure risk using the NIST CSF is certain to generate unreliable results.
Jack is also working on creating a standard scoring system for the NIST CSF; currently, there is none. “Translating an undefined NIST score of '2' into real units of measurement is never going to stand up,” Jack said. “If we want to be able to score NIST subcategories in a way that translates to quantitative risk analysis and have them stand up, we have to have a very clearly defined scoring model.”
Also in development: a series of FAIR-CAM use cases. Later this year, he said, “we expect to have the ability to demonstrate the application of FAIR-CAM that I think will blow the socks off people in terms of what this can do analytically.”