CIS 8.0 to FAIR-CAM Mapping V1
PDF | Thought Leadership
A team of FAIR Institute members led by FAIR creator Jack Jones has mapped the CIS Critical Security Controls v8.0 to the new FAIR Controls Analytics Model (FAIR-CAM™). The CIS Controls are a popular 18-category set of best practices that, like other cybersecurity frameworks, tell you what controls to implement but not what measurable effect they have on reducing cyber risk, either singly or as an interdependent system. Jack developed FAIR-CAM to make compliance with frameworks more about mitigating risk than about checking off boxes on a list.
The FAIR-CAM model:
- Categorizes controls by type and function.
- Sets them in relation to each other, clarifying their interplay.
- Accounts for the direct and indirect effects of controls on risk.
- Assigns units of measurement for control performance, enabling a quantitative approach to reliable analysis of the effectiveness of controls and control systems.
A member of the FAIR-CAM mapping team, Drew Brown of the US Federal Aviation Administration (FAA), described the goal at a 2022 FAIR Conference session:
“Compliance is going to radically change. An assessor comes in and asks: does the control exist, and is it functioning the way it’s supposed to? Now we know. We can actively measure and document whether that control is doing what it’s supposed to do. Now when we get that audit finding we can answer if it is really a big deal or something we can work on in the next fiscal year.”
The FAIR Institute released the first mapping, to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), in December 2023, and the mapping effort will continue with other cybersecurity standards from ISO, NIST and MITRE.
It’s difficult work, as these standards and frameworks aren’t built around a coherent view of what it takes to reduce cybersecurity risk. Jack writes that the broadly worded descriptions in the CIS Controls meant that many controls had to be mapped to multiple FAIR-CAM categories, which makes a simple maturity rating hard to derive. The FAIR Institute uncovered a similar problem with the NIST CSF mapping and sent a letter to NIST proposing that “the NIST CSF sub-categories have to be redefined to cover no more than a single control function.”
FAIR-CAM analysis also reveals gaps in the controls standards. As Jack reports, the mapping team found “there are no CIS controls specifically related to threat intelligence sources.”
In 2024, the FAIR Institute takes a serious run at expanding the scope and range of FAIR-based analysis, led by several Standards Workgroups. Get the story here: FAIR Institute Launches Research Initiative to Extend the FAIR Standard to AI, Third-Party Risk, Materiality Analytics. Also in 2024, expect to see the first FAIR-CAM-powered products hit the marketplace, bringing deeper insight into the controls stack in real time.