NIST Maps FAIR to the NIST CSF, Major Recognition of the Power of Cyber Risk Quantification

Following is re-published from the FAIR Institute website:

Today marks a milestone in the history of FAIR (Factor Analysis of Information Risk) as NIST has formally published FAIR as an Informative Reference to the NIST CSF, the most widely used cybersecurity framework in the U.S. This means that there is mapping between FAIR and the NIST CSF standard in the sections covering risk analysis and risk management.

The FAIR Institute has long held that FAIR is a complementary standard to other information security frameworks. This is confirmation that organizations can be confident employing FAIR for their risk analyses alongside the other NIST CSF framework processes.

Jack Freund, PhD, co-author with Jack Jones of the FAIR book, Measuring and Managing Information Risk and Risk Science Director for RiskLens, has been working with NIST on behalf of the FAIR Institute to gain this recognition. Jack is also going to be moderating a panel discussion at the upcoming FAIR Conference, September 24-25, entitled “Building a Cybersecurity Program with a Risk Management Framework and FAIR.” This panel will have Kevin Stine, Chief of the Applied Cybersecurity Division of NIST, as well as Ian Amit, CSO of Cimpress (recently cited by NIST as a “success story” in integrating FAIR and NIST CSF), and will be a great opportunity to hear from people responsible for these standards and those that have implemented them.

The CSF is essentially a very thorough, step-by-step walk-through of defensive measures for cybersecurity, including risk assessment (RA) and risk management (RM).

An example of the mapping:

NIST CSF:

ID.RA-4 Potential business impacts and likelihoods are identified

Is mapped to:

FAIR Risk Taxonomy:

C13K – 3.5 – Forms of Loss

“The potential for loss stems from the value of the affected asset(s) and/or the liability it introduces to an organization…”

And it goes on to discuss the six forms of loss, familiar concepts to FAIR users.

“As the adoption of the NIST CSF has taken hold,” says Nick Sanna, CEO of RiskLens, “users of the framework found themselves in need of prioritizing the many activities the framework recommends as best practices. They needed to justify investments to management and to ultimately meet the requirements for building an effective risk management program so that they can help an organization achieve an acceptable level of risk, cost-effectively. Cost-effective risk management is stated as a goal in the first page of the NIST CSF. FAIR brings that vision to fulfillment.”

Visit the NIST CSF website to see the new FAIR documentation in the Informative Reference Catalog.


The RiskLens Platform is the only application purpose-built on the FAIR model and with the participation of Jack Jones, creator of FAIR. RiskLens is the technical adviser to the FAIR Institute and the leading trainer of FAIR analysts. More than 6,000 risk professionals are members of the FAIR Institute, representing about one-third of the Fortune 1000.

Let's Talk About Your Cyber Risk in Business Terms

RiskLens is leading a revolution in the way cyber risk is assessed, measured and managed by bringing to market a Software as a Service solution that makes cyber risk quantification a reality.
We help organizations translate cyber risk from the technical into the economic language of business.

Schedule a Demo