From bbc77ff4f3c99c7b8b96fd0e43394f67f370b948 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 14:45:32 -0500 Subject: [PATCH 01/24] refactor a _Valued mixin class --- src/ssvc/_mixins.py | 14 ++++++++++++++ src/ssvc/decision_points/base.py | 12 +++--------- src/test/test_doctools.py | 8 ++++---- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/src/ssvc/_mixins.py b/src/ssvc/_mixins.py index 414c99e1..10b19973 100644 --- a/src/ssvc/_mixins.py +++ b/src/ssvc/_mixins.py @@ -65,6 +65,20 @@ class _Keyed(BaseModel): key: str +class _Valued(BaseModel): + """ + Mixin class for valued SSVC objects. + """ + + values: tuple + + def __iter__(self): + """ + Allow iteration over the values in the object. + """ + return iter(self.values) + + def exclude_if_none(value): return value is None diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index 869e3263..bd06340e 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -20,7 +20,7 @@ from pydantic import BaseModel -from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Valued, _Versioned logger = logging.getLogger(__name__) @@ -61,18 +61,12 @@ class SsvcDecisionPointValue(_Base, _Keyed, BaseModel): """ -class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, BaseModel): +class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, _Valued, BaseModel): """ Models a single decision point as a list of values. """ - values: list[SsvcDecisionPointValue] = [] - - def __iter__(self): - """ - Allow iteration over the decision points in the group. - """ - return iter(self.values) + values: tuple[SsvcDecisionPointValue, ...] def __init__(self, **data): super().__init__(**data) diff --git a/src/test/test_doctools.py b/src/test/test_doctools.py index c59226a5..aedbed8b 100644 --- a/src/test/test_doctools.py +++ b/src/test/test_doctools.py 
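Review bot: The bare `values: tuple` annotation on the new `_Valued` mixin validates the container, not its elements, so a model that mixes it in without re-annotating the field gets an unchecked tuple; the class docstring should say so. Suggest extending it with `Subclasses are expected to narrow the element type, e.g. ``values: tuple[SsvcDecisionPointValue, ...]``; ``values`` has no default and is therefore required on every model that mixes this in.` The `__iter__` docstring is fine as written.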
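Review bot: The `SsvcDecisionPoint` docstring still reads "Models a single decision point as a list of values" although the field is now `tuple[SsvcDecisionPointValue, ...]` and, with the `= []` default removed, required; suggest `Models a single decision point as an ordered, immutable tuple of values. ``values`` is required.` Dropping the default is also a behavior change for any caller that constructed a decision point without `values`, which deserves a line in the commit message. The `__init__` that follows continues outside the hunk.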
@@ -31,10 +31,10 @@ "key": "DPT", "name": "Decision Point Test", "description": "This is a test decision point.", - "values": [ + "values": ( {"key": "N", "name": "No", "description": "No means no"}, {"key": "Y", "name": "Yes", "description": "Yes means yes"}, - ], + ), } @@ -120,9 +120,9 @@ def test_dump_json(self): self.assertTrue(os.path.exists(json_file)) # file is loadable json - d = json.load(open(json_file)) + new_obj = SsvcDecisionPoint.model_validate(json.load(open(json_file))) for k, v in dp.model_dump().items(): - self.assertEqual(v, d[k]) + self.assertEqual(getattr(dp, k), getattr(new_obj, k)) # should not overwrite the file overwrite = False From 1cd67e92cdb4be5332f80c52b831c9064974fb04 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:21:14 -0500 Subject: [PATCH 02/24] add incident severity decision point (+1 squashed commit) Squashed commits: [7e4fada] update incident severity --- src/ssvc/decision_points/base.py | 2 +- src/ssvc/decision_points/nciss/__init__.py | 28 +++++++++++++++++ src/ssvc/decision_points/nciss/base.py | 36 ++++++++++++++++++++++ 3 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 src/ssvc/decision_points/nciss/__init__.py create mode 100644 src/ssvc/decision_points/nciss/base.py diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index bd06340e..af511c91 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -61,7 +61,7 @@ class SsvcDecisionPointValue(_Base, _Keyed, BaseModel): """ -class SsvcDecisionPoint(_Base, _Keyed, _Versioned, _Namespaced, _Valued, BaseModel): +class SsvcDecisionPoint(_Valued, _Keyed, _Versioned, _Namespaced, _Base, BaseModel): """ Models a single decision point as a list of values. """ diff --git a/src/ssvc/decision_points/nciss/__init__.py b/src/ssvc/decision_points/nciss/__init__.py new file mode 100644 index 00000000..b8650798 --- /dev/null +++ b/src/ssvc/decision_points/nciss/__init__.py 
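Review bot: After the change in `test_dump_json`, `v` from `dp.model_dump().items()` is unused — the loop now reads only the keys, so `for k in dp.model_dump():` says what it does. The new `json.load(open(json_file))` also keeps the file open until the handle happens to be collected; `with open(json_file) as f:` / `new_obj = SsvcDecisionPoint.model_validate(json.load(f))` closes it deterministically, which matters because the following lines reuse the same path with `overwrite`. The method continues outside the hunk.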
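Review bot: The base-class reorder on `SsvcDecisionPoint` in PATCH 02 (`_Valued` first, `_Base` last) changes the MRO with no comment saying why, so a reader cannot tell which attribute or method the new order is meant to make win. Suggest a comment above the class such as `# _Valued precedes _Base so its ``values``/``__iter__`` take precedence in the MRO — see _mixins.py`, adjusted to whatever conflict actually motivated it (presumably something `_Base` defines; its body is not in this patch).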
@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+"""
+file: __init__.py
+author: adh
+created_at: 2/20/25 2:23 PM
+"""
+
+
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
+
+def main():
+ pass
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/nciss/base.py b/src/ssvc/decision_points/nciss/base.py
new file mode 100644
index 00000000..914c0346
--- /dev/null
+++ b/src/ssvc/decision_points/nciss/base.py
@@ -0,0 +1,36 @@ +#!/usr/bin/env python +""" +Provides a base class for decision points modeled after the US National Cyber Incident Scoring System +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from pydantic import BaseModel + +from ssvc.decision_points import SsvcDecisionPoint + + +class NcissDecisionPoint(SsvcDecisionPoint, BaseModel): + """ + Models a single NCISS decision point as a list of values. + """ + + namespace: str = "nciss" + + +def main(): + pass + + +if __name__ == "__main__": + main() From b349146b6d383d2ae515f84be4c92c57120bdbb5 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:28:40 -0500 Subject: [PATCH 03/24] add recoverability decision point (+1 squashed commit) Squashed commits: [f5827ab] add recoverability add incident severity decision point --- .../nciss/incident_severity.md | 29 +++ mkdocs.yml | 2 + .../nciss/incident_severity.py | 168 ++++++++++++++++++ 3 files changed, 199 insertions(+) create mode 100644 docs/reference/decision_points/nciss/incident_severity.md create mode 100644 src/ssvc/decision_points/nciss/incident_severity.py 
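Review bot: `NcissDecisionPoint(SsvcDecisionPoint, BaseModel)` lists `BaseModel` explicitly although `SsvcDecisionPoint` already derives from it (PATCH 01, base.py), and the trailing `def main(): pass` plus `if __name__ == "__main__":` block is dead code in a base-class module; `class NcissDecisionPoint(SsvcDecisionPoint):` and deleting the stub are enough. The docstring also repeats "as a list of values" while `values` is a tuple. Whether `namespace: str = "nciss"` overrides what `_Namespaced` declares depends on that mixin, which is not in this patch — presumably it declares `namespace` as a plain field so a subclass default wins; confirm.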
diff --git a/docs/reference/decision_points/nciss/incident_severity.md b/docs/reference/decision_points/nciss/incident_severity.md new file mode 100644 index 00000000..dae4a3ad --- /dev/null +++ b/docs/reference/decision_points/nciss/incident_severity.md @@ -0,0 +1,29 @@ +# Incident Severity + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.incident_severity import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` + +Version 2.0.0 is based on the +[National Cyber Incident Scoring System](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) +developed by the Cybersecurity and Infrastructure Security Agency (CISA). + +Version 1.0.0 is based on the +[Cyber Incident Severity Schema](https://obamawhitehouse.archives.gov/sites/whitehouse.gov/files/documents/Cyber%2BIncident%2BSeverity%2BSchema.pdf) +adopted by the United States Federal Cybersecurity Centers, in coordination with departments and agencies with a +cybersecurity or cyber operations mission. + +## Previous Versions + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.incident_severity import VERSIONS +from ssvc.doc_helpers import example_block + +versions = VERSIONS[:-1] +for version in versions: + print(example_block(version)) +``` + diff --git a/mkdocs.yml b/mkdocs.yml index 922b7a98..dde5c903 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -71,6 +71,8 @@ nav: - Human Impact: 'reference/decision_points/human_impact.md' - Public Safety Impact: 'reference/decision_points/public_safety_impact.md' - Utility: 'reference/decision_points/utility.md' + - NCISS Decision Points: + - Incident Severity: 'reference/decision_points/nciss/incident_severity.md' - Code: - Intro: 'reference/code/index.md' - CSV Analyzer: 'reference/code/analyze_csv.md' 
diff --git a/src/ssvc/decision_points/nciss/incident_severity.py b/src/ssvc/decision_points/nciss/incident_severity.py
new file mode 100644
index 00000000..df771acb
--- /dev/null
+++ b/src/ssvc/decision_points/nciss/incident_severity.py
@@ -0,0 +1,168 @@ +#!/usr/bin/env python +""" +Provides a decision point for Incident Severity. +Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points.base import SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs +from ssvc.decision_points.nciss.base import NcissDecisionPoint + +# Define the values for the Cyber Incident Severity decision point +# Intentionally omitting the color codes from the original schema at this time +# We can add them later if needed +LEVEL_5 = SsvcDecisionPointValue( + name="Emergency", + key="5", + description="Poses an imminent threat to the provision of wide-scale critical infrastructure services, national " + "government stability, or to the lives of U.S. 
persons.", +) + +LEVEL_4 = SsvcDecisionPointValue( + name="Severe", + key="4", + description="Likely to result in a significant impact to public health or safety, national security, economic " + "security, foreign relations, or civil liberties.", +) + +LEVEL_3 = SsvcDecisionPointValue( + name="High", + key="3", + description="Likely to result in a demonstrable impact to public health or safety, national security, economic " + "security, foreign relations, civil liberties, or public confidence.", +) + +LEVEL_2 = SsvcDecisionPointValue( + name="Medium", + key="2", + description="May impact public health or safety, national security, economic security, foreign relations, civil " + "liberties, or public confidence.", +) + +LEVEL_1 = SsvcDecisionPointValue( + name="Low", + key="1", + description="Unlikely to impact public health or safety, national security, economic security, foreign relations, " + "civil liberties, or public confidence.", +) + +LEVEL_0 = SsvcDecisionPointValue( + name="Baseline", + key="0", + description="Unsubstantiated or inconsequential event.", +) + +# Define the Cyber Incident Severity decision point +INCIDENT_SEVERITY = NcissDecisionPoint( + name="Incident Severity", + description="The United States Federal Cybersecurity Centers, in coordination " + "with departments and agencies with a cybersecurity or cyber operations mission, " + "adopted a common schema for describing the severity of cyber incidents affecting " + "the homeland, U.S. capabilities, or U.S. interests.", + key="IS", + version="1.0.0", + values=( + LEVEL_0, + LEVEL_1, + LEVEL_2, + LEVEL_3, + LEVEL_4, + LEVEL_5, + ), +) + +LEVEL_5_1 = SsvcDecisionPointValue( + name="Emergency", + key="5", + description="An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure " + "services, national government stability, or the lives of U.S. 
persons.", +) + +LEVEL_4_1 = SsvcDecisionPointValue( + name="Severe", + key="4", + description="A Severe priority incident is likely to result in a significant impact to public health or safety, national security, " + "economic security, foreign relations, or civil liberties.", +) + +LEVEL_3_1 = SsvcDecisionPointValue( + name="High", + key="3", + description="A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, " + "economic security, foreign relations, civil liberties, or public confidence.", +) + +LEVEL_2_1 = SsvcDecisionPointValue( + name="Medium", + key="2", + description="A Medium priority incident may affect public health or safety, national security, economic security, foreign " + "relations, civil liberties, or public confidence.", +) + +LEVEL_1_1 = SsvcDecisionPointValue( + name="Low", + key="1", + description="A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign " + "relations, civil liberties, or public confidence.", +) + +LEVEL_0_MINOR = SsvcDecisionPointValue( + name="Baseline - Minor", + key="0M", + description="A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, " + "national security, economic security, foreign relations, civil liberties, or public confidence. The potential for " + "impact, however, exists and warrants additional scrutiny.", +) + +LEVEL_0_NEGLIGIBLE = SsvcDecisionPointValue( + name="Baseline - Negligible", + key="0N", + description="A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, " + "national security, economic security, foreign relations, civil liberties, or public confidence. 
The potential for " + "impact, however, exists and warrants additional scrutiny.", +) + +INCIDENT_SEVERITY_2 = NcissDecisionPoint( + name="Incident Severity", + description="After an incident is scored, it is assigned a priority level. " + "The six levels listed below are aligned with CISA, " + "the Department of Homeland Security (DHS), " + "and the CISS to help provide a common lexicon when discussing incidents. " + "This priority assignment drives CISA urgency, " + "pre-approved incident response offerings, " + "reporting requirements, and recommendations for leadership escalation.", + key="IS", + version="2.0.0", + values=( + LEVEL_0_MINOR, + LEVEL_0_NEGLIGIBLE, + LEVEL_1_1, + LEVEL_2_1, + LEVEL_3_1, + LEVEL_4_1, + LEVEL_5_1, + ), +) + +VERSIONS = (INCIDENT_SEVERITY, INCIDENT_SEVERITY_2) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() From 0e40c2f6d205ea897474ca88162ea6b4935a0cb9 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:10:28 -0500 Subject: [PATCH 04/24] add observed activity location --- .../nciss/observed_activity_location.md | 8 ++ mkdocs.yml | 1 + .../nciss/observed_activity_location.py | 108 ++++++++++++++++++ 3 files changed, 117 insertions(+) create mode 100644 docs/reference/decision_points/nciss/observed_activity_location.md create mode 100644 src/ssvc/decision_points/nciss/observed_activity_location.py diff --git a/docs/reference/decision_points/nciss/observed_activity_location.md b/docs/reference/decision_points/nciss/observed_activity_location.md new file mode 100644 index 00000000..d3c797a6 --- /dev/null +++ b/docs/reference/decision_points/nciss/observed_activity_location.md @@ -0,0 +1,8 @@ +# Observed Location of Activity + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` 
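Review bot: `LEVEL_0_MINOR` and `LEVEL_0_NEGLIGIBLE` carry identical `description` strings, so the two 2.0.0 baseline values differ only by `name` and `key`; the Negligible text looks like a copy of the Minor text and should be checked against the cited NCISS document before `example_block` publishes it. The module docstring attributes the whole module to NCISS, while the docs page and the `description` of `INCIDENT_SEVERITY` show that 1.0.0 comes from the earlier Cyber Incident Severity Schema; a sentence such as `Version 1.0.0 follows the Cyber Incident Severity Schema; 2.0.0 follows NCISS.` would keep code and page consistent. The 2.0.0 ordering (`LEVEL_0_MINOR` before `LEVEL_0_NEGLIGIBLE`) is presumably meant to be least-severe first like the 1.0.0 tuple; if so, Negligible belongs before Minor — confirm.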
diff --git a/mkdocs.yml b/mkdocs.yml index dde5c903..a2287c31 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -73,6 +73,7 @@ nav: - Utility: 'reference/decision_points/utility.md' - NCISS Decision Points: - Incident Severity: 'reference/decision_points/nciss/incident_severity.md' + - Observed Activity Location: 'reference/decision_points/nciss/observed_activity_location.md' - Code: - Intro: 'reference/code/index.md' - CSV Analyzer: 'reference/code/analyze_csv.md' diff --git a/src/ssvc/decision_points/nciss/observed_activity_location.py b/src/ssvc/decision_points/nciss/observed_activity_location.py new file mode 100644 index 00000000..10ae35d1 --- /dev/null +++ b/src/ssvc/decision_points/nciss/observed_activity_location.py 
@@ -0,0 +1,108 @@ +#!/usr/bin/env python +""" +Provides a decision point for the location of observed activity. +Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs +from ssvc.decision_points.nciss.base import NcissDecisionPoint + + +LEVEL_0 = SsvcDecisionPointValue( + name="Unsuccessful", + key="0", + description="Existing network defenses repelled all observed activity.", +) + + +LEVEL_1 = SsvcDecisionPointValue( + name="Business Demilitarized Zone", + key="1", + description="Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet.", +) + + +LEVEL_2 = SsvcDecisionPointValue( + name="Business Network", + key="2", + description="Activity was observed in the business or corporate network of the victim. 
These systems would be corporate user workstations, application servers, and other non-core management systems.", +) + + +LEVEL_3 = SsvcDecisionPointValue( + name="Business Network Management", + key="3", + description="Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores.", +) + +LEVEL_4 = SsvcDecisionPointValue( + name="Critical System DMZ", + key="4", + description="Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.", +) + +LEVEL_5 = SsvcDecisionPointValue( + name="Critical System Management", + key="5", + description="Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems.", +) + +LEVEL_6 = SsvcDecisionPointValue( + name="Critical Systems", + key="6", + description="Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments.", +) + +LEVEL_7 = SsvcDecisionPointValue( + name="Safety Systems", + key="7", + description="Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system.", +) + +UNKNOWN = SsvcDecisionPointValue( + name="Unknown", + key="U", + description="Activity was observed, but the network segment could not be identified.", +) + +OBSERVED_ACTIVITY_LOCATION = NcissDecisionPoint( + name="Observed Activity Location", + description="The location of observed activity describes where the observed activity was detected in the network. 
", + key="OAL", + version="1.0.0", + values=( + LEVEL_0, + LEVEL_1, + LEVEL_2, + LEVEL_3, + LEVEL_4, + LEVEL_5, + LEVEL_6, + LEVEL_7, + UNKNOWN, + ), +) + +VERSIONS = (OBSERVED_ACTIVITY_LOCATION,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() From 0fe62b8d31160da395aabe595de91bb21860b718 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:22:35 -0500 Subject: [PATCH 05/24] add index --- docs/reference/decision_points/nciss/index.md | 17 +++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 18 insertions(+) create mode 100644 docs/reference/decision_points/nciss/index.md diff --git a/docs/reference/decision_points/nciss/index.md b/docs/reference/decision_points/nciss/index.md new file mode 100644 index 00000000..650d3626 --- /dev/null +++ b/docs/reference/decision_points/nciss/index.md @@ -0,0 +1,17 @@ +# National Cybersecurity Incident Scoring System (NCISS) Decision Points + +The [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) +was developed by the Cybersecurity and Infrastructure Security Agency (CISA). + +Although the NCISS is implemented as a numerical scoring system, a number of +its criteria are amenable to modeling using SSVC decision points. We have +included a few examples here. + +## Decision Points + +
+ +- [Incident Severity](incident_severity.md) +- [Observed Location of Activity](observed_activity_location.md) + +
\ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index a2287c31..30ffb146 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -72,6 +72,7 @@ nav: - Public Safety Impact: 'reference/decision_points/public_safety_impact.md' - Utility: 'reference/decision_points/utility.md' - NCISS Decision Points: + - 'reference/decision_points/nciss/index.md' - Incident Severity: 'reference/decision_points/nciss/incident_severity.md' - Observed Activity Location: 'reference/decision_points/nciss/observed_activity_location.md' - Code: From 0aa9f93a56ba6bdc41cad352608fa289e95530ab Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:28:52 -0500 Subject: [PATCH 06/24] add recoverability add recoverability decision point --- docs/reference/decision_points/nciss/index.md | 1 + .../decision_points/nciss/recoverability.md | 8 ++ mkdocs.yml | 1 + .../decision_points/nciss/recoverability.py | 98 +++++++++++++++++++ 4 files changed, 108 insertions(+) create mode 100644 docs/reference/decision_points/nciss/recoverability.md create mode 100644 src/ssvc/decision_points/nciss/recoverability.py diff --git a/docs/reference/decision_points/nciss/index.md b/docs/reference/decision_points/nciss/index.md index 650d3626..a6dc8470 100644 --- a/docs/reference/decision_points/nciss/index.md +++ b/docs/reference/decision_points/nciss/index.md @@ -13,5 +13,6 @@ included a few examples here. - [Incident Severity](incident_severity.md) - [Observed Location of Activity](observed_activity_location.md) +- [Recoverability](recoverability.md) \ No newline at end of file diff --git a/docs/reference/decision_points/nciss/recoverability.md b/docs/reference/decision_points/nciss/recoverability.md new file mode 100644 index 00000000..897983ef --- /dev/null +++ b/docs/reference/decision_points/nciss/recoverability.md 
@@ -0,0 +1,8 @@ +# Recoverability + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.recoverability import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/mkdocs.yml b/mkdocs.yml index 30ffb146..36c76dd5 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -75,6 +75,7 @@ nav: - 'reference/decision_points/nciss/index.md' - Incident Severity: 'reference/decision_points/nciss/incident_severity.md' - Observed Activity Location: 'reference/decision_points/nciss/observed_activity_location.md' + - Recoverability: 'reference/decision_points/nciss/recoverability.md' - Code: - Intro: 'reference/code/index.md' - CSV Analyzer: 'reference/code/analyze_csv.md' diff --git a/src/ssvc/decision_points/nciss/recoverability.py b/src/ssvc/decision_points/nciss/recoverability.py new file mode 100644 index 00000000..8654ff51 --- /dev/null +++ b/src/ssvc/decision_points/nciss/recoverability.py 
@@ -0,0 +1,98 @@ +#!/usr/bin/env python +""" +Provides a decision point to represent the recoverability of a system. +Based on the [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) +""" +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.helpers import print_versions_and_diffs +from ssvc.decision_points.nciss.base import NcissDecisionPoint + +# Copyright (c) 2025 Carnegie Mellon University and Contributors. +# - see Contributors.md for a full list of Contributors +# - see ContributionInstructions.md for information on how you can Contribute to this project +# Stakeholder Specific Vulnerability Categorization (SSVC) is +# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed +# with this Software or contact permission@sei.cmu.edu for full terms. +# Created, in part, with funding and support from the United States Government +# (see Acknowledgments file). 
This program may include and/or can make use of +# certain third party source code, object code, documentation and other files +# (“Third Party Software”). See LICENSE.md for more details. +# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the +# U.S. Patent and Trademark Office by Carnegie Mellon University + +# RECOVERABILITY +# Recoverability represents the scope of resources needed to recover from the incident. In many cases, an +# entity’s internal computer network defense staff will be able to handle an incident without external support, +# resulting in a recoverability classification of Regular. An example of a Regular recovery would be a phishing +# email that was automatically blocked by a mail server. In Extended recoverability cases, significant efforts +# such as a multi-agency, multi-organizational response task force may be needed for recovery. For example, if +# an entity requests support from CISA, the incident is by its nature an Extended recovery. Lastly, it may not be +# feasible to recover from some types of incidents, such as significant confidentiality or privacy compromises. +# REGULAR +# Time to recovery is predictable with existing resources. + +REGULAR = SsvcDecisionPointValue( + name="Regular", + key="R", + description="Time to recovery is predictable with existing resources.", +) + +# SUPPLEMENTED +# Time to recover is predictable with additional resources. + +SUPPLEMENTED = SsvcDecisionPointValue( + name="Supplemented", + key="S", + description="Time to recover is predictable with additional resources.", +) + +# EXTENDED +# Time to recovery is unpredictable; additional resources and outside assistance may be required. 
+ +EXTENDED = SsvcDecisionPointValue( + name="Extended", + key="E", + description="Time to recovery is unpredictable; additional resources and outside assistance may be required.", +) + +# NOT RECOVERABLE +# Recovery from the incident is not possible (e.g., sensitive data was exfiltrated and posted publicly, +# investigation launched). + +NOT_RECOVERABLE = SsvcDecisionPointValue( + name="Not Recoverable", + key="N", + description="Recovery from the incident is not possible (e.g., sensitive data was exfiltrated and posted publicly, investigation launched).", +) + +RECOVERABILITY = NcissDecisionPoint( + name="Recoverability", + description="Represents the scope of resources needed to recover from the incident.", + key="RECOVERABILITY", + version="1.0.0", + values=(REGULAR, SUPPLEMENTED, EXTENDED, NOT_RECOVERABLE), +) + +VERSIONS = (RECOVERABILITY,) +LATEST = VERSIONS[-1] + + +def main(): + print_versions_and_diffs(VERSIONS) + + +if __name__ == "__main__": + main() From b1c44b2f24242caf95278cc3675e88b84b62ef6b Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:49:55 -0500 Subject: [PATCH 07/24] s/cybersecurity/cyber/ --- docs/reference/decision_points/nciss/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/decision_points/nciss/index.md b/docs/reference/decision_points/nciss/index.md index a6dc8470..23e85496 100644 --- a/docs/reference/decision_points/nciss/index.md +++ b/docs/reference/decision_points/nciss/index.md 
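Review bot: `key="RECOVERABILITY"` departs from the short-abbreviation convention of the sibling decision points in this series (`IS`, `OAL`) and of this file's own value keys (`R`, `S`, `E`, `N`); since the key is what serialized output and consumers match on, settling on a short abbreviation before merge avoids a later breaking rename. The copyright header also appears twice, once before and once after the imports, and the `# REGULAR` through `# NOT RECOVERABLE` comment blocks repeat each `description` verbatim, so one copy of each is enough.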
@@ -1,6 +1,6 @@ # National Cybersecurity Incident Scoring System (NCISS) Decision Points -The [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) +The [National Cyber Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) was developed by the Cybersecurity and Infrastructure Security Agency (CISA). Although the NCISS is implemented as a numerical scoring system, a number of From 466bf0d06d273f9f197a69595172ab47c2e17d86 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 15:59:05 -0500 Subject: [PATCH 08/24] markdownlint --- docs/reference/decision_points/nciss/incident_severity.md | 3 +-- docs/reference/decision_points/nciss/index.md | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/reference/decision_points/nciss/incident_severity.md b/docs/reference/decision_points/nciss/incident_severity.md index dae4a3ad..c8b2d54a 100644 --- a/docs/reference/decision_points/nciss/incident_severity.md +++ b/docs/reference/decision_points/nciss/incident_severity.md @@ -11,7 +11,7 @@ Version 2.0.0 is based on the [National Cyber Incident Scoring System](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) developed by the Cybersecurity and Infrastructure Security Agency (CISA). -Version 1.0.0 is based on the +Version 1.0.0 is based on the [Cyber Incident Severity Schema](https://obamawhitehouse.archives.gov/sites/whitehouse.gov/files/documents/Cyber%2BIncident%2BSeverity%2BSchema.pdf) adopted by the United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission. @@ -26,4 +26,3 @@ versions = VERSIONS[:-1] for version in versions: print(example_block(version)) ``` - 
diff --git a/docs/reference/decision_points/nciss/index.md b/docs/reference/decision_points/nciss/index.md index 23e85496..ec4152f4 100644 --- a/docs/reference/decision_points/nciss/index.md +++ b/docs/reference/decision_points/nciss/index.md @@ -15,4 +15,4 @@ included a few examples here. - [Observed Location of Activity](observed_activity_location.md) - [Recoverability](recoverability.md) - \ No newline at end of file + From 703afc13aeb16aacaba5673de09f0512e1a2b2ca Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 20 Feb 2025 16:07:46 -0500 Subject: [PATCH 09/24] fix docstrings and comments --- src/ssvc/decision_points/nciss/__init__.py | 19 ++--------- .../decision_points/nciss/recoverability.py | 33 ------------------- 2 files changed, 3 insertions(+), 49 deletions(-) diff --git a/src/ssvc/decision_points/nciss/__init__.py b/src/ssvc/decision_points/nciss/__init__.py index b8650798..775560dd 100644 --- a/src/ssvc/decision_points/nciss/__init__.py +++ b/src/ssvc/decision_points/nciss/__init__.py @@ -1,11 +1,3 @@ -#!/usr/bin/env python -""" -file: __init__.py -author: adh -created_at: 2/20/25 2:23 PM -""" - - # Copyright (c) 2025 Carnegie Mellon University and Contributors. # - see Contributors.md for a full list of Contributors # - see ContributionInstructions.md for information on how you can Contribute to this project @@ -18,11 +10,6 @@ # (“Third Party Software”). See LICENSE.md for more details. # Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the # U.S. Patent and Trademark Office by Carnegie Mellon University - - -def main(): - pass - - -if __name__ == "__main__": - main() +""" +This module contains decision points based on the National Cyber Incident Scoring System (NCISS). +""" diff --git a/src/ssvc/decision_points/nciss/recoverability.py b/src/ssvc/decision_points/nciss/recoverability.py index 8654ff51..df9b6d11 100644 --- a/src/ssvc/decision_points/nciss/recoverability.py 
+++ b/src/ssvc/decision_points/nciss/recoverability.py 
@@ -20,29 +20,6 @@ from ssvc.decision_points.helpers import print_versions_and_diffs from ssvc.decision_points.nciss.base import NcissDecisionPoint -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University - -# RECOVERABILITY -# Recoverability represents the scope of resources needed to recover from the incident. In many cases, an -# entity’s internal computer network defense staff will be able to handle an incident without external support, -# resulting in a recoverability classification of Regular. An example of a Regular recovery would be a phishing -# email that was automatically blocked by a mail server. In Extended recoverability cases, significant efforts -# such as a multi-agency, multi-organizational response task force may be needed for recovery. For example, if -# an entity requests support from CISA, the incident is by its nature an Extended recovery. Lastly, it may not be -# feasible to recover from some types of incidents, such as significant confidentiality or privacy compromises. -# REGULAR -# Time to recovery is predictable with existing resources. REGULAR = SsvcDecisionPointValue( name="Regular", 
@@ -50,28 +27,18 @@ description="Time to recovery is predictable with existing resources.", ) -# SUPPLEMENTED -# Time to recover is predictable with additional resources. - SUPPLEMENTED = SsvcDecisionPointValue( name="Supplemented", key="S", description="Time to recover is predictable with additional resources.", ) -# EXTENDED -# Time to recovery is unpredictable; additional resources and outside assistance may be required. - EXTENDED = SsvcDecisionPointValue( name="Extended", key="E", description="Time to recovery is unpredictable; additional resources and outside assistance may be required.", ) -# NOT RECOVERABLE -# Recovery from the incident is not possible (e.g., sensitive data was exfiltrated and posted publicly, -# investigation launched). - NOT_RECOVERABLE = SsvcDecisionPointValue( name="Not Recoverable", key="N", From ee96d8df2af31526db53ecd8663fb4bd727bb3c2 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Mon, 10 Mar 2025 16:22:08 -0400 Subject: [PATCH 10/24] add observed_activity.py --- .../nciss/observed_activity.py | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 src/ssvc/decision_points/nciss/observed_activity.py diff --git a/src/ssvc/decision_points/nciss/observed_activity.py b/src/ssvc/decision_points/nciss/observed_activity.py new file mode 100644 index 00000000..5a579c6e --- /dev/null +++ b/src/ssvc/decision_points/nciss/observed_activity.py 
@@ -0,0 +1,72 @@
+#!/usr/bin/env python
+"""
+Provides the NCISS Observed Activity Decision Point.
+"""
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points.base import SsvcDecisionPointValue
+from ssvc.decision_points.helpers import print_versions_and_diffs
+from ssvc.decision_points.nciss.base import NcissDecisionPoint
+
+PREPARE = SsvcDecisionPointValue(
+ key="P",
+ name="Prepare",
+ description="Prepare actions are actions taken to establish objectives, intent, and strategy; "
+ "identify potential targets and attack vectors; "
+ "identify resource requirements; "
+ "and develop capabilities.",
+)
+
+ENGAGE = SsvcDecisionPointValue(
+ key="E",
+ name="Engage",
+ description="Engage activities are actions taken against a specific target or target set prior to gaining, "
+ "but with the intent to gain access to the victim's physical or virtual computer or information systems, "
+ "networks, and data stores.",
+)
+
+PRESENCE = SsvcDecisionPointValue(
+ key="R",
+ name="Presence",
+ description="Presence is the set of actions taken by the threat actor once access to the target physical or "
+ "virtual computer or information system has been achieved. "
+ "These actions establish and maintain conditions for the threat actor to perform intended actions "
+ "or operate at will against the host physical or virtual computer or information system, network, "
+ "or data stores.",
+)
+
+EFFECT = SsvcDecisionPointValue(
+ key="F",
+ name="Effect",
+ description="Effects are outcomes of a threat actor’s actions "
+ "on a victim’s physical or virtual computer or information systems, networks, and data stores.",
+)
+
+
+OBSERVED_ACTIVITY = NcissDecisionPoint(
+ key="OA",
+ name="Observed Activity",
+ description="Observed activity describes what is known about threat actor activity on the network.",
+ values=(PREPARE, ENGAGE, PRESENCE, EFFECT),
+)
+
+VERSIONS = (OBSERVED_ACTIVITY,)
+LATEST = VERSIONS[-1]
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == '__main__':
+ main()
From 10b4c4c152281428126adc9e497835c2dc1a8475 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Mon, 10 Mar 2025 16:42:01 -0400 Subject: [PATCH 11/24] add functional_impact.py and information_impact.py --- .../nciss/functional_impact.py | 133 ++++++++++++++++ .../nciss/information_impact.py | 144 ++++++++++++++++++ 2 files changed, 277 insertions(+) create mode 100644 src/ssvc/decision_points/nciss/functional_impact.py create mode 100644 src/ssvc/decision_points/nciss/information_impact.py
diff --git a/src/ssvc/decision_points/nciss/functional_impact.py b/src/ssvc/decision_points/nciss/functional_impact.py new file mode 100644
index 00000000..1a65c7b8
--- /dev/null
+++ b/src/ssvc/decision_points/nciss/functional_impact.py
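Review bot: `OBSERVED_ACTIVITY` is constructed without a `version=` argument, while the other decision points in this series (`RECOVERABILITY`, `FUNCTIONAL_IMPACT_1`, `INFORMATION_IMPACT_1`) pass `version="1.0.0"` explicitly; if `_Versioned` supplies a default this still works, but an explicit `version="1.0.0",` after `name="Observed Activity",` keeps the modules uniform and makes the version that the docs and `print_versions_and_diffs` report deliberate rather than inherited. Two style nits in the same hunk: `if __name__ == '__main__':` uses single quotes where the sibling modules use `"__main__"`, and `def main():` is preceded by only one blank line; `black` would rewrite both.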
@@ -0,0 +1,133 @@
+#!/usr/bin/env python
+"""
+Provides the NCISS Functional Impact decision point and values.
+"""
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points.base import SsvcDecisionPointValue
+from ssvc.decision_points.helpers import print_versions_and_diffs
+from ssvc.decision_points.nciss.base import NcissDecisionPoint
+
+IMPACT_NONE = SsvcDecisionPointValue(
+ key="N",
+ name="No Impact",
+ description="Organization has experienced no loss in ability to provide all services to all users.",
+)
+
+LOW = SsvcDecisionPointValue(
+ key="L",
+ name="Low",
+ description="Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance.",
+)
+
+MEDIUM = SsvcDecisionPointValue(
+ key="M",
+ name="Medium",
+ description="Organization has lost the ability to provide a critical service to a subset of system users.",
+)
+
+HIGH = SsvcDecisionPointValue(
+ key="H",
+ name="High",
+ description="Organization has lost the ability to provide all critical services to all system users.",
+)
+
+FUNCTIONAL_IMPACT_1 = NcissDecisionPoint(
+ key="FI",
+ name="Functional Impact",
+ version="1.0.0",
+ description="A measure of the impact to business functionality or ability to provide services.",
+ values=(
+ IMPACT_NONE,
+ LOW,
+ MEDIUM,
+ HIGH,
+ ),
+)
+
+NO_IMPACT = SsvcDecisionPointValue(
+ key="N",
+ name="No Impact",
+ description="Event has no impact.",
+)
+
+NO_IMPACT_TO_SERVICES = SsvcDecisionPointValue(
+ key="S",
+ name="No Impact to Services",
+ description="Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers.",
+)
+
+MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES = SsvcDecisionPointValue(
+ key="M",
+ name="Minimal Impact to Non-Critical Services",
+ description="Some small level of impact to non-critical systems and services.",
+)
+
+MINIMAL_IMPACT_TO_CRITICAL_SERVICES = SsvcDecisionPointValue(
+ key="C",
+ name="Minimal Impact to Critical Services",
+ description="Minimal impact but to a critical system or service, such as email or active directory.",
+)
+
+SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES = SsvcDecisionPointValue(
+ key="I",
+ name="Significant Impact to Non-Critical Services",
+ description="A non-critical service or system has a significant impact.",
+)
+
+DENIAL_OF_NON_CRITICAL_SERVICES = SsvcDecisionPointValue(
+ key="D",
+ name="Denial of Non-Critical Services",
+ description="A non-critical system is denied or destroyed.",
+)
+
+SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES = SsvcDecisionPointValue(
+ key="T",
+ name="Significant Impact to Critical Services",
+ description="A critical system has a significant impact, such as local administrative account compromise.",
+)
+
+DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL = SsvcDecisionPointValue(
+ key="L",
+ name="Denial of Critical Services/Loss of Control",
+ description="A critical system has been rendered unavailable.",
+)
+
+
+FUNCTIONAL_IMPACT_2 = NcissDecisionPoint(
+ key="FI",
+ name="Functional Impact",
+ version="2.0.0",
+ description="A measure of the impact to business functionality or ability to provide services.",
+ values=(
+ NO_IMPACT,
+ NO_IMPACT_TO_SERVICES,
+ MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES,
+ MINIMAL_IMPACT_TO_CRITICAL_SERVICES,
+ SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES,
+ DENIAL_OF_NON_CRITICAL_SERVICES,
+ SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES,
+ DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL,
+ ),
+)
+
+VERSIONS = (FUNCTIONAL_IMPACT_1,FUNCTIONAL_IMPACT_2,)
+LATEST = VERSIONS[-1]
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/src/ssvc/decision_points/nciss/information_impact.py b/src/ssvc/decision_points/nciss/information_impact.py new file mode 100644
index 00000000..09fd5ec1
--- /dev/null
+++ b/src/ssvc/decision_points/nciss/information_impact.py
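Review bot: The single-letter value keys are reused across the two versions with different meanings while both versions share `key="FI"`: in 1.0.0 `L` is "Low" and `M` is "Medium", in 2.0.0 `L` is "Denial of Critical Services/Loss of Control" and `M` is "Minimal Impact to Non-Critical Services". Anything that persists or compares a selection as `FI:L` without the version string therefore changes meaning silently between versions; the same applies to `C` ("Classified" in 1.0.0 vs "Critical Systems Data Breach" in 2.0.0) in information_impact.py in this commit. A module-level comment makes that contract explicit, e.g. `# Value keys are only meaningful together with the decision point version: several letters are reused between 1.0.0 and 2.0.0 with different meanings.` above `IMPACT_NONE`, and the same comment belongs in information_impact.py.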
@@ -0,0 +1,144 @@
+#!/usr/bin/env python
+"""
+Provides the NCISS Information Impact Decision Point.
+"""
+# Copyright (c) 2025 Carnegie Mellon University and Contributors.
+# - see Contributors.md for a full list of Contributors
+# - see ContributionInstructions.md for information on how you can Contribute to this project
+# Stakeholder Specific Vulnerability Categorization (SSVC) is
+# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed
+# with this Software or contact permission@sei.cmu.edu for full terms.
+# Created, in part, with funding and support from the United States Government
+# (see Acknowledgments file). This program may include and/or can make use of
+# certain third party source code, object code, documentation and other files
+# (“Third Party Software”). See LICENSE.md for more details.
+# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the
+# U.S. Patent and Trademark Office by Carnegie Mellon University
+
+from ssvc.decision_points.base import SsvcDecisionPointValue
+from ssvc.decision_points.helpers import print_versions_and_diffs
+from ssvc.decision_points.nciss.base import NcissDecisionPoint
+
+IMPACT_NONE = SsvcDecisionPointValue(
+ key="N",
+ name="None",
+ description="No information was exfiltrated, modified, deleted, or otherwise compromised.",
+)
+
+INTEGRITY = SsvcDecisionPointValue(
+ key="I",
+ name="Integrity",
+ description="The necessary integrity of information was modified without authorization.",
+)
+
+PRIVACY = SsvcDecisionPointValue(
+ key="P",
+ name="Privacy",
+ description="The confidentiality of personally identifiable information (PII) "
+ "or personal health information (PHI) was compromised.",
+)
+
+PROPRIETARY = SsvcDecisionPointValue(
+ key="R",
+ name="Proprietary",
+ description="The confidentiality of unclassified proprietary information, such as "
+ "protected critical infrastructure information (PCII), intellectual property, or "
+ "trade secrets was compromised.",
+)
+
+CLASSIFIED = SsvcDecisionPointValue(
+ key="C",
+ name="Classified",
+ description="The confidentiality of classified information was compromised.",
+)
+
+
+INFORMATION_IMPACT_1 = NcissDecisionPoint(
+ key="II",
+ name="Information Impact",
+ version="1.0.0",
+ description="Describes the type of information lost, compromised, or corrupted.",
+ values=(IMPACT_NONE, INTEGRITY, PRIVACY, PROPRIETARY, CLASSIFIED),
+)
+
+
+NO_IMPACT = SsvcDecisionPointValue(
+ key="N",
+ name="No Impact",
+ description="No known data impact.",
+)
+
+SUSPECTED_BUT_NOT_IDENTIFIED = SsvcDecisionPointValue(
+ key="S",
+ name="Suspected But Not Identified",
+ description="A data loss or impact to availability is suspected, but no direct confirmation exists.",
+)
+
+PROPRIETARY_INFORMATION_BREACH = SsvcDecisionPointValue(
+ key="R",
+ name="Proprietary Information Breach",
+ description="The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.",
+)
+
+PRIVACY_DATA_BREACH = SsvcDecisionPointValue(
+ key="P",
+ name="Privacy Data Breach",
+ description="The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.",
+)
+
+
+CRITICAL_SYSTEMS_DATA_BREACH = SsvcDecisionPointValue(
+ key="C",
+ name="Critical Systems Data Breach",
+ description="Data pertaining to a critical system has been exfiltrated.",
+)
+
+DESTRUCTION_OF_NON_CRITICAL_SYSTEMS = SsvcDecisionPointValue(
+ key="D",
+ name="Destruction of Non-Critical Systems",
+ description="Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system.",
+)
+
+
+CORE_CREDENTIAL_COMPROMISE = SsvcDecisionPointValue(
+ key="O",
+ name="Core Credential Compromise",
+ description="Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated.",
+)
+
+DESTRUCTION_OF_CRITICAL_SYSTEM = SsvcDecisionPointValue(
+ key="E",
+ name="Destruction of Critical System",
+ description="Destructive techniques, such as MBR overwrite; have been used against a critical system.",
+)
+
+INFORMATION_IMPACT_2 = NcissDecisionPoint(
+ key="II",
+ name="Information Impact",
+ version="2.0.0",
+ description="Describes the type of information lost, compromised, or corrupted.",
+ values=(
+ NO_IMPACT,
+ SUSPECTED_BUT_NOT_IDENTIFIED,
+ PRIVACY_DATA_BREACH,
+ PROPRIETARY_INFORMATION_BREACH,
+ DESTRUCTION_OF_NON_CRITICAL_SYSTEMS,
+ CRITICAL_SYSTEMS_DATA_BREACH,
+ CORE_CREDENTIAL_COMPROMISE,
+ DESTRUCTION_OF_CRITICAL_SYSTEM,
+ ),
+)
+
+VERSIONS = (
+ INFORMATION_IMPACT_1,
+ INFORMATION_IMPACT_2,
+)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
From 990a8ca107f3e93596ce4666e38bec81e1b75e17 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Mon, 10 Mar 2025 16:55:59 -0400 Subject: [PATCH 12/24] remove example from value --- src/ssvc/decision_points/nciss/recoverability.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ssvc/decision_points/nciss/recoverability.py b/src/ssvc/decision_points/nciss/recoverability.py
index df9b6d11..52b68aa9 100644
--- a/src/ssvc/decision_points/nciss/recoverability.py
+++ b/src/ssvc/decision_points/nciss/recoverability.py
@@ -42,7 +42,7 @@ NOT_RECOVERABLE = SsvcDecisionPointValue( name="Not Recoverable", key="N",
- description="Recovery from the incident is not possible (e.g., sensitive data was exfiltrated and posted publicly, investigation launched).",
+ description="Recovery from the incident is not possible.",
 ) RECOVERABILITY = NcissDecisionPoint( From 3fe850e712c2bc213c2e19b33832fa14f3b14b08 Mon Sep 17 00:00:00 2001
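Review bot: The definition order of the 2.0.0 values does not match the order in which `INFORMATION_IMPACT_2` lists them: `PROPRIETARY_INFORMATION_BREACH` is defined before `PRIVACY_DATA_BREACH` and `CRITICAL_SYSTEMS_DATA_BREACH` before `DESTRUCTION_OF_NON_CRITICAL_SYSTEMS`, yet the tuple lists each pair the other way round. If the tuple order is meant to be the severity ordering (it looks that way, but nothing in the hunk says so), reorder the definitions to match or add `# values are listed from least to most severe; keep the definitions above in the same order` above `values=(` so a later edit does not quietly shuffle them. Separately, the `description` strings of `DESTRUCTION_OF_NON_CRITICAL_SYSTEMS` and `DESTRUCTION_OF_CRITICAL_SYSTEM` contain a stray semicolon (`overwrite; have been used`) where a comma reads correctly; these strings are rendered into the reference docs, so worth fixing unless they deliberately mirror the source document's punctuation.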
From: "Allen D. Householder" Date: Mon, 10 Mar 2025 16:57:56 -0400 Subject: [PATCH 13/24] add comments with reference links --- src/ssvc/decision_points/nciss/functional_impact.py | 11 ++++++++--- src/ssvc/decision_points/nciss/information_impact.py | 3 ++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/ssvc/decision_points/nciss/functional_impact.py b/src/ssvc/decision_points/nciss/functional_impact.py index 1a65c7b8..4b7cfda6 100644 --- a/src/ssvc/decision_points/nciss/functional_impact.py +++ b/src/ssvc/decision_points/nciss/functional_impact.py @@ -43,6 +43,7 @@ description="Organization has lost the ability to provide all critical services to all system users.", ) +## based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf FUNCTIONAL_IMPACT_1 = NcissDecisionPoint( key="FI", name="Functional Impact", @@ -104,7 +105,7 @@ description="A critical system has been rendered unavailable.", ) - +# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf FUNCTIONAL_IMPACT_2 = NcissDecisionPoint( key="FI", name="Functional Impact", @@ -122,12 +123,16 @@ ), ) -VERSIONS = (FUNCTIONAL_IMPACT_1,FUNCTIONAL_IMPACT_2,) +VERSIONS = ( + FUNCTIONAL_IMPACT_1, + FUNCTIONAL_IMPACT_2, +) LATEST = VERSIONS[-1] + def main(): print_versions_and_diffs(VERSIONS) -if __name__ == '__main__': +if __name__ == "__main__": main() diff --git a/src/ssvc/decision_points/nciss/information_impact.py b/src/ssvc/decision_points/nciss/information_impact.py index 09fd5ec1..007c2ee1 100644 --- a/src/ssvc/decision_points/nciss/information_impact.py +++ b/src/ssvc/decision_points/nciss/information_impact.py 
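Review bot: The comment added above `FUNCTIONAL_IMPACT_1` uses a double hash, `## based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf`, while the three sibling comments in this commit (above `FUNCTIONAL_IMPACT_2` here and above both decision points in information_impact.py) use a single `# based on`. pycodestyle flags the doubled hash as E266 and it reads as a different kind of comment; make it `# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf` to match the others.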
@@ -52,7 +52,7 @@ description="The confidentiality of classified information was compromised.", ) - +# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf INFORMATION_IMPACT_1 = NcissDecisionPoint( key="II", name="Information Impact", @@ -112,6 +112,7 @@ description="Destructive techniques, such as MBR overwrite; have been used against a critical system.", ) +# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf INFORMATION_IMPACT_2 = NcissDecisionPoint( key="II", name="Information Impact", From 7ae9f4e2c22ac4eeedeeff0bafc32328613ebee9 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 12 Mar 2025 11:12:24 -0400 Subject: [PATCH 14/24] add functional impact, info impact, observed activity reference docs --- docs/reference/decision_points/nciss/functional_impact.md | 8 ++++++++ .../reference/decision_points/nciss/information_impact.md | 8 ++++++++ docs/reference/decision_points/nciss/observed_activity.md | 8 ++++++++ mkdocs.yml | 3 +++ 4 files changed, 27 insertions(+) create mode 100644 docs/reference/decision_points/nciss/functional_impact.md create mode 100644 docs/reference/decision_points/nciss/information_impact.md create mode 100644 docs/reference/decision_points/nciss/observed_activity.md diff --git a/docs/reference/decision_points/nciss/functional_impact.md b/docs/reference/decision_points/nciss/functional_impact.md new file mode 100644 index 00000000..d3c797a6 --- /dev/null +++ b/docs/reference/decision_points/nciss/functional_impact.md @@ -0,0 +1,8 @@ +# Observed Location of Activity + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` 
diff --git a/docs/reference/decision_points/nciss/information_impact.md b/docs/reference/decision_points/nciss/information_impact.md new file mode 100644 index 00000000..d3c797a6 --- /dev/null +++ b/docs/reference/decision_points/nciss/information_impact.md @@ -0,0 +1,8 @@ +# Observed Location of Activity + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/docs/reference/decision_points/nciss/observed_activity.md b/docs/reference/decision_points/nciss/observed_activity.md new file mode 100644 index 00000000..d3c797a6 --- /dev/null +++ b/docs/reference/decision_points/nciss/observed_activity.md @@ -0,0 +1,8 @@ +# Observed Location of Activity + +```python exec="true" idprefix="" +from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` diff --git a/mkdocs.yml b/mkdocs.yml index bf288f86..fce4c59c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -109,7 +109,10 @@ nav: - Target Distribution: 'reference/decision_points/cvss/target_distribution.md' - NCISS Decision Points: - 'reference/decision_points/nciss/index.md' + - Functional Impact: 'reference/decision_points/nciss/functional_impact.md' - Incident Severity: 'reference/decision_points/nciss/incident_severity.md' + - Information Impact: 'reference/decision_points/nciss/information_impact.md' + - Observed Activity: 'reference/decision_points/nciss/observed_activity.md' - Observed Activity Location: 'reference/decision_points/nciss/observed_activity_location.md' - Recoverability: 'reference/decision_points/nciss/recoverability.md' - Code: From ff1661e19115cc966f044ed46e4b269ca5de2a79 Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Thu, 13 Mar 2025 09:24:53 -0400 Subject: [PATCH 15/24] fix links --- docs/reference/decision_points/nciss/functional_impact.md | 5 ++--- docs/reference/decision_points/nciss/index.md | 3 +++ docs/reference/decision_points/nciss/information_impact.md | 4 ++-- docs/reference/decision_points/nciss/observed_activity.md | 4 ++-- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/docs/reference/decision_points/nciss/functional_impact.md b/docs/reference/decision_points/nciss/functional_impact.md index d3c797a6..654d0c86 100644 --- a/docs/reference/decision_points/nciss/functional_impact.md +++ b/docs/reference/decision_points/nciss/functional_impact.md @@ -1,7 +1,6 @@ -# Observed Location of Activity - +# Functional Impact ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.decision_points.nciss.functional_impact import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/docs/reference/decision_points/nciss/index.md b/docs/reference/decision_points/nciss/index.md index ec4152f4..c849b698 100644 --- a/docs/reference/decision_points/nciss/index.md +++ b/docs/reference/decision_points/nciss/index.md @@ -11,7 +11,10 @@ included a few examples here.
+- [Functional Impact](functional_impact.md) - [Incident Severity](incident_severity.md) +- [Information Impact](information_impact.md) +- [Observed Activity](observed_activity.md) - [Observed Location of Activity](observed_activity_location.md) - [Recoverability](recoverability.md) diff --git a/docs/reference/decision_points/nciss/information_impact.md b/docs/reference/decision_points/nciss/information_impact.md index d3c797a6..c6b500cf 100644 --- a/docs/reference/decision_points/nciss/information_impact.md +++ b/docs/reference/decision_points/nciss/information_impact.md @@ -1,7 +1,7 @@ -# Observed Location of Activity +# Information Impact ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.decision_points.nciss.information_impact import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/docs/reference/decision_points/nciss/observed_activity.md b/docs/reference/decision_points/nciss/observed_activity.md index d3c797a6..a4d4bfff 100644 --- a/docs/reference/decision_points/nciss/observed_activity.md +++ b/docs/reference/decision_points/nciss/observed_activity.md @@ -1,7 +1,7 @@ -# Observed Location of Activity +# Observed Activity ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.decision_points.nciss.observed_activity import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) From bb09944f0c75356464969545ff33dd24cdd4a7ce Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 13 Mar 2025 10:55:47 -0400 Subject: [PATCH 16/24] markdownlint --fix --- docs/reference/decision_points/nciss/functional_impact.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/reference/decision_points/nciss/functional_impact.md b/docs/reference/decision_points/nciss/functional_impact.md index 654d0c86..f94d7d70 100644 
--- a/docs/reference/decision_points/nciss/functional_impact.md +++ b/docs/reference/decision_points/nciss/functional_impact.md @@ -1,4 +1,5 @@ # Functional Impact + ```python exec="true" idprefix="" from ssvc.decision_points.nciss.functional_impact import LATEST from ssvc.doc_helpers import example_block From 433d2595bcd911479bdfb9701def5a23292ec276 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 13 Mar 2025 11:00:27 -0400 Subject: [PATCH 17/24] move header --- docs/reference/decision_points/nciss/incident_severity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/decision_points/nciss/incident_severity.md b/docs/reference/decision_points/nciss/incident_severity.md index c8b2d54a..69b8feef 100644 --- a/docs/reference/decision_points/nciss/incident_severity.md +++ b/docs/reference/decision_points/nciss/incident_severity.md @@ -11,13 +11,13 @@ Version 2.0.0 is based on the [National Cyber Incident Scoring System](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) developed by the Cybersecurity and Infrastructure Security Agency (CISA). +## Previous Versions + Version 1.0.0 is based on the [Cyber Incident Severity Schema](https://obamawhitehouse.archives.gov/sites/whitehouse.gov/files/documents/Cyber%2BIncident%2BSeverity%2BSchema.pdf) adopted by the United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission. -## Previous Versions - ```python exec="true" idprefix="" from ssvc.decision_points.nciss.incident_severity import VERSIONS from ssvc.doc_helpers import example_block From fbb93e29682dcea12807d2d2b06d9310d02eccf2 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 18 Mar 2025 16:30:16 -0400 Subject: [PATCH 18/24] add `nciss` namespace --- src/ssvc/decision_points/nciss/base.py | 3 ++- src/ssvc/namespaces.py | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/src/ssvc/decision_points/nciss/base.py b/src/ssvc/decision_points/nciss/base.py index 914c0346..9e3ab439 100644 --- a/src/ssvc/decision_points/nciss/base.py +++ b/src/ssvc/decision_points/nciss/base.py @@ -18,6 +18,7 @@ from pydantic import BaseModel from ssvc.decision_points import SsvcDecisionPoint +from ssvc.namespaces import NameSpace class NcissDecisionPoint(SsvcDecisionPoint, BaseModel): @@ -25,7 +26,7 @@ class NcissDecisionPoint(SsvcDecisionPoint, BaseModel): Models a single NCISS decision point as a list of values. """ - namespace: str = "nciss" + namespace: str = NameSpace.NCISS def main(): diff --git a/src/ssvc/namespaces.py b/src/ssvc/namespaces.py index 058d711e..ea55b230 100644 --- a/src/ssvc/namespaces.py +++ b/src/ssvc/namespaces.py @@ -31,6 +31,7 @@ class NameSpace(StrEnum): # when used in a StrEnum, auto() assigns the lowercase name of the member as the value SSVC = auto() CVSS = auto() + NCISS = auto() class NamespaceValidator: From e4caa134cf6e7de74f8c40b8ced4616b0211d83b Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 18 Mar 2025 16:34:35 -0400 Subject: [PATCH 19/24] add _Valued mixin --- src/ssvc/decision_points/base.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index 83b6fd79..2b01ab43 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -20,7 +20,7 @@ from pydantic import BaseModel -from ssvc._mixins import _Base, _Keyed, _Namespaced, _Versioned +from ssvc._mixins import _Base, _Keyed, _Namespaced, _Valued, _Versioned from ssvc.namespaces import NameSpace logger = logging.getLogger(__name__) 
@@ -62,7 +62,7 @@ class SsvcDecisionPointValue(_Base, _Keyed, BaseModel): """ -class SsvcDecisionPoint(_Keyed, _Versioned, _Namespaced, _Base, BaseModel): +class SsvcDecisionPoint(_Valued, _Keyed, _Versioned, _Namespaced, _Base, BaseModel): """ Models a single decision point as a list of values. """ From d42d61be57258bfd0c59a4ac7d3bc8e55290113e Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Thu, 27 Mar 2025 11:55:38 -0400 Subject: [PATCH 20/24] update copyright --- src/ssvc/decision_points/nciss/__init__.py | 30 ++++++---- src/ssvc/decision_points/nciss/base.py | 30 ++++++---- .../nciss/functional_impact.py | 30 ++++++---- .../nciss/incident_severity.py | 30 ++++++---- .../nciss/information_impact.py | 30 ++++++---- .../nciss/observed_activity.py | 55 +++++++++++-------- .../nciss/observed_activity_location.py | 30 ++++++---- .../decision_points/nciss/recoverability.py | 30 ++++++---- 8 files changed, 157 insertions(+), 108 deletions(-) diff --git a/src/ssvc/decision_points/nciss/__init__.py b/src/ssvc/decision_points/nciss/__init__.py index 775560dd..c7d4d2be 100644 --- a/src/ssvc/decision_points/nciss/__init__.py +++ b/src/ssvc/decision_points/nciss/__init__.py 
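Review bot: Putting `_Valued` first in the base list is load-bearing but undocumented: pydantic's `BaseModel` defines its own `__iter__` (yielding `(field, value)` pairs, which is what `dict(model)` relies on), so the MRO position decides whether `iter(dp)` walks the values or the fields. Add a comment on the class line such as `# _Valued must precede BaseModel so iter(dp) yields values, not (field, value) pairs` so the next reorder does not silently change iteration. The docstring just below still says "as a list of values"; with `_Valued` the collection is presumably a tuple now, so `Models a single decision point as an ordered tuple of values.` would match. The class body continues outside the hunk.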
@@ -1,15 +1,21 @@ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. 
+# DM24-0278 """ This module contains decision points based on the National Cyber Incident Scoring System (NCISS). """ diff --git a/src/ssvc/decision_points/nciss/base.py b/src/ssvc/decision_points/nciss/base.py index 9e3ab439..79e7995b 100644 --- a/src/ssvc/decision_points/nciss/base.py +++ b/src/ssvc/decision_points/nciss/base.py 
@@ -2,18 +2,24 @@ """ Provides a base class for decision points modeled after the US National Cyber Incident Scoring System """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. 
+# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 from pydantic import BaseModel diff --git a/src/ssvc/decision_points/nciss/functional_impact.py b/src/ssvc/decision_points/nciss/functional_impact.py index 4b7cfda6..d46d6e4e 100644 --- a/src/ssvc/decision_points/nciss/functional_impact.py +++ b/src/ssvc/decision_points/nciss/functional_impact.py 
@@ -2,18 +2,24 @@ """ Provides the NCISS Functional Impact decision point and values. """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. 
+# DM24-0278 from ssvc.decision_points.base import SsvcDecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/nciss/incident_severity.py b/src/ssvc/decision_points/nciss/incident_severity.py index df771acb..2964f47f 100644 --- a/src/ssvc/decision_points/nciss/incident_severity.py +++ b/src/ssvc/decision_points/nciss/incident_severity.py 
@@ -3,18 +3,24 @@ Provides a decision point for Incident Severity. Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. 
Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 from ssvc.decision_points.base import SsvcDecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/nciss/information_impact.py b/src/ssvc/decision_points/nciss/information_impact.py index 007c2ee1..131ef6d9 100644 --- a/src/ssvc/decision_points/nciss/information_impact.py +++ b/src/ssvc/decision_points/nciss/information_impact.py 
@@ -2,18 +2,24 @@ """ Provides the NCISS Information Impact Decision Point. """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. 
+# DM24-0278 from ssvc.decision_points.base import SsvcDecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/nciss/observed_activity.py b/src/ssvc/decision_points/nciss/observed_activity.py index 5a579c6e..7368c81e 100644 --- a/src/ssvc/decision_points/nciss/observed_activity.py +++ b/src/ssvc/decision_points/nciss/observed_activity.py 
@@ -2,18 +2,24 @@ """ Provides the NCISS Observed Activity Decision Point. """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. 
+# DM24-0278 from ssvc.decision_points.base import SsvcDecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs 
@@ -23,34 +29,34 @@ key="P", name="Prepare", description="Prepare actions are actions taken to establish objectives, intent, and strategy; " - "identify potential targets and attack vectors; " - "identify resource requirements; " - "and develop capabilities.", + "identify potential targets and attack vectors; " + "identify resource requirements; " + "and develop capabilities.", ) ENGAGE = SsvcDecisionPointValue( key="E", name="Engage", description="Engage activities are actions taken against a specific target or target set prior to gaining, " - "but with the intent to gain access to the victim's physical or virtual computer or information systems, " - "networks, and data stores.", + "but with the intent to gain access to the victim's physical or virtual computer or information systems, " + "networks, and data stores.", ) PRESENCE = SsvcDecisionPointValue( key="R", name="Presence", - description="Presence is the set of actions taken by the threat actor once access to the target physical or " - "virtual computer or information system has been achieved. " - "These actions establish and maintain conditions for the threat actor to perform intended actions " - "or operate at will against the host physical or virtual computer or information system, network, " - "or data stores.", + description="Presence is the set of actions taken by the threat actor once access to the target physical or " + "virtual computer or information system has been achieved. 
" + "These actions establish and maintain conditions for the threat actor to perform intended actions " + "or operate at will against the host physical or virtual computer or information system, network, " + "or data stores.", ) EFFECT = SsvcDecisionPointValue( key="F", name="Effect", description="Effects are outcomes of a threat actor’s actions " - "on a victim’s physical or virtual computer or information systems, networks, and data stores.", + "on a victim’s physical or virtual computer or information systems, networks, and data stores.", ) @@ -64,9 +70,10 @@ VERSIONS = (OBSERVED_ACTIVITY,) LATEST = VERSIONS[-1] + def main(): print_versions_and_diffs(VERSIONS) -if __name__ == '__main__': +if __name__ == "__main__": main() diff --git a/src/ssvc/decision_points/nciss/observed_activity_location.py b/src/ssvc/decision_points/nciss/observed_activity_location.py index 10ae35d1..be6584cc 100644 --- a/src/ssvc/decision_points/nciss/observed_activity_location.py +++ b/src/ssvc/decision_points/nciss/observed_activity_location.py 
@@ -3,18 +3,24 @@ Provides a decision point for the location of observed activity. Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. 
Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 from ssvc.decision_points import SsvcDecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs diff --git a/src/ssvc/decision_points/nciss/recoverability.py b/src/ssvc/decision_points/nciss/recoverability.py index 52b68aa9..4efcfec1 100644 --- a/src/ssvc/decision_points/nciss/recoverability.py +++ b/src/ssvc/decision_points/nciss/recoverability.py 
@@ -3,18 +3,24 @@ Provides a decision point to represent the recoverability of a system. Based on the [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf) """ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. 
Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 from ssvc.decision_points import SsvcDecisionPointValue from ssvc.decision_points.helpers import print_versions_and_diffs From 3d87594d0135b014979fdc8283676c9ff59a9021 Mon Sep 17 00:00:00 2001 
From: "Allen D. Householder" Date: Thu, 7 Aug 2025 14:01:51 -0400 Subject: [PATCH 21/24] merge nciss modules into ssvc.decision_points.cisa (+1 squashed commit) Squashed commits: [33590fc] use cisa namespace for nciss too --- .../cisa/functional_impact_1_0_0.json | 30 + .../cisa/functional_impact_2_0_0.json | 50 ++ .../cisa/incident_severity_1_0_0.json | 40 + .../cisa/incident_severity_2_0_0.json | 45 ++ .../cisa/information_impact_1_0_0.json | 35 + .../cisa/information_impact_2_0_0.json | 50 ++ .../cisa/observed_activity_0_0_1.json | 30 + .../observed_activity_location_1_0_0.json | 55 ++ .../cisa/recoverability_1_0_0.json | 30 + data/json/ssvc_object_registry.json | 715 ++++++++++++++++++ .../nciss/functional_impact.md | 2 +- .../nciss/incident_severity.md | 4 +- .../nciss/information_impact.md | 2 +- .../nciss/observed_activity.md | 2 +- .../nciss/observed_activity_location.md | 2 +- .../decision_points/nciss/recoverability.md | 2 +- src/ssvc/decision_points/cisa/base.py | 6 + .../{nciss => cisa}/functional_impact.py | 28 +- .../{nciss => cisa}/incident_severity.py | 30 +- .../{nciss => cisa}/information_impact.py | 30 +- .../{nciss => cisa}/observed_activity.py | 12 +- .../observed_activity_location.py | 23 +- .../{nciss => cisa}/recoverability.py | 13 +- src/ssvc/decision_points/nciss/__init__.py | 21 - src/ssvc/decision_points/nciss/base.py | 43 -- 25 files changed, 1160 insertions(+), 140 deletions(-) create mode 100644 data/json/decision_points/cisa/functional_impact_1_0_0.json create mode 100644 data/json/decision_points/cisa/functional_impact_2_0_0.json create mode 100644 data/json/decision_points/cisa/incident_severity_1_0_0.json create mode 100644 data/json/decision_points/cisa/incident_severity_2_0_0.json create mode 100644 data/json/decision_points/cisa/information_impact_1_0_0.json create mode 100644 data/json/decision_points/cisa/information_impact_2_0_0.json create mode 100644 data/json/decision_points/cisa/observed_activity_0_0_1.json create mode 
100644 data/json/decision_points/cisa/observed_activity_location_1_0_0.json
create mode 100644 data/json/decision_points/cisa/recoverability_1_0_0.json
rename src/ssvc/decision_points/{nciss => cisa}/functional_impact.py (85%)
rename src/ssvc/decision_points/{nciss => cisa}/incident_severity.py (91%)
rename src/ssvc/decision_points/{nciss => cisa}/information_impact.py (86%)
rename src/ssvc/decision_points/{nciss => cisa}/observed_activity.py (91%)
rename src/ssvc/decision_points/{nciss => cisa}/observed_activity_location.py (90%)
rename src/ssvc/decision_points/{nciss => cisa}/recoverability.py (89%)
delete mode 100644 src/ssvc/decision_points/nciss/__init__.py
delete mode 100644 src/ssvc/decision_points/nciss/base.py
diff --git a/data/json/decision_points/cisa/functional_impact_1_0_0.json b/data/json/decision_points/cisa/functional_impact_1_0_0.json
new file mode 100644
index 00000000..12273486
--- /dev/null
+++ b/data/json/decision_points/cisa/functional_impact_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa",
+ "key": "FI",
+ "version": "1.0.0",
+ "name": "Functional Impact",
+ "description": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "description": "Organization has experienced no loss in ability to provide all services to all users."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "Organization has lost the ability to provide a critical service to a subset of system users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "Organization has lost the ability to provide all critical services to all system users."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa/functional_impact_2_0_0.json b/data/json/decision_points/cisa/functional_impact_2_0_0.json
new file mode 100644
index 00000000..bda26d3a
--- /dev/null
+++ b/data/json/decision_points/cisa/functional_impact_2_0_0.json
@@ -0,0 +1,50 @@
+{
+ "namespace": "cisa",
+ "key": "FI",
+ "version": "2.0.0",
+ "name": "Functional Impact",
+ "description": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "description": "Event has no impact."
+ },
+ {
+ "key": "S",
+ "name": "No Impact to Services",
+ "description": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers."
+ },
+ {
+ "key": "M",
+ "name": "Minimal Impact to Non-Critical Services",
+ "description": "Some small level of impact to non-critical systems and services."
+ },
+ {
+ "key": "C",
+ "name": "Minimal Impact to Critical Services",
+ "description": "Minimal impact but to a critical system or service, such as email or active directory."
+ },
+ {
+ "key": "I",
+ "name": "Significant Impact to Non-Critical Services",
+ "description": "A non-critical service or system has a significant impact."
+ },
+ {
+ "key": "D",
+ "name": "Denial of Non-Critical Services",
+ "description": "A non-critical system is denied or destroyed."
+ },
+ {
+ "key": "T",
+ "name": "Significant Impact to Critical Services",
+ "description": "A critical system has a significant impact, such as local administrative account compromise."
+ },
+ {
+ "key": "L",
+ "name": "Denial of Critical Services/Loss of Control",
+ "description": "A critical system has been rendered unavailable."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa/incident_severity_1_0_0.json b/data/json/decision_points/cisa/incident_severity_1_0_0.json
new file mode 100644
index 00000000..41921928
--- /dev/null
+++ b/data/json/decision_points/cisa/incident_severity_1_0_0.json
@@ -0,0 +1,40 @@
+{
+ "namespace": "cisa",
+ "key": "IS",
+ "version": "1.0.0",
+ "name": "Incident Severity",
+ "description": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Baseline",
+ "description": "Unsubstantiated or inconsequential event."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "description": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "description": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "description": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "description": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "description": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa/incident_severity_2_0_0.json b/data/json/decision_points/cisa/incident_severity_2_0_0.json
new file mode 100644
index 00000000..65a28a88
--- /dev/null
+++ b/data/json/decision_points/cisa/incident_severity_2_0_0.json
@@ -0,0 +1,45 @@ +{ + "namespace": "cisa", + "key": "IS", + "version": "2.0.0", + "name": "Incident Severity", + "description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "0M", + "name": "Baseline - Minor", + "description": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + }, + { + "key": "0N", + "name": "Baseline - Negligible", + "description": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + }, + { + "key": "1", + "name": "Low", + "description": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "2", + "name": "Medium", + "description": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "3", + "name": "High", + "description": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." 
+ }, + { + "key": "4", + "name": "Severe", + "description": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + }, + { + "key": "5", + "name": "Emergency", + "description": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." + } + ] +} diff --git a/data/json/decision_points/cisa/information_impact_1_0_0.json b/data/json/decision_points/cisa/information_impact_1_0_0.json new file mode 100644 index 00000000..74d23703 --- /dev/null +++ b/data/json/decision_points/cisa/information_impact_1_0_0.json @@ -0,0 +1,35 @@ +{ + "namespace": "cisa", + "key": "II", + "version": "1.0.0", + "name": "Information Impact", + "description": "Describes the type of information lost, compromised, or corrupted.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "description": "No information was exfiltrated, modified, deleted, or otherwise compromised." + }, + { + "key": "I", + "name": "Integrity", + "description": "The necessary integrity of information was modified without authorization." + }, + { + "key": "P", + "name": "Privacy", + "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + }, + { + "key": "R", + "name": "Proprietary", + "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + }, + { + "key": "C", + "name": "Classified", + "description": "The confidentiality of classified information was compromised." + } + ] +} 
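Review bot: In incident_severity_2_0_0.json the values `"0M"` (Baseline - Minor) and `"0N"` (Baseline - Negligible) carry byte-identical description strings, so the Negligible level is not actually distinguished from Minor; this looks like a copy-paste slip, and the 1.0.0 file on this page describes its lowest level as `"Unsubstantiated or inconsequential event."`, which is presumably closer to what `"0N"` should say — verify against the source document rather than guessing. Listing `"0M"` before `"0N"` also reads as reversed if the values array is meant to run from least to most severe, as the other decision points here do. The same text is duplicated in the registry hunk at `@@ -49,6 +204,336 @@` (both the `obj.values` list and the `values` map), so whichever is corrected must be regenerated or edited in both places. If these JSON files are produced from the Python definitions (the series adds `src/ssvc/decision_points/nciss/base.py`), the fix belongs in that source and the data files should be regenerated from it.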
diff --git a/data/json/decision_points/cisa/information_impact_2_0_0.json b/data/json/decision_points/cisa/information_impact_2_0_0.json new file mode 100644 index 00000000..487e853e --- /dev/null +++ b/data/json/decision_points/cisa/information_impact_2_0_0.json @@ -0,0 +1,50 @@ +{ + "namespace": "cisa", + "key": "II", + "version": "2.0.0", + "name": "Information Impact", + "description": "Describes the type of information lost, compromised, or corrupted.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No Impact", + "description": "No known data impact." + }, + { + "key": "S", + "name": "Suspected But Not Identified", + "description": "A data loss or impact to availability is suspected, but no direct confirmation exists." + }, + { + "key": "P", + "name": "Privacy Data Breach", + "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + }, + { + "key": "R", + "name": "Proprietary Information Breach", + "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + }, + { + "key": "D", + "name": "Destruction of Non-Critical Systems", + "description": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." + }, + { + "key": "C", + "name": "Critical Systems Data Breach", + "description": "Data pertaining to a critical system has been exfiltrated." + }, + { + "key": "O", + "name": "Core Credential Compromise", + "description": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." + }, + { + "key": "E", + "name": "Destruction of Critical System", + "description": "Destructive techniques, such as MBR overwrite; have been used against a critical system." + } + ] +} 
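Review bot: The `"D"` and `"E"` descriptions in information_impact_2_0_0.json contain a stray semicolon where a comma belongs (`"Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system."`), which splits the sentence and reads as a transcription error; the fix is `"Destructive techniques, such as master boot record (MBR) overwrite, have been used against a non-critical system."` and likewise for `"E"`. The identical strings recur in the registry hunk at `@@ -49,6 +204,336 @@`, so both copies need the change. If this file is generated from the decision point definition in Python, correct the Python source and regenerate rather than hand-editing here.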
diff --git a/data/json/decision_points/cisa/observed_activity_0_0_1.json b/data/json/decision_points/cisa/observed_activity_0_0_1.json new file mode 100644 index 00000000..2bd2b615 --- /dev/null +++ b/data/json/decision_points/cisa/observed_activity_0_0_1.json @@ -0,0 +1,30 @@ +{ + "namespace": "cisa", + "key": "OA", + "version": "0.0.1", + "name": "Observed Activity", + "description": "Observed activity describes what is known about threat actor activity on the network.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Prepare", + "description": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." + }, + { + "key": "E", + "name": "Engage", + "description": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." + }, + { + "key": "R", + "name": "Presence", + "description": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." + }, + { + "key": "F", + "name": "Effect", + "description": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." + } + ] +} diff --git a/data/json/decision_points/cisa/observed_activity_location_1_0_0.json b/data/json/decision_points/cisa/observed_activity_location_1_0_0.json new file mode 100644 index 00000000..6aa617c0 --- /dev/null +++ b/data/json/decision_points/cisa/observed_activity_location_1_0_0.json 
@@ -0,0 +1,55 @@ +{ + "namespace": "cisa", + "key": "OAL", + "version": "1.0.0", + "name": "Observed Activity Location", + "description": "The location of observed activity describes where the observed activity was detected in the network. ", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "0", + "name": "Unsuccessful", + "description": "Existing network defenses repelled all observed activity." + }, + { + "key": "1", + "name": "Business Demilitarized Zone", + "description": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." + }, + { + "key": "2", + "name": "Business Network", + "description": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." + }, + { + "key": "3", + "name": "Business Network Management", + "description": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + }, + { + "key": "4", + "name": "Critical System DMZ", + "description": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + }, + { + "key": "5", + "name": "Critical System Management", + "description": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + }, + { + "key": "6", + "name": "Critical Systems", + "description": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." 
+ }, + { + "key": "7", + "name": "Safety Systems", + "description": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + }, + { + "key": "U", + "name": "Unknown", + "description": "Activity was observed, but the network segment could not be identified." + } + ] +} diff --git a/data/json/decision_points/cisa/recoverability_1_0_0.json b/data/json/decision_points/cisa/recoverability_1_0_0.json new file mode 100644 index 00000000..56018aa7 --- /dev/null +++ b/data/json/decision_points/cisa/recoverability_1_0_0.json @@ -0,0 +1,30 @@ +{ + "namespace": "cisa", + "key": "RECOVERABILITY", + "version": "1.0.0", + "name": "Recoverability", + "description": "Represents the scope of resources needed to recover from the incident.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "R", + "name": "Regular", + "description": "Time to recovery is predictable with existing resources." + }, + { + "key": "S", + "name": "Supplemented", + "description": "Time to recover is predictable with additional resources." + }, + { + "key": "E", + "name": "Extended", + "description": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + }, + { + "key": "N", + "name": "Not Recoverable", + "description": "Recovery from the incident is not possible." + } + ] +} diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json index cda2426c..b952d459 100644 --- a/data/json/ssvc_object_registry.json +++ b/data/json/ssvc_object_registry.json 
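Review bot: recoverability_1_0_0.json uses `"key": "RECOVERABILITY"` while every other decision point in this series uses a short abbreviation (`FI`, `IS`, `II`, `OA`, `OAL`), and since the registry indexes decision points by this key string, renaming it after release would be a breaking change for any stored data, so it is worth settling now. A short key in the same style, e.g. `"key": "R"` or `"key": "REC"`, would be consistent; pick whichever the project's key convention allows. Separately, the `"R"` and `"S"` descriptions alternate between "Time to recovery" and "Time to recover" for what is the same phrase; `"Time to recovery is predictable with additional resources."` would align them.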
@@ -9,6 +9,161 @@ "cisa": { "namespace": "cisa", "keys": { + "FI": { + "key": "FI", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "FI", + "version": "1.0.0", + "name": "Functional Impact", + "description": "A measure of the impact to business functionality or ability to provide services.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No Impact", + "description": "Organization has experienced no loss in ability to provide all services to all users." + }, + { + "key": "L", + "name": "Low", + "description": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance." + }, + { + "key": "M", + "name": "Medium", + "description": "Organization has lost the ability to provide a critical service to a subset of system users." + }, + { + "key": "H", + "name": "High", + "description": "Organization has lost the ability to provide all critical services to all system users." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "No Impact", + "description": "Organization has experienced no loss in ability to provide all services to all users." + }, + "L": { + "key": "L", + "name": "Low", + "description": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance." + }, + "M": { + "key": "M", + "name": "Medium", + "description": "Organization has lost the ability to provide a critical service to a subset of system users." + }, + "H": { + "key": "H", + "name": "High", + "description": "Organization has lost the ability to provide all critical services to all system users." 
+ } + } + }, + "2.0.0": { + "version": "2.0.0", + "obj": { + "namespace": "cisa", + "key": "FI", + "version": "2.0.0", + "name": "Functional Impact", + "description": "A measure of the impact to business functionality or ability to provide services.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No Impact", + "description": "Event has no impact." + }, + { + "key": "S", + "name": "No Impact to Services", + "description": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." + }, + { + "key": "M", + "name": "Minimal Impact to Non-Critical Services", + "description": "Some small level of impact to non-critical systems and services." + }, + { + "key": "C", + "name": "Minimal Impact to Critical Services", + "description": "Minimal impact but to a critical system or service, such as email or active directory." + }, + { + "key": "I", + "name": "Significant Impact to Non-Critical Services", + "description": "A non-critical service or system has a significant impact." + }, + { + "key": "D", + "name": "Denial of Non-Critical Services", + "description": "A non-critical system is denied or destroyed." + }, + { + "key": "T", + "name": "Significant Impact to Critical Services", + "description": "A critical system has a significant impact, such as local administrative account compromise." + }, + { + "key": "L", + "name": "Denial of Critical Services/Loss of Control", + "description": "A critical system has been rendered unavailable." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "No Impact", + "description": "Event has no impact." + }, + "S": { + "key": "S", + "name": "No Impact to Services", + "description": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." 
+ }, + "M": { + "key": "M", + "name": "Minimal Impact to Non-Critical Services", + "description": "Some small level of impact to non-critical systems and services." + }, + "C": { + "key": "C", + "name": "Minimal Impact to Critical Services", + "description": "Minimal impact but to a critical system or service, such as email or active directory." + }, + "I": { + "key": "I", + "name": "Significant Impact to Non-Critical Services", + "description": "A non-critical service or system has a significant impact." + }, + "D": { + "key": "D", + "name": "Denial of Non-Critical Services", + "description": "A non-critical system is denied or destroyed." + }, + "T": { + "key": "T", + "name": "Significant Impact to Critical Services", + "description": "A critical system has a significant impact, such as local administrative account compromise." + }, + "L": { + "key": "L", + "name": "Denial of Critical Services/Loss of Control", + "description": "A critical system has been rendered unavailable." + } + } + } + } + }, "KEV": { "key": "KEV", "versions": { 
@@ -49,6 +204,336 @@ } } }, + "IS": { + "key": "IS", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "IS", + "version": "1.0.0", + "name": "Incident Severity", + "description": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "0", + "name": "Baseline", + "description": "Unsubstantiated or inconsequential event." + }, + { + "key": "1", + "name": "Low", + "description": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "2", + "name": "Medium", + "description": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "3", + "name": "High", + "description": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "4", + "name": "Severe", + "description": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + }, + { + "key": "5", + "name": "Emergency", + "description": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons." + } + ] + }, + "values": { + "0": { + "key": "0", + "name": "Baseline", + "description": "Unsubstantiated or inconsequential event." 
+ }, + "1": { + "key": "1", + "name": "Low", + "description": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + "2": { + "key": "2", + "name": "Medium", + "description": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + "3": { + "key": "3", + "name": "High", + "description": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + "4": { + "key": "4", + "name": "Severe", + "description": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + }, + "5": { + "key": "5", + "name": "Emergency", + "description": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons." + } + } + }, + "2.0.0": { + "version": "2.0.0", + "obj": { + "namespace": "cisa", + "key": "IS", + "version": "2.0.0", + "name": "Incident Severity", + "description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "0M", + "name": "Baseline - Minor", + "description": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. 
The potential for impact, however, exists and warrants additional scrutiny." + }, + { + "key": "0N", + "name": "Baseline - Negligible", + "description": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + }, + { + "key": "1", + "name": "Low", + "description": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "2", + "name": "Medium", + "description": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "3", + "name": "High", + "description": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + { + "key": "4", + "name": "Severe", + "description": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + }, + { + "key": "5", + "name": "Emergency", + "description": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." + } + ] + }, + "values": { + "0M": { + "key": "0M", + "name": "Baseline - Minor", + "description": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. 
The potential for impact, however, exists and warrants additional scrutiny." + }, + "0N": { + "key": "0N", + "name": "Baseline - Negligible", + "description": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + }, + "1": { + "key": "1", + "name": "Low", + "description": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + "2": { + "key": "2", + "name": "Medium", + "description": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + "3": { + "key": "3", + "name": "High", + "description": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + }, + "4": { + "key": "4", + "name": "Severe", + "description": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + }, + "5": { + "key": "5", + "name": "Emergency", + "description": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." 
+ } + } + } + } + }, + "II": { + "key": "II", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "II", + "version": "1.0.0", + "name": "Information Impact", + "description": "Describes the type of information lost, compromised, or corrupted.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "None", + "description": "No information was exfiltrated, modified, deleted, or otherwise compromised." + }, + { + "key": "I", + "name": "Integrity", + "description": "The necessary integrity of information was modified without authorization." + }, + { + "key": "P", + "name": "Privacy", + "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + }, + { + "key": "R", + "name": "Proprietary", + "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + }, + { + "key": "C", + "name": "Classified", + "description": "The confidentiality of classified information was compromised." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "None", + "description": "No information was exfiltrated, modified, deleted, or otherwise compromised." + }, + "I": { + "key": "I", + "name": "Integrity", + "description": "The necessary integrity of information was modified without authorization." + }, + "P": { + "key": "P", + "name": "Privacy", + "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + }, + "R": { + "key": "R", + "name": "Proprietary", + "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." 
+ }, + "C": { + "key": "C", + "name": "Classified", + "description": "The confidentiality of classified information was compromised." + } + } + }, + "2.0.0": { + "version": "2.0.0", + "obj": { + "namespace": "cisa", + "key": "II", + "version": "2.0.0", + "name": "Information Impact", + "description": "Describes the type of information lost, compromised, or corrupted.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No Impact", + "description": "No known data impact." + }, + { + "key": "S", + "name": "Suspected But Not Identified", + "description": "A data loss or impact to availability is suspected, but no direct confirmation exists." + }, + { + "key": "P", + "name": "Privacy Data Breach", + "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + }, + { + "key": "R", + "name": "Proprietary Information Breach", + "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + }, + { + "key": "D", + "name": "Destruction of Non-Critical Systems", + "description": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." + }, + { + "key": "C", + "name": "Critical Systems Data Breach", + "description": "Data pertaining to a critical system has been exfiltrated." + }, + { + "key": "O", + "name": "Core Credential Compromise", + "description": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." + }, + { + "key": "E", + "name": "Destruction of Critical System", + "description": "Destructive techniques, such as MBR overwrite; have been used against a critical system." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "No Impact", + "description": "No known data impact." 
+ }, + "S": { + "key": "S", + "name": "Suspected But Not Identified", + "description": "A data loss or impact to availability is suspected, but no direct confirmation exists." + }, + "P": { + "key": "P", + "name": "Privacy Data Breach", + "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + }, + "R": { + "key": "R", + "name": "Proprietary Information Breach", + "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + }, + "D": { + "key": "D", + "name": "Destruction of Non-Critical Systems", + "description": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." + }, + "C": { + "key": "C", + "name": "Critical Systems Data Breach", + "description": "Data pertaining to a critical system has been exfiltrated." + }, + "O": { + "key": "O", + "name": "Core Credential Compromise", + "description": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." + }, + "E": { + "key": "E", + "name": "Destruction of Critical System", + "description": "Destructive techniques, such as MBR overwrite; have been used against a critical system." + } + } + } + } + }, "MP": { "key": "MP", "versions": { 
@@ -99,6 +584,236 @@ } } }, + "OA": { + "key": "OA", + "versions": { + "0.0.1": { + "version": "0.0.1", + "obj": { + "namespace": "cisa", + "key": "OA", + "version": "0.0.1", + "name": "Observed Activity", + "description": "Observed activity describes what is known about threat actor activity on the network.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "P", + "name": "Prepare", + "description": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." + }, + { + "key": "E", + "name": "Engage", + "description": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." + }, + { + "key": "R", + "name": "Presence", + "description": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." + }, + { + "key": "F", + "name": "Effect", + "description": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." + } + ] + }, + "values": { + "P": { + "key": "P", + "name": "Prepare", + "description": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." 
+ }, + "E": { + "key": "E", + "name": "Engage", + "description": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." + }, + "R": { + "key": "R", + "name": "Presence", + "description": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." + }, + "F": { + "key": "F", + "name": "Effect", + "description": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." + } + } + } + } + }, + "OAL": { + "key": "OAL", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "OAL", + "version": "1.0.0", + "name": "Observed Activity Location", + "description": "The location of observed activity describes where the observed activity was detected in the network. ", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "0", + "name": "Unsuccessful", + "description": "Existing network defenses repelled all observed activity." + }, + { + "key": "1", + "name": "Business Demilitarized Zone", + "description": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." + }, + { + "key": "2", + "name": "Business Network", + "description": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." 
+ }, + { + "key": "3", + "name": "Business Network Management", + "description": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + }, + { + "key": "4", + "name": "Critical System DMZ", + "description": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + }, + { + "key": "5", + "name": "Critical System Management", + "description": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + }, + { + "key": "6", + "name": "Critical Systems", + "description": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." + }, + { + "key": "7", + "name": "Safety Systems", + "description": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + }, + { + "key": "U", + "name": "Unknown", + "description": "Activity was observed, but the network segment could not be identified." + } + ] + }, + "values": { + "0": { + "key": "0", + "name": "Unsuccessful", + "description": "Existing network defenses repelled all observed activity." + }, + "1": { + "key": "1", + "name": "Business Demilitarized Zone", + "description": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." + }, + "2": { + "key": "2", + "name": "Business Network", + "description": "Activity was observed in the business or corporate network of the victim. 
These systems would be corporate user workstations, application servers, and other non-core management systems." + }, + "3": { + "key": "3", + "name": "Business Network Management", + "description": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + }, + "4": { + "key": "4", + "name": "Critical System DMZ", + "description": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + }, + "5": { + "key": "5", + "name": "Critical System Management", + "description": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + }, + "6": { + "key": "6", + "name": "Critical Systems", + "description": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." + }, + "7": { + "key": "7", + "name": "Safety Systems", + "description": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + }, + "U": { + "key": "U", + "name": "Unknown", + "description": "Activity was observed, but the network segment could not be identified." 
+ } + } + } + } + }, + "RECOVERABILITY": { + "key": "RECOVERABILITY", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "RECOVERABILITY", + "version": "1.0.0", + "name": "Recoverability", + "description": "Represents the scope of resources needed to recover from the incident.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "R", + "name": "Regular", + "description": "Time to recovery is predictable with existing resources." + }, + { + "key": "S", + "name": "Supplemented", + "description": "Time to recover is predictable with additional resources." + }, + { + "key": "E", + "name": "Extended", + "description": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + }, + { + "key": "N", + "name": "Not Recoverable", + "description": "Recovery from the incident is not possible." + } + ] + }, + "values": { + "R": { + "key": "R", + "name": "Regular", + "description": "Time to recovery is predictable with existing resources." + }, + "S": { + "key": "S", + "name": "Supplemented", + "description": "Time to recover is predictable with additional resources." + }, + "E": { + "key": "E", + "name": "Extended", + "description": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + }, + "N": { + "key": "N", + "name": "Not Recoverable", + "description": "Recovery from the incident is not possible." + } + } + } + } + }, "CISA": { "key": "CISA", "versions": { diff --git a/docs/reference/decision_points/nciss/functional_impact.md b/docs/reference/decision_points/nciss/functional_impact.md index f94d7d70..3d10e93a 100644 --- a/docs/reference/decision_points/nciss/functional_impact.md +++ b/docs/reference/decision_points/nciss/functional_impact.md 
@@ -1,7 +1,7 @@ # Functional Impact ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.functional_impact import LATEST +from ssvc.decision_points.cisa.functional_impact import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/docs/reference/decision_points/nciss/incident_severity.md b/docs/reference/decision_points/nciss/incident_severity.md index 69b8feef..fcd255a8 100644 --- a/docs/reference/decision_points/nciss/incident_severity.md +++ b/docs/reference/decision_points/nciss/incident_severity.md @@ -1,7 +1,7 @@ # Incident Severity ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.incident_severity import LATEST +from ssvc.decision_points.cisa.incident_severity import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) @@ -19,7 +19,7 @@ adopted by the United States Federal Cybersecurity Centers, in coordination with cybersecurity or cyber operations mission. ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.incident_severity import VERSIONS +from ssvc.decision_points.cisa.incident_severity import VERSIONS from ssvc.doc_helpers import example_block versions = VERSIONS[:-1] diff --git a/docs/reference/decision_points/nciss/information_impact.md b/docs/reference/decision_points/nciss/information_impact.md index c6b500cf..67b25a78 100644 --- a/docs/reference/decision_points/nciss/information_impact.md +++ b/docs/reference/decision_points/nciss/information_impact.md @@ -1,7 +1,7 @@ # Information Impact ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.information_impact import LATEST +from ssvc.decision_points.cisa.information_impact import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/docs/reference/decision_points/nciss/observed_activity.md b/docs/reference/decision_points/nciss/observed_activity.md index a4d4bfff..1e959adb 100644 
--- a/docs/reference/decision_points/nciss/observed_activity.md +++ b/docs/reference/decision_points/nciss/observed_activity.md @@ -1,7 +1,7 @@ # Observed Activity ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.observed_activity import LATEST +from ssvc.decision_points.cisa.observed_activity import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/docs/reference/decision_points/nciss/observed_activity_location.md b/docs/reference/decision_points/nciss/observed_activity_location.md index d3c797a6..239ffa8a 100644 --- a/docs/reference/decision_points/nciss/observed_activity_location.md +++ b/docs/reference/decision_points/nciss/observed_activity_location.md @@ -1,7 +1,7 @@ # Observed Location of Activity ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.observed_activity_location import LATEST +from ssvc.decision_points.cisa.observed_activity_location import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/docs/reference/decision_points/nciss/recoverability.md b/docs/reference/decision_points/nciss/recoverability.md index 897983ef..a0ad8b70 100644 --- a/docs/reference/decision_points/nciss/recoverability.md +++ b/docs/reference/decision_points/nciss/recoverability.md @@ -1,7 +1,7 @@ # Recoverability ```python exec="true" idprefix="" -from ssvc.decision_points.nciss.recoverability import LATEST +from ssvc.decision_points.cisa.recoverability import LATEST from ssvc.doc_helpers import example_block print(example_block(LATEST)) diff --git a/src/ssvc/decision_points/cisa/base.py b/src/ssvc/decision_points/cisa/base.py index 342c37a9..b27395bb 100644 --- a/src/ssvc/decision_points/cisa/base.py +++ b/src/ssvc/decision_points/cisa/base.py 
@@ -28,3 +28,9 @@ class CisaDecisionPoint(DecisionPoint, BaseModel): namespace: str = NameSpace.CISA + + +class NcissDecisionPoint(CisaDecisionPoint, BaseModel): + """ + Models a single NCISS decision point as a list of values. + """ diff --git a/src/ssvc/decision_points/nciss/functional_impact.py b/src/ssvc/decision_points/cisa/functional_impact.py similarity index 85% rename from src/ssvc/decision_points/nciss/functional_impact.py rename to src/ssvc/decision_points/cisa/functional_impact.py index d46d6e4e..4bff8f50 100644 --- a/src/ssvc/decision_points/nciss/functional_impact.py +++ b/src/ssvc/decision_points/cisa/functional_impact.py @@ -21,29 +21,29 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points.base import SsvcDecisionPointValue +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.cisa.base import NcissDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs -from ssvc.decision_points.nciss.base import NcissDecisionPoint -IMPACT_NONE = SsvcDecisionPointValue( +IMPACT_NONE = DecisionPointValue( key="N", name="No Impact", description="Organization has experienced no loss in ability to provide all services to all users.", ) -LOW = SsvcDecisionPointValue( +LOW = DecisionPointValue( key="L", name="Low", description="Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance.", ) -MEDIUM = SsvcDecisionPointValue( +MEDIUM = DecisionPointValue( key="M", name="Medium", description="Organization has lost the ability to provide a critical service to a subset of system users.", ) -HIGH = SsvcDecisionPointValue( +HIGH = DecisionPointValue( key="H", name="High", description="Organization has lost the ability to provide all critical services to all system users.", 
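Review bot: `NcissDecisionPoint` in cisa/base.py is now an empty subclass that inherits `namespace: str = NameSpace.CISA` from `CisaDecisionPoint`, whereas the deleted nciss/base.py set `namespace: str = NameSpace.NCISS`, so every NCISS decision point silently moves into the `cisa` namespace and neither the class nor its docstring says so. Registry entries appear to be identified by namespace plus key (the JSON hunk earlier in this patch lists `"namespace": "cisa"` next to keys such as `II`, `OA`, `OAL` and `RECOVERABILITY` alongside the existing `CISA` entry), so a key later defined by a CISA-namespaced decision point can collide with an NCISS key and the distinct type will not prevent it; a test asserting key uniqueness within the `cisa` namespace would catch that. The docstring should state the consequence rather than repeat the old one, e.g. `Marker subclass for NCISS-derived decision points; shares the CISA namespace and adds no fields.`. If `NameSpace.NCISS` is no longer referenced after this patch it is probably dead and should be removed or deprecated, unless the later commit "update namespace string" that touches this file already addresses the namespace.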
@@ -63,49 +63,49 @@ ), ) -NO_IMPACT = SsvcDecisionPointValue( +NO_IMPACT = DecisionPointValue( key="N", name="No Impact", description="Event has no impact.", ) -NO_IMPACT_TO_SERVICES = SsvcDecisionPointValue( +NO_IMPACT_TO_SERVICES = DecisionPointValue( key="S", name="No Impact to Services", description="Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers.", ) -MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES = SsvcDecisionPointValue( +MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES = DecisionPointValue( key="M", name="Minimal Impact to Non-Critical Services", description="Some small level of impact to non-critical systems and services.", ) -MINIMAL_IMPACT_TO_CRITICAL_SERVICES = SsvcDecisionPointValue( +MINIMAL_IMPACT_TO_CRITICAL_SERVICES = DecisionPointValue( key="C", name="Minimal Impact to Critical Services", description="Minimal impact but to a critical system or service, such as email or active directory.", ) -SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES = SsvcDecisionPointValue( +SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES = DecisionPointValue( key="I", name="Significant Impact to Non-Critical Services", description="A non-critical service or system has a significant impact.", ) -DENIAL_OF_NON_CRITICAL_SERVICES = SsvcDecisionPointValue( +DENIAL_OF_NON_CRITICAL_SERVICES = DecisionPointValue( key="D", name="Denial of Non-Critical Services", description="A non-critical system is denied or destroyed.", ) -SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES = SsvcDecisionPointValue( +SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES = DecisionPointValue( key="T", name="Significant Impact to Critical Services", description="A critical system has a significant impact, such as local administrative account compromise.", ) -DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL = SsvcDecisionPointValue( +DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL = DecisionPointValue( key="L", name="Denial of Critical Services/Loss of Control", description="A critical system 
has been rendered unavailable.", diff --git a/src/ssvc/decision_points/nciss/incident_severity.py b/src/ssvc/decision_points/cisa/incident_severity.py similarity index 91% rename from src/ssvc/decision_points/nciss/incident_severity.py rename to src/ssvc/decision_points/cisa/incident_severity.py index 2964f47f..b75d9834 100644 --- a/src/ssvc/decision_points/nciss/incident_severity.py +++ b/src/ssvc/decision_points/cisa/incident_severity.py 
@@ -22,49 +22,49 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points.base import SsvcDecisionPointValue +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.cisa.base import NcissDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs -from ssvc.decision_points.nciss.base import NcissDecisionPoint # Define the values for the Cyber Incident Severity decision point # Intentionally omitting the color codes from the original schema at this time # We can add them later if needed -LEVEL_5 = SsvcDecisionPointValue( +LEVEL_5 = DecisionPointValue( name="Emergency", key="5", description="Poses an imminent threat to the provision of wide-scale critical infrastructure services, national " "government stability, or to the lives of U.S. persons.", ) -LEVEL_4 = SsvcDecisionPointValue( +LEVEL_4 = DecisionPointValue( name="Severe", key="4", description="Likely to result in a significant impact to public health or safety, national security, economic " "security, foreign relations, or civil liberties.", ) -LEVEL_3 = SsvcDecisionPointValue( +LEVEL_3 = DecisionPointValue( name="High", key="3", description="Likely to result in a demonstrable impact to public health or safety, national security, economic " "security, foreign relations, civil liberties, or public confidence.", ) -LEVEL_2 = SsvcDecisionPointValue( +LEVEL_2 = DecisionPointValue( name="Medium", key="2", description="May impact public health or safety, national security, economic security, foreign relations, civil " "liberties, or public confidence.", ) -LEVEL_1 = SsvcDecisionPointValue( +LEVEL_1 = DecisionPointValue( name="Low", key="1", description="Unlikely to impact public health or safety, national security, economic security, foreign relations, " "civil liberties, or public confidence.", ) -LEVEL_0 = SsvcDecisionPointValue( +LEVEL_0 = DecisionPointValue( name="Baseline", key="0", description="Unsubstantiated or inconsequential event.", 
@@ -89,42 +89,42 @@ ), ) -LEVEL_5_1 = SsvcDecisionPointValue( +LEVEL_5_1 = DecisionPointValue( name="Emergency", key="5", description="An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure " "services, national government stability, or the lives of U.S. persons.", ) -LEVEL_4_1 = SsvcDecisionPointValue( +LEVEL_4_1 = DecisionPointValue( name="Severe", key="4", description="A Severe priority incident is likely to result in a significant impact to public health or safety, national security, " "economic security, foreign relations, or civil liberties.", ) -LEVEL_3_1 = SsvcDecisionPointValue( +LEVEL_3_1 = DecisionPointValue( name="High", key="3", description="A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, " "economic security, foreign relations, civil liberties, or public confidence.", ) -LEVEL_2_1 = SsvcDecisionPointValue( +LEVEL_2_1 = DecisionPointValue( name="Medium", key="2", description="A Medium priority incident may affect public health or safety, national security, economic security, foreign " "relations, civil liberties, or public confidence.", ) -LEVEL_1_1 = SsvcDecisionPointValue( +LEVEL_1_1 = DecisionPointValue( name="Low", key="1", description="A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign " "relations, civil liberties, or public confidence.", ) -LEVEL_0_MINOR = SsvcDecisionPointValue( +LEVEL_0_MINOR = DecisionPointValue( name="Baseline - Minor", key="0M", description="A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, " 
@@ -132,7 +132,7 @@ "impact, however, exists and warrants additional scrutiny.", ) -LEVEL_0_NEGLIGIBLE = SsvcDecisionPointValue( +LEVEL_0_NEGLIGIBLE = DecisionPointValue( name="Baseline - Negligible", key="0N", description="A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, " diff --git a/src/ssvc/decision_points/nciss/information_impact.py b/src/ssvc/decision_points/cisa/information_impact.py similarity index 86% rename from src/ssvc/decision_points/nciss/information_impact.py rename to src/ssvc/decision_points/cisa/information_impact.py index 131ef6d9..9d47b47f 100644 --- a/src/ssvc/decision_points/nciss/information_impact.py +++ b/src/ssvc/decision_points/cisa/information_impact.py @@ -21,30 +21,30 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points.base import SsvcDecisionPointValue +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.cisa.base import NcissDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs -from ssvc.decision_points.nciss.base import NcissDecisionPoint -IMPACT_NONE = SsvcDecisionPointValue( +IMPACT_NONE = DecisionPointValue( key="N", name="None", description="No information was exfiltrated, modified, deleted, or otherwise compromised.", ) -INTEGRITY = SsvcDecisionPointValue( +INTEGRITY = DecisionPointValue( key="I", name="Integrity", description="The necessary integrity of information was modified without authorization.", ) -PRIVACY = SsvcDecisionPointValue( +PRIVACY = DecisionPointValue( key="P", name="Privacy", description="The confidentiality of personally identifiable information (PII) " "or personal health information (PHI) was compromised.", ) -PROPRIETARY = SsvcDecisionPointValue( +PROPRIETARY = DecisionPointValue( key="R", name="Proprietary", description="The confidentiality of unclassified proprietary information, such as " 
@@ -52,7 +52,7 @@ "trade secrets was compromised.", ) -CLASSIFIED = SsvcDecisionPointValue( +CLASSIFIED = DecisionPointValue( key="C", name="Classified", description="The confidentiality of classified information was compromised.", 
@@ -68,51 +68,51 @@ ) -NO_IMPACT = SsvcDecisionPointValue( +NO_IMPACT = DecisionPointValue( key="N", name="No Impact", description="No known data impact.", ) -SUSPECTED_BUT_NOT_IDENTIFIED = SsvcDecisionPointValue( +SUSPECTED_BUT_NOT_IDENTIFIED = DecisionPointValue( key="S", name="Suspected But Not Identified", description="A data loss or impact to availability is suspected, but no direct confirmation exists.", ) -PROPRIETARY_INFORMATION_BREACH = SsvcDecisionPointValue( +PROPRIETARY_INFORMATION_BREACH = DecisionPointValue( key="R", name="Proprietary Information Breach", description="The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.", ) -PRIVACY_DATA_BREACH = SsvcDecisionPointValue( +PRIVACY_DATA_BREACH = DecisionPointValue( key="P", name="Privacy Data Breach", description="The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.", ) -CRITICAL_SYSTEMS_DATA_BREACH = SsvcDecisionPointValue( +CRITICAL_SYSTEMS_DATA_BREACH = DecisionPointValue( key="C", name="Critical Systems Data Breach", description="Data pertaining to a critical system has been exfiltrated.", ) -DESTRUCTION_OF_NON_CRITICAL_SYSTEMS = SsvcDecisionPointValue( +DESTRUCTION_OF_NON_CRITICAL_SYSTEMS = DecisionPointValue( key="D", name="Destruction of Non-Critical Systems", description="Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system.", ) -CORE_CREDENTIAL_COMPROMISE = SsvcDecisionPointValue( +CORE_CREDENTIAL_COMPROMISE = DecisionPointValue( key="O", name="Core Credential Compromise", description="Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated.", ) -DESTRUCTION_OF_CRITICAL_SYSTEM = SsvcDecisionPointValue( +DESTRUCTION_OF_CRITICAL_SYSTEM = DecisionPointValue( key="E", 
name="Destruction of Critical System", description="Destructive techniques, such as MBR overwrite; have been used against a critical system.", diff --git a/src/ssvc/decision_points/nciss/observed_activity.py b/src/ssvc/decision_points/cisa/observed_activity.py similarity index 91% rename from src/ssvc/decision_points/nciss/observed_activity.py rename to src/ssvc/decision_points/cisa/observed_activity.py index 7368c81e..df992185 100644 --- a/src/ssvc/decision_points/nciss/observed_activity.py +++ b/src/ssvc/decision_points/cisa/observed_activity.py @@ -21,11 +21,11 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points.base import SsvcDecisionPointValue +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.cisa.base import NcissDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs -from ssvc.decision_points.nciss.base import NcissDecisionPoint -PREPARE = SsvcDecisionPointValue( +PREPARE = DecisionPointValue( key="P", name="Prepare", description="Prepare actions are actions taken to establish objectives, intent, and strategy; " @@ -34,7 +34,7 @@ "and develop capabilities.", ) -ENGAGE = SsvcDecisionPointValue( +ENGAGE = DecisionPointValue( key="E", name="Engage", description="Engage activities are actions taken against a specific target or target set prior to gaining, " @@ -42,7 +42,7 @@ "networks, and data stores.", ) -PRESENCE = SsvcDecisionPointValue( +PRESENCE = DecisionPointValue( key="R", name="Presence", description="Presence is the set of actions taken by the threat actor once access to the target physical or " @@ -52,7 +52,7 @@ "or data stores.", ) -EFFECT = SsvcDecisionPointValue( +EFFECT = DecisionPointValue( key="F", name="Effect", description="Effects are outcomes of a threat actor’s actions " 
diff --git a/src/ssvc/decision_points/nciss/observed_activity_location.py b/src/ssvc/decision_points/cisa/observed_activity_location.py similarity index 90% rename from src/ssvc/decision_points/nciss/observed_activity_location.py rename to src/ssvc/decision_points/cisa/observed_activity_location.py index be6584cc..013c83f8 100644 --- a/src/ssvc/decision_points/nciss/observed_activity_location.py +++ b/src/ssvc/decision_points/cisa/observed_activity_location.py 
@@ -22,63 +22,62 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.cisa.base import NcissDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs -from ssvc.decision_points.nciss.base import NcissDecisionPoint - -LEVEL_0 = SsvcDecisionPointValue( +LEVEL_0 = DecisionPointValue( name="Unsuccessful", key="0", description="Existing network defenses repelled all observed activity.", ) -LEVEL_1 = SsvcDecisionPointValue( +LEVEL_1 = DecisionPointValue( name="Business Demilitarized Zone", key="1", description="Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet.", ) -LEVEL_2 = SsvcDecisionPointValue( +LEVEL_2 = DecisionPointValue( name="Business Network", key="2", description="Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems.", ) -LEVEL_3 = SsvcDecisionPointValue( +LEVEL_3 = DecisionPointValue( name="Business Network Management", key="3", description="Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores.", ) -LEVEL_4 = SsvcDecisionPointValue( +LEVEL_4 = DecisionPointValue( name="Critical System DMZ", key="4", description="Activity was observed in the DMZ that exists between the business network and a critical system network. 
These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.", ) -LEVEL_5 = SsvcDecisionPointValue( +LEVEL_5 = DecisionPointValue( name="Critical System Management", key="5", description="Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems.", ) -LEVEL_6 = SsvcDecisionPointValue( +LEVEL_6 = DecisionPointValue( name="Critical Systems", key="6", description="Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments.", ) -LEVEL_7 = SsvcDecisionPointValue( +LEVEL_7 = DecisionPointValue( name="Safety Systems", key="7", description="Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system.", ) -UNKNOWN = SsvcDecisionPointValue( +UNKNOWN = DecisionPointValue( name="Unknown", key="U", description="Activity was observed, but the network segment could not be identified.", diff --git a/src/ssvc/decision_points/nciss/recoverability.py b/src/ssvc/decision_points/cisa/recoverability.py similarity index 89% rename from src/ssvc/decision_points/nciss/recoverability.py rename to src/ssvc/decision_points/cisa/recoverability.py index 4efcfec1..91e1df26 100644 --- a/src/ssvc/decision_points/nciss/recoverability.py +++ b/src/ssvc/decision_points/cisa/recoverability.py 
@@ -22,30 +22,29 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points import SsvcDecisionPointValue +from ssvc.decision_points.base import DecisionPointValue +from ssvc.decision_points.cisa.base import NcissDecisionPoint from ssvc.decision_points.helpers import print_versions_and_diffs -from ssvc.decision_points.nciss.base import NcissDecisionPoint - -REGULAR = SsvcDecisionPointValue( +REGULAR = DecisionPointValue( name="Regular", key="R", description="Time to recovery is predictable with existing resources.", ) -SUPPLEMENTED = SsvcDecisionPointValue( +SUPPLEMENTED = DecisionPointValue( name="Supplemented", key="S", description="Time to recover is predictable with additional resources.", ) -EXTENDED = SsvcDecisionPointValue( +EXTENDED = DecisionPointValue( name="Extended", key="E", description="Time to recovery is unpredictable; additional resources and outside assistance may be required.", ) -NOT_RECOVERABLE = SsvcDecisionPointValue( +NOT_RECOVERABLE = DecisionPointValue( name="Not Recoverable", key="N", description="Recovery from the incident is not possible.", diff --git a/src/ssvc/decision_points/nciss/__init__.py b/src/ssvc/decision_points/nciss/__init__.py deleted file mode 100644 index c7d4d2be..00000000 --- a/src/ssvc/decision_points/nciss/__init__.py +++ /dev/null 
@@ -1,21 +0,0 @@ -# Copyright (c) 2025 Carnegie Mellon University. -# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE -# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. -# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, -# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT -# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR -# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE -# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE -# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM -# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. -# Licensed under a MIT (SEI)-style license, please see LICENSE or contact -# permission@sei.cmu.edu for full terms. -# [DISTRIBUTION STATEMENT A] This material has been approved for -# public release and unlimited distribution. Please see Copyright notice -# for non-US Government use and distribution. -# This Software includes and/or makes use of Third-Party Software each -# subject to its own license. -# DM24-0278 -""" -This module contains decision points based on the National Cyber Incident Scoring System (NCISS). -""" diff --git a/src/ssvc/decision_points/nciss/base.py b/src/ssvc/decision_points/nciss/base.py deleted file mode 100644 index 79e7995b..00000000 --- a/src/ssvc/decision_points/nciss/base.py +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/usr/bin/env python -""" -Provides a base class for decision points modeled after the US National Cyber Incident Scoring System -""" -# Copyright (c) 2025 Carnegie Mellon University. -# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE -# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. -# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, -# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT -# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR -# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE -# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE -# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM -# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. -# Licensed under a MIT (SEI)-style license, please see LICENSE or contact -# permission@sei.cmu.edu for full terms. -# [DISTRIBUTION STATEMENT A] This material has been approved for -# public release and unlimited distribution. Please see Copyright notice -# for non-US Government use and distribution. -# This Software includes and/or makes use of Third-Party Software each -# subject to its own license. -# DM24-0278 - -from pydantic import BaseModel - -from ssvc.decision_points import SsvcDecisionPoint -from ssvc.namespaces import NameSpace - - -class NcissDecisionPoint(SsvcDecisionPoint, BaseModel): - """ - Models a single NCISS decision point as a list of values. - """ - - namespace: str = NameSpace.NCISS - - -def main(): - pass - - -if __name__ == "__main__": - main() From 8972eac429e38b5e100c81a2f400de6c9d9ef529 Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Tue, 16 Sep 2025 16:09:22 -0400 Subject: [PATCH 22/24] update namespace string --- src/ssvc/decision_points/cisa/base.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ssvc/decision_points/cisa/base.py b/src/ssvc/decision_points/cisa/base.py index b27395bb..2980f3cb 100644 --- a/src/ssvc/decision_points/cisa/base.py +++ b/src/ssvc/decision_points/cisa/base.py 
@@ -34,3 +34,4 @@ class NcissDecisionPoint(CisaDecisionPoint, BaseModel):
     """
     Models a single NCISS decision point as a list of values.
     """
+    namespace: str = NameSpace.CISA + "#nciss"
From 37e408529c129261f4eff465986fa760d0964c92 Mon Sep 17 00:00:00 2001
From: "Allen D. Householder"
Date: Tue, 16 Sep 2025 16:11:00 -0400
Subject: [PATCH 23/24] update description -> definition
---
 .../decision_points/cisa/functional_impact.py | 28 ++++++++---------
 .../decision_points/cisa/incident_severity.py | 30 +++++++++----------
 .../cisa/information_impact.py | 30 +++++++++----------
 .../decision_points/cisa/observed_activity.py | 10 +++----
 .../cisa/observed_activity_location.py | 20 ++++++-------
 .../decision_points/cisa/recoverability.py | 10 +++----
 6 files changed, 64 insertions(+), 64 deletions(-)
diff --git a/src/ssvc/decision_points/cisa/functional_impact.py b/src/ssvc/decision_points/cisa/functional_impact.py
index 4bff8f50..8af95590 100644
--- a/src/ssvc/decision_points/cisa/functional_impact.py
+++ b/src/ssvc/decision_points/cisa/functional_impact.py
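Review bot: `NameSpace.CISA + "#nciss"` only works if `NameSpace` is a `str`-based enum; with a plain `Enum` the `+` raises TypeError at import time, and in either case the result is a bare `str` that bypasses whatever validation the `NameSpace` type provides for the parent `CisaDecisionPoint`. The `#nciss` extension is a free-form literal with no check that it matches the project's namespace-extension grammar (the regenerated data files land in a `cisa_nciss` directory, so something downstream does parse the `#`). Consider making the construction explicit, e.g. `namespace: str = f"{NameSpace.CISA.value}#nciss"`, and adding a test that the resulting string passes the namespace pattern validator if one exists. The class header is the hunk's context line; the rest of `NcissDecisionPoint` and its parent are outside the hunk.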
@@ -28,25 +28,25 @@ IMPACT_NONE = DecisionPointValue( key="N", name="No Impact", - description="Organization has experienced no loss in ability to provide all services to all users.", + definition="Organization has experienced no loss in ability to provide all services to all users.", ) LOW = DecisionPointValue( key="L", name="Low", - description="Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance.", + definition="Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance.", ) MEDIUM = DecisionPointValue( key="M", name="Medium", - description="Organization has lost the ability to provide a critical service to a subset of system users.", + definition="Organization has lost the ability to provide a critical service to a subset of system users.", ) HIGH = DecisionPointValue( key="H", name="High", - description="Organization has lost the ability to provide all critical services to all system users.", + definition="Organization has lost the ability to provide all critical services to all system users.", ) ## based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf @@ -54,7 +54,7 @@ key="FI", name="Functional Impact", version="1.0.0", - description="A measure of the impact to business functionality or ability to provide services.", + definition="A measure of the impact to business functionality or ability to provide services.", values=( IMPACT_NONE, LOW, 
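Review bot: Renaming the serialized field from `description` to `definition` changes the JSON key every consumer of the published decision-point files reads, yet `version="1.0.0"` is left untouched here and the deleted JSON in the final commit shows `"schemaVersion": "2.0.0"` for the `description` shape; if the regenerated files keep the same `schemaVersion`, validators pinned to that schema will reject or silently drop the new key. Either bump `schemaVersion` with the field rename, or let the model accept the old key as a deprecated input alias (pydantic v2: `Field(validation_alias=AliasChoices("definition", "description"))`) so previously published files still load. A one-line comment on `DecisionPointValue` recording that `definition` replaced `description`, and from which schema version, would help readers of the data files.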
@@ -66,49 +66,49 @@ NO_IMPACT = DecisionPointValue( key="N", name="No Impact", - description="Event has no impact.", + definition="Event has no impact.", ) NO_IMPACT_TO_SERVICES = DecisionPointValue( key="S", name="No Impact to Services", - description="Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers.", + definition="Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers.", ) MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES = DecisionPointValue( key="M", name="Minimal Impact to Non-Critical Services", - description="Some small level of impact to non-critical systems and services.", + definition="Some small level of impact to non-critical systems and services.", ) MINIMAL_IMPACT_TO_CRITICAL_SERVICES = DecisionPointValue( key="C", name="Minimal Impact to Critical Services", - description="Minimal impact but to a critical system or service, such as email or active directory.", + definition="Minimal impact but to a critical system or service, such as email or active directory.", ) SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES = DecisionPointValue( key="I", name="Significant Impact to Non-Critical Services", - description="A non-critical service or system has a significant impact.", + definition="A non-critical service or system has a significant impact.", ) DENIAL_OF_NON_CRITICAL_SERVICES = DecisionPointValue( key="D", name="Denial of Non-Critical Services", - description="A non-critical system is denied or destroyed.", + definition="A non-critical system is denied or destroyed.", ) SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES = DecisionPointValue( key="T", name="Significant Impact to Critical Services", - description="A critical system has a significant impact, such as local administrative account compromise.", + definition="A critical system has a significant impact, such as local administrative account compromise.", ) DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL 
= DecisionPointValue( key="L", name="Denial of Critical Services/Loss of Control", - description="A critical system has been rendered unavailable.", + definition="A critical system has been rendered unavailable.", ) # based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf @@ -116,7 +116,7 @@ key="FI", name="Functional Impact", version="2.0.0", - description="A measure of the impact to business functionality or ability to provide services.", + definition="A measure of the impact to business functionality or ability to provide services.", values=( NO_IMPACT, NO_IMPACT_TO_SERVICES, diff --git a/src/ssvc/decision_points/cisa/incident_severity.py b/src/ssvc/decision_points/cisa/incident_severity.py index b75d9834..a7faaa09 100644 --- a/src/ssvc/decision_points/cisa/incident_severity.py +++ b/src/ssvc/decision_points/cisa/incident_severity.py 
@@ -32,48 +32,48 @@ LEVEL_5 = DecisionPointValue( name="Emergency", key="5", - description="Poses an imminent threat to the provision of wide-scale critical infrastructure services, national " + definition="Poses an imminent threat to the provision of wide-scale critical infrastructure services, national " "government stability, or to the lives of U.S. persons.", ) LEVEL_4 = DecisionPointValue( name="Severe", key="4", - description="Likely to result in a significant impact to public health or safety, national security, economic " + definition="Likely to result in a significant impact to public health or safety, national security, economic " "security, foreign relations, or civil liberties.", ) LEVEL_3 = DecisionPointValue( name="High", key="3", - description="Likely to result in a demonstrable impact to public health or safety, national security, economic " + definition="Likely to result in a demonstrable impact to public health or safety, national security, economic " "security, foreign relations, civil liberties, or public confidence.", ) LEVEL_2 = DecisionPointValue( name="Medium", key="2", - description="May impact public health or safety, national security, economic security, foreign relations, civil " + definition="May impact public health or safety, national security, economic security, foreign relations, civil " "liberties, or public confidence.", ) LEVEL_1 = DecisionPointValue( name="Low", key="1", - description="Unlikely to impact public health or safety, national security, economic security, foreign relations, " + definition="Unlikely to impact public health or safety, national security, economic security, foreign relations, " "civil liberties, or public confidence.", ) LEVEL_0 = DecisionPointValue( name="Baseline", key="0", - description="Unsubstantiated or inconsequential event.", + definition="Unsubstantiated or inconsequential event.", ) # Define the Cyber Incident Severity decision point INCIDENT_SEVERITY = NcissDecisionPoint( name="Incident 
Severity", - description="The United States Federal Cybersecurity Centers, in coordination " + definition="The United States Federal Cybersecurity Centers, in coordination " "with departments and agencies with a cybersecurity or cyber operations mission, " "adopted a common schema for describing the severity of cyber incidents affecting " "the homeland, U.S. capabilities, or U.S. interests.", 
@@ -92,42 +92,42 @@ LEVEL_5_1 = DecisionPointValue( name="Emergency", key="5", - description="An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure " + definition="An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure " "services, national government stability, or the lives of U.S. persons.", ) LEVEL_4_1 = DecisionPointValue( name="Severe", key="4", - description="A Severe priority incident is likely to result in a significant impact to public health or safety, national security, " + definition="A Severe priority incident is likely to result in a significant impact to public health or safety, national security, " "economic security, foreign relations, or civil liberties.", ) LEVEL_3_1 = DecisionPointValue( name="High", key="3", - description="A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, " + definition="A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, " "economic security, foreign relations, civil liberties, or public confidence.", ) LEVEL_2_1 = DecisionPointValue( name="Medium", key="2", - description="A Medium priority incident may affect public health or safety, national security, economic security, foreign " + definition="A Medium priority incident may affect public health or safety, national security, economic security, foreign " "relations, civil liberties, or public confidence.", ) LEVEL_1_1 = DecisionPointValue( name="Low", key="1", - description="A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign " + definition="A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign " "relations, civil liberties, or public confidence.", ) LEVEL_0_MINOR = DecisionPointValue( name="Baseline - Minor", 
key="0M", - description="A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, " + definition="A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, " "national security, economic security, foreign relations, civil liberties, or public confidence. The potential for " "impact, however, exists and warrants additional scrutiny.", ) @@ -135,14 +135,14 @@ LEVEL_0_NEGLIGIBLE = DecisionPointValue( name="Baseline - Negligible", key="0N", - description="A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, " + definition="A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, " "national security, economic security, foreign relations, civil liberties, or public confidence. The potential for " "impact, however, exists and warrants additional scrutiny.", ) INCIDENT_SEVERITY_2 = NcissDecisionPoint( name="Incident Severity", - description="After an incident is scored, it is assigned a priority level. " + definition="After an incident is scored, it is assigned a priority level. " "The six levels listed below are aligned with CISA, " "the Department of Homeland Security (DHS), " "and the CISS to help provide a common lexicon when discussing incidents. " diff --git a/src/ssvc/decision_points/cisa/information_impact.py b/src/ssvc/decision_points/cisa/information_impact.py index 9d47b47f..12447d69 100644 --- a/src/ssvc/decision_points/cisa/information_impact.py +++ b/src/ssvc/decision_points/cisa/information_impact.py 
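Review bot: `LEVEL_0_MINOR` and `LEVEL_0_NEGLIGIBLE` carry word-for-word identical definition text apart from the tier name, so the two lowest priorities are indistinguishable to a reader, and the sentence "The potential for impact, however, exists and warrants additional scrutiny" sits oddly under a tier named Negligible. This looks like a copy-paste from the Minor tier; check the Negligible wording against the CISA Federal Incident Notification Guidelines that the sibling modules cite and replace the `definition=` string on `LEVEL_0_NEGLIGIBLE` with the source text. Because these strings are emitted into the published JSON, a duplicated definition is a data-correctness problem rather than a cosmetic one.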
@@ -28,26 +28,26 @@ IMPACT_NONE = DecisionPointValue( key="N", name="None", - description="No information was exfiltrated, modified, deleted, or otherwise compromised.", + definition="No information was exfiltrated, modified, deleted, or otherwise compromised.", ) INTEGRITY = DecisionPointValue( key="I", name="Integrity", - description="The necessary integrity of information was modified without authorization.", + definition="The necessary integrity of information was modified without authorization.", ) PRIVACY = DecisionPointValue( key="P", name="Privacy", - description="The confidentiality of personally identifiable information (PII) " + definition="The confidentiality of personally identifiable information (PII) " "or personal health information (PHI) was compromised.", ) PROPRIETARY = DecisionPointValue( key="R", name="Proprietary", - description="The confidentiality of unclassified proprietary information, such as " + definition="The confidentiality of unclassified proprietary information, such as " "protected critical infrastructure information (PCII), intellectual property, or " "trade secrets was compromised.", ) @@ -55,7 +55,7 @@ CLASSIFIED = DecisionPointValue( key="C", name="Classified", - description="The confidentiality of classified information was compromised.", + definition="The confidentiality of classified information was compromised.", ) # based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf @@ -63,7 +63,7 @@ key="II", name="Information Impact", version="1.0.0", - description="Describes the type of information lost, compromised, or corrupted.", + definition="Describes the type of information lost, compromised, or corrupted.", values=(IMPACT_NONE, INTEGRITY, PRIVACY, PROPRIETARY, CLASSIFIED), ) 
@@ -71,51 +71,51 @@ NO_IMPACT = DecisionPointValue( key="N", name="No Impact", - description="No known data impact.", + definition="No known data impact.", ) SUSPECTED_BUT_NOT_IDENTIFIED = DecisionPointValue( key="S", name="Suspected But Not Identified", - description="A data loss or impact to availability is suspected, but no direct confirmation exists.", + definition="A data loss or impact to availability is suspected, but no direct confirmation exists.", ) PROPRIETARY_INFORMATION_BREACH = DecisionPointValue( key="R", name="Proprietary Information Breach", - description="The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.", + definition="The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.", ) PRIVACY_DATA_BREACH = DecisionPointValue( key="P", name="Privacy Data Breach", - description="The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.", + definition="The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.", ) CRITICAL_SYSTEMS_DATA_BREACH = DecisionPointValue( key="C", name="Critical Systems Data Breach", - description="Data pertaining to a critical system has been exfiltrated.", + definition="Data pertaining to a critical system has been exfiltrated.", ) DESTRUCTION_OF_NON_CRITICAL_SYSTEMS = DecisionPointValue( key="D", name="Destruction of Non-Critical Systems", - description="Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system.", + definition="Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system.", ) CORE_CREDENTIAL_COMPROMISE = DecisionPointValue( key="O", 
name="Core Credential Compromise", - description="Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated.", + definition="Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated.", ) DESTRUCTION_OF_CRITICAL_SYSTEM = DecisionPointValue( key="E", name="Destruction of Critical System", - description="Destructive techniques, such as MBR overwrite; have been used against a critical system.", + definition="Destructive techniques, such as MBR overwrite; have been used against a critical system.", ) # based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf @@ -123,7 +123,7 @@ key="II", name="Information Impact", version="2.0.0", - description="Describes the type of information lost, compromised, or corrupted.", + definition="Describes the type of information lost, compromised, or corrupted.", values=( NO_IMPACT, SUSPECTED_BUT_NOT_IDENTIFIED, diff --git a/src/ssvc/decision_points/cisa/observed_activity.py b/src/ssvc/decision_points/cisa/observed_activity.py index df992185..58dae56e 100644 --- a/src/ssvc/decision_points/cisa/observed_activity.py +++ b/src/ssvc/decision_points/cisa/observed_activity.py @@ -28,7 +28,7 @@ PREPARE = DecisionPointValue( key="P", name="Prepare", - description="Prepare actions are actions taken to establish objectives, intent, and strategy; " + definition="Prepare actions are actions taken to establish objectives, intent, and strategy; " "identify potential targets and attack vectors; " "identify resource requirements; " "and develop capabilities.", 
@@ -37,7 +37,7 @@ ENGAGE = DecisionPointValue( key="E", name="Engage", - description="Engage activities are actions taken against a specific target or target set prior to gaining, " + definition="Engage activities are actions taken against a specific target or target set prior to gaining, " "but with the intent to gain access to the victim's physical or virtual computer or information systems, " "networks, and data stores.", ) @@ -45,7 +45,7 @@ PRESENCE = DecisionPointValue( key="R", name="Presence", - description="Presence is the set of actions taken by the threat actor once access to the target physical or " + definition="Presence is the set of actions taken by the threat actor once access to the target physical or " "virtual computer or information system has been achieved. " "These actions establish and maintain conditions for the threat actor to perform intended actions " "or operate at will against the host physical or virtual computer or information system, network, " @@ -55,7 +55,7 @@ EFFECT = DecisionPointValue( key="F", name="Effect", - description="Effects are outcomes of a threat actor’s actions " + definition="Effects are outcomes of a threat actor’s actions " "on a victim’s physical or virtual computer or information systems, networks, and data stores.", ) @@ -63,7 +63,7 @@ OBSERVED_ACTIVITY = NcissDecisionPoint( key="OA", name="Observed Activity", - description="Observed activity describes what is known about threat actor activity on the network.", + definition="Observed activity describes what is known about threat actor activity on the network.", values=(PREPARE, ENGAGE, PRESENCE, EFFECT), ) diff --git a/src/ssvc/decision_points/cisa/observed_activity_location.py b/src/ssvc/decision_points/cisa/observed_activity_location.py index 013c83f8..6ddbf374 100644 --- a/src/ssvc/decision_points/cisa/observed_activity_location.py +++ b/src/ssvc/decision_points/cisa/observed_activity_location.py 
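Review bot: `OBSERVED_ACTIVITY` is the only decision point in this patch constructed without an explicit `version=`; the `FI`, `II`, `OAL` and `RECOVERABILITY` constructors all pass `version="1.0.0"`, and the regenerated file name `observed_activity_0_0_1.json` in the following commit indicates the model default is what actually ships. Add `version="1.0.0",` after `name="Observed Activity",` so the registry entry is versioned deliberately rather than by fallback, or, if 0.0.1 is meant to flag this decision point as draft, say so in a comment above the constructor so the inconsistency reads as intentional.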
@@ -29,63 +29,63 @@ LEVEL_0 = DecisionPointValue( name="Unsuccessful", key="0", - description="Existing network defenses repelled all observed activity.", + definition="Existing network defenses repelled all observed activity.", ) LEVEL_1 = DecisionPointValue( name="Business Demilitarized Zone", key="1", - description="Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet.", + definition="Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet.", ) LEVEL_2 = DecisionPointValue( name="Business Network", key="2", - description="Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems.", + definition="Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems.", ) LEVEL_3 = DecisionPointValue( name="Business Network Management", key="3", - description="Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores.", + definition="Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores.", ) LEVEL_4 = DecisionPointValue( name="Critical System DMZ", key="4", - description="Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.", + definition="Activity was observed in the DMZ that exists between the business network and a critical system network. 
These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.", ) LEVEL_5 = DecisionPointValue( name="Critical System Management", key="5", - description="Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems.", + definition="Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems.", ) LEVEL_6 = DecisionPointValue( name="Critical Systems", key="6", - description="Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments.", + definition="Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments.", ) LEVEL_7 = DecisionPointValue( name="Safety Systems", key="7", - description="Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system.", + definition="Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system.", ) UNKNOWN = DecisionPointValue( name="Unknown", key="U", - description="Activity was observed, but the network segment could not be identified.", + definition="Activity was observed, but the network segment could not be identified.", ) OBSERVED_ACTIVITY_LOCATION = NcissDecisionPoint( name="Observed Activity Location", - description="The location of observed activity describes where the observed activity was detected in the network. ", + definition="The location of observed activity describes where the observed activity was detected in the network. ", key="OAL", version="1.0.0", values=( 
diff --git a/src/ssvc/decision_points/cisa/recoverability.py b/src/ssvc/decision_points/cisa/recoverability.py index 91e1df26..ff89d099 100644 --- a/src/ssvc/decision_points/cisa/recoverability.py +++ b/src/ssvc/decision_points/cisa/recoverability.py @@ -29,30 +29,30 @@ REGULAR = DecisionPointValue( name="Regular", key="R", - description="Time to recovery is predictable with existing resources.", + definition="Time to recovery is predictable with existing resources.", ) SUPPLEMENTED = DecisionPointValue( name="Supplemented", key="S", - description="Time to recover is predictable with additional resources.", + definition="Time to recover is predictable with additional resources.", ) EXTENDED = DecisionPointValue( name="Extended", key="E", - description="Time to recovery is unpredictable; additional resources and outside assistance may be required.", + definition="Time to recovery is unpredictable; additional resources and outside assistance may be required.", ) NOT_RECOVERABLE = DecisionPointValue( name="Not Recoverable", key="N", - description="Recovery from the incident is not possible.", + definition="Recovery from the incident is not possible.", ) RECOVERABILITY = NcissDecisionPoint( name="Recoverability", - description="Represents the scope of resources needed to recover from the incident.", + definition="Represents the scope of resources needed to recover from the incident.", key="RECOVERABILITY", version="1.0.0", values=(REGULAR, SUPPLEMENTED, EXTENDED, NOT_RECOVERABLE), From b420809019c9cc7ee2ca143b9652005576c32c7a Mon Sep 17 00:00:00 2001 
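Review bot: `key="RECOVERABILITY"` breaks the short-abbreviation convention every other decision point in this patch follows (`FI`, `II`, `OA`, `OAL`), and since the key is what the JSON registry and any compact SSVC notation identify the decision point by, it is the one field that is painful to change after the data files are published. Consider `key="R"` or `key="REC"` now, or if the long key is deliberate, leave a comment saying why. The `REGULAR` and `SUPPLEMENTED` definitions also differ only in "Time to recovery" versus "Time to recover"; if both are verbatim quotes from the source document keep them, otherwise align the wording.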
From: "Allen D. Householder" Date: Tue, 16 Sep 2025 16:14:08 -0400 Subject: [PATCH 24/24] regenerate json --- .../cisa/functional_impact_1_0_0.json | 30 -- .../cisa/functional_impact_2_0_0.json | 50 -- .../cisa/incident_severity_1_0_0.json | 40 -- .../cisa/incident_severity_2_0_0.json | 45 -- .../cisa/information_impact_1_0_0.json | 35 -- .../cisa/information_impact_2_0_0.json | 50 -- .../cisa/observed_activity_0_0_1.json | 30 -- .../observed_activity_location_1_0_0.json | 55 --- .../cisa/recoverability_1_0_0.json | 30 -- .../cisa_nciss/functional_impact_1_0_0.json | 30 ++ .../cisa_nciss/functional_impact_2_0_0.json | 50 ++ .../cisa_nciss/incident_severity_1_0_0.json | 40 ++ .../cisa_nciss/incident_severity_2_0_0.json | 45 ++ .../cisa_nciss/information_impact_1_0_0.json | 35 ++ .../cisa_nciss/information_impact_2_0_0.json | 50 ++ .../cisa_nciss/observed_activity_0_0_1.json | 30 ++ .../observed_activity_location_1_0_0.json | 55 +++ .../cisa_nciss/recoverability_1_0_0.json | 30 ++ data/json/ssvc_object_registry.json | 445 +++++++++--------- 19 files changed, 590 insertions(+), 585 deletions(-) delete mode 100644 data/json/decision_points/cisa/functional_impact_1_0_0.json delete mode 100644 data/json/decision_points/cisa/functional_impact_2_0_0.json delete mode 100644 data/json/decision_points/cisa/incident_severity_1_0_0.json delete mode 100644 data/json/decision_points/cisa/incident_severity_2_0_0.json delete mode 100644 data/json/decision_points/cisa/information_impact_1_0_0.json delete mode 100644 data/json/decision_points/cisa/information_impact_2_0_0.json delete mode 100644 data/json/decision_points/cisa/observed_activity_0_0_1.json delete mode 100644 data/json/decision_points/cisa/observed_activity_location_1_0_0.json delete mode 100644 data/json/decision_points/cisa/recoverability_1_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json 
create mode 100644 data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/information_impact_1_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/information_impact_2_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json create mode 100644 data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json create mode 100644 data/json/decision_points/cisa_nciss/recoverability_1_0_0.json diff --git a/data/json/decision_points/cisa/functional_impact_1_0_0.json b/data/json/decision_points/cisa/functional_impact_1_0_0.json deleted file mode 100644 index 12273486..00000000 --- a/data/json/decision_points/cisa/functional_impact_1_0_0.json +++ /dev/null @@ -1,30 +0,0 @@ -{ - "namespace": "cisa", - "key": "FI", - "version": "1.0.0", - "name": "Functional Impact", - "description": "A measure of the impact to business functionality or ability to provide services.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "No Impact", - "description": "Organization has experienced no loss in ability to provide all services to all users." - }, - { - "key": "L", - "name": "Low", - "description": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance." - }, - { - "key": "M", - "name": "Medium", - "description": "Organization has lost the ability to provide a critical service to a subset of system users." - }, - { - "key": "H", - "name": "High", - "description": "Organization has lost the ability to provide all critical services to all system users." - } - ] -} diff --git a/data/json/decision_points/cisa/functional_impact_2_0_0.json b/data/json/decision_points/cisa/functional_impact_2_0_0.json deleted file mode 100644 index bda26d3a..00000000 
--- a/data/json/decision_points/cisa/functional_impact_2_0_0.json +++ /dev/null @@ -1,50 +0,0 @@ -{ - "namespace": "cisa", - "key": "FI", - "version": "2.0.0", - "name": "Functional Impact", - "description": "A measure of the impact to business functionality or ability to provide services.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "No Impact", - "description": "Event has no impact." - }, - { - "key": "S", - "name": "No Impact to Services", - "description": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." - }, - { - "key": "M", - "name": "Minimal Impact to Non-Critical Services", - "description": "Some small level of impact to non-critical systems and services." - }, - { - "key": "C", - "name": "Minimal Impact to Critical Services", - "description": "Minimal impact but to a critical system or service, such as email or active directory." - }, - { - "key": "I", - "name": "Significant Impact to Non-Critical Services", - "description": "A non-critical service or system has a significant impact." - }, - { - "key": "D", - "name": "Denial of Non-Critical Services", - "description": "A non-critical system is denied or destroyed." - }, - { - "key": "T", - "name": "Significant Impact to Critical Services", - "description": "A critical system has a significant impact, such as local administrative account compromise." - }, - { - "key": "L", - "name": "Denial of Critical Services/Loss of Control", - "description": "A critical system has been rendered unavailable." - } - ] -} diff --git a/data/json/decision_points/cisa/incident_severity_1_0_0.json b/data/json/decision_points/cisa/incident_severity_1_0_0.json deleted file mode 100644 index 41921928..00000000 --- a/data/json/decision_points/cisa/incident_severity_1_0_0.json +++ /dev/null 
@@ -1,40 +0,0 @@
-{
- "namespace": "cisa",
- "key": "IS",
- "version": "1.0.0",
- "name": "Incident Severity",
- "description": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "0",
- "name": "Baseline",
- "description": "Unsubstantiated or inconsequential event."
- },
- {
- "key": "1",
- "name": "Low",
- "description": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
- },
- {
- "key": "2",
- "name": "Medium",
- "description": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
- },
- {
- "key": "3",
- "name": "High",
- "description": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
- },
- {
- "key": "4",
- "name": "Severe",
- "description": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
- },
- {
- "key": "5",
- "name": "Emergency",
- "description": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa/incident_severity_2_0_0.json b/data/json/decision_points/cisa/incident_severity_2_0_0.json deleted file mode 100644
index 65a28a88..00000000
--- a/data/json/decision_points/cisa/incident_severity_2_0_0.json
+++ /dev/null
@@ -1,45 +0,0 @@
-{
- "namespace": "cisa",
- "key": "IS",
- "version": "2.0.0",
- "name": "Incident Severity",
- "description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "0M",
- "name": "Baseline - Minor",
- "description": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
- },
- {
- "key": "0N",
- "name": "Baseline - Negligible",
- "description": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
- },
- {
- "key": "1",
- "name": "Low",
- "description": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
- },
- {
- "key": "2",
- "name": "Medium",
- "description": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
- },
- {
- "key": "3",
- "name": "High",
- "description": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
- },
- {
- "key": "4",
- "name": "Severe",
- "description": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
- },
- {
- "key": "5",
- "name": "Emergency",
- "description": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa/information_impact_1_0_0.json b/data/json/decision_points/cisa/information_impact_1_0_0.json deleted file mode 100644
index 74d23703..00000000
--- a/data/json/decision_points/cisa/information_impact_1_0_0.json
+++ /dev/null
@@ -1,35 +0,0 @@
-{
- "namespace": "cisa",
- "key": "II",
- "version": "1.0.0",
- "name": "Information Impact",
- "description": "Describes the type of information lost, compromised, or corrupted.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "N",
- "name": "None",
- "description": "No information was exfiltrated, modified, deleted, or otherwise compromised."
- },
- {
- "key": "I",
- "name": "Integrity",
- "description": "The necessary integrity of information was modified without authorization."
- },
- {
- "key": "P",
- "name": "Privacy",
- "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
- },
- {
- "key": "R",
- "name": "Proprietary",
- "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
- },
- {
- "key": "C",
- "name": "Classified",
- "description": "The confidentiality of classified information was compromised."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa/information_impact_2_0_0.json b/data/json/decision_points/cisa/information_impact_2_0_0.json deleted file mode 100644
index 487e853e..00000000
--- a/data/json/decision_points/cisa/information_impact_2_0_0.json
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- "namespace": "cisa",
- "key": "II",
- "version": "2.0.0",
- "name": "Information Impact",
- "description": "Describes the type of information lost, compromised, or corrupted.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "N",
- "name": "No Impact",
- "description": "No known data impact."
- },
- {
- "key": "S",
- "name": "Suspected But Not Identified",
- "description": "A data loss or impact to availability is suspected, but no direct confirmation exists."
- },
- {
- "key": "P",
- "name": "Privacy Data Breach",
- "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
- },
- {
- "key": "R",
- "name": "Proprietary Information Breach",
- "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
- },
- {
- "key": "D",
- "name": "Destruction of Non-Critical Systems",
- "description": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system."
- },
- {
- "key": "C",
- "name": "Critical Systems Data Breach",
- "description": "Data pertaining to a critical system has been exfiltrated."
- },
- {
- "key": "O",
- "name": "Core Credential Compromise",
- "description": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated."
- },
- {
- "key": "E",
- "name": "Destruction of Critical System",
- "description": "Destructive techniques, such as MBR overwrite; have been used against a critical system."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa/observed_activity_0_0_1.json b/data/json/decision_points/cisa/observed_activity_0_0_1.json deleted file mode 100644
index 2bd2b615..00000000
--- a/data/json/decision_points/cisa/observed_activity_0_0_1.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "namespace": "cisa",
- "key": "OA",
- "version": "0.0.1",
- "name": "Observed Activity",
- "description": "Observed activity describes what is known about threat actor activity on the network.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "P",
- "name": "Prepare",
- "description": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities."
- },
- {
- "key": "E",
- "name": "Engage",
- "description": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores."
- },
- {
- "key": "R",
- "name": "Presence",
- "description": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores."
- },
- {
- "key": "F",
- "name": "Effect",
- "description": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa/observed_activity_location_1_0_0.json b/data/json/decision_points/cisa/observed_activity_location_1_0_0.json deleted file mode 100644
index 6aa617c0..00000000
--- a/data/json/decision_points/cisa/observed_activity_location_1_0_0.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "namespace": "cisa",
- "key": "OAL",
- "version": "1.0.0",
- "name": "Observed Activity Location",
- "description": "The location of observed activity describes where the observed activity was detected in the network. ",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "0",
- "name": "Unsuccessful",
- "description": "Existing network defenses repelled all observed activity."
- },
- {
- "key": "1",
- "name": "Business Demilitarized Zone",
- "description": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet."
- },
- {
- "key": "2",
- "name": "Business Network",
- "description": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems."
- },
- {
- "key": "3",
- "name": "Business Network Management",
- "description": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores."
- },
- {
- "key": "4",
- "name": "Critical System DMZ",
- "description": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems."
- },
- {
- "key": "5",
- "name": "Critical System Management",
- "description": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems."
- },
- {
- "key": "6",
- "name": "Critical Systems",
- "description": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments."
- },
- {
- "key": "7",
- "name": "Safety Systems",
- "description": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system."
- },
- {
- "key": "U",
- "name": "Unknown",
- "description": "Activity was observed, but the network segment could not be identified."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa/recoverability_1_0_0.json b/data/json/decision_points/cisa/recoverability_1_0_0.json deleted file mode 100644
index 56018aa7..00000000
--- a/data/json/decision_points/cisa/recoverability_1_0_0.json
+++ /dev/null
@@ -1,30 +0,0 @@
-{
- "namespace": "cisa",
- "key": "RECOVERABILITY",
- "version": "1.0.0",
- "name": "Recoverability",
- "description": "Represents the scope of resources needed to recover from the incident.",
- "schemaVersion": "2.0.0",
- "values": [
- {
- "key": "R",
- "name": "Regular",
- "description": "Time to recovery is predictable with existing resources."
- },
- {
- "key": "S",
- "name": "Supplemented",
- "description": "Time to recover is predictable with additional resources."
- },
- {
- "key": "E",
- "name": "Extended",
- "description": "Time to recovery is unpredictable; additional resources and outside assistance may be required."
- },
- {
- "key": "N",
- "name": "Not Recoverable",
- "description": "Recovery from the incident is not possible."
- }
- ]
-}
diff --git a/data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json b/data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json new file mode 100644
index 00000000..cc6d14ee
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "FI",
+ "version": "1.0.0",
+ "name": "Functional Impact",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Organization has experienced no loss in ability to provide all services to all users."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Organization has lost the ability to provide a critical service to a subset of system users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Organization has lost the ability to provide all critical services to all system users."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json b/data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json new file mode 100644
index 00000000..ec60ebcb
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json
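Review bot: `"schemaVersion": "2.0.0"` is kept in this new file while the object-level and value-level field `description` has been renamed to `definition`, so a consumer validating against the 2.0.0 schema will either reject the file or silently drop the text; the same applies to every other new `cisa_nciss` file and to the `ssvc_object_registry.json` hunks further down. Either bump `schemaVersion` alongside the rename or confirm the 2.0.0 schema already accepts `definition`. The namespace is written `cisa#nciss` while the directory is `cisa_nciss`, so the namespace-to-path mapping is no longer identity, and `#` is a fragment delimiter in URIs; if the namespace is ever embedded in a URL or link-style identifier it will need encoding, which seems worth a sentence in the schema docs. Since the old `cisa` files are deleted in the same commit, any stored data still carrying `"namespace": "cisa"` will presumably stop resolving, so a migration note or alias may be needed.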
@@ -0,0 +1,50 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "FI",
+ "version": "2.0.0",
+ "name": "Functional Impact",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Event has no impact."
+ },
+ {
+ "key": "S",
+ "name": "No Impact to Services",
+ "definition": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers."
+ },
+ {
+ "key": "M",
+ "name": "Minimal Impact to Non-Critical Services",
+ "definition": "Some small level of impact to non-critical systems and services."
+ },
+ {
+ "key": "C",
+ "name": "Minimal Impact to Critical Services",
+ "definition": "Minimal impact but to a critical system or service, such as email or active directory."
+ },
+ {
+ "key": "I",
+ "name": "Significant Impact to Non-Critical Services",
+ "definition": "A non-critical service or system has a significant impact."
+ },
+ {
+ "key": "D",
+ "name": "Denial of Non-Critical Services",
+ "definition": "A non-critical system is denied or destroyed."
+ },
+ {
+ "key": "T",
+ "name": "Significant Impact to Critical Services",
+ "definition": "A critical system has a significant impact, such as local administrative account compromise."
+ },
+ {
+ "key": "L",
+ "name": "Denial of Critical Services/Loss of Control",
+ "definition": "A critical system has been rendered unavailable."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json b/data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json new file mode 100644
index 00000000..f250fb7a
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json
@@ -0,0 +1,40 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "IS",
+ "version": "1.0.0",
+ "name": "Incident Severity",
+ "definition": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Baseline",
+ "definition": "Unsubstantiated or inconsequential event."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "definition": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "definition": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "definition": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "definition": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json b/data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json new file mode 100644
index 00000000..bb0b785e
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json
@@ -0,0 +1,45 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "IS",
+ "version": "2.0.0",
+ "name": "Incident Severity",
+ "definition": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0M",
+ "name": "Baseline - Minor",
+ "definition": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ {
+ "key": "0N",
+ "name": "Baseline - Negligible",
+ "definition": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "definition": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "definition": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "definition": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "definition": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/information_impact_1_0_0.json b/data/json/decision_points/cisa_nciss/information_impact_1_0_0.json new file mode 100644
index 00000000..7a2036be
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/information_impact_1_0_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "II",
+ "version": "1.0.0",
+ "name": "Information Impact",
+ "definition": "Describes the type of information lost, compromised, or corrupted.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "No information was exfiltrated, modified, deleted, or otherwise compromised."
+ },
+ {
+ "key": "I",
+ "name": "Integrity",
+ "definition": "The necessary integrity of information was modified without authorization."
+ },
+ {
+ "key": "P",
+ "name": "Privacy",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ {
+ "key": "R",
+ "name": "Proprietary",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ {
+ "key": "C",
+ "name": "Classified",
+ "definition": "The confidentiality of classified information was compromised."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/information_impact_2_0_0.json b/data/json/decision_points/cisa_nciss/information_impact_2_0_0.json new file mode 100644
index 00000000..09047c79
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/information_impact_2_0_0.json
@@ -0,0 +1,50 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "II",
+ "version": "2.0.0",
+ "name": "Information Impact",
+ "definition": "Describes the type of information lost, compromised, or corrupted.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "No known data impact."
+ },
+ {
+ "key": "S",
+ "name": "Suspected But Not Identified",
+ "definition": "A data loss or impact to availability is suspected, but no direct confirmation exists."
+ },
+ {
+ "key": "P",
+ "name": "Privacy Data Breach",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ {
+ "key": "R",
+ "name": "Proprietary Information Breach",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ {
+ "key": "D",
+ "name": "Destruction of Non-Critical Systems",
+ "definition": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system."
+ },
+ {
+ "key": "C",
+ "name": "Critical Systems Data Breach",
+ "definition": "Data pertaining to a critical system has been exfiltrated."
+ },
+ {
+ "key": "O",
+ "name": "Core Credential Compromise",
+ "definition": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated."
+ },
+ {
+ "key": "E",
+ "name": "Destruction of Critical System",
+ "definition": "Destructive techniques, such as MBR overwrite; have been used against a critical system."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json b/data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json new file mode 100644
index 00000000..08adb30e
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "OA",
+ "version": "0.0.1",
+ "name": "Observed Activity",
+ "definition": "Observed activity describes what is known about threat actor activity on the network.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "P",
+ "name": "Prepare",
+ "definition": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities."
+ },
+ {
+ "key": "E",
+ "name": "Engage",
+ "definition": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores."
+ },
+ {
+ "key": "R",
+ "name": "Presence",
+ "definition": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores."
+ },
+ {
+ "key": "F",
+ "name": "Effect",
+ "definition": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json b/data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json new file mode 100644
index 00000000..fec613dc
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json 
@@ -0,0 +1,55 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "OAL",
+ "version": "1.0.0",
+ "name": "Observed Activity Location",
+ "definition": "The location of observed activity describes where the observed activity was detected in the network. ",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Unsuccessful",
+ "definition": "Existing network defenses repelled all observed activity."
+ },
+ {
+ "key": "1",
+ "name": "Business Demilitarized Zone",
+ "definition": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet."
+ },
+ {
+ "key": "2",
+ "name": "Business Network",
+ "definition": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems."
+ },
+ {
+ "key": "3",
+ "name": "Business Network Management",
+ "definition": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores."
+ },
+ {
+ "key": "4",
+ "name": "Critical System DMZ",
+ "definition": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems."
+ },
+ {
+ "key": "5",
+ "name": "Critical System Management",
+ "definition": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems."
+ },
+ {
+ "key": "6",
+ "name": "Critical Systems",
+ "definition": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments."
+ },
+ {
+ "key": "7",
+ "name": "Safety Systems",
+ "definition": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system."
+ },
+ {
+ "key": "U",
+ "name": "Unknown",
+ "definition": "Activity was observed, but the network segment could not be identified."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/recoverability_1_0_0.json b/data/json/decision_points/cisa_nciss/recoverability_1_0_0.json new file mode 100644
index 00000000..a3a43543
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/recoverability_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "RECOVERABILITY",
+ "version": "1.0.0",
+ "name": "Recoverability",
+ "definition": "Represents the scope of resources needed to recover from the incident.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "R",
+ "name": "Regular",
+ "definition": "Time to recovery is predictable with existing resources."
+ },
+ {
+ "key": "S",
+ "name": "Supplemented",
+ "definition": "Time to recover is predictable with additional resources."
+ },
+ {
+ "key": "E",
+ "name": "Extended",
+ "definition": "Time to recovery is unpredictable; additional resources and outside assistance may be required."
+ },
+ {
+ "key": "N",
+ "name": "Not Recoverable",
+ "definition": "Recovery from the incident is not possible."
+ }
+ ]
+}
diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json
index b7ec6138..8bb5b7b1 100644
--- a/data/json/ssvc_object_registry.json
+++ b/data/json/ssvc_object_registry.json
@@ -771,8 +771,8 @@
 }
 }
 },
- "cisa": {
- "namespace": "cisa",
+ "cisa#nciss": {
+ "namespace": "cisa#nciss",
 "keys": {
 "FI": {
 "key": "FI",
@@ -780,32 +780,32 @@
 "1.0.0": {
 "version": "1.0.0",
 "obj": {
- "namespace": "cisa",
+ "namespace": "cisa#nciss",
 "key": "FI",
 "version": "1.0.0",
 "name": "Functional Impact",
- "description": "A measure of the impact to business functionality or ability to provide services.",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
 "schemaVersion": "2.0.0",
 "values": [
 {
 "key": "N",
 "name": "No Impact",
- "description": "Organization has experienced no loss in ability to provide all services to all users."
+ "definition": "Organization has experienced no loss in ability to provide all services to all users."
 },
 {
 "key": "L",
 "name": "Low",
- "description": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
+ "definition": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
 },
 {
 "key": "M",
 "name": "Medium",
- "description": "Organization has lost the ability to provide a critical service to a subset of system users."
+ "definition": "Organization has lost the ability to provide a critical service to a subset of system users."
 },
 {
 "key": "H",
 "name": "High",
- "description": "Organization has lost the ability to provide all critical services to all system users."
+ "definition": "Organization has lost the ability to provide all critical services to all system users."
 }
 ]
 },
@@ -813,74 +813,74 @@ "N": { "key": "N", "name": "No Impact", - "description": "Organization has experienced no loss in ability to provide all services to all users." + "definition": "Organization has experienced no loss in ability to provide all services to all users." }, "L": { "key": "L", "name": "Low", - "description": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance." + "definition": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance." }, "M": { "key": "M", "name": "Medium", - "description": "Organization has lost the ability to provide a critical service to a subset of system users." + "definition": "Organization has lost the ability to provide a critical service to a subset of system users." }, "H": { "key": "H", "name": "High", - "description": "Organization has lost the ability to provide all critical services to all system users." + "definition": "Organization has lost the ability to provide all critical services to all system users." } } }, "2.0.0": { "version": "2.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "FI", "version": "2.0.0", "name": "Functional Impact", - "description": "A measure of the impact to business functionality or ability to provide services.", + "definition": "A measure of the impact to business functionality or ability to provide services.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "No Impact", - "description": "Event has no impact." + "definition": "Event has no impact." }, { "key": "S", "name": "No Impact to Services", - "description": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." + "definition": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." 
}, { "key": "M", "name": "Minimal Impact to Non-Critical Services", - "description": "Some small level of impact to non-critical systems and services." + "definition": "Some small level of impact to non-critical systems and services." }, { "key": "C", "name": "Minimal Impact to Critical Services", - "description": "Minimal impact but to a critical system or service, such as email or active directory." + "definition": "Minimal impact but to a critical system or service, such as email or active directory." }, { "key": "I", "name": "Significant Impact to Non-Critical Services", - "description": "A non-critical service or system has a significant impact." + "definition": "A non-critical service or system has a significant impact." }, { "key": "D", "name": "Denial of Non-Critical Services", - "description": "A non-critical system is denied or destroyed." + "definition": "A non-critical system is denied or destroyed." }, { "key": "T", "name": "Significant Impact to Critical Services", - "description": "A critical system has a significant impact, such as local administrative account compromise." + "definition": "A critical system has a significant impact, such as local administrative account compromise." }, { "key": "L", "name": "Denial of Critical Services/Loss of Control", - "description": "A critical system has been rendered unavailable." + "definition": "A critical system has been rendered unavailable." } ] }, 
@@ -888,82 +888,42 @@ "N": { "key": "N", "name": "No Impact", - "description": "Event has no impact." + "definition": "Event has no impact." }, "S": { "key": "S", "name": "No Impact to Services", - "description": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." + "definition": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers." }, "M": { "key": "M", "name": "Minimal Impact to Non-Critical Services", - "description": "Some small level of impact to non-critical systems and services." + "definition": "Some small level of impact to non-critical systems and services." }, "C": { "key": "C", "name": "Minimal Impact to Critical Services", - "description": "Minimal impact but to a critical system or service, such as email or active directory." + "definition": "Minimal impact but to a critical system or service, such as email or active directory." }, "I": { "key": "I", "name": "Significant Impact to Non-Critical Services", - "description": "A non-critical service or system has a significant impact." + "definition": "A non-critical service or system has a significant impact." }, "D": { "key": "D", "name": "Denial of Non-Critical Services", - "description": "A non-critical system is denied or destroyed." + "definition": "A non-critical system is denied or destroyed." }, "T": { "key": "T", "name": "Significant Impact to Critical Services", - "description": "A critical system has a significant impact, such as local administrative account compromise." + "definition": "A critical system has a significant impact, such as local administrative account compromise." }, "L": { "key": "L", "name": "Denial of Critical Services/Loss of Control", - "description": "A critical system has been rendered unavailable." 
- } - } - } - } - }, - "KEV": { - "key": "KEV", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "cisa", - "key": "KEV", - "version": "1.0.0", - "name": "In KEV", - "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "N", - "name": "No", - "definition": "Vulnerability is not listed in KEV." - }, - { - "key": "Y", - "name": "Yes", - "definition": "Vulnerability is listed in KEV." - } - ] - }, - "values": { - "N": { - "key": "N", - "name": "No", - "definition": "Vulnerability is not listed in KEV." - }, - "Y": { - "key": "Y", - "name": "Yes", - "definition": "Vulnerability is listed in KEV." + "definition": "A critical system has been rendered unavailable." } } } 
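Review bot: The `- "KEV": {` block deletes the KEV decision point from the registry as a side effect of renaming the `cisa` namespace entry to `cisa#nciss`, yet KEV is not an NCISS decision point, so after this hunk it has no registry entry at all unless a separate `cisa` namespace block is re-added elsewhere in the patch (not visible in this view); the same happens to `MP` in the hunk at `@@ -1258,92 +1218,42 @@`. If ssvc_object_registry.json is generated, this suggests the generator was run over only the nciss module, and a test asserting that every file under data/json/decision_points has a matching registry entry would catch the drop. The hunk ends inside the FI version map, so the enclosing namespace object continues outside it.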
@@ -975,42 +935,42 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "IS", "version": "1.0.0", "name": "Incident Severity", - "description": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.", + "definition": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.", "schemaVersion": "2.0.0", "values": [ { "key": "0", "name": "Baseline", - "description": "Unsubstantiated or inconsequential event." + "definition": "Unsubstantiated or inconsequential event." }, { "key": "1", "name": "Low", - "description": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, { "key": "2", "name": "Medium", - "description": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, { "key": "3", "name": "High", - "description": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." 
+ "definition": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, { "key": "4", "name": "Severe", - "description": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + "definition": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." }, { "key": "5", "name": "Emergency", - "description": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons." + "definition": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons." } ] }, 
@@ -1018,79 +978,79 @@ "0": { "key": "0", "name": "Baseline", - "description": "Unsubstantiated or inconsequential event." + "definition": "Unsubstantiated or inconsequential event." }, "1": { "key": "1", "name": "Low", - "description": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, "2": { "key": "2", "name": "Medium", - "description": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, "3": { "key": "3", "name": "High", - "description": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, "4": { "key": "4", "name": "Severe", - "description": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + "definition": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." }, "5": { "key": "5", "name": "Emergency", - "description": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons." 
+ "definition": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons." } } }, "2.0.0": { "version": "2.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "IS", "version": "2.0.0", "name": "Incident Severity", - "description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.", + "definition": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.", "schemaVersion": "2.0.0", "values": [ { "key": "0M", "name": "Baseline - Minor", - "description": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + "definition": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." 
}, { "key": "0N", "name": "Baseline - Negligible", - "description": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + "definition": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." }, { "key": "1", "name": "Low", - "description": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, { "key": "2", "name": "Medium", - "description": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, { "key": "3", "name": "High", - "description": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." 
}, { "key": "4", "name": "Severe", - "description": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + "definition": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." }, { "key": "5", "name": "Emergency", - "description": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." + "definition": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." } ] }, 
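Review bot: The `0M` (Baseline - Minor) and `0N` (Baseline - Negligible) values in the IS 2.0.0 entry carry word-for-word identical definitions, so a consumer of this registry cannot tell the two priority levels apart; the description-to-definition rename carries that duplication onto the new side unchanged. The CISA scoring text presumably distinguishes the two (I cannot confirm the exact wording from here), so the source module's `0N` definition should be checked against it and made distinct, with the registry regenerated. The hunk starts inside the IS 1.0.0 values map, which continues outside it.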
@@ -1098,37 +1058,37 @@ "0M": { "key": "0M", "name": "Baseline - Minor", - "description": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + "definition": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." }, "0N": { "key": "0N", "name": "Baseline - Negligible", - "description": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." + "definition": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny." }, "1": { "key": "1", "name": "Low", - "description": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, "2": { "key": "2", "name": "Medium", - "description": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." 
+ "definition": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, "3": { "key": "3", "name": "High", - "description": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." + "definition": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence." }, "4": { "key": "4", "name": "Severe", - "description": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." + "definition": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties." }, "5": { "key": "5", "name": "Emergency", - "description": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." + "definition": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons." } } } 
@@ -1140,37 +1100,37 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "II", "version": "1.0.0", "name": "Information Impact", - "description": "Describes the type of information lost, compromised, or corrupted.", + "definition": "Describes the type of information lost, compromised, or corrupted.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "None", - "description": "No information was exfiltrated, modified, deleted, or otherwise compromised." + "definition": "No information was exfiltrated, modified, deleted, or otherwise compromised." }, { "key": "I", "name": "Integrity", - "description": "The necessary integrity of information was modified without authorization." + "definition": "The necessary integrity of information was modified without authorization." }, { "key": "P", "name": "Privacy", - "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." }, { "key": "R", "name": "Proprietary", - "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." }, { "key": "C", "name": "Classified", - "description": "The confidentiality of classified information was compromised." + "definition": "The confidentiality of classified information was compromised." } ] }, 
@@ -1178,79 +1138,79 @@ "N": { "key": "N", "name": "None", - "description": "No information was exfiltrated, modified, deleted, or otherwise compromised." + "definition": "No information was exfiltrated, modified, deleted, or otherwise compromised." }, "I": { "key": "I", "name": "Integrity", - "description": "The necessary integrity of information was modified without authorization." + "definition": "The necessary integrity of information was modified without authorization." }, "P": { "key": "P", "name": "Privacy", - "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." }, "R": { "key": "R", "name": "Proprietary", - "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." }, "C": { "key": "C", "name": "Classified", - "description": "The confidentiality of classified information was compromised." + "definition": "The confidentiality of classified information was compromised." } } }, "2.0.0": { "version": "2.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "II", "version": "2.0.0", "name": "Information Impact", - "description": "Describes the type of information lost, compromised, or corrupted.", + "definition": "Describes the type of information lost, compromised, or corrupted.", "schemaVersion": "2.0.0", "values": [ { "key": "N", "name": "No Impact", - "description": "No known data impact." + "definition": "No known data impact." 
}, { "key": "S", "name": "Suspected But Not Identified", - "description": "A data loss or impact to availability is suspected, but no direct confirmation exists." + "definition": "A data loss or impact to availability is suspected, but no direct confirmation exists." }, { "key": "P", "name": "Privacy Data Breach", - "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." }, { "key": "R", "name": "Proprietary Information Breach", - "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." }, { "key": "D", "name": "Destruction of Non-Critical Systems", - "description": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." + "definition": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." }, { "key": "C", "name": "Critical Systems Data Breach", - "description": "Data pertaining to a critical system has been exfiltrated." + "definition": "Data pertaining to a critical system has been exfiltrated." }, { "key": "O", "name": "Core Credential Compromise", - "description": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." + "definition": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." 
}, { "key": "E", "name": "Destruction of Critical System", - "description": "Destructive techniques, such as MBR overwrite; have been used against a critical system." + "definition": "Destructive techniques, such as MBR overwrite; have been used against a critical system." } ] }, 
@@ -1258,92 +1218,42 @@ "N": { "key": "N", "name": "No Impact", - "description": "No known data impact." + "definition": "No known data impact." }, "S": { "key": "S", "name": "Suspected But Not Identified", - "description": "A data loss or impact to availability is suspected, but no direct confirmation exists." + "definition": "A data loss or impact to availability is suspected, but no direct confirmation exists." }, "P": { "key": "P", "name": "Privacy Data Breach", - "description": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." + "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised." }, "R": { "key": "R", "name": "Proprietary Information Breach", - "description": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." + "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised." }, "D": { "key": "D", "name": "Destruction of Non-Critical Systems", - "description": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." + "definition": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system." }, "C": { "key": "C", "name": "Critical Systems Data Breach", - "description": "Data pertaining to a critical system has been exfiltrated." + "definition": "Data pertaining to a critical system has been exfiltrated." }, "O": { "key": "O", "name": "Core Credential Compromise", - "description": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." 
+ "definition": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated." }, "E": { "key": "E", "name": "Destruction of Critical System", - "description": "Destructive techniques, such as MBR overwrite; have been used against a critical system." - } - } - } - } - }, - "MP": { - "key": "MP", - "versions": { - "1.0.0": { - "version": "1.0.0", - "obj": { - "namespace": "cisa", - "key": "MP", - "version": "1.0.0", - "name": "Mission Prevalence", - "definition": "Prevalence of the mission essential functions", - "schemaVersion": "2.0.0", - "values": [ - { - "key": "M", - "name": "Minimal", - "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." - }, - { - "key": "S", - "name": "Support", - "definition": "The vulnerable component only supports MEFs for two or more entities." - }, - { - "key": "E", - "name": "Essential", - "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." - } - ] - }, - "values": { - "M": { - "key": "M", - "name": "Minimal", - "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." - }, - "S": { - "key": "S", - "name": "Support", - "definition": "The vulnerable component only supports MEFs for two or more entities." 
- }, - "E": { - "key": "E", - "name": "Essential", - "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." + "definition": "Destructive techniques, such as MBR overwrite; have been used against a critical system." } } } 
@@ -1355,32 +1265,32 @@ "0.0.1": { "version": "0.0.1", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "OA", "version": "0.0.1", "name": "Observed Activity", - "description": "Observed activity describes what is known about threat actor activity on the network.", + "definition": "Observed activity describes what is known about threat actor activity on the network.", "schemaVersion": "2.0.0", "values": [ { "key": "P", "name": "Prepare", - "description": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." + "definition": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." }, { "key": "E", "name": "Engage", - "description": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." + "definition": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." }, { "key": "R", "name": "Presence", - "description": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." + "definition": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. 
These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." }, { "key": "F", "name": "Effect", - "description": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." + "definition": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." } ] }, 
@@ -1388,22 +1298,22 @@ "P": { "key": "P", "name": "Prepare", - "description": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." + "definition": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities." }, "E": { "key": "E", "name": "Engage", - "description": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." + "definition": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores." }, "R": { "key": "R", "name": "Presence", - "description": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." + "definition": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores." 
}, "F": { "key": "F", "name": "Effect", - "description": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." + "definition": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores." } } } 
@@ -1415,57 +1325,57 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "OAL", "version": "1.0.0", "name": "Observed Activity Location", - "description": "The location of observed activity describes where the observed activity was detected in the network. ", + "definition": "The location of observed activity describes where the observed activity was detected in the network. ", "schemaVersion": "2.0.0", "values": [ { "key": "0", "name": "Unsuccessful", - "description": "Existing network defenses repelled all observed activity." + "definition": "Existing network defenses repelled all observed activity." }, { "key": "1", "name": "Business Demilitarized Zone", - "description": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." + "definition": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." }, { "key": "2", "name": "Business Network", - "description": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." + "definition": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." }, { "key": "3", "name": "Business Network Management", - "description": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + "definition": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." 
}, { "key": "4", "name": "Critical System DMZ", - "description": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + "definition": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." }, { "key": "5", "name": "Critical System Management", - "description": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + "definition": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." }, { "key": "6", "name": "Critical Systems", - "description": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." + "definition": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." }, { "key": "7", "name": "Safety Systems", - "description": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + "definition": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." }, { "key": "U", "name": "Unknown", - "description": "Activity was observed, but the network segment could not be identified." + "definition": "Activity was observed, but the network segment could not be identified." } ] }, 
@@ -1473,47 +1383,47 @@ "0": { "key": "0", "name": "Unsuccessful", - "description": "Existing network defenses repelled all observed activity." + "definition": "Existing network defenses repelled all observed activity." }, "1": { "key": "1", "name": "Business Demilitarized Zone", - "description": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." + "definition": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet." }, "2": { "key": "2", "name": "Business Network", - "description": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." + "definition": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." }, "3": { "key": "3", "name": "Business Network Management", - "description": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + "definition": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." }, "4": { "key": "4", "name": "Critical System DMZ", - "description": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + "definition": "Activity was observed in the DMZ that exists between the business network and a critical system network. 
These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." }, "5": { "key": "5", "name": "Critical System Management", - "description": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + "definition": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." }, "6": { "key": "6", "name": "Critical Systems", - "description": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." + "definition": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." }, "7": { "key": "7", "name": "Safety Systems", - "description": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + "definition": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." }, "U": { "key": "U", "name": "Unknown", - "description": "Activity was observed, but the network segment could not be identified." + "definition": "Activity was observed, but the network segment could not be identified." } } } 
@@ -1525,32 +1435,32 @@ "1.0.0": { "version": "1.0.0", "obj": { - "namespace": "cisa", + "namespace": "cisa#nciss", "key": "RECOVERABILITY", "version": "1.0.0", "name": "Recoverability", - "description": "Represents the scope of resources needed to recover from the incident.", + "definition": "Represents the scope of resources needed to recover from the incident.", "schemaVersion": "2.0.0", "values": [ { "key": "R", "name": "Regular", - "description": "Time to recovery is predictable with existing resources." + "definition": "Time to recovery is predictable with existing resources." }, { "key": "S", "name": "Supplemented", - "description": "Time to recover is predictable with additional resources." + "definition": "Time to recover is predictable with additional resources." }, { "key": "E", "name": "Extended", - "description": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + "definition": "Time to recovery is unpredictable; additional resources and outside assistance may be required." }, { "key": "N", "name": "Not Recoverable", - "description": "Recovery from the incident is not possible." + "definition": "Recovery from the incident is not possible." } ] }, 
@@ -1558,22 +1468,117 @@ "R": { "key": "R", "name": "Regular", - "description": "Time to recovery is predictable with existing resources." + "definition": "Time to recovery is predictable with existing resources." }, "S": { "key": "S", "name": "Supplemented", - "description": "Time to recover is predictable with additional resources." + "definition": "Time to recover is predictable with additional resources." }, "E": { "key": "E", "name": "Extended", - "description": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + "definition": "Time to recovery is unpredictable; additional resources and outside assistance may be required." }, "N": { "key": "N", "name": "Not Recoverable", - "description": "Recovery from the incident is not possible." + "definition": "Recovery from the incident is not possible." + } + } + } + } + } + } + }, + "cisa": { + "namespace": "cisa", + "keys": { + "KEV": { + "key": "KEV", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "KEV", + "version": "1.0.0", + "name": "In KEV", + "definition": "Denotes whether a vulnerability is in the CISA Known Exploited Vulnerabilities (KEV) list.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "N", + "name": "No", + "definition": "Vulnerability is not listed in KEV." + }, + { + "key": "Y", + "name": "Yes", + "definition": "Vulnerability is listed in KEV." + } + ] + }, + "values": { + "N": { + "key": "N", + "name": "No", + "definition": "Vulnerability is not listed in KEV." + }, + "Y": { + "key": "Y", + "name": "Yes", + "definition": "Vulnerability is listed in KEV." 
+ } + } + } + } + }, + "MP": { + "key": "MP", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa", + "key": "MP", + "version": "1.0.0", + "name": "Mission Prevalence", + "definition": "Prevalence of the mission essential functions", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "M", + "name": "Minimal", + "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." + }, + { + "key": "S", + "name": "Support", + "definition": "The vulnerable component only supports MEFs for two or more entities." + }, + { + "key": "E", + "name": "Essential", + "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." + } + ] + }, + "values": { + "M": { + "key": "M", + "name": "Minimal", + "definition": "Neither Support nor Essential apply. The vulnerable component may be used within the entities, but it is not used as a mission-essential component, nor does it provide impactful support to mission-essential functions." + }, + "S": { + "key": "S", + "name": "Support", + "definition": "The vulnerable component only supports MEFs for two or more entities." + }, + "E": { + "key": "E", + "name": "Essential", + "definition": "The vulnerable component directly provides capabilities that constitute at least one MEF for at least one entity; component failure may (but does not necessarily) lead to overall mission failure." } } }