diff --git a/data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json b/data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json
new file mode 100644
index 00000000..cc6d14ee
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/functional_impact_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "FI",
+ "version": "1.0.0",
+ "name": "Functional Impact",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Organization has experienced no loss in ability to provide all services to all users."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Organization has lost the ability to provide a critical service to a subset of system users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Organization has lost the ability to provide all critical services to all system users."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json b/data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json
new file mode 100644
index 00000000..ec60ebcb
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/functional_impact_2_0_0.json
@@ -0,0 +1,50 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "FI",
+ "version": "2.0.0",
+ "name": "Functional Impact",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Event has no impact."
+ },
+ {
+ "key": "S",
+ "name": "No Impact to Services",
+ "definition": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers."
+ },
+ {
+ "key": "M",
+ "name": "Minimal Impact to Non-Critical Services",
+ "definition": "Some small level of impact to non-critical systems and services."
+ },
+ {
+ "key": "C",
+ "name": "Minimal Impact to Critical Services",
+ "definition": "Minimal impact but to a critical system or service, such as email or active directory."
+ },
+ {
+ "key": "I",
+ "name": "Significant Impact to Non-Critical Services",
+ "definition": "A non-critical service or system has a significant impact."
+ },
+ {
+ "key": "D",
+ "name": "Denial of Non-Critical Services",
+ "definition": "A non-critical system is denied or destroyed."
+ },
+ {
+ "key": "T",
+ "name": "Significant Impact to Critical Services",
+ "definition": "A critical system has a significant impact, such as local administrative account compromise."
+ },
+ {
+ "key": "L",
+ "name": "Denial of Critical Services/Loss of Control",
+ "definition": "A critical system has been rendered unavailable."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json b/data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json
new file mode 100644
index 00000000..f250fb7a
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/incident_severity_1_0_0.json
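Review bot: Value key `L` is reused across versions of the same decision point with opposite meaning: in 1.0.0 it is `Low`, the second-lowest level, while here it names `Denial of Critical Services/Loss of Control`, the highest level; `M` likewise shifts from `Medium` to `Minimal Impact to Non-Critical Services`. Any consumer that resolves `cisa#nciss` `FI:L` without also matching `version` lands at the wrong end of the scale, so either every registry lookup must be version-qualified or the 2.0.0 keys should avoid colliding with 1.0.0 ones. At minimum the top-level `definition` should say that value keys are not stable across versions, e.g. `"definition": "A measure of the impact to business functionality or ability to provide services. Value keys are specific to this version and do not carry over from 1.0.0."`.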
@@ -0,0 +1,40 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "IS",
+ "version": "1.0.0",
+ "name": "Incident Severity",
+ "definition": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Baseline",
+ "definition": "Unsubstantiated or inconsequential event."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "definition": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "definition": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "definition": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "definition": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json b/data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json
new file mode 100644
index 00000000..bb0b785e
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/incident_severity_2_0_0.json
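Review bot: The top-level `definition` describes where the schema came from rather than what this decision point measures, so it reads differently from the sibling decision points' definitions (`A measure of the impact to ...`, `Describes the type of information ...`). Consider keeping the provenance sentence but leading with the quantity being graded, e.g. `"definition": "The overall severity assigned to a cyber incident based on its potential impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."`. The value definitions already enumerate those impact categories, so the lead sentence would simply name the scale they grade.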
@@ -0,0 +1,45 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "IS",
+ "version": "2.0.0",
+ "name": "Incident Severity",
+ "definition": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0M",
+ "name": "Baseline - Minor",
+ "definition": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ {
+ "key": "0N",
+ "name": "Baseline - Negligible",
+ "definition": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "definition": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "definition": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "definition": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "definition": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/information_impact_1_0_0.json b/data/json/decision_points/cisa_nciss/information_impact_1_0_0.json
new file mode 100644
index 00000000..7a2036be
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/information_impact_1_0_0.json
@@ -0,0 +1,35 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "II",
+ "version": "1.0.0",
+ "name": "Information Impact",
+ "definition": "Describes the type of information lost, compromised, or corrupted.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "No information was exfiltrated, modified, deleted, or otherwise compromised."
+ },
+ {
+ "key": "I",
+ "name": "Integrity",
+ "definition": "The necessary integrity of information was modified without authorization."
+ },
+ {
+ "key": "P",
+ "name": "Privacy",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ {
+ "key": "R",
+ "name": "Proprietary",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ {
+ "key": "C",
+ "name": "Classified",
+ "definition": "The confidentiality of classified information was compromised."
+ }
+ ]
+}
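Review bot: `0M` (Baseline - Minor) and `0N` (Baseline - Negligible) carry byte-identical `definition` text, so nothing in the data distinguishes the two levels, and their order looks inverted: every other decision point in this commit lists values from least to most severe, which would place Negligible before Minor. The top-level `definition` also says `The six levels listed below` while seven values follow, because the baseline level is split into `0M`/`0N`; the wording should say so or the count should change. Suggest swapping the two entries so `0N` precedes `0M`, and either differentiating the `0N` definition or stating in the top-level `definition` that the two baseline sub-levels are intentionally distinguished only by name.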
diff --git a/data/json/decision_points/cisa_nciss/information_impact_2_0_0.json b/data/json/decision_points/cisa_nciss/information_impact_2_0_0.json
new file mode 100644
index 00000000..09047c79
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/information_impact_2_0_0.json
@@ -0,0 +1,50 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "II",
+ "version": "2.0.0",
+ "name": "Information Impact",
+ "definition": "Describes the type of information lost, compromised, or corrupted.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "No known data impact."
+ },
+ {
+ "key": "S",
+ "name": "Suspected But Not Identified",
+ "definition": "A data loss or impact to availability is suspected, but no direct confirmation exists."
+ },
+ {
+ "key": "P",
+ "name": "Privacy Data Breach",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ {
+ "key": "R",
+ "name": "Proprietary Information Breach",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ {
+ "key": "D",
+ "name": "Destruction of Non-Critical Systems",
+ "definition": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system."
+ },
+ {
+ "key": "C",
+ "name": "Critical Systems Data Breach",
+ "definition": "Data pertaining to a critical system has been exfiltrated."
+ },
+ {
+ "key": "O",
+ "name": "Core Credential Compromise",
+ "definition": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated."
+ },
+ {
+ "key": "E",
+ "name": "Destruction of Critical System",
+ "definition": "Destructive techniques, such as MBR overwrite; have been used against a critical system."
+ }
+ ]
+}
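Review bot: The `D` and `E` definitions have a semicolon where a comma belongs, `such as master boot record (MBR) overwrite; have been used`, which splits the subject from its verb; suggest `"definition": "Destructive techniques, such as master boot record (MBR) overwrite, have been used against a non-critical system."` and the same comma fix for `E`. Separately, the `S` value (`Suspected But Not Identified`) mentions `impact to availability`, and `D`/`E` describe system destruction, both of which the sibling Functional Impact decision point already grades. If that is the intended NCISS wording it is fine, but a sentence in the top-level `definition` on how Information Impact is meant to differ from Functional Impact would help assessors assign the two values consistently.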
diff --git a/data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json b/data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json
new file mode 100644
index 00000000..08adb30e
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/observed_activity_0_0_1.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "OA",
+ "version": "0.0.1",
+ "name": "Observed Activity",
+ "definition": "Observed activity describes what is known about threat actor activity on the network.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "P",
+ "name": "Prepare",
+ "definition": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities."
+ },
+ {
+ "key": "E",
+ "name": "Engage",
+ "definition": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores."
+ },
+ {
+ "key": "R",
+ "name": "Presence",
+ "definition": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores."
+ },
+ {
+ "key": "F",
+ "name": "Effect",
+ "definition": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json b/data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json
new file mode 100644
index 00000000..fec613dc
--- /dev/null
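Review bot: This decision point is versioned `0.0.1` while every other file in the commit is at `1.0.0` or `2.0.0`; if the pre-release number is deliberate because the value set is still under review, that is worth stating in `definition`, otherwise it should be `"version": "1.0.0"` to match its siblings. The definitions also mix typographic and ASCII apostrophes, `victim's` in `E` but `threat actor’s` and `victim’s` in `F`, which matters for anything that hashes or exact-matches this text; pick one form. The value keys `R` (Presence) and `F` (Effect) are not first-letter mnemonics like `P` and `E`, presumably to avoid collisions, which a reader would appreciate seeing noted in the definition.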
+++ b/data/json/decision_points/cisa_nciss/observed_activity_location_1_0_0.json 
@@ -0,0 +1,55 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "OAL",
+ "version": "1.0.0",
+ "name": "Observed Activity Location",
+ "definition": "The location of observed activity describes where the observed activity was detected in the network. ",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Unsuccessful",
+ "definition": "Existing network defenses repelled all observed activity."
+ },
+ {
+ "key": "1",
+ "name": "Business Demilitarized Zone",
+ "definition": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet."
+ },
+ {
+ "key": "2",
+ "name": "Business Network",
+ "definition": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems."
+ },
+ {
+ "key": "3",
+ "name": "Business Network Management",
+ "definition": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores."
+ },
+ {
+ "key": "4",
+ "name": "Critical System DMZ",
+ "definition": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems."
+ },
+ {
+ "key": "5",
+ "name": "Critical System Management",
+ "definition": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems."
+ },
+ {
+ "key": "6",
+ "name": "Critical Systems",
+ "definition": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments."
+ },
+ {
+ "key": "7",
+ "name": "Safety Systems",
+ "definition": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system."
+ },
+ {
+ "key": "U",
+ "name": "Unknown",
+ "definition": "Activity was observed, but the network segment could not be identified."
+ }
+ ]
+}
diff --git a/data/json/decision_points/cisa_nciss/recoverability_1_0_0.json b/data/json/decision_points/cisa_nciss/recoverability_1_0_0.json
new file mode 100644
index 00000000..a3a43543
--- /dev/null
+++ b/data/json/decision_points/cisa_nciss/recoverability_1_0_0.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "cisa#nciss",
+ "key": "RECOVERABILITY",
+ "version": "1.0.0",
+ "name": "Recoverability",
+ "definition": "Represents the scope of resources needed to recover from the incident.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "R",
+ "name": "Regular",
+ "definition": "Time to recovery is predictable with existing resources."
+ },
+ {
+ "key": "S",
+ "name": "Supplemented",
+ "definition": "Time to recover is predictable with additional resources."
+ },
+ {
+ "key": "E",
+ "name": "Extended",
+ "definition": "Time to recovery is unpredictable; additional resources and outside assistance may be required."
+ },
+ {
+ "key": "N",
+ "name": "Not Recoverable",
+ "definition": "Recovery from the incident is not possible."
+ }
+ ]
+}
diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json
index da406f0e..8bb5b7b1 100644
--- a/data/json/ssvc_object_registry.json
+++ b/data/json/ssvc_object_registry.json
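Review bot: The top-level `definition` ends with a trailing space, `...detected in the network. "`, which will be copied into the registry and into any hash or exact-match comparison; trim it to `"definition": "The location of observed activity describes where the observed activity was detected in the network."`. The `U` (Unknown) value sits last, after `7` (Safety Systems); since the sibling decision points order values from least to most severe, a consumer that treats position as ordinal will rank an unidentified segment above safety systems, so if Unknown is meant to be unordered that should be stated in its definition or in the top-level one. The `4` definition also uses typographic quotes around `“jump”` while the rest of this file is otherwise ASCII apart from one `’`; one quoting convention across the data set would avoid exact-match surprises.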
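Review bot: `"key": "RECOVERABILITY"` breaks the abbreviation convention every other decision point in this commit follows (`FI`, `IS`, `II`, `OA`, `OAL`), and the key is the part of the identifier consumers will type and match on; if nothing already depends on it, a short key such as `"key": "REC"` (a suggestion, not an existing value) would be consistent. The `S` definition says `Time to recover` while `R` and `E` say `Time to recovery`; suggest `"definition": "Time to recovery is predictable with additional resources."`.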
@@ -771,6 +771,726 @@
 }
 }
 },
+ "cisa#nciss": {
+ "namespace": "cisa#nciss",
+ "keys": {
+ "FI": {
+ "key": "FI",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "FI",
+ "version": "1.0.0",
+ "name": "Functional Impact",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Organization has experienced no loss in ability to provide all services to all users."
+ },
+ {
+ "key": "L",
+ "name": "Low",
+ "definition": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Organization has lost the ability to provide a critical service to a subset of system users."
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "definition": "Organization has lost the ability to provide all critical services to all system users."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Organization has experienced no loss in ability to provide all services to all users."
+ },
+ "L": {
+ "key": "L",
+ "name": "Low",
+ "definition": "Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance."
+ },
+ "M": {
+ "key": "M",
+ "name": "Medium",
+ "definition": "Organization has lost the ability to provide a critical service to a subset of system users."
+ },
+ "H": {
+ "key": "H",
+ "name": "High",
+ "definition": "Organization has lost the ability to provide all critical services to all system users."
+ }
+ }
+ },
+ "2.0.0": {
+ "version": "2.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "FI",
+ "version": "2.0.0",
+ "name": "Functional Impact",
+ "definition": "A measure of the impact to business functionality or ability to provide services.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Event has no impact."
+ },
+ {
+ "key": "S",
+ "name": "No Impact to Services",
+ "definition": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers."
+ },
+ {
+ "key": "M",
+ "name": "Minimal Impact to Non-Critical Services",
+ "definition": "Some small level of impact to non-critical systems and services."
+ },
+ {
+ "key": "C",
+ "name": "Minimal Impact to Critical Services",
+ "definition": "Minimal impact but to a critical system or service, such as email or active directory."
+ },
+ {
+ "key": "I",
+ "name": "Significant Impact to Non-Critical Services",
+ "definition": "A non-critical service or system has a significant impact."
+ },
+ {
+ "key": "D",
+ "name": "Denial of Non-Critical Services",
+ "definition": "A non-critical system is denied or destroyed."
+ },
+ {
+ "key": "T",
+ "name": "Significant Impact to Critical Services",
+ "definition": "A critical system has a significant impact, such as local administrative account compromise."
+ },
+ {
+ "key": "L",
+ "name": "Denial of Critical Services/Loss of Control",
+ "definition": "A critical system has been rendered unavailable."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "Event has no impact."
+ },
+ "S": {
+ "key": "S",
+ "name": "No Impact to Services",
+ "definition": "Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers."
+ },
+ "M": {
+ "key": "M",
+ "name": "Minimal Impact to Non-Critical Services",
+ "definition": "Some small level of impact to non-critical systems and services."
+ },
+ "C": {
+ "key": "C",
+ "name": "Minimal Impact to Critical Services",
+ "definition": "Minimal impact but to a critical system or service, such as email or active directory."
+ },
+ "I": {
+ "key": "I",
+ "name": "Significant Impact to Non-Critical Services",
+ "definition": "A non-critical service or system has a significant impact."
+ },
+ "D": {
+ "key": "D",
+ "name": "Denial of Non-Critical Services",
+ "definition": "A non-critical system is denied or destroyed."
+ },
+ "T": {
+ "key": "T",
+ "name": "Significant Impact to Critical Services",
+ "definition": "A critical system has a significant impact, such as local administrative account compromise."
+ },
+ "L": {
+ "key": "L",
+ "name": "Denial of Critical Services/Loss of Control",
+ "definition": "A critical system has been rendered unavailable."
+ }
+ }
+ }
+ }
+ },
+ "IS": {
+ "key": "IS",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "IS",
+ "version": "1.0.0",
+ "name": "Incident Severity",
+ "definition": "The United States Federal Cybersecurity Centers, in coordination with departments and agencies with a cybersecurity or cyber operations mission, adopted a common schema for describing the severity of cyber incidents affecting the homeland, U.S. capabilities, or U.S. interests.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Baseline",
+ "definition": "Unsubstantiated or inconsequential event."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "definition": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "definition": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "definition": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "definition": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons."
+ }
+ ]
+ },
+ "values": {
+ "0": {
+ "key": "0",
+ "name": "Baseline",
+ "definition": "Unsubstantiated or inconsequential event."
+ },
+ "1": {
+ "key": "1",
+ "name": "Low",
+ "definition": "Unlikely to impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ "2": {
+ "key": "2",
+ "name": "Medium",
+ "definition": "May impact public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ "3": {
+ "key": "3",
+ "name": "High",
+ "definition": "Likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ "4": {
+ "key": "4",
+ "name": "Severe",
+ "definition": "Likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ "5": {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "Poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or to the lives of U.S. persons."
+ }
+ }
+ },
+ "2.0.0": {
+ "version": "2.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "IS",
+ "version": "2.0.0",
+ "name": "Incident Severity",
+ "definition": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with CISA, the Department of Homeland Security (DHS), and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives CISA urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0M",
+ "name": "Baseline - Minor",
+ "definition": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ {
+ "key": "0N",
+ "name": "Baseline - Negligible",
+ "definition": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ {
+ "key": "1",
+ "name": "Low",
+ "definition": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "2",
+ "name": "Medium",
+ "definition": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "3",
+ "name": "High",
+ "definition": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ {
+ "key": "4",
+ "name": "Severe",
+ "definition": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons."
+ }
+ ]
+ },
+ "values": {
+ "0M": {
+ "key": "0M",
+ "name": "Baseline - Minor",
+ "definition": "A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ "0N": {
+ "key": "0N",
+ "name": "Baseline - Negligible",
+ "definition": "A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence. The potential for impact, however, exists and warrants additional scrutiny."
+ },
+ "1": {
+ "key": "1",
+ "name": "Low",
+ "definition": "A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ "2": {
+ "key": "2",
+ "name": "Medium",
+ "definition": "A Medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ "3": {
+ "key": "3",
+ "name": "High",
+ "definition": "A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence."
+ },
+ "4": {
+ "key": "4",
+ "name": "Severe",
+ "definition": "A Severe priority incident is likely to result in a significant impact to public health or safety, national security, economic security, foreign relations, or civil liberties."
+ },
+ "5": {
+ "key": "5",
+ "name": "Emergency",
+ "definition": "An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of U.S. persons."
+ }
+ }
+ }
+ }
+ },
+ "II": {
+ "key": "II",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "II",
+ "version": "1.0.0",
+ "name": "Information Impact",
+ "definition": "Describes the type of information lost, compromised, or corrupted.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "None",
+ "definition": "No information was exfiltrated, modified, deleted, or otherwise compromised."
+ },
+ {
+ "key": "I",
+ "name": "Integrity",
+ "definition": "The necessary integrity of information was modified without authorization."
+ },
+ {
+ "key": "P",
+ "name": "Privacy",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ {
+ "key": "R",
+ "name": "Proprietary",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ {
+ "key": "C",
+ "name": "Classified",
+ "definition": "The confidentiality of classified information was compromised."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "None",
+ "definition": "No information was exfiltrated, modified, deleted, or otherwise compromised."
+ },
+ "I": {
+ "key": "I",
+ "name": "Integrity",
+ "definition": "The necessary integrity of information was modified without authorization."
+ },
+ "P": {
+ "key": "P",
+ "name": "Privacy",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ "R": {
+ "key": "R",
+ "name": "Proprietary",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ "C": {
+ "key": "C",
+ "name": "Classified",
+ "definition": "The confidentiality of classified information was compromised."
+ }
+ }
+ },
+ "2.0.0": {
+ "version": "2.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "II",
+ "version": "2.0.0",
+ "name": "Information Impact",
+ "definition": "Describes the type of information lost, compromised, or corrupted.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "No known data impact."
+ },
+ {
+ "key": "S",
+ "name": "Suspected But Not Identified",
+ "definition": "A data loss or impact to availability is suspected, but no direct confirmation exists."
+ },
+ {
+ "key": "P",
+ "name": "Privacy Data Breach",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ {
+ "key": "R",
+ "name": "Proprietary Information Breach",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ {
+ "key": "D",
+ "name": "Destruction of Non-Critical Systems",
+ "definition": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system."
+ },
+ {
+ "key": "C",
+ "name": "Critical Systems Data Breach",
+ "definition": "Data pertaining to a critical system has been exfiltrated."
+ },
+ {
+ "key": "O",
+ "name": "Core Credential Compromise",
+ "definition": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated."
+ },
+ {
+ "key": "E",
+ "name": "Destruction of Critical System",
+ "definition": "Destructive techniques, such as MBR overwrite; have been used against a critical system."
+ }
+ ]
+ },
+ "values": {
+ "N": {
+ "key": "N",
+ "name": "No Impact",
+ "definition": "No known data impact."
+ },
+ "S": {
+ "key": "S",
+ "name": "Suspected But Not Identified",
+ "definition": "A data loss or impact to availability is suspected, but no direct confirmation exists."
+ },
+ "P": {
+ "key": "P",
+ "name": "Privacy Data Breach",
+ "definition": "The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised."
+ },
+ "R": {
+ "key": "R",
+ "name": "Proprietary Information Breach",
+ "definition": "The confidentiality of unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised."
+ },
+ "D": {
+ "key": "D",
+ "name": "Destruction of Non-Critical Systems",
+ "definition": "Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system."
+ },
+ "C": {
+ "key": "C",
+ "name": "Critical Systems Data Breach",
+ "definition": "Data pertaining to a critical system has been exfiltrated."
+ },
+ "O": {
+ "key": "O",
+ "name": "Core Credential Compromise",
+ "definition": "Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated."
+ },
+ "E": {
+ "key": "E",
+ "name": "Destruction of Critical System",
+ "definition": "Destructive techniques, such as MBR overwrite; have been used against a critical system."
+ }
+ }
+ }
+ }
+ },
+ "OA": {
+ "key": "OA",
+ "versions": {
+ "0.0.1": {
+ "version": "0.0.1",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "OA",
+ "version": "0.0.1",
+ "name": "Observed Activity",
+ "definition": "Observed activity describes what is known about threat actor activity on the network.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "P",
+ "name": "Prepare",
+ "definition": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities."
+ },
+ {
+ "key": "E",
+ "name": "Engage",
+ "definition": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores."
+ },
+ {
+ "key": "R",
+ "name": "Presence",
+ "definition": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores."
+ },
+ {
+ "key": "F",
+ "name": "Effect",
+ "definition": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores."
+ }
+ ]
+ },
+ "values": {
+ "P": {
+ "key": "P",
+ "name": "Prepare",
+ "definition": "Prepare actions are actions taken to establish objectives, intent, and strategy; identify potential targets and attack vectors; identify resource requirements; and develop capabilities."
+ },
+ "E": {
+ "key": "E",
+ "name": "Engage",
+ "definition": "Engage activities are actions taken against a specific target or target set prior to gaining, but with the intent to gain access to the victim's physical or virtual computer or information systems, networks, and data stores."
+ },
+ "R": {
+ "key": "R",
+ "name": "Presence",
+ "definition": "Presence is the set of actions taken by the threat actor once access to the target physical or virtual computer or information system has been achieved. These actions establish and maintain conditions for the threat actor to perform intended actions or operate at will against the host physical or virtual computer or information system, network, or data stores."
+ },
+ "F": {
+ "key": "F",
+ "name": "Effect",
+ "definition": "Effects are outcomes of a threat actor’s actions on a victim’s physical or virtual computer or information systems, networks, and data stores."
+ }
+ }
+ }
+ }
+ },
+ "OAL": {
+ "key": "OAL",
+ "versions": {
+ "1.0.0": {
+ "version": "1.0.0",
+ "obj": {
+ "namespace": "cisa#nciss",
+ "key": "OAL",
+ "version": "1.0.0",
+ "name": "Observed Activity Location",
+ "definition": "The location of observed activity describes where the observed activity was detected in the network. ",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "0",
+ "name": "Unsuccessful",
+ "definition": "Existing network defenses repelled all observed activity."
+ },
+ {
+ "key": "1",
+ "name": "Business Demilitarized Zone",
+ "definition": "Activity was observed in the business network’s demilitarized zone (DMZ). These systems are generally untrusted and are designed to be exposed to the Internet."
+ }, + { + "key": "2", + "name": "Business Network", + "definition": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." + }, + { + "key": "3", + "name": "Business Network Management", + "definition": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + }, + { + "key": "4", + "name": "Critical System DMZ", + "definition": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + }, + { + "key": "5", + "name": "Critical System Management", + "definition": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + }, + { + "key": "6", + "name": "Critical Systems", + "definition": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." + }, + { + "key": "7", + "name": "Safety Systems", + "definition": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + }, + { + "key": "U", + "name": "Unknown", + "definition": "Activity was observed, but the network segment could not be identified." + } + ] + }, + "values": { + "0": { + "key": "0", + "name": "Unsuccessful", + "definition": "Existing network defenses repelled all observed activity." + }, + "1": { + "key": "1", + "name": "Business Demilitarized Zone", + "definition": "Activity was observed in the business network’s demilitarized zone (DMZ). 
These systems are generally untrusted and are designed to be exposed to the Internet." + }, + "2": { + "key": "2", + "name": "Business Network", + "definition": "Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems." + }, + "3": { + "key": "3", + "name": "Business Network Management", + "definition": "Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores." + }, + "4": { + "key": "4", + "name": "Critical System DMZ", + "definition": "Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems." + }, + "5": { + "key": "5", + "name": "Critical System Management", + "definition": "Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems." + }, + "6": { + "key": "6", + "name": "Critical Systems", + "definition": "Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments." + }, + "7": { + "key": "7", + "name": "Safety Systems", + "definition": "Activity was observed in critical safety systems that ensure the safe operation of an environment. One example of a critical safety system is a fire suppression system." + }, + "U": { + "key": "U", + "name": "Unknown", + "definition": "Activity was observed, but the network segment could not be identified." 
+ } + } + } + } + }, + "RECOVERABILITY": { + "key": "RECOVERABILITY", + "versions": { + "1.0.0": { + "version": "1.0.0", + "obj": { + "namespace": "cisa#nciss", + "key": "RECOVERABILITY", + "version": "1.0.0", + "name": "Recoverability", + "definition": "Represents the scope of resources needed to recover from the incident.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "R", + "name": "Regular", + "definition": "Time to recovery is predictable with existing resources." + }, + { + "key": "S", + "name": "Supplemented", + "definition": "Time to recover is predictable with additional resources." + }, + { + "key": "E", + "name": "Extended", + "definition": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + }, + { + "key": "N", + "name": "Not Recoverable", + "definition": "Recovery from the incident is not possible." + } + ] + }, + "values": { + "R": { + "key": "R", + "name": "Regular", + "definition": "Time to recovery is predictable with existing resources." + }, + "S": { + "key": "S", + "name": "Supplemented", + "definition": "Time to recover is predictable with additional resources." + }, + "E": { + "key": "E", + "name": "Extended", + "definition": "Time to recovery is unpredictable; additional resources and outside assistance may be required." + }, + "N": { + "key": "N", + "name": "Not Recoverable", + "definition": "Recovery from the incident is not possible." + } + } + } + } + } + } + }, "cisa": { "namespace": "cisa", "keys": { diff --git a/docs/reference/decision_points/nciss/functional_impact.md b/docs/reference/decision_points/nciss/functional_impact.md new file mode 100644 index 00000000..3d10e93a --- /dev/null +++ b/docs/reference/decision_points/nciss/functional_impact.md @@ -0,0 +1,8 @@ +# Functional Impact + +```python exec="true" idprefix="" +from ssvc.decision_points.cisa.functional_impact import LATEST +from ssvc.doc_helpers import example_block + +print(example_block(LATEST)) +``` 
diff --git a/docs/reference/decision_points/nciss/incident_severity.md b/docs/reference/decision_points/nciss/incident_severity.md
new file mode 100644
index 00000000..fcd255a8
--- /dev/null
+++ b/docs/reference/decision_points/nciss/incident_severity.md
@@ -0,0 +1,28 @@
+# Incident Severity
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cisa.incident_severity import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
+
+Version 2.0.0 is based on the
+[National Cyber Incident Scoring System](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf)
+developed by the Cybersecurity and Infrastructure Security Agency (CISA).
+
+## Previous Versions
+
+Version 1.0.0 is based on the
+[Cyber Incident Severity Schema](https://obamawhitehouse.archives.gov/sites/whitehouse.gov/files/documents/Cyber%2BIncident%2BSeverity%2BSchema.pdf)
+adopted by the United States Federal Cybersecurity Centers, in coordination with departments and agencies with a
+cybersecurity or cyber operations mission.
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cisa.incident_severity import VERSIONS
+from ssvc.doc_helpers import example_block
+
+versions = VERSIONS[:-1]
+for version in versions:
+ print(example_block(version))
+```
diff --git a/docs/reference/decision_points/nciss/index.md b/docs/reference/decision_points/nciss/index.md
new file mode 100644
index 00000000..c849b698
--- /dev/null
+++ b/docs/reference/decision_points/nciss/index.md
@@ -0,0 +1,21 @@
+# National Cybersecurity Incident Scoring System (NCISS) Decision Points
+
+The [National Cyber Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf)
+was developed by the Cybersecurity and Infrastructure Security Agency (CISA).
+
+Although the NCISS is implemented as a numerical scoring system, a number of
+its criteria are amenable to modeling using SSVC decision points. We have
+included a few examples here.
+
+## Decision Points
+
+
+
+- [Functional Impact](functional_impact.md)
+- [Incident Severity](incident_severity.md)
+- [Information Impact](information_impact.md)
+- [Observed Activity](observed_activity.md)
+- [Observed Location of Activity](observed_activity_location.md)
+- [Recoverability](recoverability.md)
+
+
diff --git a/docs/reference/decision_points/nciss/information_impact.md b/docs/reference/decision_points/nciss/information_impact.md
new file mode 100644
index 00000000..67b25a78
--- /dev/null
+++ b/docs/reference/decision_points/nciss/information_impact.md
@@ -0,0 +1,8 @@
+# Information Impact
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cisa.information_impact import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/nciss/observed_activity.md b/docs/reference/decision_points/nciss/observed_activity.md
new file mode 100644
index 00000000..1e959adb
--- /dev/null
+++ b/docs/reference/decision_points/nciss/observed_activity.md
@@ -0,0 +1,8 @@
+# Observed Activity
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cisa.observed_activity import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/nciss/observed_activity_location.md b/docs/reference/decision_points/nciss/observed_activity_location.md
new file mode 100644
index 00000000..239ffa8a
--- /dev/null
+++ b/docs/reference/decision_points/nciss/observed_activity_location.md
@@ -0,0 +1,8 @@
+# Observed Location of Activity
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cisa.observed_activity_location import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/docs/reference/decision_points/nciss/recoverability.md b/docs/reference/decision_points/nciss/recoverability.md
new file mode 100644
index 00000000..a0ad8b70
--- /dev/null
+++ b/docs/reference/decision_points/nciss/recoverability.md
@@ -0,0 +1,8 @@
+# Recoverability
+
+```python exec="true" idprefix=""
+from ssvc.decision_points.cisa.recoverability import LATEST
+from ssvc.doc_helpers import example_block
+
+print(example_block(LATEST))
+```
diff --git a/mkdocs.yml b/mkdocs.yml
index 3fa4a8ab..d1da967e 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -119,6 +119,14 @@ nav:
 - Report Confidence: 'reference/decision_points/cvss/report_confidence.md'
 - Scope: 'reference/decision_points/cvss/scope.md'
 - Target Distribution: 'reference/decision_points/cvss/target_distribution.md'
+ - NCISS Decision Points:
+ - 'reference/decision_points/nciss/index.md'
+ - Functional Impact: 'reference/decision_points/nciss/functional_impact.md'
+ - Incident Severity: 'reference/decision_points/nciss/incident_severity.md'
+ - Information Impact: 'reference/decision_points/nciss/information_impact.md'
+ - Observed Activity: 'reference/decision_points/nciss/observed_activity.md'
+ - Observed Activity Location: 'reference/decision_points/nciss/observed_activity_location.md'
+ - Recoverability: 'reference/decision_points/nciss/recoverability.md'
 - Code:
 - Intro: 'reference/code/index.md'
 - Decision Points: 'reference/code/decision_points.md'
diff --git a/src/ssvc/decision_points/cisa/base.py b/src/ssvc/decision_points/cisa/base.py
index 342c37a9..2980f3cb 100644
--- a/src/ssvc/decision_points/cisa/base.py
+++ b/src/ssvc/decision_points/cisa/base.py
@@ -28,3 +28,10 @@ class CisaDecisionPoint(DecisionPoint, BaseModel):
 namespace: str = NameSpace.CISA
+
+
+class NcissDecisionPoint(CisaDecisionPoint, BaseModel):
+ """
+ Models a single NCISS decision point as a list of values.
+ """
+ namespace: str = NameSpace.CISA + "#nciss"
diff --git a/src/ssvc/decision_points/cisa/functional_impact.py b/src/ssvc/decision_points/cisa/functional_impact.py
new file mode 100644
index 00000000..8af95590
--- /dev/null
+++ b/src/ssvc/decision_points/cisa/functional_impact.py
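Review bot: `namespace: str = NameSpace.CISA + "#nciss"` hard-codes the `#nciss` suffix as a bare literal that the JSON fixtures in this same commit repeat as `"namespace": "cisa#nciss"`, so nothing ties the two together and a later edit on either side would desynchronise the registry from the models without any test noticing. It also relies on `NameSpace.CISA` supporting `+` with a `str` (true for a str-backed enum, not for a plain `Enum`), which this hunk does not show. I would lift it to a module constant with a why-comment, `NCISS_NAMESPACE = NameSpace.CISA + "#nciss"  # must equal "namespace" in data/json/decision_points/cisa_nciss/*.json` and then `namespace: str = NCISS_NAMESPACE`, plus a test that loads one fixture and compares its namespace to the constant. The explicit `BaseModel` base is redundant since `CisaDecisionPoint` already derives from it.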
@@ -0,0 +1,144 @@
+#!/usr/bin/env python
+"""
+Provides the NCISS Functional Impact decision point and values.
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.cisa.base import NcissDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+IMPACT_NONE = DecisionPointValue(
+ key="N",
+ name="No Impact",
+ definition="Organization has experienced no loss in ability to provide all services to all users.",
+)
+
+LOW = DecisionPointValue(
+ key="L",
+ name="Low",
+ definition="Organization has experienced a loss of efficiency, but can still provide all critical services to all users with minimal effect on performance.",
+)
+
+MEDIUM = DecisionPointValue(
+ key="M",
+ name="Medium",
+ definition="Organization has lost the ability to provide a critical service to a subset of system users.",
+)
+
+HIGH = DecisionPointValue(
+ key="H",
+ name="High",
+ definition="Organization has lost the ability to provide all critical services to all system users.",
+)
+
+## based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf
+FUNCTIONAL_IMPACT_1 = NcissDecisionPoint(
+ key="FI",
+ name="Functional Impact",
+ version="1.0.0",
+ definition="A measure of the impact to business functionality or ability to provide services.",
+ values=(
+ IMPACT_NONE,
+ LOW,
+ MEDIUM,
+ HIGH,
+ ),
+)
+
+NO_IMPACT = DecisionPointValue(
+ key="N",
+ name="No Impact",
+ definition="Event has no impact.",
+)
+
+NO_IMPACT_TO_SERVICES = DecisionPointValue(
+ key="S",
+ name="No Impact to Services",
+ definition="Event has no impact to any business or Industrial Control Systems (ICS) services or delivery to entity customers.",
+)
+
+MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES = DecisionPointValue(
+ key="M",
+ name="Minimal Impact to Non-Critical Services",
+ definition="Some small level of impact to non-critical systems and services.",
+)
+
+MINIMAL_IMPACT_TO_CRITICAL_SERVICES = DecisionPointValue(
+ key="C",
+ name="Minimal Impact to Critical Services",
+ definition="Minimal impact but to 
a critical system or service, such as email or active directory.",
+)
+
+SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES = DecisionPointValue(
+ key="I",
+ name="Significant Impact to Non-Critical Services",
+ definition="A non-critical service or system has a significant impact.",
+)
+
+DENIAL_OF_NON_CRITICAL_SERVICES = DecisionPointValue(
+ key="D",
+ name="Denial of Non-Critical Services",
+ definition="A non-critical system is denied or destroyed.",
+)
+
+SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES = DecisionPointValue(
+ key="T",
+ name="Significant Impact to Critical Services",
+ definition="A critical system has a significant impact, such as local administrative account compromise.",
+)
+
+DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL = DecisionPointValue(
+ key="L",
+ name="Denial of Critical Services/Loss of Control",
+ definition="A critical system has been rendered unavailable.",
+)
+
+# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf
+FUNCTIONAL_IMPACT_2 = NcissDecisionPoint(
+ key="FI",
+ name="Functional Impact",
+ version="2.0.0",
+ definition="A measure of the impact to business functionality or ability to provide services.",
+ values=(
+ NO_IMPACT,
+ NO_IMPACT_TO_SERVICES,
+ MINIMAL_IMPACT_TO_NON_CRITICAL_SERVICES,
+ MINIMAL_IMPACT_TO_CRITICAL_SERVICES,
+ SIGNIFICANT_IMPACT_TO_NON_CRITICAL_SERVICES,
+ DENIAL_OF_NON_CRITICAL_SERVICES,
+ SIGNIFICANT_IMPACT_TO_CRITICAL_SERVICES,
+ DENIAL_OF_CRITICAL_SERVICES_LOSS_OF_CONTROL,
+ ),
+)
+
+VERSIONS = (
+ FUNCTIONAL_IMPACT_1,
+ FUNCTIONAL_IMPACT_2,
+)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/cisa/incident_severity.py b/src/ssvc/decision_points/cisa/incident_severity.py
new file mode 100644
index 00000000..a7faaa09
--- /dev/null
+++ b/src/ssvc/decision_points/cisa/incident_severity.py
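Review bot: Value keys change meaning between the two versions — `L` is `Low` in `FUNCTIONAL_IMPACT_1` but `Denial of Critical Services/Loss of Control` in `FUNCTIONAL_IMPACT_2`, and `M` moves from `Medium` to `Minimal Impact to Non-Critical Services` — so a stored selection compared by key without its decision point version flips from the mildest to the most severe reading, which matters for a field that feeds incident prioritisation. If the framework always scopes value keys by version this is only a documentation gap, but it still deserves a comment on `FUNCTIONAL_IMPACT_2` such as `# NOTE: keys L and M are reused from 1.0.0 with different meanings; never compare keys across versions`. The source citations also disagree with the docs page: both versions cite Federal Incident Notification Guidelines PDFs here while `incident_severity.md` attributes 2.0.0 to the NCISS document, and the first citation uses a stray `##`. Keys `I`, `D` and `T` are non-initial letters presumably picked to avoid collisions and would benefit from a one-line why-comment.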
@@ -0,0 +1,174 @@
+#!/usr/bin/env python
+"""
+Provides a decision point for Incident Severity.
+Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf)
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.cisa.base import NcissDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+# Define the values for the Cyber Incident Severity decision point
+# Intentionally omitting the color codes from the original schema at this time
+# We can add them later if needed
+LEVEL_5 = DecisionPointValue(
+ name="Emergency",
+ key="5",
+ definition="Poses an imminent threat to the provision of wide-scale critical infrastructure services, national "
+ "government stability, or to the lives of U.S. 
persons.",
+)
+
+LEVEL_4 = DecisionPointValue(
+ name="Severe",
+ key="4",
+ definition="Likely to result in a significant impact to public health or safety, national security, economic "
+ "security, foreign relations, or civil liberties.",
+)
+
+LEVEL_3 = DecisionPointValue(
+ name="High",
+ key="3",
+ definition="Likely to result in a demonstrable impact to public health or safety, national security, economic "
+ "security, foreign relations, civil liberties, or public confidence.",
+)
+
+LEVEL_2 = DecisionPointValue(
+ name="Medium",
+ key="2",
+ definition="May impact public health or safety, national security, economic security, foreign relations, civil "
+ "liberties, or public confidence.",
+)
+
+LEVEL_1 = DecisionPointValue(
+ name="Low",
+ key="1",
+ definition="Unlikely to impact public health or safety, national security, economic security, foreign relations, "
+ "civil liberties, or public confidence.",
+)
+
+LEVEL_0 = DecisionPointValue(
+ name="Baseline",
+ key="0",
+ definition="Unsubstantiated or inconsequential event.",
+)
+
+# Define the Cyber Incident Severity decision point
+INCIDENT_SEVERITY = NcissDecisionPoint(
+ name="Incident Severity",
+ definition="The United States Federal Cybersecurity Centers, in coordination "
+ "with departments and agencies with a cybersecurity or cyber operations mission, "
+ "adopted a common schema for describing the severity of cyber incidents affecting "
+ "the homeland, U.S. capabilities, or U.S. interests.",
+ key="IS",
+ version="1.0.0",
+ values=(
+ LEVEL_0,
+ LEVEL_1,
+ LEVEL_2,
+ LEVEL_3,
+ LEVEL_4,
+ LEVEL_5,
+ ),
+)
+
+LEVEL_5_1 = DecisionPointValue(
+ name="Emergency",
+ key="5",
+ definition="An Emergency priority incident poses an imminent threat to the provision of wide-scale critical infrastructure "
+ "services, national government stability, or the lives of U.S. 
persons.",
+)
+
+LEVEL_4_1 = DecisionPointValue(
+ name="Severe",
+ key="4",
+ definition="A Severe priority incident is likely to result in a significant impact to public health or safety, national security, "
+ "economic security, foreign relations, or civil liberties.",
+)
+
+LEVEL_3_1 = DecisionPointValue(
+ name="High",
+ key="3",
+ definition="A High priority incident is likely to result in a demonstrable impact to public health or safety, national security, "
+ "economic security, foreign relations, civil liberties, or public confidence.",
+)
+
+LEVEL_2_1 = DecisionPointValue(
+ name="Medium",
+ key="2",
+ definition="A Medium priority incident may affect public health or safety, national security, economic security, foreign "
+ "relations, civil liberties, or public confidence.",
+)
+
+LEVEL_1_1 = DecisionPointValue(
+ name="Low",
+ key="1",
+ definition="A Low priority incident is unlikely to affect public health or safety, national security, economic security, foreign "
+ "relations, civil liberties, or public confidence.",
+)
+
+LEVEL_0_MINOR = DecisionPointValue(
+ name="Baseline - Minor",
+ key="0M",
+ definition="A Baseline–Minor priority incident is an incident that is highly unlikely to affect public health or safety, "
+ "national security, economic security, foreign relations, civil liberties, or public confidence. The potential for "
+ "impact, however, exists and warrants additional scrutiny.",
+)
+
+LEVEL_0_NEGLIGIBLE = DecisionPointValue(
+ name="Baseline - Negligible",
+ key="0N",
+ definition="A Baseline–Negligible priority incident is an incident that is highly unlikely to affect public health or safety, "
+ "national security, economic security, foreign relations, civil liberties, or public confidence. The potential for "
+ "impact, however, exists and warrants additional scrutiny.",
+)
+
+INCIDENT_SEVERITY_2 = NcissDecisionPoint(
+ name="Incident Severity",
+ definition="After an incident is scored, it is assigned a priority level. 
"
+ "The six levels listed below are aligned with CISA, "
+ "the Department of Homeland Security (DHS), "
+ "and the CISS to help provide a common lexicon when discussing incidents. "
+ "This priority assignment drives CISA urgency, "
+ "pre-approved incident response offerings, "
+ "reporting requirements, and recommendations for leadership escalation.",
+ key="IS",
+ version="2.0.0",
+ values=(
+ LEVEL_0_MINOR,
+ LEVEL_0_NEGLIGIBLE,
+ LEVEL_1_1,
+ LEVEL_2_1,
+ LEVEL_3_1,
+ LEVEL_4_1,
+ LEVEL_5_1,
+ ),
+)
+
+VERSIONS = (INCIDENT_SEVERITY, INCIDENT_SEVERITY_2)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/cisa/information_impact.py b/src/ssvc/decision_points/cisa/information_impact.py
new file mode 100644
index 00000000..12447d69
--- /dev/null
+++ b/src/ssvc/decision_points/cisa/information_impact.py
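Review bot: `LEVEL_0_MINOR` and `LEVEL_0_NEGLIGIBLE` carry byte-identical definitions, so the two lowest priority levels are indistinguishable to a reader and one of them is almost certainly a copy-paste slip; the 1.0.0 `Baseline` text `Unsubstantiated or inconsequential event.` looks like the wording Negligible was meant to get, but confirm that against the NCISS document rather than take my reading. The `values` tuple also lists `LEVEL_0_MINOR` before `LEVEL_0_NEGLIGIBLE` while every other decision point in this commit orders values from least to most severe, so if Minor outranks Negligible (as the names and the "warrants additional scrutiny" sentence suggest) the order should be `LEVEL_0_NEGLIGIBLE, LEVEL_0_MINOR, LEVEL_1_1, ...`. Finally the `INCIDENT_SEVERITY_2` definition says `The six levels listed below` but seven values are defined; either reword to `The seven levels` or add a comment explaining that the two Baseline entries share one level.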
@@ -0,0 +1,151 @@
+#!/usr/bin/env python
+"""
+Provides the NCISS Information Impact Decision Point.
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.cisa.base import NcissDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+IMPACT_NONE = DecisionPointValue(
+ key="N",
+ name="None",
+ definition="No information was exfiltrated, modified, deleted, or otherwise compromised.",
+)
+
+INTEGRITY = DecisionPointValue(
+ key="I",
+ name="Integrity",
+ definition="The necessary integrity of information was modified without authorization.",
+)
+
+PRIVACY = DecisionPointValue(
+ key="P",
+ name="Privacy",
+ definition="The confidentiality of personally identifiable information (PII) "
+ "or personal health information (PHI) was compromised.",
+)
+
+PROPRIETARY = DecisionPointValue(
+ key="R",
+ name="Proprietary",
+ definition="The confidentiality of unclassified proprietary information, such as "
+ "protected critical infrastructure information (PCII), intellectual property, or "
+ "trade secrets was compromised.",
+)
+
+CLASSIFIED = DecisionPointValue(
+ key="C",
+ name="Classified",
+ definition="The confidentiality of classified information was compromised.",
+)
+
+# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines_2015.pdf
+INFORMATION_IMPACT_1 = NcissDecisionPoint(
+ key="II",
+ name="Information Impact",
+ version="1.0.0",
+ definition="Describes the type of information lost, compromised, or corrupted.",
+ values=(IMPACT_NONE, INTEGRITY, PRIVACY, PROPRIETARY, CLASSIFIED),
+)
+
+
+NO_IMPACT = DecisionPointValue(
+ key="N",
+ name="No Impact",
+ definition="No known data impact.",
+)
+
+SUSPECTED_BUT_NOT_IDENTIFIED = DecisionPointValue(
+ key="S",
+ name="Suspected But Not Identified",
+ definition="A data loss or impact to availability is suspected, but no direct confirmation exists.",
+)
+
+PROPRIETARY_INFORMATION_BREACH = DecisionPointValue(
+ key="R",
+ name="Proprietary Information Breach",
+ definition="The confidentiality of 
unclassified proprietary information, such as protected critical infrastructure information (PCII), intellectual property, or trade secrets was compromised.",
+)
+
+PRIVACY_DATA_BREACH = DecisionPointValue(
+ key="P",
+ name="Privacy Data Breach",
+ definition="The confidentiality of personally identifiable information (PII) or personal health information (PHI) was compromised.",
+)
+
+
+CRITICAL_SYSTEMS_DATA_BREACH = DecisionPointValue(
+ key="C",
+ name="Critical Systems Data Breach",
+ definition="Data pertaining to a critical system has been exfiltrated.",
+)
+
+DESTRUCTION_OF_NON_CRITICAL_SYSTEMS = DecisionPointValue(
+ key="D",
+ name="Destruction of Non-Critical Systems",
+ definition="Destructive techniques, such as master boot record (MBR) overwrite; have been used against a non-critical system.",
+)
+
+
+CORE_CREDENTIAL_COMPROMISE = DecisionPointValue(
+ key="O",
+ name="Core Credential Compromise",
+ definition="Core system credentials (such as domain or enterprise administrative credentials) or credentials for critical systems have been exfiltrated.",
+)
+
+DESTRUCTION_OF_CRITICAL_SYSTEM = DecisionPointValue(
+ key="E",
+ name="Destruction of Critical System",
+ definition="Destructive techniques, such as MBR overwrite; have been used against a critical system.",
+)
+
+# based on https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf
+INFORMATION_IMPACT_2 = NcissDecisionPoint(
+ key="II",
+ name="Information Impact",
+ version="2.0.0",
+ definition="Describes the type of information lost, compromised, or corrupted.",
+ values=(
+ NO_IMPACT,
+ SUSPECTED_BUT_NOT_IDENTIFIED,
+ PRIVACY_DATA_BREACH,
+ PROPRIETARY_INFORMATION_BREACH,
+ DESTRUCTION_OF_NON_CRITICAL_SYSTEMS,
+ CRITICAL_SYSTEMS_DATA_BREACH,
+ CORE_CREDENTIAL_COMPROMISE,
+ DESTRUCTION_OF_CRITICAL_SYSTEM,
+ ),
+)
+
+VERSIONS = (
+ INFORMATION_IMPACT_1,
+ INFORMATION_IMPACT_2,
+)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/cisa/observed_activity.py b/src/ssvc/decision_points/cisa/observed_activity.py
new file mode 100644
index 00000000..58dae56e
--- /dev/null
+++ b/src/ssvc/decision_points/cisa/observed_activity.py
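Review bot: Key `C` means `Classified` in `INFORMATION_IMPACT_1` but `Critical Systems Data Breach` in `INFORMATION_IMPACT_2`, and 2.0.0 drops the `I`/`Integrity` value entirely, so a stored `C` re-read under the other version silently turns a classified spill into a different category (and vice versa); unless the framework scopes value keys by version, this needs at least a comment on `INFORMATION_IMPACT_2`, e.g. `# NOTE: key C is reused from 1.0.0 with a different meaning; I (Integrity) has no 2.0.0 equivalent`. The `D` and `E` definitions carry a stray semicolon that has already propagated into the JSON registry in this commit: `such as master boot record (MBR) overwrite; have been used` should read `such as master boot record (MBR) overwrite, have been used` (and likewise for `such as MBR overwrite; have been used`). The two source-citation comments would also be clearer if they named which guideline revision each version tracks, since the docs page for this family attributes 2.0.0 to the NCISS document.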
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+"""
+Provides the NCISS Observed Activity Decision Point.
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.cisa.base import NcissDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+PREPARE = DecisionPointValue(
+ key="P",
+ name="Prepare",
+ definition="Prepare actions are actions taken to establish objectives, intent, and strategy; "
+    "identify potential targets and attack vectors; "
+    "identify resource requirements; "
+    "and develop capabilities.",
+)
+
+ENGAGE = DecisionPointValue(
+ key="E",
+ name="Engage",
+ definition="Engage activities are actions taken against a specific target or target set prior to gaining, "
+    "but with the intent to gain access to the victim's physical or virtual computer or information systems, "
+    "networks, and data stores.",
+)
+
+PRESENCE = DecisionPointValue(
+ key="R",
+ name="Presence",
+ definition="Presence is the set of actions taken by the threat actor once access to the target physical or "
+    "virtual computer or information system has been achieved. "
+    "These actions establish and maintain conditions for the threat actor to perform intended actions "
+    "or operate at will against the host physical or virtual computer or information system, network, "
+    "or data stores.",
+)
+
+EFFECT = DecisionPointValue(
+ key="F",
+ name="Effect",
+ definition="Effects are outcomes of a threat actor’s actions "
+    "on a victim’s physical or virtual computer or information systems, networks, and data stores.",
+)
+
+
+OBSERVED_ACTIVITY = NcissDecisionPoint(
+ key="OA",
+ name="Observed Activity",
+ definition="Observed activity describes what is known about threat actor activity on the network.",
+ values=(PREPARE, ENGAGE, PRESENCE, EFFECT),
+)
+
+VERSIONS = (OBSERVED_ACTIVITY,)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
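Review bot: OBSERVED_ACTIVITY is constructed without a `version=` argument, whereas the sibling decision points in this change (Observed Activity Location, Recoverability, Information Impact) pass the version explicitly. If NcissDecisionPoint supplies a default this is not a bug, but an explicit `version="1.0.0",` in the constructor keeps the versioned JSON export and the `print_versions_and_diffs` output predictable and turns a later bump into a deliberate edit. The module docstring also lacks the NCISS provenance line the other new modules carry; adding `Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf)` would make the source of these value definitions traceable.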
diff --git a/src/ssvc/decision_points/cisa/observed_activity_location.py b/src/ssvc/decision_points/cisa/observed_activity_location.py
new file mode 100644
index 00000000..6ddbf374
--- /dev/null
+++ b/src/ssvc/decision_points/cisa/observed_activity_location.py
@@ -0,0 +1,113 @@
+#!/usr/bin/env python
+"""
+Provides a decision point for the location of observed activity.
+Based on [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf)
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.cisa.base import NcissDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+LEVEL_0 = DecisionPointValue(
+ name="Unsuccessful",
+ key="0",
+ definition="Existing network defenses repelled all observed activity.",
+)
+
+
+LEVEL_1 = DecisionPointValue(
+ name="Business Demilitarized Zone",
+ key="1",
+ definition="Activity was observed in the business network’s demilitarized zone (DMZ). 
These systems are generally untrusted and are designed to be exposed to the Internet.",
+)
+
+
+LEVEL_2 = DecisionPointValue(
+ name="Business Network",
+ key="2",
+ definition="Activity was observed in the business or corporate network of the victim. These systems would be corporate user workstations, application servers, and other non-core management systems.",
+)
+
+
+LEVEL_3 = DecisionPointValue(
+ name="Business Network Management",
+ key="3",
+ definition="Activity was observed in business network management systems such as administrative user workstations, active directory servers, or other trust stores.",
+)
+
+LEVEL_4 = DecisionPointValue(
+ name="Critical System DMZ",
+ key="4",
+ definition="Activity was observed in the DMZ that exists between the business network and a critical system network. These systems may be internally facing services such as SharePoint sites, financial systems, or relay “jump” boxes into more critical systems.",
+)
+
+LEVEL_5 = DecisionPointValue(
+ name="Critical System Management",
+ key="5",
+ definition="Activity was observed in high-level critical systems management such as human-machine interfaces (HMIs) in industrial control systems.",
+)
+
+LEVEL_6 = DecisionPointValue(
+ name="Critical Systems",
+ key="6",
+ definition="Activity was observed in the critical systems that operate critical processes, such as programmable logic controllers in industrial control system environments.",
+)
+
+LEVEL_7 = DecisionPointValue(
+ name="Safety Systems",
+ key="7",
+ definition="Activity was observed in critical safety systems that ensure the safe operation of an environment. 
One example of a critical safety system is a fire suppression system.",
+)
+
+UNKNOWN = DecisionPointValue(
+ name="Unknown",
+ key="U",
+ definition="Activity was observed, but the network segment could not be identified.",
+)
+
+OBSERVED_ACTIVITY_LOCATION = NcissDecisionPoint(
+ name="Observed Activity Location",
+ definition="The location of observed activity describes where the observed activity was detected in the network. ",
+ key="OAL",
+ version="1.0.0",
+ values=(
+ LEVEL_0,
+ LEVEL_1,
+ LEVEL_2,
+ LEVEL_3,
+ LEVEL_4,
+ LEVEL_5,
+ LEVEL_6,
+ LEVEL_7,
+ UNKNOWN,
+ ),
+)
+
+VERSIONS = (OBSERVED_ACTIVITY_LOCATION,)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/src/ssvc/decision_points/cisa/recoverability.py b/src/ssvc/decision_points/cisa/recoverability.py
new file mode 100644
index 00000000..ff89d099
--- /dev/null
+++ b/src/ssvc/decision_points/cisa/recoverability.py
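Review bot: The `definition` string of OBSERVED_ACTIVITY_LOCATION ends with a trailing space (`"...detected in the network. "`), which will be carried verbatim into the exported JSON and into any diff or hash of the decision point; trim it to `definition="The location of observed activity describes where the observed activity was detected in the network.",`. The LEVEL_1 and LEVEL_7 definitions also appear to break mid-string in this rendering; if that is a literal newline in the source rather than a display artifact it is a syntax error, so it is worth confirming the file imports cleanly. As a style point, this module orders `name=` before `key=` while observed_activity.py puts `key=` first; one keyword order across the cisa package makes the value tables easier to scan and compare.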
@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+"""
+Provides a decision point to represent the recoverability of a system.
+Based on the [National Cybersecurity Incident Scoring System (NCISS)](https://www.cisa.gov/sites/default/files/2023-01/cisa_national_cyber_incident_scoring_system_s508c.pdf)
+"""
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+from ssvc.decision_points.base import DecisionPointValue
+from ssvc.decision_points.cisa.base import NcissDecisionPoint
+from ssvc.decision_points.helpers import print_versions_and_diffs
+
+REGULAR = DecisionPointValue(
+ name="Regular",
+ key="R",
+ definition="Time to recovery is predictable with existing resources.",
+)
+
+SUPPLEMENTED = DecisionPointValue(
+ name="Supplemented",
+ key="S",
+ definition="Time to recover is predictable with additional resources.",
+)
+
+EXTENDED = DecisionPointValue(
+ name="Extended",
+ key="E",
+ definition="Time to recovery is unpredictable; additional resources and outside assistance may be required.",
+)
+
+NOT_RECOVERABLE = DecisionPointValue(
+ name="Not Recoverable",
+ key="N",
+ definition="Recovery from the incident is not possible.",
+)
+
+RECOVERABILITY = NcissDecisionPoint(
+ name="Recoverability",
+ definition="Represents the scope of resources needed to recover from the incident.",
+ key="RECOVERABILITY",
+ version="1.0.0",
+ values=(REGULAR, SUPPLEMENTED, EXTENDED, NOT_RECOVERABLE),
+)
+
+VERSIONS = (RECOVERABILITY,)
+LATEST = VERSIONS[-1]
+
+
+def main():
+ print_versions_and_diffs(VERSIONS)
+
+
+if __name__ == "__main__":
+ main()
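Review bot: `key="RECOVERABILITY"` on the RECOVERABILITY decision point is the full name rather than the short abbreviation used by every other NCISS decision point in this change (`"OA"`, `"OAL"`, `"II"`). If the key feeds derived identifiers such as the exported JSON filename or namespace-plus-key references, the long form will be the odd one out, and since keys are meant to stay stable across versions it is cheaper to settle on a short abbreviation in the same style before 1.0.0 is published. Separately, REGULAR says "Time to recovery" while SUPPLEMENTED says "Time to recover"; unless both phrasings are verbatim from the NCISS source, aligning them avoids a spurious difference between adjacent values.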