
Model National Cyber Incident Scoring System (NCISS)

Open ahouseholder opened this issue 1 year ago • 2 comments

Describe the solution you'd like

CISA has developed a National Cyber Incident Scoring System. It's a numerical function, but its spec contains a number of ordered categorical lists that could be useful to include in the SSVC vocabulary.

Additional context

This could help us expand applicability of SSVC beyond pure vulnerability response and increase its ability to model vulnerability response in the face of adversarial activity as expressed in incident data.

ahouseholder, Feb 20 '25 20:02

I have a work-in-progress branch that models a few of the NCISS parameters as decision points. Without more detail on the other criteria it's hard to know how to model them. The unmodeled categories include:

  • Functional Impact
  • Observed Activity
  • Actor Characterization
  • Information Impact
  • Cross-Sector Dependency
  • Potential Impact

There may be resources other than the NCISS PDF that provide more details, but I'm unaware of any at the moment.

Meanwhile, here are some screenshots of what is in the current branch.

[Screenshots: menu, incident severity, observed location, recoverability]

ahouseholder, Feb 20 '25 20:02

Additional references:

  • US-CERT Federal Incident Notification Guidelines contains additional details on Functional Impact and Information Impact https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf
  • Cyber Threat Framework describes Observed Activity categories e.g., https://info.publicintelligence.net/ODNI-CyberThreatFramework.pdf

ahouseholder, Mar 11 '25 16:03