Allen D. Householder
[NISTIR 8286B](https://csrc.nist.gov/pubs/ir/8286/b/final) _Prioritizing Cybersecurity Risk for Enterprise Risk Management_ ([pdf](https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8286B.pdf)) describes a risk decision modeling workflow. We could potentially capture some aspects of this as SSVC outcome objects. For example:...
Create a direct policy mapping that resolves equivalence sets to CVSS severity levels (L/M/H/C). Follow-on to #377. Could also be done in conjunction with #393.
Create direct policy mapping that resolves CVSSv4 vectors into equivalence sets. This is technically redundant to the CVSS v4 documentation, but it'd be nice to have an implementation in SSVC...
This issue is the next iteration of #336, which in turn is addressed by #365. In #365, I mention that the `PolicyGenerator` object can be used by someone...
This issue is prompted by: > Would it be possible though to give some indication on how hard it is to gather information about certain decision points? _Originally posted by...
CVSS v4 uses the concept of macrovectors. I'm not going to explain that here; check out the [CVSS v4 spec](https://www.first.org/cvss/v4.0/specification-document#CVSS-v4-0-Scoring-using-MacroVectors-and-Interpolation) for that. It might be interesting to use SSVC to...
As a simple tutorial on how to walk through the bootstrapping process, we could write a tutorial that models the Eisenhower matrix: Importance: yes, no Urgency: yes, no Outcome set(s):...
A decision point's "key" is only intended as a convenience, for example when providing a chart based on that decision point. Note: I'm creating this issue based on a conversation...
Review https://certcc.github.io/SSVC-staging/topics/representing_information/ (`docs/topics/representing_information.md`) for architecture decisions worth recording in ADR documents. Summarizing that page: - [ ] Outputs are decisions. - [ ] Pluralistic recommendations are made among a manageable...
In a side discussion around #340, we had an unresolved question about whether the `$id` field of the json schemas needs to reflect the version of the file or how...