diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Maturity/MaturityBusiness.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Maturity/MaturityBusiness.cs index 4c61c2a264..c89fdaff18 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Maturity/MaturityBusiness.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Maturity/MaturityBusiness.cs @@ -68,7 +68,10 @@ public int GetMaturityTargetLevel(int assessmentId) { // The maturity target level is stored similar to a SAL level int targetLevel = 1; - var myLevel = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == assessmentId && x.Level_Name == "Maturity_Level").FirstOrDefault(); + var myLevel = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == assessmentId && x.Level_Name == Constants.Constants.MaturityLevel) + .FirstOrDefault(); + if (myLevel != null) { targetLevel = int.Parse(myLevel.Standard_Specific_Sal_Level); @@ -157,7 +160,9 @@ public List GetMaturityLevelsForModel(int maturityModelId, int ta /// public int GetTargetLevel(int assessmentId) { - var asl = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == assessmentId).FirstOrDefault(); + var asl = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == assessmentId && x.Level_Name == Constants.Constants.MaturityLevel) + .FirstOrDefault(); if (asl != null) { return int.Parse(asl.Standard_Specific_Sal_Level); @@ -237,9 +242,12 @@ public List GetAnswerDistributionByLevel(int assessmentId) _context.FillEmptyMaturityQuestionsForAnalysis(assessmentId); var model = _context.AVAILABLE_MATURITY_MODELS.Where(x => x.Assessment_Id == assessmentId).FirstOrDefault(); - - var selectedLevel = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == assessmentId).FirstOrDefault(); int targetLevel; + + var selectedLevel = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == assessmentId && x.Level_Name == Constants.Constants.MaturityLevel) + .FirstOrDefault(); + if (selectedLevel == null) { targetLevel = 1; @@ -377,13 +385,15 @@ public void PersistSelectedMaturityModel(int assessmentId, string modelName) // default the target level if CMMC if (mm.Model_Name == "CMMC") { - var targetLevel = _context.ASSESSMENT_SELECTED_LEVELS.Where(l => l.Assessment_Id == assessmentId && l.Level_Name == "Maturity_Level").FirstOrDefault(); + var targetLevel = _context.ASSESSMENT_SELECTED_LEVELS + .Where(l => l.Assessment_Id == assessmentId && l.Level_Name == Constants.Constants.MaturityLevel) + .FirstOrDefault(); if (targetLevel == null) { _context.ASSESSMENT_SELECTED_LEVELS.Add(new ASSESSMENT_SELECTED_LEVELS() { Assessment_Id = assessmentId, - Level_Name = "Maturity_Level", + Level_Name = Constants.Constants.MaturityLevel, Standard_Specific_Sal_Level = "1" }); } @@ -421,7 +431,9 @@ public void ClearMaturityModel(int assessmentId) /// public int GetMaturityLevel(int assessmentId) { - var result = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == assessmentId && x.Level_Name == "Maturity_Level").FirstOrDefault(); + var result = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == assessmentId && x.Level_Name == Constants.Constants.MaturityLevel) + .FirstOrDefault(); if (result != null) { if (int.TryParse(result.Standard_Specific_Sal_Level, out int level)) @@ -443,7 +455,8 @@ public void PersistMaturityLevel(int assessmentId, int level) // is more complex to allow for the different types of SALs // as well as the user's selection(s). - var result = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == assessmentId && x.Level_Name == "Maturity_Level"); + var result = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == assessmentId && x.Level_Name == Constants.Constants.MaturityLevel); if (result.Any()) { _context.ASSESSMENT_SELECTED_LEVELS.RemoveRange(result); @@ -453,7 +466,7 @@ public void PersistMaturityLevel(int assessmentId, int level) _context.ASSESSMENT_SELECTED_LEVELS.Add(new ASSESSMENT_SELECTED_LEVELS() { Assessment_Id = assessmentId, - Level_Name = "Maturity_Level", + Level_Name = Constants.Constants.MaturityLevel, Standard_Specific_Sal_Level = level.ToString() }); @@ -1449,7 +1462,8 @@ public void UpdateACETDashboardSummary(int assessmentId, Model.Acet.ACETDashboar /// public void SetDefaultTargetLevels(int assessmentId, string modelName) { - var result = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == assessmentId && x.Level_Name == "Maturity_Level"); + var result = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == assessmentId && x.Level_Name == Constants.Constants.MaturityLevel); //If any level is already selected, avoid setting default if (result.Any()) { @@ -1462,7 +1476,7 @@ public void SetDefaultTargetLevels(int assessmentId, string modelName) _context.ASSESSMENT_SELECTED_LEVELS.Add(new ASSESSMENT_SELECTED_LEVELS() { Assessment_Id = assessmentId, - Level_Name = "Maturity_Level", + Level_Name = Constants.Constants.MaturityLevel, Standard_Specific_Sal_Level = "1" }); _context.SaveChanges(); diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Reports/ReportsDataBusiness.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Reports/ReportsDataBusiness.cs index eae0275097..9a813e66a4 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Reports/ReportsDataBusiness.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/Reports/ReportsDataBusiness.cs @@ -95,7 +95,7 @@ on a.Question_Or_Requirement_Id equals m.Mat_Question_Id // if a maturity level is defined, only report on questions at or below that level int? selectedLevel = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == myModel.Assessment_Id - && x.Level_Name == "Maturity_Level").Select(x => int.Parse(x.Standard_Specific_Sal_Level)).FirstOrDefault(); + && x.Level_Name == Constants.Constants.MaturityLevel).Select(x => int.Parse(x.Standard_Specific_Sal_Level)).FirstOrDefault(); if (selectedLevel != null && selectedLevel != 0) { @@ -1097,7 +1097,7 @@ join asl in _context.ASSESSMENT_SELECTED_LEVELS on amm.Assessment_Id equals asl. where amm.Assessment_Id == _assessmentId && ans.Assessment_Id == _assessmentId && ans.Is_Maturity == true - && asl.Level_Name == "Maturity_Level" + && asl.Level_Name == Constants.Constants.MaturityLevel select new { amm, mm, mq, ans, asl } ).ToList(); var models = query.Select(x => new { x.mm, x.asl }).Distinct(); diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/User/UserBusiness.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/User/UserBusiness.cs index 1044ae0c0a..959d6bc679 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/User/UserBusiness.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.Business/User/UserBusiness.cs @@ -61,7 +61,21 @@ public UserCreateResponse CreateUser(UserDetail userDetail) PasswordResetRequired = true }; _context.USERS.Add(u); - _context.SaveChanges(); + try + { + _context.SaveChanges(); + } + catch (Microsoft.EntityFrameworkCore.DbUpdateException ex) + { + Microsoft.Data.SqlClient.SqlException sqlException = (Microsoft.Data.SqlClient.SqlException)ex.InnerException; + if (sqlException.Number != 2627) + { + throw ex; + } + //TODO: Add logging + Console.WriteLine(ex); + _context.USERS.Remove(u); + } UserCreateResponse resp = new UserCreateResponse { diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Constants/Constants.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Constants/Constants.cs index c1cd55c0ec..150bd83bdd 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWebCore.Constants/Constants.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.Constants/Constants.cs @@ -393,6 +393,7 @@ public static class Constants public const string SIMPLE_SAL = "Simple"; //Maturity Levels + public const string MaturityLevel = "Maturity_Level"; public const string IncompleteMaturity = "Incomplete"; public const string SubBaselineMaturity = "Sub-Baseline"; public const string BaselineMaturity = "Baseline"; diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.DatabaseManager/DbManager.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.DatabaseManager/DbManager.cs index 1b6bcd1741..cc49b38244 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWebCore.DatabaseManager/DbManager.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.DatabaseManager/DbManager.cs @@ -288,10 +288,10 @@ public void ExecuteNonQuery(string sql, string connectionString) public string DatabaseCode { get; private set; } = "CSETWeb"; public string ClientCode { get; private set; } = "DHS"; public string ApplicationCode { get; private set; } = "CSET"; - public string CurrentCSETConnectionString { get; private set; } = @"data source=(LocalDB)\MSSQLLocalDB;initial catalog=CSETWeb;integrated security=True;connect timeout=5;MultipleActiveResultSets=True;"; - public string OldCSETConnectionString { get; private set; } = @"data source=(localdb)\v11.0;initial catalog = CSETWeb;Integrated Security = SSPI;connect timeout=5;MultipleActiveResultSets=True"; - public string CurrentMasterConnectionString { get; private set; } = @"data source=(LocalDB)\MSSQLLocalDB;Database=Master;integrated security=True;connect timeout=5;MultipleActiveResultSets=True;"; - public string OldMasterConnectionString { get; private set; } = @"data source=(LocalDB)\v11.0;Database=Master;integrated security=True;connect timeout=5;MultipleActiveResultSets=True;"; + public string CurrentCSETConnectionString { get; private set; } = @"data source=(LocalDB)\MSSQLLocalDB;initial catalog=CSETWeb;integrated security=True;connect timeout=25;MultipleActiveResultSets=True;"; + public string OldCSETConnectionString { get; private set; } = @"data source=(localdb)\v11.0;initial catalog = CSETWeb;Integrated Security = SSPI;connect timeout=25;MultipleActiveResultSets=True"; + public string CurrentMasterConnectionString { get; private set; } = @"data source=(LocalDB)\MSSQLLocalDB;Database=Master;integrated security=True;connect timeout=25;MultipleActiveResultSets=True;"; + public string OldMasterConnectionString { get; private set; } = @"data source=(LocalDB)\v11.0;Database=Master;integrated security=True;connect timeout=25;MultipleActiveResultSets=True;"; public bool LocalDb2019Installed { get { return IsLocalDb2019Installed(); } diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/MaturityStructure.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/MaturityStructure.cs index ca0afbf6d0..63a46fc37a 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/MaturityStructure.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.Helpers/MaturityStructure.cs @@ -78,7 +78,9 @@ private void LoadStructure() // cull any questions that are above the target level (if the model supports a target) - var targetLevel = _context.ASSESSMENT_SELECTED_LEVELS.Where(x => x.Assessment_Id == this.AssessmentId && x.Level_Name == "Maturity_Level").FirstOrDefault(); + var targetLevel = _context.ASSESSMENT_SELECTED_LEVELS + .Where(x => x.Assessment_Id == this.AssessmentId && x.Level_Name == Constants.Constants.MaturityLevel) + .FirstOrDefault(); if (targetLevel != null) { questions.RemoveAll(x => x.Maturity_LevelNavigation.Level > int.Parse(targetLevel.Standard_Specific_Sal_Level)); diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Controllers/AuthController.cs b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Controllers/AuthController.cs index 1643a7ff48..c663e94c56 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Controllers/AuthController.cs +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Controllers/AuthController.cs @@ -3,6 +3,7 @@ using CSETWebCore.Model.Auth; using CSETWebCore.Model.Authentication; using Microsoft.AspNetCore.Mvc; +using System; namespace CSETWebCore.Api.Controllers { @@ -11,6 +12,8 @@ public class AuthController : ControllerBase { private readonly IUserAuthentication _userAuthentication; private readonly ITokenManager _tokenManager; + private static readonly object _locker = new object(); + static readonly log4net.ILog _logger = log4net.LogManager.GetLogger(typeof(AuthController)); public AuthController(IUserAuthentication userAuthentication, ITokenManager tokenManager) { @@ -44,17 +47,30 @@ public IActionResult Login([FromBody] Login login) [Route("api/auth/login/standalone")] public IActionResult LoginStandalone([FromBody] Login login) { - _tokenManager.GenerateSecret(); - LoginResponse resp = _userAuthentication.AuthenticateStandalone(login); - if (resp != null) + _logger.Info("Logging into standalone..."); + try { - return Ok(resp); - } + _tokenManager.GenerateSecret(); + lock (_locker) + { + LoginResponse resp = _userAuthentication.AuthenticateStandalone(login); + if (resp != null) + { + return Ok(resp); + } - resp = new LoginResponse() { - LinkerTime = new Helpers.BuildNumberHelper().GetLinkerTime() - }; - return Ok(resp); + resp = new LoginResponse() + { + LinkerTime = new Helpers.BuildNumberHelper().GetLinkerTime() + }; + return Ok(resp); + } + } + catch (Exception e) + { + _logger.Error(e.Message); + return StatusCode(500); + } } /// diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_1_crr_architecture.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_1_crr_architecture.htm index a707be6a6b..5719a1a06e 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_1_crr_architecture.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_1_crr_architecture.htm @@ -312,7 +312,7 @@
 
 
 
-
Table 1: CRR Domain Composition +
Table 1: CRR Domain Composition
@@ -423,7 +423,7 @@
 
Image shows The Cyber Resilience Review Domain Architecture
 
-
Figure 1: The Cyber Resilience Review Domain Architecture
+
Figure 1: The Cyber Resilience Review Domain Architecture
 

The contents of 2.1 CRR Architecture

diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_crr_overview.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_crr_overview.htm index 14323d9670..ec9fd4693e 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_crr_overview.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/2_crr_overview.htm @@ -300,7 +300,7 @@

2 CRR OVERVIEW

 

CRR Method

-
The CRR is a lightweight assessment method that was created by CISA for the purpose of evaluating the cybersecurity and service continuity practices of critical infrastructure owners and operators. The CRR, consisting of 299 questions, is typically delivered in a six-hour workshop led by facilitators from CISA. The facilitators elicit answers from the critical infrastructure organization’s personnel in cybersecurity, operations, physical security, and business continuity.
+
The CRR is a lightweight assessment method that was created by the Cybersecurity and Infrastructure Security Agency (CISA) for the purpose of evaluating the cybersecurity and service continuity practices of critical infrastructure owners and operators. The CRR, consisting of 299 questions, is typically delivered in a six-hour workshop led by facilitators from CISA. The facilitators elicit answers from the critical infrastructure organization’s personnel in cybersecurity, operations, physical security, and business continuity.
 
The CRR Assessment Package allows organizations to apply the same method without the participation of external facilitators. It contains the same questions, scoring mechanisms, and options for improvement as the externally facilitated CRR.
 
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_1__getting_started_with_the_crr_assessment_in_cset__.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_1__getting_started_with_the_crr_assessment_in_cset__.htm index a438c958a6..375da6a917 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_1__getting_started_with_the_crr_assessment_in_cset__.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_1__getting_started_with_the_crr_assessment_in_cset__.htm @@ -348,20 +348,20 @@
Start by clicking the New Assessment button at the top left corner of the screen. This screen also allows for importing and exporting of your assessment materials.
 
Start an Assessment Screen
-
Figure 2: Start an Assessment Screen
+
Figure 2: Start an Assessment Screen
 
 

2. Assessment Configuration Screen

The Assessment Configuration Screen collects assessment and facility information. After filling out the form, select Maturity Model from the Assessment Options section at the bottom of the page. Then click Next.
 
Assessment Configuration Screen
-
Figure 2.1: Assessment Configuration Screen
+
Figure 2.1: Assessment Configuration Screen
 

3. Assessment Information Screen

The Assessment Information screen collects demographic information. After filling out the form, click Next.
 
Assessment Information Screen
-
Figure 2.2: Assessment Information Screen
+
Figure 2.2: Assessment Information Screen
 
 

4. Maturity Model Selection Screen

@@ -369,7 +369,7 @@
 
 
Maturity Model Selection Screen
-
Figure 2.3: Maturity Model Selection Screen
+
Figure 2.3: Maturity Model Selection Screen
 
 

5. CRR Tutorial

@@ -390,7 +390,7 @@
•     Automated scoring
•     Multiple reports with Business Confidential / CUI marking options, detailed results, deficiencies, and suggested options for consideration offered in both HTML and PDF formats.
 
-

The CRR Assessment Tutorial starts in

Section 3.2

.

+

The CRR Assessment Tutorial starts in

Section 3.2

 
 
 
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_2_tutorial__using_the_cset__crr_assessment_software.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_2_tutorial__using_the_cset__crr_assessment_software.htm index 5b55a585d1..bee4ca2fba 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_2_tutorial__using_the_cset__crr_assessment_software.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_2_tutorial__using_the_cset__crr_assessment_software.htm @@ -320,7 +320,7 @@
 
 
CRR User Interface Question Structure and Icons
-
Figure 3: Assessment Question Structure
+
Figure 3: Assessment Question Structure
 
Supplemental Guidance: To aid the facilitator, each question is supported by guidance. The guidance should be referred to for background, possible examples, and artifacts, and for criteria that defines the requirements for a “Yes” and an “Incomplete” answer. The guidance is engaged by selecting the Guidance Icon containing the letter “G” located below the question.
Comments: Selecting this icon will display a text box that may be used to make comments regarding the question. For example, a facilitator, for future reference may make a note as to why an answer was marked incomplete vs. no. Note, these comments are not included in the official report and are meant to be private to the facilitator.
@@ -337,7 +337,7 @@
 
 
Domain remarks field.
-
Figure 4: Domain Remarks Field
+
Figure 4: Domain Remarks Field
 
 

Asset Types

@@ -360,7 +360,7 @@
See the Asset Types example in Figure 5.
 
Asset Types
-
Figure 5: Asset Types
+
Figure 5: Asset Types
 
 
 
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_conducting_a_crr_assessment.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_conducting_a_crr_assessment.htm index 1372f8df23..f8a53c34a9 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_conducting_a_crr_assessment.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/3_conducting_a_crr_assessment.htm @@ -390,7 +390,7 @@

Key Roles in the Assessment Process

A successful CRR Assessment requires the active participation of members of the organization who serve in a variety of roles. Table 2 summarizes the key roles involved in a typical assessment.
 
-
Table 2: Key Roles in the Assessment Process
+
Table 2: Key Roles in the Assessment Process
 
@@ -443,7 +443,7 @@

Identifying and Preparing Participants

For the CRR Assessment to be successful, participants should be knowledgeable about the organization’s cybersecurity practices in relation to both the selected critical service and the domains covered in the CRR. There should be SMEs familiar with how the organization operates in all 10 CRR domains (see Table 3). It is not necessary to have a single SME for each domain; one SME might cover multiple domains, or a single domain might require multiple SMEs.
 
-
Table 3: Identifying Participants
+
Table 3: Identifying Participants
 
@@ -519,7 +519,7 @@
 
Table 4 describes several topics that previous CRR assessments have shown deserve special emphasis prior to beginning the workshop.
 
-
Table 4: Topics for Discussion at the Start of the Workshop
+
Table 4: Topics for Discussion at the Start of the Workshop
 
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_2_how_to_interpret_the_report.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_2_how_to_interpret_the_report.htm index 70dba542dd..0706ef8ee8 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_2_how_to_interpret_the_report.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_2_how_to_interpret_the_report.htm @@ -316,7 +316,7 @@
 
CRR Performance Summary
 
-
Figure 8: CRR Performance Summary
+
Figure 8: CRR Performance Summary
 
The overview shows a linear display of an organization’s results. MIL1 reflects whether a goal has been fully achieved (green), has been partially achieved (yellow), or has not been achieved (red). For a goal to be fully achieved, all of the practices that make up the goal must be performed. MIL2 through MIL5 reflect whether each practice at a specific maturity level is performed (green), partially performed (yellow), or not performed (red).
 
@@ -326,7 +326,7 @@
 
A sampling of individual domains
 
-
Figure 9: A Sampling of Individual Domains
+
Figure 9: A Sampling of Individual Domains
 
Figure 9 shows that MIL1 is not achieved in Asset Management, Risk Management, External Dependencies Management, or Situational Awareness. Organizations should set their own path for improvement based on their organizational needs, for example:
 
@@ -337,7 +337,7 @@
 
 
Asset management individual domain report
-
Figure 10: Asset Management Individual Domain Report
+
Figure 10: Asset Management Individual Domain Report
 
In the Asset Management scenario shown in Figure 10, the organization may benefit from focusing on the prioritization, review, and resilience requirements of facilities to advance from the current MIL1 state all the way to MIL5, as all other practices are currently performed.
 
@@ -345,7 +345,7 @@
 
 
Controls management individual domain report
-
Figure 11: Controls Management Individual Domain Report
+
Figure 11: Controls Management Individual Domain Report
 
In the Controls Management scenario shown in Figure 11, all that is needed to achieve MIL2 is to implement standards and guidelines for controls management activities. This may be a relatively simple task. The organization would then achieve MIL5, as all other practices are performed.
 
@@ -355,12 +355,12 @@
 
CRR MIL-1 Performance Summary – Asset Management
 
-
Figure 12: CRR MIL-1 Performance Summary – Asset Management
+
Figure 12: CRR MIL-1 Performance Summary – Asset Management
 
Similarly, The CRR MIL1 Performance depiction shown in Figure 13 provides a finer level of operational detail. In the Vulnerability Management scenario presented in Figure 13, the organization can determine that facility assets are not managed as well as other asset types. This view can be used to aid in identifying discrepancies with how assets are being managed.
 
CRR MIL-1 Performance – Vulnerability Management
-
Figure 13: CRR MIL-1 Performance – Vulnerability Management
+
Figure 13: CRR MIL-1 Performance – Vulnerability Management
 
Additionally, the CRR Performance depiction shown in Figure 14 and located in Appendix A of the report provides a detailed operational view of the entire CRR.
 
@@ -368,7 +368,7 @@
 
CRR Performance View
 
-
Figure 14: CRR Performance View
+
Figure 14: CRR Performance View
 
 
Figure 15: Summary of CRR Results and Figure 16: Percentage of Practices Completed by Domain should be used in conjunction with each other when examining results. To illustrate this point, refer to the Asset Management portion of each depiction.
@@ -378,7 +378,7 @@
 
Summary of CRR Results
 
-
Figure 15: Summary of CRR Results
+
Figure 15: Summary of CRR Results
 
 
 
@@ -386,7 +386,7 @@
 
Percentage of Practices Completed by Domain
 
-
Figure 16: Percentage of Practices Completed by Domain
+
Figure 16: Percentage of Practices Completed by Domain
 
 
 
@@ -400,7 +400,7 @@
 
NIST Cybersecurity Framework Summary
 
-
Figure 17: NIST Cybersecurity Framework Summary
+
Figure 17: NIST Cybersecurity Framework Summary
 
Additionally, there are several NIST CSF depictions located in Appendix A that show a more detailed view of the NIST CSF Categories and Subcategories. Figure 18 depicts the performance of the Identify Function Asset Management (AM) Category based on the organization’s CRR responses.
 
@@ -410,7 +410,7 @@
 
NIST Cybersecurity Framework Category Summary
 
-
Figure 18: NIST Cybersecurity Framework Category Summary
+
Figure 18: NIST Cybersecurity Framework Category Summary
 
An organization can also use the NIST Cybersecurity Framework Category Performance depiction (Figure 19) to view the organization’s coverage of the NIST CSF Categories and Subcategories and to track its improvement efforts. The depiction acts a dynamic crosswalk for the user and can quickly be referenced to see which CRR practices are mapped to specific CSF categories and subcategories.
 
@@ -418,14 +418,14 @@
 
NIST Cybersecurity Framework Category Performance
 
-
Figure 19: NIST Cybersecurity Framework Category Performance
+
Figure 19: NIST Cybersecurity Framework Category Performance
 

Options for Consideration

The CRR Assessment Report includes a potential path toward improving the performance of each practice. These Options for Consideration are displayed in a grid below the organization’s results for each goal in each domain (Figure 20).
 
 
-
Figure 20: Options for Consideration
+
Figure 20: Options for Consideration
 
Options for Consideration are primarily sourced from the CERT-RMM and NIST special publications. Appendix C of this guide gives a full list of sources. The CERT-RMM options contain a root reference to the relevant specific goals and practices. This root reference has a standard pattern of abbreviation: process area:specific goal.specific practice. In Figure 20, the CERT-RMM reference for Question 1 (Q1) is to Service Continuity: Specific Goal 2.Specific Practice 1.
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_3_identify_gaps.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_3_identify_gaps.htm index 3c7be5045c..7bed41ac89 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_3_identify_gaps.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_3_identify_gaps.htm @@ -313,7 +313,8 @@
 
Table 5 gives a more detailed description of the process improvement activities.
 
-
Table 5: Recommended Process for Using Results
+
Table 5: Recommended Process for Using Results
+
 
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_crr_assessment_results_and_report.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_crr_assessment_results_and_report.htm index 200dc2db34..51228faddc 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_crr_assessment_results_and_report.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/4_crr_assessment_results_and_report.htm @@ -310,13 +310,13 @@
From the reports menu, a user can also view their CRR Deficiency Report and CRR Comments and Marked for Review reports.
 
Reports Screen
-
Figure 6: Reports Screen
+
Figure 6: Reports Screen
 

Generating the CRR Report

Reports can be downloaded in PDF format from the top of the sidebar menu.
 
CRR Report Menu with Download Report PDF Function
-
Figure 7: CRR Report Menu with Download Report (PDF) Function
+
Figure 7: CRR Report Menu with Download Report (PDF) Function

The contents of 4 CRR Assessment Results and Report

diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/5_making_improvements.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/5_making_improvements.htm index 05ac3c23b9..ae5fe7432b 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/5_making_improvements.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/5_making_improvements.htm @@ -305,7 +305,7 @@
Steps in a Typical Process Improvement Activity
 
 
-
Figure 21: Steps in a Typical Process Improvement Activity
+
Figure 21: Steps in a Typical Process Improvement Activity
 
This section focuses on the three phases of a process improvement project that remain after the assessment is performed:
•     Analyze Identified Gaps
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/cset_crr_user_guide_11_0.htm b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/cset_crr_user_guide_11_0.htm index e9289e4aba..9017c0150c 100644 --- a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/cset_crr_user_guide_11_0.htm +++ b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/Documents/htmlhelp_crr/cset_crr_user_guide_11_0.htm @@ -3,9 +3,7 @@ - - - + @@ -13,12 +11,12 @@ - CSET CRR User Guide 11.0 + CSET CRR User Guide 11.0 @@ -29,37 +27,38 @@ - + - -
- + +
+
+ + +
-
+
- - - - - - + + + + + + + + +
- -
+
+ +
- - - - - -
-
- × -
-
-
-
-
-
-
-
+ + + - - - - - -
+
+ × +
+
+
+
+
+
+
+
+ +
+
+
+ + + +
+ +
+ + Menu +
+ +
+ + Index +
+ +
+ + Search +
-
-
-
+
+ +
+ +
+
+
+
+
+ +
+ +
+
+
+
+
-
+ -
- - Menu -
- -
- - Index -
- -
- - Search -
- -
- -
- -
-
-
-
-
- -
- -
-
-
-
-
- - -
- - - -
-
- - - - - -
-
- - -
- 		- - - - - - -
-
-
- -
- - -
- -  
  -  
  -  
  -  
  - -
- - - - -
-
-
-
- - - - - -
-
-
- -
- -
-
- - - - - -
-
-
    -
  • CSET CRR User Guide 11.0
    • -
-
- 		-
- -
-
-
-
- -
-
- -
-
+
+
+ + + + + +
+
+ + +
+ 		+ + + + + + +
+
+
+ +
+ +
+ +  
  +  
  +  
  +  
  + +
+ -
-
-
- -
+ +
+ + + + + + + + + + 		+
+ +
+ +
+
+ + + + + +
+
+
  • CSET CRR User Guide 11.0
    • +
+ 		+
+ +
+
+
+
+ +
+
+ +
+
+ + + +
+
+ + +
- +
- -
- +
+
+
@@ -309,74 +305,73 @@
-
 
-
 
-
CYBER RESILIENCE REVIEW (CRR)
-
Assessment User Guide
-
Adapted for CSET® December 2021. Original publication April 2020.
-
 
-
 
-
 
-
 
-
 
-
-

The contents of CSET CRR User Guide 11.0

-
- - - - - - Table of Contents -
- - - - - - List of Tables -
+
 
+
 
+
CYBER RESILIENCE REVIEW (CRR)
+
Assessment User Guide
+
Adapted for CSET® December 2021. Original publication April 2020.
+
 
+
 
+
 
+
 
+
 
+
+

The contents of CSET CRR User Guide 11.0

+
+ + + + + + Table of Contents +
+ + + + + + List of Tables +
+ +
+ +