diff --git a/data/json/decision_points/cisa/cisa_levels_1_0_0.json b/data/json/decision_points/cisa/cisa_levels_1_1_0.json
similarity index 96%
rename from data/json/decision_points/cisa/cisa_levels_1_0_0.json
rename to data/json/decision_points/cisa/cisa_levels_1_1_0.json
index fcbd7061..965874bb 100644
--- a/data/json/decision_points/cisa/cisa_levels_1_0_0.json
+++ b/data/json/decision_points/cisa/cisa_levels_1_1_0.json
@@ -1,7 +1,7 @@
 {
 "namespace": "cisa",
 "key": "CISA",
- "version": "1.0.0",
+ "version": "1.1.0",
 "name": "CISA Levels",
 "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
 "schemaVersion": "2.0.0",
@@ -17,12 +17,12 @@
 "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines."
 },
 {
- "key": "A",
+ "key": "AT",
 "name": "Attend",
 "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines."
 },
 {
- "key": "A",
+ "key": "AC",
 "name": "Act",
 "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible."
 }
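Review bot: Records already stored against `cisa:CISA:1.0.0` with outcome `A` cannot be told apart as Attend or Act, and the second hunk's key change (`A` → `AT`, `A` → `AC`) ships without any note for the consumers who hold them; the rename also removes the 1.0.0 file those records would resolve against. Because these outcomes drive remediation urgency, the break should be recorded where consumers will see it. JSON has no comments, so I would add a changelog entry or a sentence in the decision point's `description`, such as `Version 1.1.0 replaces the ambiguous key A with AT (Attend) and AC (Act).` The `M` → `MA` change in public_well_being_impact_1_1_0.json raises the same question.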
diff --git a/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json b/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json
new file mode 100644
index 00000000..c3f4e72c
--- /dev/null
+++ b/data/json/decision_points/cvss/exploit_maturity_without_not_defined__2_0_0.json
@@ -0,0 +1,25 @@
+{
+ "namespace": "cvss",
+ "key": "E_NoX",
+ "version": "2.0.0",
+ "name": "Exploit Maturity (without Not Defined)",
+ "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "U",
+ "name": "Unreported",
+ "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)"
+ },
+ {
+ "key": "P",
+ "name": "Proof-of-Concept",
+ "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)"
+ },
+ {
+ "key": "A",
+ "name": "Attacked",
+ "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)"
+ }
+ ]
+}
diff --git a/data/json/decision_points/ssvc/human_impact_2_0_2.json b/data/json/decision_points/ssvc/human_impact_2_0_2.json
new file mode 100644
index 00000000..f6164b6b
--- /dev/null
+++ b/data/json/decision_points/ssvc/human_impact_2_0_2.json
@@ -0,0 +1,30 @@
+{
+ "namespace": "ssvc",
+ "key": "HI",
+ "version": "2.0.2",
+ "name": "Human Impact",
+ "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "schemaVersion": "2.0.0",
+ "values": [
+ {
+ "key": "L",
+ "name": "Low",
+ "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
+ },
+ {
+ "key": "M",
+ "name": "Medium",
+ "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
+ },
+ {
+ "key": "H",
+ "name": "High",
+ "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ },
+ {
+ "key": "VH",
+ "name": "Very High",
+ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ }
+ ]
+}
diff --git a/data/json/decision_points/ssvc/public_well_being_impact_1_0_0.json b/data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json
similarity index 97%
rename from data/json/decision_points/ssvc/public_well_being_impact_1_0_0.json
rename to data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json
index 2d1adc9c..38780b34 100644
--- a/data/json/decision_points/ssvc/public_well_being_impact_1_0_0.json
+++ b/data/json/decision_points/ssvc/public_well_being_impact_1_1_0.json
@@ -1,7 +1,7 @@
 {
 "namespace": "ssvc",
 "key": "PWI",
- "version": "1.0.0",
+ "version": "1.1.0",
 "name": "Public Well-Being Impact",
 "description": "A coarse-grained representation of impact to public well-being.",
 "schemaVersion": "2.0.0",
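Review bot: The value descriptions in the new human_impact_2_0_2.json leave `Safety Impact:Critical AND Mission Impact:MEF Failure` unassigned: High covers Critical only with Degraded or Crippled, and Very High requires Catastrophic or Mission Failure. If the Human Impact table maps that pair to High (its mapping is not visible in this hunk), the High description should say so, e.g. `(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled OR MEF Failure)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)`. An analyst reading only the description cannot place that combination today. The embedded copy of `ssvc:HI:2.0.2` in deployer_patch_application_priority_1_0_0.json carries the same text.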
@@ -12,7 +12,7 @@
 "description": "The effect is below the threshold for all aspects described in material. "
 },
 {
- "key": "M",
+ "key": "MA",
 "name": "Material",
 "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. "
 },
diff --git a/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json b/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json
index ecd2103b..92c7fac7 100644
--- a/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json
+++ b/data/json/decision_tables/cisa/cisa_coordinator_2_0_3.json
@@ -71,40 +71,35 @@
 }
 ]
 },
- "ssvc:HI:2.0.1": {
+ "ssvc:MWI:1.0.0": {
 "namespace": "ssvc",
- "key": "HI",
- "version": "2.0.1",
- "name": "Human Impact",
- "description": "Human Impact is a combination of Safety and Mission impacts.",
+ "key": "MWI",
+ "version": "1.0.0",
+ "name": "Mission and Well-Being Impact",
+ "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.",
 "schemaVersion": "2.0.0",
 "values": [
 {
 "key": "L",
 "name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal"
 },
 {
 "key": "M",
 "name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)"
 },
 {
 "key": "H",
 "name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
- },
- {
- "key": "VH",
- "name": "Very High",
- "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure"
+ "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)"
 }
 ]
 },
- "cisa:CISA:1.0.0": {
+ "cisa:CISA:1.1.0": {
 "namespace": "cisa",
 "key": "CISA",
- "version": "1.0.0",
+ "version": "1.1.0",
 "name": "CISA Levels",
 "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
 "schemaVersion": "2.0.0",
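Review bot: The three `ssvc:MWI:1.0.0` value descriptions do not partition the inputs: `Mission Prevalence:Minimal` with `Public Well-Being Impact:Material` matches none of Low (needs PWI Minimal), Medium (needs Support) or High (needs Essential or Irreversible). An analyst deriving MWI from these descriptions has no answer for that pair, which then blocks the CISA table lookup. If Medium is meant to include it, the Medium description could read `(Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)) OR (Mission Prevalence:Minimal AND Public Well-Being Impact:Material)`. Please confirm the intended level against the CISA guide before wording it.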
@@ -120,271 +115,271 @@ "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, { - "key": "A", + "key": "AT", "name": "Attend", "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "A", + "key": "AC", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." 
} ] } }, - "outcome": "cisa:CISA:1.0.0", + "outcome": "cisa:CISA:1.1.0", "mapping": [ { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": 
"T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "P", 
"ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AC" 
}, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" } ] } diff --git a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json index f6386ff2..dc517df1 100644 --- a/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json +++ b/data/json/decision_tables/cvss/cvss_v4_equivalence_set_5_1_0_0.json @@ -6,12 +6,12 @@ "description": "CVSS Equivalence Set 5 Decision Table", "schemaVersion": "2.0.0", "decision_points": { - "cvss:E:2.0.0": { + "cvss:E_NoX:2.0.0": { "namespace": "cvss", - "key": "E", + "key": "E_NoX", "version": "2.0.0", - "name": "Exploit Maturity", - "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", + "name": "Exploit Maturity (without Not Defined)", + "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { @@ -28,11 +28,6 @@ "key": "A", "name": "Attacked", "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" - }, - { - "key": "X", - "name": "Not Defined", - "description": "This metric value is not defined. See CVSS documentation for details." } ] }, 
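Review bot: Going by its path, cisa_coordinator_2_0_3.json is rewritten in place with no version bump: its fourth input moves from `ssvc:HI:2.0.1` to `ssvc:MWI:1.0.0` and every row's outcome key from `cisa:CISA:1.0.0` to `cisa:CISA:1.1.0`, yet the file name still reads 2_0_3 (the table's own `version` field is outside these hunks). If 2.0.3 has been published, anyone pinning that version now gets different column keys and outcome codes under the same identifier, so stored rows stop matching. I would issue this as a new table version and leave the old file alone, or note clearly that 2.0.3 was never released. The same applies to cvss_v4_equivalence_set_5_1_0_0.json (`cvss:E:2.0.0` → `cvss:E_NoX:2.0.0`) and deployer_patch_application_priority_1_0_0.json (`ssvc:HI:2.0.1` → `ssvc:HI:2.0.2`).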
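Review bot: With `X` removed from the input of cvss_v4_equivalence_set_5_1_0_0.json, a vector that carries `E:X` or omits E has no matching row, and the new description does not say how a caller should handle it. CVSS v4.0 treats Not Defined as equivalent to Attacked for scoring, so the `E_NoX` description should state the required normalisation, for example by appending `Callers must map Not Defined (X) to Attacked (A) before using this decision point.` Without that, an implementation may reject the vector or default to a lower equivalence level and understate the score.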
@@ -65,15 +60,15 @@ "outcome": "cvss:EQ5:1.0.0", "mapping": [ { - "cvss:E:2.0.0": "U", + "cvss:E_NoX:2.0.0": "U", "cvss:EQ5:1.0.0": "L" }, { - "cvss:E:2.0.0": "P", + "cvss:E_NoX:2.0.0": "P", "cvss:EQ5:1.0.0": "M" }, { - "cvss:E:2.0.0": "A", + "cvss:E_NoX:2.0.0": "A", "cvss:EQ5:1.0.0": "H" } ] diff --git a/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json b/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json index 2087649b..19cb05ab 100644 --- a/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json +++ b/data/json/decision_tables/ssvc/deployer_patch_application_priority_1_0_0.json @@ -76,10 +76,10 @@ } ] }, - "ssvc:HI:2.0.1": { + "ssvc:HI:2.0.2": { "namespace": "ssvc", "key": "HI", - "version": "2.0.1", + "version": "2.0.2", "name": "Human Impact", "description": "Human Impact is a combination of Safety and Mission impacts.", "schemaVersion": "2.0.0", @@ -87,17 +87,17 @@ { "key": "L", "name": "Low", - "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" + "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" }, { "key": "M", "name": "Medium", - "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" + "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" }, { "key": "H", "name": "High", - "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" }, { "key": "VH", 
@@ -143,504 +143,504 @@ "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" 
}, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { 
"ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": 
"P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", 
"ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": 
"O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "I" } ] diff --git a/data/json/decision_tables/ssvc/human_impact_1_0_0.json b/data/json/decision_tables/ssvc/human_impact_1_0_0.json index ea714a23..e7f20d6b 100644 --- a/data/json/decision_tables/ssvc/human_impact_1_0_0.json +++ b/data/json/decision_tables/ssvc/human_impact_1_0_0.json @@ -6,38 +6,33 @@ "description": "Human Impact decision table for SSVC", "schemaVersion": "2.0.0", "decision_points": { - "ssvc:SI:1.0.0": { + "ssvc:SI:2.0.0": { "namespace": "ssvc", "key": "SI", - "version": "1.0.0", + "version": "2.0.0", "name": "Safety Impact", - "description": "The safety impact of the vulnerability.", + "description": "The safety impact of the vulnerability. (based on IEC 61508)", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "None", - "description": "The effect is below the threshold for all aspects described in Minor." + "name": "Negligible", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." }, { "key": "M", - "name": "Minor", - "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." - }, - { - "key": "J", - "name": "Major", - "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. 
Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." + "name": "Marginal", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." }, { - "key": "H", - "name": "Hazardous", - "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + "key": "R", + "name": "Critical", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." }, { "key": "C", "name": "Catastrophic", - "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + "description": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A."
 }
 ]
 },
@@ -71,10 +66,10 @@
 }
 ]
 },
- "ssvc:HI:2.0.1": {
+ "ssvc:HI:2.0.2": {
 "namespace": "ssvc",
 "key": "HI",
- "version": "2.0.1",
+ "version": "2.0.2",
 "name": "Human Impact",
 "description": "Human Impact is a combination of Safety and Mission impacts.",
 "schemaVersion": "2.0.0",
@@ -82,17 +77,17 @@
 {
 "key": "L",
 "name": "Low",
- "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)"
+ "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)"
 },
 {
 "key": "M",
 "name": "Medium",
- "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))"
+ "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))"
 },
 {
 "key": "H",
 "name": "High",
- "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
+ "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)"
 },
 {
 "key": "VH",
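Review bot: The Medium and High descriptions added in the `@@ -82,17 +77,17 @@` hunk disagree with the mapping rows in the next hunk (`@@ -102,107 +97,87 @@`). The text places Safety Impact Marginal with Mission Impact Degraded or Crippled at Medium, Marginal with MEF Failure at High, and Critical with Degraded at High, while the mapping sends `M`/`D` and `M`/`MSC` to `L`, `M`/`MEF` to `M`, and `R`/`D` to `M`. Each of those four rows scores one level below what the description states, and that lower value is what the decision table later in this diff that takes `ssvc:HI:2.0.2` as an input would receive. If the descriptions are authoritative, the rows should carry `"ssvc:HI:2.0.2": "M"` for `M`/`D` and `M`/`MSC` and `"ssvc:HI:2.0.2": "H"` for `M`/`MEF` and `R`/`D`; otherwise the descriptions need rewording, and Critical with MEF Failure (mapped to `H`) should be named in one of them. Should this JSON be generated output, the correction belongs in the definition it is produced from.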
@@ -102,107 +97,87 @@
 ]
 }
 },
- "outcome": "ssvc:HI:2.0.1",
+ "outcome": "ssvc:HI:2.0.2",
 "mapping": [
 {
- "ssvc:SI:1.0.0": "N",
- "ssvc:MI:2.0.0": "D",
- "ssvc:HI:2.0.1": "L"
- },
- {
- "ssvc:SI:1.0.0": "N",
- "ssvc:MI:2.0.0": "MSC",
- "ssvc:HI:2.0.1": "L"
- },
- {
- "ssvc:SI:1.0.0": "N",
- "ssvc:MI:2.0.0": "MEF",
- "ssvc:HI:2.0.1": "M"
- },
- {
- "ssvc:SI:1.0.0": "N",
- "ssvc:MI:2.0.0": "MF",
- "ssvc:HI:2.0.1": "VH"
- },
- {
- "ssvc:SI:1.0.0": "M",
+ "ssvc:SI:2.0.0": "N",
 "ssvc:MI:2.0.0": "D",
- "ssvc:HI:2.0.1": "L"
+ "ssvc:HI:2.0.2": "L"
 },
 {
- "ssvc:SI:1.0.0": "M",
+ "ssvc:SI:2.0.0": "N",
 "ssvc:MI:2.0.0": "MSC",
- "ssvc:HI:2.0.1": "L"
+ "ssvc:HI:2.0.2": "L"
 },
 {
- "ssvc:SI:1.0.0": "M",
+ "ssvc:SI:2.0.0": "N",
 "ssvc:MI:2.0.0": "MEF",
- "ssvc:HI:2.0.1": "M"
+ "ssvc:HI:2.0.2": "M"
 },
 {
- "ssvc:SI:1.0.0": "M",
+ "ssvc:SI:2.0.0": "N",
 "ssvc:MI:2.0.0": "MF",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 },
 {
- "ssvc:SI:1.0.0": "J",
+ "ssvc:SI:2.0.0": "M",
 "ssvc:MI:2.0.0": "D",
- "ssvc:HI:2.0.1": "M"
+ "ssvc:HI:2.0.2": "L"
 },
 {
- "ssvc:SI:1.0.0": "J",
+ "ssvc:SI:2.0.0": "M",
 "ssvc:MI:2.0.0": "MSC",
- "ssvc:HI:2.0.1": "M"
+ "ssvc:HI:2.0.2": "L"
 },
 {
- "ssvc:SI:1.0.0": "J",
+ "ssvc:SI:2.0.0": "M",
 "ssvc:MI:2.0.0": "MEF",
- "ssvc:HI:2.0.1": "H"
+ "ssvc:HI:2.0.2": "M"
 },
 {
- "ssvc:SI:1.0.0": "J",
+ "ssvc:SI:2.0.0": "M",
 "ssvc:MI:2.0.0": "MF",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 },
 {
- "ssvc:SI:1.0.0": "H",
+ "ssvc:SI:2.0.0": "R",
 "ssvc:MI:2.0.0": "D",
- "ssvc:HI:2.0.1": "H"
+ "ssvc:HI:2.0.2": "M"
 },
 {
- "ssvc:SI:1.0.0": "H",
+ "ssvc:SI:2.0.0": "R",
 "ssvc:MI:2.0.0": "MSC",
- "ssvc:HI:2.0.1": "H"
+ "ssvc:HI:2.0.2": "H"
 },
 {
- "ssvc:SI:1.0.0": "H",
+ "ssvc:SI:2.0.0": "R",
 "ssvc:MI:2.0.0": "MEF",
- "ssvc:HI:2.0.1": "H"
+ "ssvc:HI:2.0.2": "H"
 },
 {
- "ssvc:SI:1.0.0": "H",
+ "ssvc:SI:2.0.0": "R",
 "ssvc:MI:2.0.0": "MF",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 },
 {
- "ssvc:SI:1.0.0": "C",
+ "ssvc:SI:2.0.0": "C",
 "ssvc:MI:2.0.0": "D",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 },
 {
- "ssvc:SI:1.0.0": "C",
+ "ssvc:SI:2.0.0": "C",
 "ssvc:MI:2.0.0": "MSC",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 },
 {
- "ssvc:SI:1.0.0": "C",
+ "ssvc:SI:2.0.0": "C",
 "ssvc:MI:2.0.0": "MEF",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 },
 {
- "ssvc:SI:1.0.0": "C",
+ "ssvc:SI:2.0.0": "C",
 "ssvc:MI:2.0.0": "MF",
- "ssvc:HI:2.0.1": "VH"
+ "ssvc:HI:2.0.2": "VH"
 }
 ]
 }
diff --git a/data/json/ssvc_object_registry.json b/data/json/ssvc_object_registry.json
index 2243f523..0f39238f 100644
--- a/data/json/ssvc_object_registry.json
+++ b/data/json/ssvc_object_registry.json
@@ -102,12 +102,12 @@
 "CISA": {
 "key": "CISA",
 "versions": {
- "1.0.0": {
- "version": "1.0.0",
+ "1.1.0": {
+ "version": "1.1.0",
 "obj": {
 "namespace": "cisa",
 "key": "CISA",
- "version": "1.0.0",
+ "version": "1.1.0",
 "name": "CISA Levels",
 "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.",
 "schemaVersion": "2.0.0",
@@ -123,12 +123,12 @@ "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, { - "key": "A", + "key": "AT", "name": "Attend", "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "A", + "key": "AC", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } 
@@ -145,8 +145,13 @@ "name": "Track*", "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, - "A": { - "key": "A", + "AT": { + "key": "AT", + "name": "Attend", + "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." + }, + "AC": { + "key": "AC", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." } 
@@ -2014,6 +2019,56 @@ } } }, + "E_NoX": { + "key": "E_NoX", + "versions": { + "2.0.0": { + "version": "2.0.0", + "obj": { + "namespace": "cvss", + "key": "E_NoX", + "version": "2.0.0", + "name": "Exploit Maturity (without Not Defined)", + "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "U", + "name": "Unreported", + "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + }, + { + "key": "P", + "name": "Proof-of-Concept", + "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + }, + { + "key": "A", + "name": "Attacked", + "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + } + ] + }, + "values": { + "U": { + "key": "U", + "name": "Unreported", + "description": "Based on available threat intelligence each of the following must apply: No knowledge of publicly available proof-of-concept exploit code No knowledge of reported attempts to exploit this 
vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., neither the “POC” nor “Attacked” values apply)" + }, + "P": { + "key": "P", + "name": "Proof-of-Concept", + "description": "Based on available threat intelligence each of the following must apply: Proof-of-concept exploit code is publicly available No knowledge of reported attempts to exploit this vulnerability No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability (i.e., the “Attacked” value does not apply)" + }, + "A": { + "key": "A", + "name": "Attacked", + "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" + } + } + } + } + }, "IB": { "key": "IB", "versions": { 
@@ -5516,6 +5571,61 @@ "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" } } + }, + "2.0.2": { + "version": "2.0.2", + "obj": { + "namespace": "ssvc", + "key": "HI", + "version": "2.0.2", + "name": "Human Impact", + "description": "Human Impact is a combination of Safety and Mission impacts.", + "schemaVersion": "2.0.0", + "values": [ + { + "key": "L", + "name": "Low", + "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" + }, + { + "key": "M", + "name": "Medium", + "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + }, + { + "key": "H", + "name": "High", + "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + }, + { + "key": "VH", + "name": "Very High", + "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + } + ] + }, + "values": { + "L": { + "key": "L", + "name": "Low", + "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" + }, + "M": { + "key": "M", + "name": "Medium", + "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" + }, + "H": { + "key": "H", + "name": "High", + "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + }, + "VH": { + "key": "VH", + "name": "Very High", + "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + } + } } } }, 
@@ -5647,12 +5757,12 @@ "PWI": { "key": "PWI", "versions": { - "1.0.0": { - "version": "1.0.0", + "1.1.0": { + "version": "1.1.0", "obj": { "namespace": "ssvc", "key": "PWI", - "version": "1.0.0", + "version": "1.1.0", "name": "Public Well-Being Impact", "description": "A coarse-grained representation of impact to public well-being.", "schemaVersion": "2.0.0", @@ -5663,7 +5773,7 @@ "description": "The effect is below the threshold for all aspects described in material. " }, { - "key": "M", + "key": "MA", "name": "Material", "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. " }, @@ -5677,6 +5787,11 @@ "values": { "M": { "key": "M", + "name": "Minimal", + "description": "The effect is below the threshold for all aspects described in material. " + }, + "MA": { + "key": "MA", "name": "Material", "description": "Any one or more of these conditions hold. Physical harm: Does one or more of the following: (a) Causes physical distress or injury to system users. (b) Introduces occupational safety hazards. (c) Reduces and/or results in failure of cyber-physical system safety margins. Environment: Major externalities (property damage, environmental damage, etc.) are imposed on other parties. Financial: Financial losses likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to necessitate counseling or therapy, impact populations of people. " }, 
@@ -6992,12 +7107,12 @@ "description": "CVSS Equivalence Set 5 Decision Table", "schemaVersion": "2.0.0", "decision_points": { - "cvss:E:2.0.0": { + "cvss:E_NoX:2.0.0": { "namespace": "cvss", - "key": "E", + "key": "E_NoX", "version": "2.0.0", - "name": "Exploit Maturity", - "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation.", + "name": "Exploit Maturity (without Not Defined)", + "description": "This metric measures the likelihood of the vulnerability being attacked, and is based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation. This version does not include the Not Defined (X) option.", "schemaVersion": "2.0.0", "values": [ { @@ -7014,11 +7129,6 @@ "key": "A", "name": "Attacked", "description": "Based on available threat intelligence either of the following must apply: Attacks targeting this vulnerability (attempted or successful) have been reported Solutions to simplify attempts to exploit the vulnerability are publicly or privately available (such as exploit toolkits)" - }, - { - "key": "X", - "name": "Not Defined", - "description": "This metric value is not defined. See CVSS documentation for details." } ] }, @@ -7051,15 +7161,15 @@ "outcome": "cvss:EQ5:1.0.0", "mapping": [ { - "cvss:E:2.0.0": "U", + "cvss:E_NoX:2.0.0": "U", "cvss:EQ5:1.0.0": "L" }, { - "cvss:E:2.0.0": "P", + "cvss:E_NoX:2.0.0": "P", "cvss:EQ5:1.0.0": "M" }, { - "cvss:E:2.0.0": "A", + "cvss:E_NoX:2.0.0": "A", "cvss:EQ5:1.0.0": "H" } ] @@ -17441,10 +17551,10 @@ } ] }, - "ssvc:HI:2.0.1": { + "ssvc:HI:2.0.2": { "namespace": "ssvc", "key": "HI", - "version": "2.0.1", + "version": "2.0.2", "name": "Human Impact", "description": "Human Impact is a combination of Safety and Mission impacts.", "schemaVersion": "2.0.0", 
@@ -17452,17 +17562,17 @@ { "key": "L", "name": "Low", - "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" + "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" }, { "key": "M", "name": "Medium", - "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" + "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" }, { "key": "H", "name": "High", - "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" }, { "key": "VH", 
@@ -17508,504 +17618,504 @@ "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": 
"S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { 
"ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": 
"P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", 
"ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": 
"O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "I" }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "I" } ] @@ -18026,38 +18136,33 @@ "description": "Human Impact decision table for SSVC", "schemaVersion": "2.0.0", "decision_points": { - "ssvc:SI:1.0.0": { + "ssvc:SI:2.0.0": { "namespace": "ssvc", "key": "SI", - "version": "1.0.0", + "version": "2.0.0", "name": "Safety Impact", - "description": "The safety impact of the vulnerability.", + "description": "The safety impact of the vulnerability. (based on IEC 61508)", "schemaVersion": "2.0.0", "values": [ { "key": "N", - "name": "None", - "description": "The effect is below the threshold for all aspects described in Minor." + "name": "Negligible", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Minor injuries at worst (IEC 61508 Negligible).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard.
- *System resiliency*: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation.
- *Environment*: Minor externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses, which are not readily absorbable, to multiple persons.
- *Psychological*: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." }, { "key": "M", - "name": "Minor", - "description": "Any one or more of these conditions hold. Physical harm: Physical discomfort for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be well within expected operator abilities; OR causes a minor occupational safety hazard. System resiliency: Small reduction in built-in system safety margins; OR small reduction in system functional capabilities that support safe operation. Environment: Minor externalities (property damage, environmental damage, etc.) imposed on other parties. Financial Financial losses, which are not readily absorbable, to multiple persons. Psychological: Emotional or psychological harm, sufficient to be cause for counselling or therapy, to multiple persons." + "name": "Marginal", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Major injuries to one or more persons (IEC 61508 Marginal).
- *Operator resiliency*: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard.
- *System resiliency*: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation.
- *Environment*: Major externalities (property damage, environmental damage, etc.) imposed on other parties.
- *Financial*: Financial losses that likely lead to bankruptcy of multiple persons.
- *Psychological*: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." }, { - "key": "J", - "name": "Major", - "description": "Any one or more of these conditions hold. Physical harm: Physical distress and injuries for users (not operators) of the system. Operator resiliency: Requires action by system operator to maintain safe system state as a result of exploitation of the vulnerability where operator actions would be within their capabilities but the actions require their full attention and effort; OR significant distraction or discomfort to operators; OR causes significant occupational safety hazard. System resiliency: System safety margin effectively eliminated but no actual harm; OR failure of system functional capabilities that support safe operation. Environment: Major externalities (property damage, environmental damage, etc.) imposed on other parties. Financial: Financial losses that likely lead to bankruptcy of multiple persons. Psychological: Widespread emotional or psychological harm, sufficient to be cause for counselling or therapy, to populations of people." - }, - { - "key": "H", - "name": "Hazardous", - "description": "Any one or more of these conditions hold. Physical harm: Serious or fatal injuries, where fatalities are plausibly preventable via emergency services or other measures. Operator resiliency: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly. System resiliency: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact. Environment: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties. 
Financial: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state. Psychological: N/A." + "key": "R", + "name": "Critical", + "description": "Any one or more of these conditions hold.

- *Physical harm*: Loss of life (IEC 61508 Critical).
- *Operator resiliency*: Actions that would keep the system in a safe state are beyond system operator capabilities, resulting in adverse conditions; OR great physical distress to system operators such that they cannot be expected to operate the system properly.
- *System resiliency*: Parts of the cyber-physical system break; system’s ability to recover lost functionality remains intact.
- *Environment*: Serious externalities (threat to life as well as property, widespread environmental damage, measurable public health risks, etc.) imposed on other parties.
- *Financial*: Socio-technical system (elections, financial grid, etc.) of which the affected component is a part is actively destabilized and enters unsafe state.
- *Psychological*: N/A." }, { "key": "C", "name": "Catastrophic", - "description": "Any one or more of these conditions hold. Physical harm: Multiple immediate fatalities (Emergency response probably cannot save the victims.) Operator resiliency: Operator incapacitated (includes fatality or otherwise incapacitated). System resiliency: Total loss of whole cyber-physical system, of which the software is a part. Environment: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties. Financial: Social systems (elections, financial grid, etc.) supported by the software collapse. Psychological: N/A." + "description": "Any one or more of these conditions hold.

- *Physical harm*: Multiple loss of life (IEC 61508 Catastrophic).
- *Operator resiliency*: Operator incapacitated (includes fatality or otherwise incapacitated).
- *System resiliency*: Total loss of whole cyber-physical system, of which the software is a part.
- *Environment*: Extreme externalities (immediate public health threat, environmental damage leading to small ecosystem collapse, etc.) imposed on other parties.
- *Financial*: Social systems (elections, financial grid, etc.) supported by the software collapse.
- *Psychological*: N/A." } ] }, @@ -18091,10 +18196,10 @@ } ] }, - "ssvc:HI:2.0.1": { + "ssvc:HI:2.0.2": { "namespace": "ssvc", "key": "HI", - "version": "2.0.1", + "version": "2.0.2", "name": "Human Impact", "description": "Human Impact is a combination of Safety and Mission impacts.", "schemaVersion": "2.0.0", @@ -18102,17 +18207,17 @@ { "key": "L", "name": "Low", - "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" + "description": "Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)" }, { "key": "M", "name": "Medium", - "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" + "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))" }, { "key": "H", "name": "High", - "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" + "description": "(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" }, { "key": "VH", 
@@ -18122,107 +18227,87 @@ ] } }, - "outcome": "ssvc:HI:2.0.1", + "outcome": "ssvc:HI:2.0.2", "mapping": [ { - "ssvc:SI:1.0.0": "N", + "ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.1": "L" + "ssvc:HI:2.0.2": "L" }, { - "ssvc:SI:1.0.0": "N", + "ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.1": "L" + "ssvc:HI:2.0.2": "L" }, { - "ssvc:SI:1.0.0": "N", + "ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.1": "M" + "ssvc:HI:2.0.2": "M" }, { - "ssvc:SI:1.0.0": "N", + "ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.1": "VH" + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:SI:1.0.0": "M", + "ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.1": "L" + "ssvc:HI:2.0.2": "L" }, { - "ssvc:SI:1.0.0": "M", + "ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.1": "L" + "ssvc:HI:2.0.2": "L" }, { - "ssvc:SI:1.0.0": "M", + "ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.1": "M" + "ssvc:HI:2.0.2": "M" }, { - "ssvc:SI:1.0.0": "M", + "ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.1": "VH" + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:SI:1.0.0": "J", + "ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.1": "M" + "ssvc:HI:2.0.2": "M" }, { - "ssvc:SI:1.0.0": "J", + "ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.1": "M" + "ssvc:HI:2.0.2": "H" }, { - "ssvc:SI:1.0.0": "J", + "ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.1": "H" + "ssvc:HI:2.0.2": "H" }, { - "ssvc:SI:1.0.0": "J", + "ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.1": "VH" + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:SI:1.0.0": "H", + "ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.1": "H" + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:SI:1.0.0": "H", + "ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.1": "H" + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:SI:1.0.0": "H", + "ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.1": "H" + "ssvc:HI:2.0.2": "VH" }, { - "ssvc:SI:1.0.0": "H", + "ssvc:SI:2.0.0": "C", 
"ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.1": "VH" - }, - { - "ssvc:SI:1.0.0": "C", - "ssvc:MI:2.0.0": "D", - "ssvc:HI:2.0.1": "VH" - }, - { - "ssvc:SI:1.0.0": "C", - "ssvc:MI:2.0.0": "MSC", - "ssvc:HI:2.0.1": "VH" - }, - { - "ssvc:SI:1.0.0": "C", - "ssvc:MI:2.0.0": "MEF", - "ssvc:HI:2.0.1": "VH" - }, - { - "ssvc:SI:1.0.0": "C", - "ssvc:MI:2.0.0": "MF", - "ssvc:HI:2.0.1": "VH" + "ssvc:HI:2.0.2": "VH" } ] } 
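Review bot: The rows for Safety Impact `M` and `R` in this mapping disagree with the Human Impact 2.0.2 value descriptions earlier in the same file. Those descriptions put Marginal with Degraded or Crippled at Medium, Marginal with MEF Failure at High, and Critical with Degraded or Crippled at High, yet the table maps `M`+`D` and `M`+`MSC` to `L`, `M`+`MEF` to `M`, and `R`+`D` to `M` (reading `D`, `MSC` and `MEF` as Degraded, Crippled and MEF Failure, which this hunk does not show). The `M` rows look carried over unchanged from SI 1.0.0, where `M` meant Minor, so a Marginal or Critical safety impact is rated lower than the documented rule says. Either the rows change, for example `"ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.2": "M"`, or the descriptions (also added as `LOW_4`, `MEDIUM_4` and `HIGH_4` in human_impact.py) are rewritten to match. If this JSON is generated, the correction belongs in the source table.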
@@ -18811,40 +18896,35 @@ } ] }, - "ssvc:HI:2.0.1": { + "ssvc:MWI:1.0.0": { "namespace": "ssvc", - "key": "HI", - "version": "2.0.1", - "name": "Human Impact", - "description": "Human Impact is a combination of Safety and Mission impacts.", + "key": "MWI", + "version": "1.0.0", + "name": "Mission and Well-Being Impact", + "description": "Mission and Well-Being Impact is a combination of Mission Prevalence and Public Well-Being Impact.", "schemaVersion": "2.0.0", "values": [ { "key": "L", "name": "Low", - "description": "Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)" + "description": "Mission Prevalence:Minimal AND Public Well-Being Impact:Minimal" }, { "key": "M", "name": "Medium", - "description": "(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))" + "description": "Mission Prevalence:Support AND Public Well-Being Impact:(Minimal OR Material)" }, { "key": "H", "name": "High", - "description": "(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)" - }, - { - "key": "VH", - "name": "Very High", - "description": "Safety Impact:Catastrophic OR Mission Impact:Mission Failure" + "description": "Mission Prevalence:Essential OR Public Well-Being Impact:(Irreversible)" } ] }, - "cisa:CISA:1.0.0": { + "cisa:CISA:1.1.0": { "namespace": "cisa", "key": "CISA", - "version": "1.0.0", + "version": "1.1.0", "name": "CISA Levels", "description": "The CISA outcome group. CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", "schemaVersion": "2.0.0", 
@@ -18860,271 +18940,271 @@ "description": "The vulnerability contains specific characteristics that may require closer monitoring for changes. CISA recommends remediating Track* vulnerabilities within standard update timelines." }, { - "key": "A", + "key": "AT", "name": "Attend", "description": "The vulnerability requires attention from the organization's internal, supervisory-level individuals. Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. CISA recommends remediating Attend vulnerabilities sooner than standard update timelines." }, { - "key": "A", + "key": "AC", "name": "Act", "description": "The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. CISA recommends remediating Act vulnerabilities as soon as possible." 
} ] } }, - "outcome": "cisa:CISA:1.0.0", + "outcome": "cisa:CISA:1.1.0", "mapping": [ { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": 
"T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T*" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*" }, { "ssvc:E:1.1.0": "P", 
"ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT" }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AC" 
}, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A" + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC" } ] } diff --git a/src/ssvc/decision_points/base.py b/src/ssvc/decision_points/base.py index f239c7e0..f5ee3931 100644 --- a/src/ssvc/decision_points/base.py +++ b/src/ssvc/decision_points/base.py @@ -133,6 +133,21 @@ def _set_schema_version(cls, data: dict) -> dict: data["schemaVersion"] = SCHEMA_VERSION return data + @model_validator(mode="after") + def _validate_values(self): + # confirm that value keys are unique + seen = dict() + for value in self.values: + if value.key in seen: + raise ValueError( + f"Duplicate key found in {self.id}: {value.key} ({value.name} and {seen[value.key]})" + ) + else: + seen[value.key] = value.name + + # if we got here, all good + return self + @property def value_summaries(self) -> list[str]: """ diff --git a/src/ssvc/decision_points/cvss/exploit_maturity.py b/src/ssvc/decision_points/cvss/exploit_maturity.py index 66a6e758..e19464fe 100644 --- a/src/ssvc/decision_points/cvss/exploit_maturity.py +++ b/src/ssvc/decision_points/cvss/exploit_maturity.py @@ -28,6 +28,7 @@ NOT_DEFINED_X, ) from ssvc.decision_points.cvss.base import CvssDecisionPoint +from ssvc.decision_points.cvss.helpers import no_x from ssvc.decision_points.helpers import print_versions_and_diffs _HIGH_2 = DecisionPointValue( @@ -186,6 +187,8 @@ ), ) +EXPLOIT_MATURITY_2_NoX = no_x(EXPLOIT_MATURITY_2) + VERSIONS = ( EXPLOITABILITY_1, EXPLOITABILITY_1_1, diff --git a/src/ssvc/decision_points/ssvc/human_impact.py b/src/ssvc/decision_points/ssvc/human_impact.py index a5a583bf..b22819e0 100644 --- a/src/ssvc/decision_points/ssvc/human_impact.py +++ b/src/ssvc/decision_points/ssvc/human_impact.py 
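Review bot: `_validate_values` in decision_points/base.py has no docstring, and the reason it exists is worth recording: two values sharing a key make a stored key ambiguous, as the old `A` for both Attend and Act did. I would add `"""Reject decision points whose values reuse a key; a key alone must identify exactly one value."""`. The `else:` after the `raise` is redundant and `seen = dict()` reads better as `seen = {}`, so the loop can raise first and then assign `seen[value.key] = value.name` unconditionally. The comparison is exact-match, so keys differing only in case would still pass; that may be intended, but it is worth saying so in the docstring.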
@@ -44,6 +44,13 @@
 description="Safety Impact:(Negligible) AND Mission Impact:(None OR Degraded OR Crippled)",
 )
+LOW_4 = DecisionPointValue(
+ name="Low",
+ key="L",
+ description="Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)",
+)
+
+
 MEDIUM_1 = DecisionPointValue(
 name="Medium",
 key="M",
@@ -62,6 +69,13 @@
 description="(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(None OR Degraded OR Crippled))",
 )
+MEDIUM_4 = DecisionPointValue(
+ name="Medium",
+ key="M",
+ description="(Safety Impact:Negligible AND Mission Impact:MEF Failure) OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))",
+)
+
+
 HIGH_1 = DecisionPointValue(
 name="High",
 key="H",
@@ -81,6 +95,12 @@
 description="(Safety Impact:Critical AND Mission Impact:(None OR Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)",
 )
+HIGH_4 = DecisionPointValue(
+ name="High",
+ key="H",
+ description="(Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled)) OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)",
+)
+
 VERY_HIGH_1 = DecisionPointValue(
 name="Very High",
 key="VH",
@@ -127,10 +147,25 @@
 ),
 )
+HUMAN_IMPACT_2_0_2 = SsvcDecisionPoint(
+ name="Human Impact",
+ description="Human Impact is a combination of Safety and Mission impacts.",
+ key="HI",
+ version="2.0.2",
+ values=(
+ LOW_4,
+ MEDIUM_4,
+ HIGH_4,
+ VERY_HIGH_1,
+ ),
+)
+
+
 VERSIONS = (
 MISSION_AND_WELL_BEING_IMPACT_1,
 HUMAN_IMPACT_2,
 HUMAN_IMPACT_2_0_1,
+ HUMAN_IMPACT_2_0_2,
 )
 LATEST = VERSIONS[-1]
diff --git a/src/ssvc/decision_points/ssvc/public_safety_impact.py b/src/ssvc/decision_points/ssvc/public_safety_impact.py
index 449c8938..46f22a94 100644
--- a/src/ssvc/decision_points/ssvc/public_safety_impact.py
+++ b/src/ssvc/decision_points/ssvc/public_safety_impact.py
@@ -48,6 +48,22 @@ key="M", ) +MATERIAL_1 = DecisionPointValue( + name="Material", + description="Any one or more of these conditions hold. " + "Physical harm: Does one or more of the following: " + "(a) Causes physical distress or injury to system users. " + "(b) Introduces occupational safety hazards. " + "(c) Reduces and/or results in failure of cyber-physical system safety margins. " + "Environment: Major externalities (property damage, environmental damage, etc.) are " + "imposed on other parties. " + "Financial: Financial losses likely lead to bankruptcy of multiple persons. " + "Psychological: Widespread emotional or psychological harm, sufficient to necessitate " + "counseling or therapy, impact populations of people. ", + key="MA", +) + + IRREVERSIBLE = DecisionPointValue( name="Irreversible", description="Any one or more of these conditions hold. " @@ -81,19 +97,33 @@ name="Minimal", description="Safety Impact:Negligible", key="M" ) - -PUBLIC_WELL_BEING_IMPACT_1 = SsvcDecisionPoint( +# This version is deprecated because it had two values with the same key. +# It is kept here for reference, but should not be used in new code. +# PUBLIC_WELL_BEING_IMPACT_1 = SsvcDecisionPoint( +# name="Public Well-Being Impact", +# description="A coarse-grained representation of impact to public well-being.", +# key="PWI", +# version="1.0.0", +# values=( +# MINIMAL_1, +# MATERIAL, +# IRREVERSIBLE, +# ), +# ) + +PUBLIC_WELL_BEING_IMPACT_1_1 = SsvcDecisionPoint( name="Public Well-Being Impact", description="A coarse-grained representation of impact to public well-being.", key="PWI", - version="1.0.0", + version="1.1.0", values=( MINIMAL_1, - MATERIAL, + MATERIAL_1, IRREVERSIBLE, ), ) + PUBLIC_SAFETY_IMPACT_2 = SsvcDecisionPoint( name="Public Safety Impact", description="A coarse-grained representation of impact to public safety.", 
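Review bot: Commenting out `PUBLIC_WELL_BEING_IMPACT_1` removes a module-level name, so any importer of it now fails with ImportError, and a stored PWI 1.0.0 selection can no longer be resolved through `VERSIONS` (the next hunk comments it out there too). Whether other modules or published data still reference 1.0.0 is not visible here; if they do, this is a breaking change that the commit message should state. Rather than keeping thirteen lines of dead code, I would delete the commented block and leave one line, `# PWI 1.0.0 withdrawn: two of its values shared a key; superseded by 1.1.0.`, since version control already preserves the old definition. The last fragment of `MATERIAL_1`'s description in the hunk above also ends with a trailing space inside the string, which ends up in the published description.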
@@ -117,7 +147,8 @@
 )
 VERSIONS = (
- PUBLIC_WELL_BEING_IMPACT_1,
+ # PUBLIC_WELL_BEING_IMPACT_1,
+ PUBLIC_WELL_BEING_IMPACT_1_1,
 PUBLIC_SAFETY_IMPACT_2,
 PUBLIC_SAFETY_IMPACT_2_0_1,
 )
diff --git a/src/ssvc/decision_tables/base.py b/src/ssvc/decision_tables/base.py
index 5e2bcffc..eeb01e1b 100644
--- a/src/ssvc/decision_tables/base.py
+++ b/src/ssvc/decision_tables/base.py
@@ -195,6 +195,73 @@ def check_mapping_keys(self):
 )
 return self
+ @model_validator(mode="after")
+ def remove_duplicate_mapping_rows(self):
+ seen = dict()
+ new_mapping = []
+ for row in self.mapping:
+ value_tuple = tuple(v for k, v in row.items() if k != self.outcome)
+ if value_tuple in seen:
+ # we have a duplicate, but is it same or different?
+ if seen[value_tuple][self.outcome] == row[self.outcome]:
+ # if it's a match, just log it and move on
+ logger.warning(
+ f"Duplicate mapping found (removed automatically): {row}"
+ )
+ else:
+ # they don't match
+ raise ValueError(
+ f"Conflicting mappings found: {seen[value_tuple]} != {row}"
+ )
+ else:
+ # not a duplicate, add it to the new mapping
+ seen[value_tuple] = row
+ new_mapping.append(row)
+ # set the new mapping (with duplicates removed)
+ self.mapping = new_mapping
+ return self
+
+ @model_validator(mode="after")
+ def check_mapping_coverage(self):
+ counts = {}
+ all_combos = dpdict_to_combination_list(
+ self.decision_points, exclude=[self.outcome]
+ )
+ # all_combos is a dict of all possible combinations of decision point values
+ # keyed by decision point ID, with value keys as values.
+ # initialize counts for all input combinations to 0
+ for combo in all_combos:
+ value_tuple = tuple(combo.values())
+ counts[value_tuple] = counts.get(value_tuple, 0)
+
+ # counts now has all possible input combinations set to count 0
+
+ for row in self.mapping:
+ value_tuple = tuple(v for k, v in row.items() if k != self.outcome)
+ counts[value_tuple] += 1
+
+ # check if all combinations are covered
+ for k, v in counts.items():
+ if v == 1:
+ # ok, proceed
+ continue
+ elif v == 0:
+ # missing combination
+ raise ValueError(
+ f"Mapping is incomplete: No mapping found for decision point combination: {k}."
+ )
+ elif v > 1:
+ # duplicate. remove duplicate mapping rows should have caught this already
+ raise ValueError(
+ f"Duplicate mapping found for decision point combination: {k}."
+ )
+ else:
+ raise ValueError(f"Unexpected count in mapping coverage check.{k}: {v}")
+
+ # if you made it to here, all the counts were 1, so we're good
+
+ return self
+
 @model_validator(mode="after")
 def validate_mapping(self):
 """
diff --git a/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py b/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py
index 04004186..0e4503a9 100644
--- a/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py
+++ b/src/ssvc/decision_tables/cisa/cisa_coordinate_dt.py
@@ -22,10 +22,14 @@
 # subject to its own license.
 # DM24-0278
-from ssvc.decision_points.ssvc.automatable import LATEST as Automatable
-from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation
-from ssvc.decision_points.ssvc.human_impact import LATEST as HumanImpact
-from ssvc.decision_points.ssvc.technical_impact import LATEST as TechnicalImpact
+from ssvc.decision_points.ssvc.automatable import AUTOMATABLE_2 as Automatable
+from ssvc.decision_points.ssvc.exploitation import EXPLOITATION_1_1_0 as Exploitation
+from ssvc.decision_points.ssvc.human_impact import (
+ MISSION_AND_WELL_BEING_IMPACT_1 as MissionAndWellBeingImpact,
+)
+from ssvc.decision_points.ssvc.technical_impact import (
+ TECHNICAL_IMPACT_1 as TechnicalImpact,
+)
 from ssvc.decision_tables.base import DecisionTable, decision_table_to_longform_df
 from ssvc.namespaces import NameSpace
 from ssvc.outcomes.cisa.scoring import CISA as Priority
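Review bot: In `check_mapping_coverage`, `counts[value_tuple] += 1` raises a bare KeyError, not the ValueError used by every other branch, when a row's values are not one of the tuples built from `all_combos`. Both new validators build `value_tuple` from `row.items()` order, so a row whose keys are written in a different order from `decision_points`, or that carries an unknown value key, is compared by position rather than by decision point id. I would build the tuple in a fixed order in both validators, `value_tuple = tuple(row.get(dp) for dp in self.decision_points if dp != self.outcome)`, and guard the increment with `if value_tuple not in counts: raise ValueError(f"Mapping row is not a valid combination: {row}")`. This assumes `dpdict_to_combination_list` yields combinations in `decision_points` order, which the hunk does not show. Neither validator has a docstring; one line each stating the invariant (no conflicting rows; every input combination mapped exactly once) would help.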
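Review bot: `Priority` is still imported as `CISA` from `ssvc.outcomes.cisa.scoring`, while the four inputs are now pinned to explicit versions and the rows in the next hunk hard-code `cisa:CISA:1.1.0`. If `CISA` is a latest-style alias, the next outcome revision would change `Priority.id` under this table without touching the file, which is the drift these import changes remove for the inputs. Importing the versioned outcome constant, if the module exports one, would complete the pin. A comment above the imports such as `# Pin decision point versions: the mapping keys below embed them.` would keep someone from switching back to `LATEST`.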
@@ -39,260 +43,266 @@ outcome=Priority.id, decision_points={ dp.id: dp - for dp in [Exploitation, Automatable, TechnicalImpact, HumanImpact, Priority] + for dp in [ + Exploitation, + Automatable, + TechnicalImpact, + MissionAndWellBeingImpact, + Priority, + ] }, mapping=[ { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T*", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", 
"ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "N", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "T*", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "T*", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T*", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + 
"cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T*", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T*", }, { "ssvc:E:1.1.0": "P", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "T", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "T", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "N", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "L", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "P", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "L", - 
"cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "L", + "cisa:CISA:1.1.0": "AT", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "M", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "M", + "cisa:CISA:1.1.0": "AC", }, { "ssvc:E:1.1.0": "A", "ssvc:A:2.0.0": "Y", "ssvc:TI:1.0.0": "T", - "ssvc:HI:2.0.1": "H", - "cisa:CISA:1.0.0": "A", + "ssvc:MWI:1.0.0": "H", + "cisa:CISA:1.1.0": "AC", }, ], ) diff --git a/src/ssvc/decision_tables/cvss/equivalence_set_five.py b/src/ssvc/decision_tables/cvss/equivalence_set_five.py index d0ed510f..67557fd9 100644 --- a/src/ssvc/decision_tables/cvss/equivalence_set_five.py +++ b/src/ssvc/decision_tables/cvss/equivalence_set_five.py @@ -30,7 +30,7 @@ from ssvc.decision_points.cvss.equivalence_set_5 import EQ5 -from ssvc.decision_points.cvss.exploit_maturity import EXPLOIT_MATURITY_2 as E +from ssvc.decision_points.cvss.exploit_maturity import EXPLOIT_MATURITY_2_NoX as E from ssvc.decision_tables.base import DecisionTable from ssvc.namespaces import NameSpace @@ -43,9 +43,9 @@ decision_points={dp.id: dp for dp in [E, EQ5]}, outcome=EQ5.id, mapping=[ - {"cvss:E:2.0.0": "U", "cvss:EQ5:1.0.0": "L"}, - {"cvss:E:2.0.0": "P", "cvss:EQ5:1.0.0": "M"}, - {"cvss:E:2.0.0": "A", "cvss:EQ5:1.0.0": "H"}, + {"cvss:E_NoX:2.0.0": "U", "cvss:EQ5:1.0.0": "L"}, + {"cvss:E_NoX:2.0.0": "P", "cvss:EQ5:1.0.0": "M"}, + {"cvss:E_NoX:2.0.0": "A", "cvss:EQ5:1.0.0": "H"}, ], ) diff --git a/src/ssvc/decision_tables/ssvc/deployer_dt.py b/src/ssvc/decision_tables/ssvc/deployer_dt.py index b93ca0fe..9b46bf42 100644 --- a/src/ssvc/decision_tables/ssvc/deployer_dt.py +++ b/src/ssvc/decision_tables/ssvc/deployer_dt.py 
@@ -22,13 +22,13 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points.ssvc.automatable import LATEST as Automatable -from ssvc.decision_points.ssvc.exploitation import LATEST as Exploitation -from ssvc.decision_points.ssvc.human_impact import LATEST as HumanImpact -from ssvc.decision_points.ssvc.system_exposure import LATEST as Exposure +from ssvc.decision_points.ssvc.automatable import AUTOMATABLE_2 as Automatable +from ssvc.decision_points.ssvc.exploitation import EXPLOITATION_1_1_0 as Exploitation +from ssvc.decision_points.ssvc.human_impact import HUMAN_IMPACT_2_0_2 as HumanImpact +from ssvc.decision_points.ssvc.system_exposure import SYSTEM_EXPOSURE_1_0_1 as Exposure from ssvc.decision_tables.base import DecisionTable, decision_table_to_longform_df from ssvc.namespaces import NameSpace -from ssvc.outcomes.ssvc.dsoi import LATEST as DSOI +from ssvc.outcomes.ssvc.dsoi import DSOI as DSOI DEPLOYER_1 = DecisionTable( namespace=NameSpace.SSVC, 
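Review bot: `from ssvc.outcomes.ssvc.dsoi import DSOI as DSOI` aliases the name to itself; unless the self-alias is meant as an explicit re-export marker, `from ssvc.outcomes.ssvc.dsoi import DSOI` says the same thing. The four decision point imports above it now name a specific version (`AUTOMATABLE_2`, `HUMAN_IMPACT_2_0_2`), but this name carries none. A reader therefore cannot tell from the import that the table is tied to the `ssvc:DSOI:1.0.0` key its rows use. A one-line comment next to the import stating the pinned version would close that gap.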
@@ -45,504 +45,504 @@ "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", 
"ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "N", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", 
"ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "D", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", 
"ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "P", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "S", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", 
"ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "C", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "S", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "N", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "L", + "ssvc:HI:2.0.2": "L", "ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "M", + "ssvc:HI:2.0.2": "M", 
"ssvc:DSOI:1.0.0": "O", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "H", + "ssvc:HI:2.0.2": "H", "ssvc:DSOI:1.0.0": "I", }, { "ssvc:E:1.1.0": "A", "ssvc:EXP:1.0.1": "O", "ssvc:A:2.0.0": "Y", - "ssvc:HI:2.0.1": "VH", + "ssvc:HI:2.0.2": "VH", "ssvc:DSOI:1.0.0": "I", }, ], diff --git a/src/ssvc/decision_tables/ssvc/human_impact.py b/src/ssvc/decision_tables/ssvc/human_impact.py index 71bea5a5..c20436ed 100644 --- a/src/ssvc/decision_tables/ssvc/human_impact.py +++ b/src/ssvc/decision_tables/ssvc/human_impact.py @@ -21,10 +21,10 @@ # subject to its own license. # DM24-0278 -from ssvc.decision_points.ssvc.human_impact import LATEST as HumanImpact -from ssvc.decision_points.ssvc.mission_impact import LATEST as MissionImpact +from ssvc.decision_points.ssvc.human_impact import HUMAN_IMPACT_2_0_2 as HumanImpact +from ssvc.decision_points.ssvc.mission_impact import MISSION_IMPACT_2 as MissionImpact from ssvc.decision_points.ssvc.safety_impact import ( - SAFETY_IMPACT_1 as SituatedSafetyImpact, + SAFETY_IMPACT_2 as SituatedSafetyImpact, ) from ssvc.decision_tables.base import DecisionTable from ssvc.namespaces import NameSpace 
@@ -42,26 +42,22 @@ }, outcome=HumanImpact.id, mapping=[ - {"ssvc:SI:1.0.0": "N", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.1": "L"}, - {"ssvc:SI:1.0.0": "N", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.1": "L"}, - {"ssvc:SI:1.0.0": "N", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.1": "M"}, - {"ssvc:SI:1.0.0": "N", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "M", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.1": "L"}, - {"ssvc:SI:1.0.0": "M", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.1": "L"}, - {"ssvc:SI:1.0.0": "M", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.1": "M"}, - {"ssvc:SI:1.0.0": "M", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "J", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.1": "M"}, - {"ssvc:SI:1.0.0": "J", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.1": "M"}, - {"ssvc:SI:1.0.0": "J", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.1": "H"}, - {"ssvc:SI:1.0.0": "J", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "H", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.1": "H"}, - {"ssvc:SI:1.0.0": "H", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.1": "H"}, - {"ssvc:SI:1.0.0": "H", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.1": "H"}, - {"ssvc:SI:1.0.0": "H", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "C", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "C", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "C", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.1": "VH"}, - {"ssvc:SI:1.0.0": "C", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.1": "VH"}, + {"ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.2": "L"}, + {"ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.2": "L"}, + {"ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.2": "M"}, + {"ssvc:SI:2.0.0": "N", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.2": "VH"}, + {"ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.2": "L"}, + {"ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.2": "L"}, + {"ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.2": "M"}, + 
{"ssvc:SI:2.0.0": "M", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.2": "VH"}, + {"ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.2": "M"}, + {"ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.2": "H"}, + {"ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.2": "H"}, + {"ssvc:SI:2.0.0": "R", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.2": "VH"}, + {"ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "D", "ssvc:HI:2.0.2": "VH"}, + {"ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "MSC", "ssvc:HI:2.0.2": "VH"}, + {"ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "MEF", "ssvc:HI:2.0.2": "VH"}, + {"ssvc:SI:2.0.0": "C", "ssvc:MI:2.0.0": "MF", "ssvc:HI:2.0.2": "VH"}, ], ) diff --git a/src/ssvc/outcomes/cisa/scoring.py b/src/ssvc/outcomes/cisa/scoring.py index 6b64bac1..3097061a 100644 --- a/src/ssvc/outcomes/cisa/scoring.py +++ b/src/ssvc/outcomes/cisa/scoring.py 
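Review bot: The new rows for Safety Impact `M` give `L`, `L`, `M` for Mission Impact `D`, `MSC`, `MEF`, while test_human_impact.py, added in this same diff, expects `M`, `M`, `H` for those inputs. The `R` rows with `D`, `MSC` or `MEF` match no branch of that test except the final `self.fail`. One side is wrong, and since this table produces the `ssvc:HI` value that deployer_dt.py consumes as an input, a row rated too low would quietly lower the resulting priority. Please reconcile the `M` and `R` rows with the written Human Impact definition, and add a short comment above the mapping stating the rule each block of rows implements.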
@@ -1,15 +1,21 @@ -# Copyright (c) 2025 Carnegie Mellon University and Contributors. -# - see Contributors.md for a full list of Contributors -# - see ContributionInstructions.md for information on how you can Contribute to this project -# Stakeholder Specific Vulnerability Categorization (SSVC) is -# licensed under a MIT (SEI)-style license, please see LICENSE.md distributed -# with this Software or contact permission@sei.cmu.edu for full terms. -# Created, in part, with funding and support from the United States Government -# (see Acknowledgments file). This program may include and/or can make use of -# certain third party source code, object code, documentation and other files -# (“Third Party Software”). See LICENSE.md for more details. -# Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the -# U.S. Patent and Trademark Office by Carnegie Mellon University +# Copyright (c) 2025 Carnegie Mellon University. +# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE +# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. +# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, +# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT +# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR +# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE +# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE +# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM +# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. +# Licensed under a MIT (SEI)-style license, please see LICENSE or contact +# permission@sei.cmu.edu for full terms. +# [DISTRIBUTION STATEMENT A] This material has been approved for +# public release and unlimited distribution. Please see Copyright notice +# for non-US Government use and distribution. +# This Software includes and/or makes use of Third-Party Software each +# subject to its own license. +# DM24-0278 """ Provides the CISA Levels outcome group for use in SSVC. """ 
@@ -35,7 +41,7 @@ _ATTEND = DecisionPointValue( name="Attend", - key="A", + key="AT", description="The vulnerability requires attention from the organization's internal, supervisory-level individuals. " "Necessary actions may include requesting assistance or information about the vulnerability and may involve publishing a notification, either internally and/or externally, about the vulnerability. " "CISA recommends remediating Attend vulnerabilities sooner than standard update timelines.", @@ -43,7 +49,7 @@ _ACT = DecisionPointValue( name="Act", - key="A", + key="AC", description="The vulnerability requires attention from the organization's internal, supervisory-level and leadership-level individuals. " "Necessary actions include requesting assistance or information about the vulnerability, as well as publishing a notification either internally and/or externally. " "Typically, internal groups would meet to determine the overall response and then execute agreed upon actions. " @@ -55,7 +61,7 @@ key="CISA", description="The CISA outcome group. " "CISA uses its own SSVC decision tree model to prioritize relevant vulnerabilities into four possible decisions: Track, Track*, Attend, and Act.", - version="1.0.0", + version="1.1.0", values=( _TRACK, _TRACK_STAR, diff --git a/src/test/decision_tables/ssvc/test_human_impact.py b/src/test/decision_tables/ssvc/test_human_impact.py new file mode 100644 index 00000000..94b9ce95 --- /dev/null +++ b/src/test/decision_tables/ssvc/test_human_impact.py 
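Review bot: The collision fixed here, `_ATTEND` and `_ACT` both carrying `key="A"`, is corrected by hand, and nothing in the visible change would stop two values of one group from sharing a key again. With the old keys an `A` outcome could not be told apart as Attend or Act, which is the difference between remediating "sooner than standard update timelines" and "as soon as possible". If the decision point base class does not already enforce unique keys, a test such as `self.assertEqual(len({v.key for v in CISA.values}), len(CISA.values))`, or the equivalent validator on the group, would catch a repeat.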
@@ -0,0 +1,65 @@
+# Copyright (c) 2025 Carnegie Mellon University.
+# NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE
+# ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS.
+# CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND,
+# EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
+# NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR
+# MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE
+# OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE
+# ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM
+# PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
+# Licensed under a MIT (SEI)-style license, please see LICENSE or contact
+# permission@sei.cmu.edu for full terms.
+# [DISTRIBUTION STATEMENT A] This material has been approved for
+# public release and unlimited distribution. Please see Copyright notice
+# for non-US Government use and distribution.
+# This Software includes and/or makes use of Third-Party Software each
+# subject to its own license.
+# DM24-0278
+
+import unittest
+
+from ssvc.decision_tables.ssvc.human_impact import HUMAN_IMPACT_1 as HI
+
+
+class MyTestCase(unittest.TestCase):
+ def setUp(self):
+ self.hi: "DecisionTable" = HI
+ self.si: str = [k for k in self.hi.decision_points.keys() if "SI" in k][0]
+ self.mi: str = [k for k in self.hi.decision_points.keys() if "MI" in k][0]
+ self.outcome: str = self.hi.outcome
+
+ def test_mapping(self):
+ for i, row in enumerate(self.hi.mapping):
+ with self.subTest(row=row):
+ self.assertIn(self.si, row)
+ self.assertIn(self.mi, row)
+ self.assertIn(self.outcome, row)
+
+ if row[self.si] == "N" and row[self.mi] in ["D", "MSC"]:
+ # Low Safety Impact:(Negligible) AND Mission Impact:(Degraded OR Crippled)
+ self.assertEqual(row[self.outcome], "L", f"row {i}: {row}")
+ elif row[self.si] == "N" and row[self.mi] == "MEF":
+ # Medium (Safety Impact:Negligible AND Mission Impact:MEF Failure)
+ self.assertEqual(row[self.outcome], "M", f"row {i}: {row}")
+ elif row[self.si] == "M" and row[self.mi] in ["D", "MSC"]:
+ # Medium OR (Safety Impact:Marginal AND Mission Impact:(Degraded OR Crippled))
+ self.assertEqual(row[self.outcome], "M", f"row {i}: {row}")
+ elif row[self.si] == "C" and row[self.mi] in ["D", "MSC"]:
+ # High (Safety Impact:Critical AND Mission Impact:(Degraded OR Crippled))
+ self.assertEqual(row[self.outcome], "H", f"row {i}: {row}")
+ elif row[self.si] == "M" and row[self.mi] == "MEF":
+ # OR (Safety Impact:Marginal AND Mission Impact:MEF Failure)
+ self.assertEqual(row[self.outcome], "H", f"row {i}: {row}")
+ elif row[self.si] == "C":
+ # Very High Safety Impact:Catastrophic
+ self.assertEqual(row[self.outcome], "VH", f"row {i}: {row}")
+ elif row[self.mi] == "MF":
+ # OR Mission Impact:Mission Failure
+ self.assertEqual(row[self.outcome], "VH", f"row {i}: {row}")
+ else:
+ self.fail(f"Unhandled combination row {i}: {row}")
+
+
+if __name__ == "__main__":
+ unittest.main()
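Review bot: `test_mapping` tests `row[self.si] == "C"` twice, first expecting `H` with `D`/`MSC` (commented as Critical) and later expecting `VH` (commented as Catastrophic). The second branch can therefore never see a `D` or `MSC` row, and the table's `C` rows, which map to `VH`, would fail the first. The table in human_impact.py also uses `R` as a Safety Impact key, which no branch handles, so `R` rows with `D`, `MSC` or `MEF` reach `self.fail`. If `R` is the Critical key, the first of the two branches should read `elif row[self.si] == "R" and row[self.mi] in ["D", "MSC"]:`, and an `R`/`MEF` case is still needed. Looking the ids up with `"SI" in k` also relies on no other decision point id containing that substring; comparing the id's middle field would be stricter.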
diff --git a/src/test/decision_tables/test_base.py b/src/test/decision_tables/test_base.py index d1efb1eb..f78d07ac 100644 --- a/src/test/decision_tables/test_base.py +++ b/src/test/decision_tables/test_base.py 
@@ -370,6 +370,56 @@ def test_single_dp_dt(self): self.assertIn(single_dt.outcome, row) self.assertIn(row[single_dt.outcome], [v.key for v in self.og.values]) + def test_should_reject_duplicate_conflicting_mappings(self): + dt = self.dt + + # dt already has a mapping, so we can just append to it + self.assertGreater(len(dt.mapping), 0, "Mapping should not be empty") + + new_row = dict(dt.mapping[0]) # copy the first row + self.assertEqual( + new_row[dt.outcome], self.ogv1.key, "First row should have outcome o1" + ) + new_row[dt.outcome] = self.ogv2.key # change the outcome to o2 + # insert it at position 1 + dt.mapping.insert(1, new_row) + + with self.assertRaises(ValueError) as context: + dt.remove_duplicate_mapping_rows() + + self.assertIn("Conflicting mappings found", str(context.exception)) + + def test_should_warn_duplicate_nonconflicting_mappings(self): + dt = self.dt + + # dt already has a mapping, so we can just append to it + self.assertGreater(len(dt.mapping), 0, "Mapping should not be empty") + + new_row = dict(dt.mapping[0]) # copy the first row + self.assertEqual( + new_row[dt.outcome], self.ogv1.key, "First row should have outcome o1" + ) + # do not change the outcome, just duplicate the row + # insert it at position 1 + dt.mapping.insert(1, new_row) + + with self.assertLogs(level="WARNING") as log: + dt.remove_duplicate_mapping_rows() + + self.assertIn("Duplicate mapping found", log.output[0]) + + def test_should_fail_on_incomplete_mapping(self): + dt = self.dt + + # dt already has a mapping, so we can just remove something from it + self.assertGreater(len(dt.mapping), 0, "Mapping should not be empty") + dt.mapping = dt.mapping[:-1] # remove the last row + + with self.assertRaises(ValueError) as context: + dt.check_mapping_coverage() + + self.assertIn("Mapping is incomplete", str(context.exception)) + if __name__ == "__main__": unittest.main()
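Review bot: `test_should_warn_duplicate_nonconflicting_mappings` asserts only the log line, not that the duplicate row was actually dropped, so a regression that logs and keeps the row would still pass. Record `before = len(dt.mapping)` ahead of the `insert` and add `self.assertEqual(before, len(dt.mapping))` after the `with` block. `assertLogs(level="WARNING")` with no logger argument also accepts a warning from any logger; naming the module's logger would tie the assertion to this validator. All three tests mutate `self.dt` in place, which is safe only if `setUp` builds a fresh table per test (not visible in this hunk).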