Calculate and display the Weighted Value Index (WVI) #898
Comments
Do the expressions [{10 * (#Cat 1 findings) / (#Cat 1 checks)} + {4 * (#Cat 2 findings) / (#Cat 2 checks)} + {(#Cat 3 findings) / (#Cat 3 checks)}] / 15 |
|
That is correct - (# Cat 1) represents the number of Category 1 findings.
I think the tricky part is finding the total number of CAT 1 (or 2, or 3) checks for the asset category (collection)
For example, we might have 1000 Windows 10 laptops on site. We create a collection that includes the STIG checklists for Windows 10, Adobe Acrobat, Chrome, IE11, and various Microsoft office products. To get the Weighted Findings Average, STIG manager would need to calculate the percent open by dividing the total number of open CAT 1 findings by the total possible CAT 1 checks for each unique STIG represented in the collection. The repeat for CAT 2 & CAT 3 findings.
Hope this makes sense!
I appreciate you taking a look at my request so quickly.
Feel free to contact me if there are questions.
Keith Ramsey
Cybersecurity Officer
AEDC/TSDIC Cyber Security Section
DSN: 312-340-5058
COM: 931-454-5058
***@***.***
***@***.***
…-----Original Message-----
From: csmig ***@***.***>
Sent: Wednesday, January 18, 2023 11:40
To: NUWCDIVNPT/stig-manager ***@***.***>
Cc: RAMSEY, KEITH W CIV USAF AFMC AEDC/TSDIC ***@***.***>; Author ***@***.***>
Subject: [URL Verdict: Neutral][Non-DoD Source] Re: [NUWCDIVNPT/stig-manager] FEATURE REQUEST: (Issue #898)
[{10 * (#Cat 1) / (#Cat 1 checks)} + {4 * (#Cat 2) / (#Cat 2 checks)} + {(#Cat 3) / (#Cat 3 checks)}] / 15
Do the expressions (#Cat 1) etc. represent the count of findings at that severity? In other words, can we write:
[{10 * (#Cat 1 findings) / (#Cat 1 checks)} + {4 * (#Cat 2 findings) / (#Cat 2 checks)} + {(#Cat 3 findings) / (#Cat 3 checks)}] / 15
—
Reply to this email directly, view it on GitHub <#898 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/A5J4FXFNRZ4D5ZRMNC4GYGTWTATHFANCNFSM6AAAAAAT6ITMWQ> .
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/A5J4FXH6A2XF5ODCAO7Y25TWTATHFA5CNFSM6AAAAAAT6ITMWSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTSSWMDM2.gif> Message ID: ***@***.***>
|
|
Yes, the calculation makes sense. Our sponsor is considering whether to incorporate scoring models directly in the tool, so I can't say for sure this exact calculation would end up in the bundled UI. But we would like our API endpoints to support third-party tools that implement scoring systems. To support this calculation efficiently, we would need to make some adjustments. Currently the API allows clients to fetch metrics aggregated by many parameters, including the ones you mention. However, these endpoints only report the total count of checks applicable to the aggregation. I think we should break out those numbers by severity (low, medium, high, aka Cat 3, 2, 1). This aligns with some of our current efforts, so the API changes will probably happen fairly soon. I'll tag this issue as things progress. |
csmig
changed the title
|
Thanks! Looking forward to the updates!
v/r
Keith
Keith Ramsey
Cybersecurity Officer
AEDC/TSDIC Cyber Security Section
DSN: 312-340-5058
COM: 931-454-5058
***@***.***
***@***.***
…-----Original Message-----
From: csmig ***@***.***>
Sent: Wednesday, January 18, 2023 17:11
To: NUWCDIVNPT/stig-manager ***@***.***>
Cc: RAMSEY, KEITH W CIV USAF AFMC AEDC/TSDIC ***@***.***>;
Author ***@***.***>
Subject: [URL Verdict: Neutral][Non-DoD Source] Re:
[NUWCDIVNPT/stig-manager] FEATURE REQUEST: (Issue #898)
Yes, the calculation makes sense.
Our sponsor is considering whether to incorporate scoring models directly in
the tool, so I can't say for sure this exact calculation would end up in the
bundled UI. But we would like our API endpoints to support third-party tools
that implement scoring systems. To support this calculation efficiently, we
would need to make some adjustments.
Currently the API allows clients to fetch metrics aggregated by many
parameters, including the ones you mention. However, these endpoints only
report the total count of checks applicable to the aggregation. I think we
should break out those numbers by severity (low, medium, high, aka Cat 3, 2,
1).
This aligns with some of our current efforts, so the API changes will
probably happen fairly soon. I'll tag this issue as things progress.
�
Reply to this email directly, view it on GitHub
<#898 (comment)
31> , or unsubscribe
<https://github.com/notifications/unsubscribe-auth/A5J4FXG4SYLYJ2KTWYILGLDWT
BZ7FANCNFSM6AAAAAAT6ITMWQ> .
You are receiving this because you authored the thread.
<https://github.com/notifications/beacon/A5J4FXFROULW544CSII2O33WTBZ7FA5CNFS
M6AAAAAAT6ITMWSWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTS
THCGJG.gif> Message ID:
***@***.***>
|
Request that STIG Manager calculate and display the Weighter Value Index (WVI) used by Joint Force Headquarters DODIN (JFHQ-DODIN) Command Cyber Readiness Inspections (CCRI).
The calculation is:
[{10 * (#Cat 1) / (#Cat 1 checks)} + {4 * (#Cat 2) / (#Cat 2 checks)} + {(#Cat 3) / (#Cat 3 checks)}] / 15
The calculation can be run against a particular STIG checklist (e.g. Windows 10) or an aggregate of checklists (e.g. Layer 2 switch using L2S and NDM STIGS)
Thanks
v/r
Keith Ramsey
Cybersecurity Officer
Arnold AFB, TN
The text was updated successfully, but these errors were encountered: