CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

Add decision points based on CISA SSVC #357

Closed ahouseholder closed 7 months ago

ahouseholder commented 11 months ago

Based on https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf

I'm not going to duplicate a few pages of that doc in this issue. But this issue is recommending that we consider modeling the following items defined in that doc as decision points:

| Decision Point | Values |
| --- | --- |
| Public Well-Being Impact | Minimal, Material, Irreversible |
| Mission Prevalence | Minimal, Support, Essential |

These then get rolled into a combo named Mission and Well-Being Impact, which we could also model:

| Decision Point | Values |
| --- | --- |
| Mission and Well-Being Impact | Low, Medium, High |

These are similar to existing SSVC decision points Safety Impact, Mission Impact, and Human Impact, but seem distinct enough that maybe they should be represented separately. Or, maybe I'm misremembering history but they might actually reflect earlier versions of those things and so we should maybe adjust the version numbers on our existing ones to reflect that and add these as whatever the current version is -1.

So those are open questions:

Even if they turn out to be just older versions of the same concepts, we should probably still model them to reflect the evolution path for when anyone using CISA's decision points wants to upgrade to newer decision points representing similar concepts.
There is a section on Mitigation Status that I do not understand, as it's not represented in the decision tree later in the doc, nor does it resolve into a single dimension or combination as with Mission and Well-Being Impact. Nevertheless, for recording purposes, it appears to have three substates each with two values:

| Decision Point | Values |
| --- | --- |
| Minimal | Available, Unavailable |
| System change difficulty | Low, High |
| Type | Fix, Workaround |

It's certainly trivial to copy and paste words out of that doc into the data structures to represent these last three as decision points, but we'd have to rename them to have clearer meaning (e.g., Minimal is not a dimension, and Type would have to at least be "Mitigation Type"). Regardless, I don't see how these three items are rolled up into something representing Mitigation Status or what its possible values are.

Perhaps we could get clarification from CISA on this.
My reading is that Technical Impact and Automatable are used consistently with what we already have.
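One way to model the two single-dimension points above and their roll-up into Mission and Well-Being Impact, as an added example that is not the SSVC project's own code: the roll-up table is a constructed placeholder (the issue does not reproduce CISA's table), and the version strings are assumed.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class DecisionPoint:
    """Single-dimension decision point; values ordered least to most severe."""
    name: str
    version: str
    values: tuple

@dataclass
class CombinedDecisionPoint:
    """Decision point whose value is looked up from the values of its inputs."""
    name: str
    version: str
    inputs: tuple   # the DecisionPoints it rolls up
    values: tuple   # its own ordered values
    table: dict     # (input value, ...) -> combined value

    def is_complete(self):
        # every combination of input values must resolve to a combined value
        return all(c in self.table for c in product(*(dp.values for dp in self.inputs)))

    def evaluate(self, *chosen):
        if len(chosen) != len(self.inputs):
            raise ValueError(f"{self.name} expects {len(self.inputs)} inputs")
        for dp, value in zip(self.inputs, chosen):
            if value not in dp.values:
                raise ValueError(f"{value!r} is not a value of {dp.name}")
        return self.table[tuple(chosen)]

# The two single-dimension points proposed in the issue (version strings assumed).
PUBLIC_WELL_BEING = DecisionPoint("Public Well-Being Impact", "1.0.0",
                                  ("Minimal", "Material", "Irreversible"))
MISSION_PREVALENCE = DecisionPoint("Mission Prevalence", "1.0.0",
                                   ("Minimal", "Support", "Essential"))

def constructed_rollup_table():
    """PLACEHOLDER roll-up: the issue does not reproduce CISA's table, so this
    constructed mapping lets the more severe of the two inputs decide."""
    levels = ("Low", "Medium", "High")
    table = {}
    for mp, wb in product(MISSION_PREVALENCE.values, PUBLIC_WELL_BEING.values):
        rank = max(MISSION_PREVALENCE.values.index(mp), PUBLIC_WELL_BEING.values.index(wb))
        table[(mp, wb)] = levels[rank]
    return table

MISSION_AND_WELL_BEING = CombinedDecisionPoint(
    "Mission and Well-Being Impact", "1.0.0",
    (MISSION_PREVALENCE, PUBLIC_WELL_BEING), ("Low", "Medium", "High"),
    constructed_rollup_table())
```

Replacing `constructed_rollup_table()` with CISA's published table is the only change needed once that mapping is confirmed; `is_complete()` then checks that every input combination is covered.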


j--- commented 10 months ago

Given my understanding of the versioning rules in #350, I think I can answer these questions.

Is Public Well-Being Impact an earlier version of Public Safety Impact or is it just something distinct?

Yes, earlier version.

Is Mission Prevalence an earlier version of Mission Impact or is it something distinct?

I think the switch from prevalence to impact is semantically relevant. It could be modeled as a version of Mission Impact, but I think actually MP is the sort of thing a CSIRT or ISAC could ask about their constituents as a whole, whereas MI is something an individual organization (so, deployer) could ask about their internal processes and impacts.

Is Mission and Well-Being Impact an earlier version of Human Impact or something distinct?

The difference between mission impact and mission prevalence notwithstanding, I would say that Mission and Well-Being Impact is a version of Human Impact.

How are Minimal, System Change Difficulty, and Type reflected in a decision?

They aren't reflected in the initial triage decision. They may be used in later follow-on actions (which are not formalized or discussed in the SSVC doc).

Is there a roll-up Mitigation Status decision point that somehow combines these? If so, how?

No, I don't think so.