Model National Cyber Incident Scoring System (NCISS)

[ahouseholder]

Describe the solution you'd like

CISA has developed a National Cyber Incident Scoring System. It's a numerical function, but its spec contains a number of ordered categorical lists that could be useful to include in the SSVC vocabulary.

Additional context

This could help us expand applicability of SSVC beyond pure vulnerability response and increase its ability to model vulnerability response in the face of adversarial activity as expressed in incident data.

[ahouseholder]

I have a work-in-progress branch that models a few of the NCISS parameters as decision points. Without more detail on the other criteria it's hard to know how to model them. The unmodeled categories include:

• Functional Impact
• Observed Activity
• Actor Characterization
• Information Impact
• Cross-Sector Dependency
• Potential Impact

There may be resources other than the NICSS PDF that provide more details, but I'm unaware of any at the moment.

Meanwhile, here are some screenshots of what is in the current branch.

[ahouseholder]

Additional references:

• US-CERT Federal Incident Notification Guidelines contains additional details on Functional Impact and Information Impact https://www.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf
• Cyber Threat Framework describes Observed Activity categories e.g., https://info.publicintelligence.net/ODNI-CyberThreatFramework.pdf