Merge pull request #347 from intuitem/hotfix/score_nist_csf_1.1

add score migration for NIST CSF 1.1

backend/app_tests/api/test_api_compliance_assessments.py

@@ -124,8 +124,8 @@ def test_get_compliance_assessments(self, test):
                 "framework": {
                     "id": str(Framework.objects.all()[0].id),
                     "str": str(Framework.objects.all()[0]),
-                    "min_score": 0,
-                    "max_score": 100,
+                    "min_score": 1,
+                    "max_score": 4,
                 },
             },
             user_group=test.user_group,

backend/app_tests/api/test_api_requirement_assessments.py

@@ -202,7 +202,7 @@ def test_update_requirement_assessments(self, test):
                 "compliance_assessment": str(compliance_assessment2.id),
                 "requirement": str(RequirementNode.objects.all()[1].id),
                 "applied_controls": [str(applied_control.id)],
-                "score": 50,
+                "score": 3,
             },
             {
                 "folder": {"id": str(test.folder.id), "str": test.folder.name},

backend/core/migrations/0011_auto_20240501_1342.py

@@ -0,0 +1,44 @@
+# Generated by Django 5.0.4 on 2024-05-01 13:42
+# well-known scores added manually
+
+from django.db import migrations
+
+
+WELL_KNOWN_SCORES = {
+    "urn:intuitem:risk:framework:tisax-v6.0.2": (0, 5),
+    "urn:intuitem:risk:framework:ccb-cff-2023-03-01": (1, 5),
+    "urn:intuitem:risk:framework:nist-csf-2.0": (1, 4),
+    "urn:intuitem:risk:framework:nist-csf-1.1": (1, 4),
+}
+
+
+def fix_well_known_scores(apps, schema_editor):
+    Framework = apps.get_model("core", "Framework")
+    ComplianceAssessment = apps.get_model("core", "ComplianceAssessment")
+    for framework in Framework.objects.all():
+        if framework.urn in WELL_KNOWN_SCORES:
+            (framework.min_score, framework.max_score) = WELL_KNOWN_SCORES[
+                framework.urn
+            ]
+            framework.save()
+            print("custom migration for", framework.urn)
+    for assessment in ComplianceAssessment.objects.all():
+        if assessment.framework.urn in WELL_KNOWN_SCORES:
+            (assessment.min_score, assessment.max_score) = WELL_KNOWN_SCORES[
+                assessment.framework.urn
+            ]
+            print("custom migration for", assessment.framework.urn)
+        else:
+            # no default value, so fix it now
+            (assessment.min_score, assessment.max_score) = (0, 100)
+        assessment.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("core", "0010_rename_score_definition_framework_scores_definition_and_more"),
+    ]
+
+    operations = [
+        migrations.RunPython(fix_well_known_scores),
+    ]

backend/library/libraries/nist-csf-1.1.yaml

@@ -5,7 +5,7 @@ name: NIST CSF version 1.1
 description: National Institute of Standards and Technology - Cybersecurity Framework
 copyright: With the exception of material marked as copyrighted, information presented
   on NIST sites are considered public information and may be distributed or copied.
-version: 1
+version: 2
 provider: NIST
 packager: intuitem
 objects:
@@ -14,6 +14,39 @@ objects:
     ref_id: NIST-CSF-1.1
     name: NIST CSF v1.1
     description: NIST Cybersecurity Framework
+    min_score: 1
+    max_score: 4
+    scores_definition:
+    - score: 1
+      name: Partial
+      description: 'Application of the organizational cybersecurity risk strategy
+        is managed in an ad hoc manner.
+
+        There is limited awareness of cybersecurity risks at the organizational level.'
+    - score: 2
+      name: Risk informed
+      description: 'Risk management practices are approved by management but may not
+        be established as organization-wide policy.
+
+        There is an awareness of cybersecurity risks at the organizational level,
+        but an organization-wide approach to managing cybersecurity risks has not
+        been established.'
+    - score: 3
+      name: Repeatable
+      description: "The organization\u2019s risk management practices are formally\
+        \ approved and expressed as policy.\nOrganizational cybersecurity practices\
+        \ are regularly updated based on the application of risk management processes\
+        \ to changes in business/mission requirements, threats, and technological\
+        \ landscape."
+    - score: 4
+      name: Adaptive
+      description: 'There is an organization-wide approach to managing cybersecurity
+        risks that uses risk-informed policies, processes, and procedures to address
+        potential cybersecurity events.
+
+        The organization adapts its cybersecurity practices based on previous and
+        current cybersecurity activities, including lessons learned and predictive
+        indicators.'
     requirement_nodes:
     - urn: urn:intuitem:risk:req_node:nist-csf-1.1:id
       assessable: false

backend/library/utils.py

@@ -315,11 +315,6 @@ def import_framework(self, library_object: Library):
             default_locale=library_object.default_locale,  # Change this in the future ?
             is_published=True,
         )
-        print("framework_object1", self.framework_data.get("scores_definition"))
-        print(
-            "framework_object2",
-            self.framework_data.get("implementation_groups_definition"),
-        )
         for requirement_node in self._requirement_nodes:
             requirement_node.import_requirement_node(framework_object)