diff --git a/backend/app_tests/api/test_api_compliance_assessments.py b/backend/app_tests/api/test_api_compliance_assessments.py
index fe31ea063..29982009c 100644
--- a/backend/app_tests/api/test_api_compliance_assessments.py
+++ b/backend/app_tests/api/test_api_compliance_assessments.py
@@ -124,8 +124,8 @@ def test_get_compliance_assessments(self, test):
 "framework": {
 "id": str(Framework.objects.all()[0].id),
 "str": str(Framework.objects.all()[0]),
- "min_score": 0,
- "max_score": 100,
+ "min_score": 1,
+ "max_score": 4,
 },
 },
 user_group=test.user_group,
diff --git a/backend/app_tests/api/test_api_requirement_assessments.py b/backend/app_tests/api/test_api_requirement_assessments.py
index 6f7c172c1..94523616c 100644
--- a/backend/app_tests/api/test_api_requirement_assessments.py
+++ b/backend/app_tests/api/test_api_requirement_assessments.py
@@ -202,7 +202,7 @@ def test_update_requirement_assessments(self, test):
 "compliance_assessment": str(compliance_assessment2.id),
 "requirement": str(RequirementNode.objects.all()[1].id),
 "applied_controls": [str(applied_control.id)],
- "score": 50,
+ "score": 3,
 },
 {
 "folder": {"id": str(test.folder.id), "str": test.folder.name},
diff --git a/backend/core/migrations/0011_auto_20240501_1342.py b/backend/core/migrations/0011_auto_20240501_1342.py
new file mode 100644
index 000000000..ba95785f3
--- /dev/null
+++ b/backend/core/migrations/0011_auto_20240501_1342.py
@@ -0,0 +1,44 @@
+# Generated by Django 5.0.4 on 2024-05-01 13:42
+# well-known scores added manually
+
+from django.db import migrations
+
+
+WELL_KNOWN_SCORES = {
+ "urn:intuitem:risk:framework:tisax-v6.0.2": (0, 5),
+ "urn:intuitem:risk:framework:ccb-cff-2023-03-01": (1, 5),
+ "urn:intuitem:risk:framework:nist-csf-2.0": (1, 4),
+ "urn:intuitem:risk:framework:nist-csf-1.1": (1, 4),
+}
+
+
+def fix_well_known_scores(apps, schema_editor):
+ Framework = apps.get_model("core", "Framework")
+ ComplianceAssessment = apps.get_model("core", "ComplianceAssessment")
+ for framework in Framework.objects.all():
+ if framework.urn in WELL_KNOWN_SCORES:
+ (framework.min_score, framework.max_score) = WELL_KNOWN_SCORES[
+ framework.urn
+ ]
+ framework.save()
+ print("custom migration for", framework.urn)
+ for assessment in ComplianceAssessment.objects.all():
+ if assessment.framework.urn in WELL_KNOWN_SCORES:
+ (assessment.min_score, assessment.max_score) = WELL_KNOWN_SCORES[
+ assessment.framework.urn
+ ]
+ print("custom migration for", assessment.framework.urn)
+ else:
+ # no default value, so fix it now
+ (assessment.min_score, assessment.max_score) = (0, 100)
+ assessment.save()
+
+
+class Migration(migrations.Migration):
+ dependencies = [
+ ("core", "0010_rename_score_definition_framework_scores_definition_and_more"),
+ ]
+
+ operations = [
+ migrations.RunPython(fix_well_known_scores),
+ ]
diff --git a/backend/library/libraries/nist-csf-1.1.yaml b/backend/library/libraries/nist-csf-1.1.yaml
index 254c9feb5..de2cefa6c 100644
--- a/backend/library/libraries/nist-csf-1.1.yaml
+++ b/backend/library/libraries/nist-csf-1.1.yaml
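Review bot: The data migration rewrites each compliance assessment's min_score/max_score but never touches the requirement-assessment scores recorded under the old range, so an existing NIST CSF assessment keeps a value like `score: 50` (the value the updated test replaces with `3`) while its range shrinks to 1–4, leaving stored data silently out of bounds. Whether such scores should be rescaled, clamped or reset to null is a product decision, but the migration should at least detect them — for example count scores outside the new bounds per framework and print that alongside the existing "custom migration for" line — rather than leave them for the UI to trip over. Two smaller points: the `else` branch unconditionally overwrites every other assessment with `(0, 100)` even when its framework already carries its own range, so copying `assessment.framework.min_score` / `max_score` looks safer if the Framework columns are always populated (I cannot confirm that from the hunk), and `assessment.framework.urn` inside the loop issues one query per row, so iterate `ComplianceAssessment.objects.select_related("framework")`. Finally, `migrations.RunPython(fix_well_known_scores)` has no reverse callable, which makes the migration irreversible; `migrations.RunPython(fix_well_known_scores, reverse_code=migrations.RunPython.noop)` keeps `migrate core 0010` working.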
@@ -5,7 +5,7 @@ name: NIST CSF version 1.1
 description: National Institute of Standards and Technology - Cybersecurity Framework
 copyright: With the exception of material marked as copyrighted, information presented on NIST sites are considered public information and may be distributed or copied.
-version: 1
+version: 2
 provider: NIST
 packager: intuitem
 objects:
@@ -14,6 +14,39 @@ objects:
 ref_id: NIST-CSF-1.1
 name: NIST CSF v1.1
 description: NIST Cybersecurity Framework
+ min_score: 1
+ max_score: 4
+ scores_definition:
+ - score: 1
+ name: Partial
+ description: 'Application of the organizational cybersecurity risk strategy
+ is managed in an ad hoc manner.
+
+ There is limited awareness of cybersecurity risks at the organizational level.'
+ - score: 2
+ name: Risk informed
+ description: 'Risk management practices are approved by management but may not
+ be established as organization-wide policy.
+
+ There is an awareness of cybersecurity risks at the organizational level,
+ but an organization-wide approach to managing cybersecurity risks has not
+ been established.'
+ - score: 3
+ name: Repeatable
+ description: "The organization\u2019s risk management practices are formally\
+ \ approved and expressed as policy.\nOrganizational cybersecurity practices\
+ \ are regularly updated based on the application of risk management processes\
+ \ to changes in business/mission requirements, threats, and technological\
+ \ landscape."
+ - score: 4
+ name: Adaptive
+ description: 'There is an organization-wide approach to managing cybersecurity
+ risks that uses risk-informed policies, processes, and procedures to address
+ potential cybersecurity events.
+
+ The organization adapts its cybersecurity practices based on previous and
+ current cybersecurity activities, including lessons learned and predictive
+ indicators.'
 requirement_nodes:
 - urn: urn:intuitem:risk:req_node:nist-csf-1.1:id
 assessable: false
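Review bot: `min_score: 1` / `max_score: 4` added to the framework object must stay in agreement with the `(1, 4)` the companion data migration hard-codes for `urn:intuitem:risk:framework:nist-csf-1.1`, because fresh installs take the range from this library while already-migrated installs get it from the migration, and any drift between the two would silently give the two populations different scales for the same framework. A short comment next to the keys, `# keep in sync with core/migrations/0011 WELL_KNOWN_SCORES`, makes that coupling visible to whoever next edits the range or the maturity-tier text. On style, the score 3 description is a double-quoted, backslash-continued scalar carrying `\u2019` while the other three are single-quoted blocks; emitting all four with one scalar style (a `|` literal block would also preserve the intended paragraph breaks without escapes) would make the file easier to review and diff.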
diff --git a/backend/library/utils.py b/backend/library/utils.py
index 5ec9da18e..66a737df2 100644
--- a/backend/library/utils.py
+++ b/backend/library/utils.py
@@ -315,11 +315,6 @@ def import_framework(self, library_object: Library):
 default_locale=library_object.default_locale, # Change this in the future ?
 is_published=True,
 )
- print("framework_object1", self.framework_data.get("scores_definition"))
- print(
- "framework_object2",
- self.framework_data.get("implementation_groups_definition"),
- )
 for requirement_node in self._requirement_nodes:
 requirement_node.import_requirement_node(framework_object)
diff --git a/tools/nist/nist-csf-1.1-en.xlsx b/tools/nist/nist-csf-1.1-en.xlsx
deleted file mode 100644
index 4b88d346b..000000000
Binary files a/tools/nist/nist-csf-1.1-en.xlsx and /dev/null differ
diff --git a/tools/nist/nist-csf-1.1.xlsx b/tools/nist/nist-csf-1.1.xlsx
new file mode 100644
index 000000000..0157cf18a
Binary files /dev/null and b/tools/nist/nist-csf-1.1.xlsx differ