Cyber Readiness Introduction
Your Cyber Readiness scores (sometimes referred to in the US federal government as Command Cyber Readiness Inspection, or CCRI) are weighted scores that show your risk tolerance and overall risk score across sets of data. The cyber readiness scores are used to determine cyber hygiene and health. Sometimes the scores are also used to determine whether you are allowed to stay live and connected!
The weights are set per type of vulnerability in each of the 3 categories in OpenRMF® Professional: checklists, devices/patches, and other technologies (software, containers, etc.). There are then 4 groupings for an overall rating in that particular area.
General Cyber Readiness Score Calculations (v2.0)
The scores are calculated from the weights you specify per type of data (checklist, patch, technology). The overall score is then matched against your Excellent / Good / Poor / Fail type of scale based on minimum score, maximum score, and maximum critical vulnerabilities (if specified). You can specify different weights for the type and severity of the data. Based on your 4 rating specifications, the overall score is then shown with the data. The settings are shown at the end of this area below.
In general, the calculations are performed like this:
- the number of critical vulnerabilities for each source (device, project) is multiplied by the weight number for that particular vulnerability severity
- the number of high vulnerabilities for each source (checklist, device, project) is multiplied by the weight number for that particular vulnerability severity
- the number of medium vulnerabilities for each source (checklist, device, project) is multiplied by the weight number for that particular vulnerability severity
- the number of low vulnerabilities for each source (checklist, device, project) is multiplied by the weight number for that particular vulnerability severity
- the Readiness Score on each line is calculated by taking the totals mentioned above and dividing by the SUM of all the weights for that category of data
For example, if you had 1 checklist with 2 high, 3 medium, and 5 low open vulnerabilities, using the default cyber readiness weight settings:
(2 high * weight of 7.0) + (3 medium * weight of 4.0) + (5 low * weight of 1.0)
/
sum of weights (7.0 + 4.0 + 1.0)
For this checklist, the readiness score would be (14 + 12 + 5) / 12 = 2.58.
To get a total for the checklists, you would add up all of the individual scores like above, and then divide by the number of checklists within that system package.
This scoring of Cyber Readiness is the version 2.0 method of CCRI scoring.
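The calculation above as a runnable sketch, added here as an illustration and not OpenRMF® Professional's own code. The checklist weights are the defaults quoted in the example; the critical weight, the rating bands, and the rule that a rating matches only when the score is in range and the critical count is within any cap are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Checklist weights are the defaults quoted in the worked example above.
CHECKLIST_WEIGHTS = {"high": 7.0, "medium": 4.0, "low": 1.0}
# Constructed device weights: the page does not state the critical weight.
DEVICE_WEIGHTS = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}

@dataclass
class Rating:
    name: str
    min_score: float
    max_score: float
    max_criticals: Optional[int] = None  # blank in the settings means no cap

# Constructed bands, ordered best to worst; not the product defaults.
RATINGS = [
    Rating("Excellent", 0.0, 2.0, 0),
    Rating("Good", 2.0, 5.0, 2),
    Rating("Poor", 5.0, 10.0, 5),
    Rating("Fail", 10.0, float("inf")),
]

def readiness_score(counts, weights):
    """Weighted open-vulnerability total divided by the sum of the weights."""
    unknown = set(counts) - set(weights)
    if unknown:
        raise ValueError(f"no weight for severity: {sorted(unknown)}")
    total = sum(counts.get(sev, 0) * w for sev, w in weights.items())
    return total / sum(weights.values())

def category_score(sources, weights):
    """Average of the per-source scores (e.g. all checklists in a package)."""
    if not sources:
        return 0.0
    return sum(readiness_score(c, weights) for c in sources) / len(sources)

def rate(score, criticals=0, ratings=RATINGS):
    """First band whose score range and critical cap both hold (assumed rule)."""
    for r in ratings:
        in_range = r.min_score <= score < r.max_score
        under_cap = r.max_criticals is None or criticals <= r.max_criticals
        if in_range and under_cap:
            return r.name
    return ratings[-1].name  # nothing matched: fall through to the worst band
```

With these constructed bands, the checklist from the example scores 2.58 and rates "Good", while a low score that exceeds a band's critical cap falls through to "Fail".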
Cyber Readiness Settings
There is a default setting at the Administration level per installation. These settings can be updated and saved at the site-wide level in the Administration menu, or at the individual system package level. Any system package without defined cyber readiness settings uses the installation’s site-wide settings.
If you have the settings saved at the system package level and want to remove them and go back to the default site-wide settings, click the “Delete & Use Defaults” button to reset the settings.
Notes on the cyber readiness settings:
- the weights and rating score minimum and maximum are decimal values
- the maximum criticals can be blank, or be an integer
- the colors are set using the color picker and saved for web-display only
- the settings are shown in the XLSX export to ensure the ratings and weights are known while viewing the data