Generating Your Cyber Readiness Scores

From the System Package dashboard you can click the Documentation menu near the top right and choose the Cyber Readiness menu option. This takes you to the Cyber Readiness screens for your system package, showing scores and settings as well as your overall ratings per area.

Introduction

Your Cyber Readiness scores (sometimes in US federal government referred to as Command Cyber Readiness Inspection or CCRI) are weighted scores to show your risk tolerance and overall risk score based across sets of data. The cyber readiness scores are used to determine cyber hygiene and health. Sometimes the scores are used to determine if you are allowed to stay live and connected as well!

The weights are set per type of vulnerability in 1 of the 3 categories in OpenRMF^® Professional for checklists, devices/patches, and other technologies (software, containers, etc.). And then there are 4 groupings for an overall rating in that particular area.

General Cyber Readiness Score Calculations

The scores are calculated based on your specified weights per type of data (checklist, patch, technology). Then the overall score is matched against your Excellent / Good / Poor / Fail type of scale based on minimum score, maximum score, and maximum critical vulnerabilities (if specified). You can specify different weights for the type and severity of the data. And then based on your 4 rating specifications, the overall score is shown with the data. The settings are shown at the end of this area below.

In general, the calculations are performed like this:

• the number of critical vulnerabilities for each source (device, project) are multiplied by the critical weight number for that particular vulnerability severity
• the number of high vulnerabilities for each source (checklist, device, project) are multiplied by the critical weight number for that particular vulnerability severity
• the number of medium vulnerabilities for each source (checklist, device, project) are multiplied by the critical weight number for that particular vulnerability severity
• the number of low vulnerabilities for each source (checklist, device, project) are multiplied by the critical weight number for that particular vulnerability severity
• the Readiness Score on each line is calculated by taking the totals mentioned above and dividing by the SUM of all the weights for that category of data

For example if you had 1 checklist that had 2 high, 3 medium, and 5 low open vulnerabilities using the default cyber readiness weight settings:

(2 high * weight of 7.0) + (3 medium * weight of 4.0) + (5 low * weight of 1.0)
/
sum of weights (7.0 + 4.0 + 1.0)

For this checklist, the readiness score would be (14 + 12 + 5) / 12 = 2.58.

To get a total for the checklists, you would add up all of the individual scores like above, and then divide by the number of checklists within that system package.

Overall Cyber Readiness Rating

The overall cyber readiness rating will use the total calculations for that area, and then compare them to the 4 ratings allowed based on the score and maximum critical vulnerabilities allowed. (For checklists, it is the maximum number of High vulnerabilities allowed).

For each section, there is a calculated total cyber readiness score based on your most recent data for the areas being viewed. The rating is shown in decimal form and color coded to match the settings. The ratings show the label and color, background color, as well as the minimum and maximum score allowed and maximum critical items.

Checklist / Compliance Readiness

Your list of all checklists for your system package are shown, and for each one the checklist and compliance weights (High, Medium, Low) are shown with a total score per checklist. For the overall readiness score, the individual checklist scores are added together and divided by the total number of checklists in your system package.

Patch Vulnerability Readiness

Your list of all devices for your system package are shown, and for each one the patch weights (Critical, High, Medium, Low) are shown with a total score per device. For the overall readiness score, the individual device scores are added together and divided by the total number of devices in your system package.

Technology Vulnerability Readiness

Your list of all technology projects (category/source/project) for your system package are shown, and for each one the patch weights (Critical, High, Medium, Low) are shown with a total score per project. For the overall readiness score, the individual project scores are added together and divided by the total number of projects in your system package.

Exporting Your Cyber Readiness Scores

Note that the spreadsheet has multiple sheets or tabs at the bottom. This shows grouping checklist cyber readiness data by host and by checklist type. It also shows grouping patch cyber readiness data by operating system. And the technology readiness by category and source as well.

Cyber Readiness Settings

There is a default setting at the Administration level per installation. These settings can be updated and saved at the site-wide level in the Administration menu. Or they can be done at the individual system package level. Any system package without defined cyber readiness settings uses the installation’s site-wide settings.

If you have the settings saved at the system package level and want to remove them and go back to the default site-wide settings, click the “Delete & Use Defaults” button to reset the settings.

Notes on the cyber readiness settings:

• the weights and rating score minimum and maximum are decimal values
• the maximum criticals can be blank, or be an integer
• the colors are set using the color picker and saved for web-display only
• the settings are shown in the XLSX export to ensure the ratings and weights are known while viewing the data