Merge branch 'feature/fix-246' of https://github.com/CERTCC/SSVC into feature/fix-246

* 'feature/fix-246' of https://github.com/CERTCC/SSVC:
  add subsubsection header for tree versioning
  Update link to SSVC_Provision.schema.json
  Update link to SSVC_Computed.schema.json
  Update 055_decision-points_2.md (#250)
  Two small typo fixes (#253)
  Replace Utility with Automatable in Deployer tree (#248)
  Add detail about customization, tree sharing, and decision point scope (#242)
  add text to point ahead to "Information Changes over Time"
  bulletize list

# Conflicts:
#	ssvc-calc/SSVC_Computed.schema.json
#	ssvc-calc/SSVC_Provision.schema.json
ahouseholder committed Jun 30, 2023
2 parents 257ace6 + dbe045b commit 33e0c5a
Showing 18 changed files with 1,072 additions and 564 deletions.
73 changes: 73 additions & 0 deletions data/csvs/deployer-options_v2_1.csv
@@ -0,0 +1,73 @@
row,Exploitation,Exposure,Automatable,Human Impact,Priority
1,none,small,no,low,defer
2,none,small,no,medium,defer
3,none,small,no,high,scheduled
4,none,small,no,very high,scheduled
5,none,small,yes,low,defer
6,none,small,yes,medium,scheduled
7,none,small,yes,high,scheduled
8,none,small,yes,very high,scheduled
9,none,controlled,no,low,defer
10,none,controlled,no,medium,scheduled
11,none,controlled,no,high,scheduled
12,none,controlled,no,very high,scheduled
13,none,controlled,yes,low,scheduled
14,none,controlled,yes,medium,scheduled
15,none,controlled,yes,high,scheduled
16,none,controlled,yes,very high,scheduled
17,none,open,no,low,defer
18,none,open,no,medium,scheduled
19,none,open,no,high,scheduled
20,none,open,no,very high,scheduled
21,none,open,yes,low,scheduled
22,none,open,yes,medium,scheduled
23,none,open,yes,high,scheduled
24,none,open,yes,very high,out-of-cycle
25,PoC,small,no,low,defer
26,PoC,small,no,medium,scheduled
27,PoC,small,no,high,scheduled
28,PoC,small,no,very high,scheduled
29,PoC,small,yes,low,scheduled
30,PoC,small,yes,medium,scheduled
31,PoC,small,yes,high,scheduled
32,PoC,small,yes,very high,scheduled
33,PoC,controlled,no,low,defer
34,PoC,controlled,no,medium,scheduled
35,PoC,controlled,no,high,scheduled
36,PoC,controlled,no,very high,scheduled
37,PoC,controlled,yes,low,scheduled
38,PoC,controlled,yes,medium,scheduled
39,PoC,controlled,yes,high,scheduled
40,PoC,controlled,yes,very high,out-of-cycle
41,PoC,open,no,low,defer
42,PoC,open,no,medium,scheduled
43,PoC,open,no,high,scheduled
44,PoC,open,no,very high,out-of-cycle
45,PoC,open,yes,low,scheduled
46,PoC,open,yes,medium,scheduled
47,PoC,open,yes,high,out-of-cycle
48,PoC,open,yes,very high,out-of-cycle
49,active,small,no,low,scheduled
50,active,small,no,medium,scheduled
51,active,small,no,high,out-of-cycle
52,active,small,no,very high,out-of-cycle
53,active,small,yes,low,scheduled
54,active,small,yes,medium,scheduled
55,active,small,yes,high,out-of-cycle
56,active,small,yes,very high,out-of-cycle
57,active,controlled,no,low,scheduled
58,active,controlled,no,medium,scheduled
59,active,controlled,no,high,out-of-cycle
60,active,controlled,no,very high,out-of-cycle
61,active,controlled,yes,low,scheduled
62,active,controlled,yes,medium,out-of-cycle
63,active,controlled,yes,high,out-of-cycle
64,active,controlled,yes,very high,out-of-cycle
65,active,open,no,low,scheduled
66,active,open,no,medium,scheduled
67,active,open,no,high,out-of-cycle
68,active,open,no,very high,immediate
69,active,open,yes,low,out-of-cycle
70,active,open,yes,medium,out-of-cycle
71,active,open,yes,high,immediate
72,active,open,yes,very high,immediate
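Review bot: these 72 rows are the machine-readable source for the v2.1 deployer outcomes, but `doc/graphics/ssvc_2_deployer_SeEUMss.tex` in this same commit was edited by hand, so nothing enforces that the CSV and the drawn tree stay in sync; consider generating the tex leaves from this file, or adding a test that compares the two. I spot-checked the visible leaves and they agree, e.g. rows 69-72 (`active,open,yes`) give `out-of-cycle,out-of-cycle,immediate,immediate`, which is exactly the `yes` branch under `active`/`open` in the tex. Also note that the `Human Impact` header contains a space while the other columns are single tokens, and that the `Automatable` column and its `yes`/`no` values must match the names used in `ssvc-calc/SSVC_Computed.schema.json` and `ssvc-calc/SSVC_Provision.schema.json`, both of which the merge message lists as conflicts.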
Binary file modified doc/graphics/ssvc_2_deployer_SeEUMss.pdf
108 changes: 27 additions & 81 deletions doc/graphics/ssvc_2_deployer_SeEUMss.tex
@@ -46,60 +46,42 @@
for tree={s sep*=0.33, l sep=20mm, child anchor=west, anchor=west, grow=east, calign=center, tier/.pgfmath=level()}, forked edges,
[Exploitation, rectangle, draw,
[Exposure, rectangle, draw, my label={active},
[Utility, rectangle, draw, my label={open},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={open},
[Human Impact, rectangle, draw, my label={yes},
[, immediate, my label={very high} ]
[, immediate, my label={high} ]
[, out-of-cycle, my label={medium} ]
[, out-of-cycle, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, immediate, my label={very high} ]
[, immediate, my label={high} ]
[, out-of-cycle, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, immediate, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
]
[Utility, rectangle, draw, my label={controlled},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={controlled},
[Human Impact, rectangle, draw, my label={yes},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, out-of-cycle, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
]
[Utility, rectangle, draw, my label={small},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={small},
[Human Impact, rectangle, draw, my label={yes},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
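Review bot: the mapping from the three-valued `Utility` branches to the two-valued `Automatable` branches is not stated anywhere in the hunk or the commit message: `yes` inherits the `super effective` leaves and `no` inherits the `laborious` leaves, while the dropped `efficient` branch matched neither (under `active`/`open` it gave `scheduled` for `low` where `super effective` gave `out-of-cycle`). Please record that rule in #248 or in a comment at the top of the tree source, so a later edit does not silently pick the other branch as the basis for `yes` or `no`.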
@@ -108,60 +90,42 @@
]
]
[Exposure, rectangle, draw, my label={PoC},
[Utility, rectangle, draw, my label={open},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={open},
[Human Impact, rectangle, draw, my label={yes},
[, out-of-cycle, my label={very high} ]
[, out-of-cycle, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, out-of-cycle, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, out-of-cycle, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
]
[Utility, rectangle, draw, my label={controlled},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={controlled},
[Human Impact, rectangle, draw, my label={yes},
[, out-of-cycle, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
]
[Utility, rectangle, draw, my label={small},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={small},
[Human Impact, rectangle, draw, my label={yes},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
@@ -170,60 +134,42 @@
]
]
[Exposure, rectangle, draw, my label={none},
[Utility, rectangle, draw, my label={open},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={open},
[Human Impact, rectangle, draw, my label={yes},
[, out-of-cycle, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
]
[Utility, rectangle, draw, my label={controlled},
[Human Impact, rectangle, draw, my label={super effective},
[Automatable, rectangle, draw, my label={controlled},
[Human Impact, rectangle, draw, my label={yes},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, scheduled, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
]
[Utility, rectangle, draw, my label={small},
[Human Impact, rectangle, draw, my label={super effective},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
[Human Impact, rectangle, draw, my label={efficient},
[Automatable, rectangle, draw, my label={small},
[Human Impact, rectangle, draw, my label={yes},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, scheduled, my label={medium} ]
[, defer, my label={low} ]
]
[Human Impact, rectangle, draw, my label={laborious},
[Human Impact, rectangle, draw, my label={no},
[, scheduled, my label={very high} ]
[, scheduled, my label={high} ]
[, defer, my label={medium} ]
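Review bot: the line pairing in this hunk differs from the two hunks above: the whole old `super effective` block (`[Human Impact, rectangle, draw, my label={super effective},` through its closing `]`) is removed and the old `efficient` leaves are reused as the new `yes` leaves. That only works because the two old blocks were identical (`scheduled, scheduled, scheduled, defer`), so review the resulting tree rather than the diff alignment. The resulting `yes` and `no` leaves under `none`/`small` match `deployer-options_v2_1.csv` rows 5-8 and rows 2-4 in this commit.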
14 changes: 13 additions & 1 deletion doc/md_src_files/030_representingInformation.md
@@ -3,7 +3,13 @@
# Representing Information for Decisions About Vulnerabilities

We propose that decisions about vulnerabilities—rather than their severity—are a more useful approach.
Our design goals for the decision-making process are to clearly define whose decisions are involved; properly use evidentiary categories; be based on reliably available evidence; be transparent; and be explainable.
Our design goals for the decision-making process are to
- clearly define whose decisions are involved
- properly use evidentiary categories
- be based on reliably available evidence
- be transparent
- be explainable

Our inspiration and justification for these design goals are that they are the features of a satisfactory scientific enterprise [@spring2017why] adapted to the vulnerability management problem.

To consider decisions about managing the vulnerability rather than just its technical severity, one must be clear about whose decisions are involved.
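Review bot: the new bullet list starts immediately after the lead-in `Our design goals for the decision-making process are to` with no blank line between them. In Pandoc's markdown, which these sources use (see the `[@spring2017why]` citation syntax), a list must be separated from the preceding paragraph by a blank line or it is parsed as continuation text of that paragraph, so the five goals would render run together. Insert a blank line after the lead-in, and consider ending the lead-in with a colon.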
@@ -30,8 +36,14 @@ Quantified metrics are more useful when (1) data for decision making is availabl
Vulnerability management does not yet meet either criterion.
Furthermore, it is not clear to what extent measurements about a vulnerability can be informative about other vulnerabilities.
Each vulnerability has a potentially unique relationship to the socio-technical system in which it exists, including the Internet.

Vulnerability management decisions are often contextual: given what is known at the time, the decision is to do X.
But what is known can change over time, which can and should influence the decision.
The context of the vulnerability, and the systems it impacts, are inextricably linked to managing it.
Some information about the context will be relatively static over time, such as the contribution of a system to an organization's mission.
Other information can change rapidly as events occur, such as the public release of an exploit or observation of attacks.
Temporal and environmental considerations should be primary, not optional as they are in CVSS.
We discuss the temporal aspects further in [Information Changes over Time](information-changes-over-time).

We make the deliberation process as clear as is practical; therefore, we risk belaboring some points to ensure our assumptions and reasoning are explicit.
Transparency should improve trust in the results.
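Review bot: the cross-reference `[Information Changes over Time](information-changes-over-time)` is written as a bare relative path, whereas the other internal links in this commit use fragment anchors (`(#mission-impact)`, `(#exploitation)`, `(#human-impact)`); as written it resolves to a sibling file or URL rather than to the section heading. Change it to `(#information-changes-over-time)` and confirm that a heading producing that identifier exists, since the commit message only says the text "points ahead" to that section.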
2 changes: 1 addition & 1 deletion doc/md_src_files/040_stakeholders-scope.md
@@ -150,7 +150,7 @@ The [*Mission Impact*](#mission-impact) could be increased when a disaster recov
A mitigation that successfully changes the value of a decision point may shift the priority of further action to a reduced state. If applying a mitigation reduces the priority to *defer*, the deployer may not need to apply a remediation, if later, it becomes available. Table 3 displays the action priorities for the deployer, which are similar to the supplier case.

In a later section, the different types of impacts are defined and then implemented in the decision trees as examples of how the various impacts affect the priority.
For now, assume the decision points are ordered as: [*Exploitation*](#exploitation); [*Exposure*](#exposure); [*Utility*](#utility); and *Human Impact*](#human-impact).
For now, assume the decision points are ordered as: [*Exploitation*](#exploitation); [*Exposure*](#exposure); [*Utility*](#utility); and [*Human Impact*](#human-impact).
In this order, an [_active_](#exploitation) state of [*Exploitation*](#exploitation) will never result in a *defer* priority.
A [_none_](#exploitation) state of [*Exploitation*](#exploitation) (no evidence of exploitation) will result in either *defer* or *scheduled* priority—unless the state of [*Human Impact*](#human-impact) is [_very high_](#human-impact), resulting in an *out-of-cycle* priority.

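Review bot: the fix adds the missing `[` before `*Human Impact*`, but the sentence still lists `[*Utility*](#utility)` as the third deployer decision point while this same commit replaces Utility with Automatable in the deployer tree (#248) and the new `deployer-options_v2_1.csv` header reads `Exploitation,Exposure,Automatable,Human Impact`. Update the ordering to name Automatable (an anchor such as `(#automatable)`, assuming the heading follows the same pattern) so the prose matches the tree. Separately, the unchanged sentence two lines below says a `none` Exploitation state yields `out-of-cycle` whenever Human Impact is `very high`, but in the CSV only row 24 (`none,open,yes,very high`) does; rows 4, 8, 12, 16 and 20 stay `scheduled`, so the exception should be narrowed to `open` exposure with Automatable `yes`.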
6 changes: 5 additions & 1 deletion doc/md_src_files/055_decision-points_2.md
@@ -240,7 +240,11 @@ We defer this topic for now because we combine it with [*Mission Impact*](#missi
## Mission Impact
> Impact on Mission Essential Functions of the Organization
A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1]. Identifying MEFs is part of business continuity planning or crisis planning. The rough difference between MEFs and non-essential functions is that an organization “must perform a\[n MEF\] during a disruption to normal operations” [@FCD2_2017, page B-2]. The mission is the reason an organization exists, and MEFs are how that mission is affected. Non-essential functions do not directly support the mission per se; however, they support the smooth delivery or success of MEFs. Financial losses—especially to publicly traded for-profit corporations—are covered here as a (legally mandated) mission of such corporations is financial performance.
A **mission essential function (MEF)** is a function “directly related to accomplishing the organization’s mission as set forth in its statutory or executive charter” [@FCD2_2017, page A-1]. Identification and prioritization of mission essential functions enables effective continuity planning or crisis planning. Mission Essential Functions are in effect critical activities within an organization that are used to identify key assets, supporting tasks, and resources that an organization requires to remain operational in a crises situation, and so must be included in its planning process. During an event, key resources may be limited and personnel may be unavailable, so organizations must consider these factors and validate assumptions when identifying, validating, and prioritizing MEFs.

When reviewing the list of organizational functions, an organization must first identify whether a function is essential or non-essential. The distinction between these two categories is whether or not an organization must perform a function during a disruption to normal operations and must continue performance during emergencies [@FCD2_2017, page B-2]. Essential functions are both important and urgent. Functions that can be deferred until after an emergency are identified as non-essential.

As mission essential functions are most clearly defined for government agencies, stakeholders in other sectors may be familiar with different terms of art from continuity planning. For example, infrastructure providers in the US may better align with [National Critical Functions](https://www.cisa.gov/national-critical-functions). Private sector businesses may better align with [operational and financial impacts](https://www.ready.gov/sites/default/files/2020-03/business-impact-analysis-worksheet.pdf) in a [business continuity plan](https://www.ready.gov/business-continuity-plan). While the processes, terminology, and audience for these different frameworks differ, they all can provide a sense of the criticality of an asset or assets within the scope of the stakeholder conducting the cyber vulnerability prioritization with SSVC. In that sense they all function quite similarly within SSVC. Organizations should use whatever is most appropriate for their stakeholder context, with Mission Essential Function analysis serving as a fully worked example in the SSVC documents.

Table: Mission Impact Decision Values

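Review bot: `crises situation` in the first new paragraph should be `crisis situation`, and `Identification and prioritization of mission essential functions enables` has a compound subject, so `enable`; the same paragraph also switches between `mission essential function` and `Mission Essential Functions`, so pick one capitalization. Formatting: the new paragraph begins directly under the blockquote line `> Impact on Mission Essential Functions of the Organization` with no blank line in between, so lazy blockquote continuation will render the whole paragraph as part of the quote (the removed line had the same problem; check the rendered output and add a blank line after the `>` line). Finally, the rewrite drops the sentence tying financial losses of publicly traded corporations to their legally mandated mission; the later link to operational and financial impacts only partly covers that, so confirm #250 intended the removal.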