SerpicoProject / Serpico

SimplE RePort wrIting and COllaboration tool


Request: NIST Naming Changes

kmackinley opened this issue · comments

Feature Request

Name NIST800 Impact, Likelihood and Overall Risk Ratings according to NIST800-30 publication: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Currently the NIST800 Overall and Impact ratings include "Informational" and "Critical" and should be "Very Low" and "Very High" instead, respectively.

The Likelihood ratings are missing "Very Low" and "Very High".

If there is a particular reason for this that I am unaware of, please let me know as clients viewing the NIST800 ratings are asking about why they deviate from the NIST800-30 publication's ratings.

Example Use Case

Would be great to generate reports with NIST800 scoring that correlate to the NIST800-30 publication above.

Hi,

Thanks for reporting this.

The NIST800-30 scoring is the latest type of scoring to have been implemented in Serpico. The severity labels were simply reused from the other scoring methods.

This is something that might not be that hard to change in the platform itself. In the meantime, you can use the solution posted in #501 to rename the problematic labels.


Great idea, didn't think of that. That would work for most things, except the Likelihood ratings are missing 2 entries and there is the calculation in the helpers.rb file that calculates the risk based upon those two (Impact and Likelihood) ratings. Thanks.
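As an added example (not code from the Serpico project or its helpers.rb), here is what the combination the thread refers to looks like with the publication's own five-level scales: the NIST SP 800-30r1 levels, the Likelihood x Impact matrix from Table I-2 of the linked document, and a check that flags labels deviating from it. The mapping of the legacy "Informational"/"Critical" labels onto NIST names is an assumption for illustration.

```ruby
# Added example, not Serpico's helpers.rb: NIST SP 800-30r1 five-level scales
# and the Likelihood x Impact combination from Appendix I, Table I-2.
NIST_LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"].freeze

# Rows: likelihood (Very Low .. Very High); columns: impact in NIST_LEVELS order.
# Transcribed from SP 800-30r1, Appendix I, Table I-2.
NIST_RISK_MATRIX = {
  "Very Low"  => ["Very Low", "Very Low", "Very Low", "Low",      "Low"],
  "Low"       => ["Very Low", "Low",      "Low",      "Low",      "Moderate"],
  "Moderate"  => ["Very Low", "Low",      "Moderate", "Moderate", "High"],
  "High"      => ["Very Low", "Low",      "Moderate", "High",     "Very High"],
  "Very High" => ["Very Low", "Low",      "Moderate", "High",     "Very High"],
}.freeze

# Assumed mapping for the legacy labels this thread reports (reused from the
# other scoring methods), so existing findings still resolve to a NIST level.
LEGACY_LABELS = { "Informational" => "Very Low", "Critical" => "Very High" }.freeze

# Normalises a stored label to a NIST level name; rejects anything else so a
# typo or a non-NIST label cannot silently produce a rating.
def nist_level(label)
  name = LEGACY_LABELS.fetch(label, label)
  raise ArgumentError, "not a NIST 800-30 level: #{label.inspect}" unless NIST_LEVELS.include?(name)
  name
end

# Overall risk for a finding, per Table I-2.
def nist_overall_risk(likelihood, impact)
  row = NIST_RISK_MATRIX.fetch(nist_level(likelihood))
  row[NIST_LEVELS.index(nist_level(impact))]
end

# Lists a scoring method's labels that deviate from the publication's names,
# the check to run before clients compare a report against SP 800-30.
def non_nist_labels(labels)
  labels.reject { |l| NIST_LEVELS.include?(l) }
end

if __FILE__ == $0
  puts nist_overall_risk("Moderate", "High")      # Moderate
  puts nist_overall_risk("Critical", "Very Low")  # Very Low (legacy label accepted)
  p non_nist_labels(["Informational", "Low", "Moderate", "High", "Critical"])
end
```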