Xylok Documentation

CCI Rater

Prerequisites

  • Have CIA levels selected for the client
  • Not required, but you will likely want to upload scans and mark the checks compliant or non-compliant.

When to Rebuild

Click the Rebuild button any time:

  • The Client CIA levels or RMF overlays change
  • Technical data is marked or changed

Existing non-technical rating information will be fully preserved across a rebuild. Existing technical comments and likelihoods will also be preserved, although the underlying data may change, which could change the Impact and Risk levels.

After a rebuild, you can filter on the updated date range to locate items that were recently changed.

Default Treatment

By default, CCIs are treated as technically compliant if there are no scan items tied to that CCI. This means if there are no scans uploaded, even if benchmarks are assigned, the CCI is still treated as technically compliant.

On the flip side, all CCIs are treated as unreviewed on the non-technical side no matter what. If you want to ignore the non-technical side of a CCI, mark it as Not Applicable and add a comment along the lines of “This CCI is covered by technical checks.” This is not the default because many CCIs have both technical and policy considerations behind them.

Overall compliance takes the “worst” rating of the technical and non-technical ratings, where the worst-to-best order is:

  • Non-compliant
  • Not Applicable
  • Compliant
  • Unreviewed

That is, if either rating is Non-compliant, the CCI overall is Non-compliant. If one is Compliant and the other is N/A, the overall rating will be N/A. If one is Compliant and the other is Unreviewed, then the overall rating is still Compliant. This last scenario is done to allow easier review of the control rating roll up without having completed review of every single CCI.

Columns

The columns displayed on the main rater page are non-editable in the rater and instead reflect the statuses/comments set inside the modal (see below) for each rating. By clicking on a rating’s row, these values can be changed. All of the columns except “Definition” and “Comments” are sortable.

Individual Ratings

Each row can be selected and will redirect to an analysis page for that rating. The numbered areas are described below.

CCI Rater Overview

1. Navigation Banner

  • Above the banner is the CCI number for this rating. This doubles as a link to the reference page for this CCI for more information.
  • This banner displays the title of the current CCI and allows navigation between the previous/next ratings (which will respect any search filters applied to the CCI Rater).
  • It also allows you to “Mark Reviewed”: note that this rating has been reviewed without actually changing anything. Hovering over the “Mark Reviewed
Any changes to the Status/Risk and Comments on this page will automatically save while working, and will save before navigating away from the page!

2. Non-Technical Risk

  • Compliance Status: Do the policies/procedures of the organization fulfill the CCI? The More Info link in the rating modal may help with determining this—look at the related controls, CCIs, and Master Assessment Datasheet (MAD) information to learn more about what’s being asked.
  • Comment: For compliant controls, this comment might point to the applicable policy document or technical order that covers the CCI. For non-compliant controls, this might summarize what areas are lacking.
  • Risk: This is not manually assigned. Instead, the risk is pulled from the S6 MAD, which is periodically updated by S6 then pulled into Xylok. If you have a different authorizing authority for this, it will need to be swapped into Xylok. Contact support@xylok.io for more information.

3. Technical Risk

  • Compliance Status: This is pulled from any scans uploaded for this client. DISA and Xylok tie STIG checks to 0 or more CCIs (not all checks tie to a CCI and some tie to multiple), and any non-compliant checks will cause the technical risk to appear as non-compliant. If there are no checks under a CCI, then it appears as compliant. If there are checks but they are unreviewed, the rating will also appear as unreviewed.
  • Impact: This is pulled from the highest Non-Compliant technical finding. Cat I findings are a High impact, Cat II is Moderate, and Cat III is Low.
  • Likelihood: How likely is it these findings will be exploited, ignoring other protections that will mitigate this issue? This can be hard to determine, since typically you will know of reasons this isn’t as large of an issue as it might first appear, but the next tab will give you the opportunity to put that information in.
  • Risk: Automatically determined using NIST’s RMF risk matrix.
  • Technical Risk Summary: Summarize the findings under this CCI. When using Xylok in our ASCA role, we typically do not leave comments for fully compliant items, and we call out Cat I findings specifically in this comment.

4. Mitigations

  • Compliance Status: This is the overall status—if either technical or non-technical is non-compliant, this will also be non-compliant. See “Default Treatment” above for more details.
  • Impact: This is pulled from the higher impact of either technical or non-technical rating.
  • Likelihood: How likely is it these findings will be exploited, taking into account other protections that will mitigate this issue? If nothing mitigates this issue you must still mark the likelihood—just make it so the mitigated risk matches the non-mitigated risk.
  • Risk: Automatically determined using NIST’s RMF risk matrix.
  • Mitigations for risk: What other considerations for this system lower the likelihood that the issues under this CCI will be exploited? For example, perhaps there’s no antivirus on the system, but there is a well-followed and documented policy of running all incoming media through a standalone AV workstation. That might be worth lowering the likelihood of this finding (and consequently the risk).
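The roll-up rules from “Default Treatment” and from the Technical Risk and Mitigations sections above, modelled as an added Python illustration (this is not Xylok's own code; the check records are constructed, while the status and impact labels and the worst-to-best order are the ones this page gives):

```python
# Added illustration, not Xylok's code: the status/impact roll-up rules on
# this page, applied to constructed check records.

# Worst-to-best order from "Default Treatment"; a lower index is worse.
STATUS_ORDER = ["Non-compliant", "Not Applicable", "Compliant", "Unreviewed"]

# STIG finding category -> Impact (section 3, "Impact"), lowest to highest.
CAT_IMPACT = {"I": "High", "II": "Moderate", "III": "Low"}
IMPACT_ORDER = ["Low", "Moderate", "High"]


def technical_status(checks):
    """Technical status of a CCI from the checks tied to it (section 3)."""
    if not checks:
        return "Compliant"          # no scan items -> treated as compliant
    statuses = {c["status"] for c in checks}
    if "Non-compliant" in statuses:
        return "Non-compliant"      # any failing check fails the CCI
    if "Unreviewed" in statuses:
        return "Unreviewed"         # checks exist but are not all reviewed
    return "Compliant"


def technical_impact(checks):
    """Impact from the highest-severity Non-compliant finding, or None."""
    found = [CAT_IMPACT[c["cat"]] for c in checks if c["status"] == "Non-compliant"]
    return max(found, key=IMPACT_ORDER.index) if found else None


def overall_status(technical, non_technical):
    """Overall compliance is the worse of the two ratings."""
    return min(technical, non_technical, key=STATUS_ORDER.index)


def overall_impact(technical, non_technical):
    """Overall impact is the higher of the two impacts (section 4)."""
    found = [i for i in (technical, non_technical) if i is not None]
    return max(found, key=IMPACT_ORDER.index) if found else None


if __name__ == "__main__":
    # Constructed sample: one passing check, one Cat III and one Cat I failing.
    checks = [{"status": "Compliant", "cat": "II"},
              {"status": "Non-compliant", "cat": "III"},
              {"status": "Non-compliant", "cat": "I"}]
    tech = technical_status(checks)
    print(tech, technical_impact(checks))                      # Non-compliant High
    # The non-technical side starts as Unreviewed, so a CCI with no checks
    # rolls up as Compliant; a reviewed N/A is worse than Compliant.
    print(overall_status(technical_status([]), "Unreviewed"))  # Compliant
    print(overall_status("Compliant", "Not Applicable"))       # Not Applicable
    print(overall_status(tech, "Compliant"), overall_impact("High", "Low"))
```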

5. Recommendation

  • Comment: What should the next action on this CCI be? Add any recommendations for things that would reduce or eliminate this risk. In some cases, this could be as simple as “write the document this CCI asks for.” In others, the risk might be low and the cost of a fix too high, so the recommendation might be to accept the risk.

6. Document Reference

  • If Documents have been uploaded for this Client, this panel will automatically search for the CCI title within those documents. The algorithm removes unnecessary words (the, and, that, etc.) and searches based on all combinations of key words in the title. Very long titles can take a long time to complete the search.
  • A search bar is also provided for custom searches within documents.
  • Search results are ordered by the number of keywords found in a result and are limited to the top 15 results.
  • The “?” icon next to the “Document Reference” gives an overview of the functionality, and doubles as a link to a full search results table.

7. Related Data

  • Displays a table which lists all checks associated with the CCI for reference.
  • Checks are ordered by Non-Compliant first and are limited to the first 15 results by default.
  • The “?” icon next to the “Document Reference” gives an overview of related data, and doubles as a link to a full related data table.

8. Copy CCI Ratings

  • This panel allows the user to search for a CCI Rating within the same Client
  • If found, the status/risk and comments for each section of the CCI Rating will be displayed within the panel. If not found, either the CCI number is incorrect or the CCI Ratings need to be rebuilt.
  • The Copy button in each section will copy the status/risk AND comment from that CCI Rating to the current CCI Rating. The Copy All button will copy every section to the current CCI Rating.

9. Compare View

  • This toggle allows switching between the standard single CCI Rating view and a “Compare” view. This second view is useful for organizations which have multiple Clients with similar machines and configurations.
  • The compare view will replace the Document Reference panel with a new “Copy CCI Ratings From Client” panel.
  • Within the new panel, select another Client. If the selected Client has data for the current CCI Rating, its status/risk and comments for the current CCI will be displayed.
  • An additional Related Data panel is displayed at the bottom of the page, with data for the selected Client displayed alongside the data for the current Client for easy comparison.

10. CCI Ratings Table (Not Pictured)

  • A small version of the main CCI Ratings table. It will display CCI Rating Numbers and Compliance Status.
  • Includes a search and filter identical to the main CCI Ratings table, allowing navigation between filtered ratings without leaving the analysis page.

Keyboard Shortcuts

Keyboard shortcuts have been added to allow efficient navigation on this page:

Action                    Key
Previous Rating           Left Arrow
Next Rating               Right Arrow
Return to Ratings Table   Up Arrow
Toggle Compare View       c
Focus Search              /
Mark Reviewed             r

Reports

Security Assessment Report

This report covers the results of an assessment from multiple levels of control review. Tabs of CCI ratings, rolled-up control ratings, top-level controls, and control families are all included. In addition, there are colored risk charts.

Before the SAR can be fully generated, the Control Rater likely needs to be rebuilt. Most rows pull data from the controls, not the CCIs directly.

Click the “Export SAR” button at the top of the page to download.

eMASS Test Results

Exports the CCI Ratings in an eMASS-compatible format. Comments from the CCI rater are directly incorporated into this report and should be importable directly into eMASS. Click the “Export eMASS” button at the top of the page to download.