Adding a new guideline
In order to add a new guideline to the dataset, you have to gather all the groups of configurable elements (e.g., Protocols, Cipher Suites) and add a new column in the corresponding file located within the `/markdown` folder.
Each column MUST contain the following data (minus the double quotes):
- first row: "(`agency`,`profile`)" where `agency` is the guideline issuer (e.g., NIST, AgID) and `profile` is an optional use case defined by the guideline (e.g., customer-facing, government-facing). All the pairs MUST be unique. If there are no profiles, the `profile` field can be left empty;
- subsequent rows: the requirement level[^1] assigned to the entry in the first column of the table.
If the guideline has specific conditions that must be checked (e.g., "use either TLS 1.2 or 1.3"), you can add an additional column containing them. The new column has to be placed after the last column for a given agency. We have two cases:
- if the conditions apply to all the profiles of a given agency, the column MUST have the following structure:
  - first row: "(`agency`,`condition`)";[^2]
  - subsequent rows: the specific condition that has to be met in order to be considered compliant. A complete explanation of the possible values can be found in the Conditions wiki page.
- if the conditions only apply to a specific profile, the first row MUST contain: "(`agency`, condition [`N-th`])".[^3]

- the second cell of each column MUST contain a valid requirement level;[^1]
- all empty cells (other than the second cell) are automatically considered as `<Not mentioned>`;
- it is possible to propagate a requirement level horizontally by adding a checkmark symbol (`✓`) as the cell content. To use this feature, you have to define a rule within the `sheet_columns` dictionary in the `/utils/configs.py` file. The rule MUST have the following structure:

  ```python
  "category_name": { "agency": [numbers, of, columns, affected, by, the, propagation] },
  ```

  for example

  ```python
  "Protocols": { "NERV": [1, 2] },
  ```

  Please remember that the first column of each agency is considered as the 0-th and all the indexes for the same agency are consecutive.[^3] The 0-th column MUST contain the requirement level to be propagated. If a propagation cell is left empty, it is considered as a `must not`.
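
The sketch below is an added illustration, not the project's own code, of how the propagation and empty-cell rules above combine for one table row. The `resolve_row` helper and the sample rows are hypothetical. It assumes that condition columns are left out of `cells` and that an explicit level written in a propagated column is kept as-is.

```python
# Added illustration, not the project's code. Only the rule structure, the
# checkmark and the requirement levels come from the page.
CHECK = "✓"
LEVELS = {"must", "must not", "optional", "recommended",
          "not recommended", "<Not mentioned>"}

# Same shape as the sheet_columns rule in /utils/configs.py (page's example).
sheet_columns = {"Protocols": {"NERV": [1, 2]}}


def resolve_row(category, agency, cells, rules=sheet_columns):
    """Return the effective requirement levels for one agency in one row.

    cells[0] is the agency's 0-th column; condition columns are excluded
    (assumption of this sketch).
    """
    propagated = set(rules.get(category, {}).get(agency, []))
    base = cells[0].strip() if cells else ""
    resolved = []
    for idx, raw in enumerate(cells):
        cell = raw.strip()
        if idx in propagated and cell == CHECK:
            # The 0-th column MUST hold the level being propagated.
            if base not in LEVELS:
                raise ValueError(f"{agency}: 0-th column has no level to propagate")
            cell = base
        elif idx in propagated and cell == "":
            cell = "must not"          # empty propagation cell
        elif cell == "":
            cell = "<Not mentioned>"   # ordinary empty cell
        if cell not in LEVELS:
            # Includes a checkmark in a column that has no propagation rule.
            raise ValueError(f"{agency}, column {idx}: invalid cell {raw!r}")
        resolved.append(cell)
    return resolved


if __name__ == "__main__":
    # Constructed sample rows.
    print(resolve_row("Protocols", "NERV", ["must", "✓", ""]))
    print(resolve_row("Protocols", "NIST", ["recommended", ""]))
```

A checkmark in a column without a matching `sheet_columns` rule is rejected here rather than silently treated as a level, which catches a forgotten rule when a new guideline is added.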
[^1]: the requirement levels consist of the RFC 2119-defined keywords `must`, `must not`, `optional`, `recommended`, `not recommended` along with `<Not mentioned>`, added for completeness.
[^2]: the actual "condition" string, not a variable depending on the guideline.
[^3]: N-th being the number of the column a given set of conditions is referring to, starting the count from zero. See the Cipher Suites file for an example.