How to Use the Cyber SENTRI Spreadsheet Tool (CST)
The Cyber SENTRI Spreadsheet Tool (CST) is a portable software tool (built as an MS Excel spreadsheet) that performs the Cyber SENTRI analysis on a given system. The requirements to use this tool are as follows:
- The system being assessed must have been assigned NIST SP 800-53 (Rev 4) security controls, meaning it has gone through the Risk Management Framework (RMF) “security control categorization” and “security control tailoring” processes and has an established security control baseline.
- The compliance status of each of the system’s applicable security controls must have been assessed and the results documented, meaning each security control in the system’s baseline has been assessed to be compliant (i.e., implemented) or non-compliant (i.e., not yet implemented or in a failed/ineffective state). The status of each security control can be assessed manually (i.e., by a human inspecting the system and/or observing whether the control is in place and operating properly) and/or by electronic testing (i.e., running a “scan” to determine whether the security control is in place and operating properly). Note: Different methods of assessment have different levels of accuracy assurance and, like any system, the CST’s analysis will only be accurate if the user is “feeding it” good/accurate information. As the saying goes: “Garbage in, garbage out!”
Running the Cyber SENTRI Analysis on a Given System:
1) Upload the Security Control Assessment Data into the CST’s Tab Entitled “Enter System Data”
   - You’ll first need access to the given system’s security control data (meaning a listing of all the relevant NIST SP 800-53 security controls and the compliance status of each). Most organizations store that information in, or can export it to, a spreadsheet. From there, copy and paste the listing of relevant security control titles (e.g., AC-1, AC-2, etc.) into the proper column, and then copy and paste the listing of those security controls’ implementation statuses (e.g., compliant, non-compliant and, in some cases, non-applicable).
     - Note: If the results are documented in a cybersecurity control compliance data management tool such as eMASS, Xacta, etc., then the results must be exported to a spreadsheet first.
   - If the results are documented in a non-spreadsheet format (.doc, .pdf, etc.), they can be entered into the CST’s “Upload Controls” tab manually by:
     - Highlighting each control’s title (e.g., AC-3) and copying it into the “Upload Controls” tab
     - Selecting the proper compliance status for each control (e.g., “compliant” or “non-compliant”)
2) Run the Analysis
   - Once the data has been entered into the CST, in most cases the CST will automatically generate the analysis results and display them in the next two tabs, entitled “UNDERSTAND Sys Risk” and “IMPROVE Sys Risk Posture.” Note: In some older versions of MS Excel, or if automatic updating functions are toggled off in your MS Excel options, you can force the tool to process the data by going to the MS Excel “Data” tab (among the menu bar tabs at the top of MS Excel) and clicking the “Refresh All” button.
3) View the Results
   - The CST runs the analysis and places the results in two tabs, entitled “UNDERSTAND Sys Risk” and “IMPROVE Sys Risk Posture,” which you can review either by opening those tabs and scrolling through the reports or by printing those two tabs as a PDF (see the “Instructions and Info” tab for guidance on how to do that).
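A pre-paste check for the exported control listing described in the upload step, as an added example that is not part of the CST or the original page: it normalizes control titles and status values and flags rows that need review before they are copied into the CST. The column names `Control` and `Status`, the export spellings in `STATUS_MAP`, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# NIST SP 800-53 Rev 4 security control families (Appendix J privacy families omitted).
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA",
            "MP", "PE", "PL", "PM", "PS", "RA", "SA", "SC", "SI"}
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d{1,2})(?:\((\d{1,2})\))?$")  # AC-2 or AC-2(1)

# Assumed export spellings, mapped to the status words used on this page.
STATUS_MAP = {
    "compliant": "compliant",
    "non-compliant": "non-compliant", "noncompliant": "non-compliant",
    "non-applicable": "non-applicable", "not applicable": "non-applicable",
}

# Constructed sample export (not real assessment data).
SAMPLE_EXPORT = """Control,Status
AC-1,Compliant
ac-2,Non-Compliant
AC-2 (1),Not Applicable
AC-2,Compliant
XX-9,Compliant
AU-6,Pending
"""

def prepare(export_text, id_col="Control", status_col="Status"):
    """Return (rows, problems): clean (control, status) pairs plus lines to review."""
    rows, problems, seen = [], [], {}
    reader = csv.DictReader(io.StringIO(export_text))
    for line_no, rec in enumerate(reader, start=2):  # line 1 is the header
        control = re.sub(r"\s+", "", rec.get(id_col) or "").upper()
        status = STATUS_MAP.get((rec.get(status_col) or "").strip().lower())
        m = CONTROL_RE.match(control)
        if not m or m.group(1) not in FAMILIES:
            problems.append(f"line {line_no}: unrecognized control {rec.get(id_col)!r}")
        elif status is None:
            problems.append(f"line {line_no}: unrecognized status for {control}")
        elif control in seen:  # same control listed twice in the export
            kind = "duplicate" if seen[control] == status else "conflicting duplicate"
            problems.append(f"line {line_no}: {kind} of {control}")
        else:
            seen[control] = status
            rows.append((control, status))
    return rows, problems

if __name__ == "__main__":
    rows, problems = prepare(SAMPLE_EXPORT)
    print("\n".join(f"{c}\t{s}" for c, s in rows))  # tab-separated: pastes as two columns
    print("\n".join("REVIEW: " + p for p in problems))
```

Rows reported for review are held back from the paste-ready output, so a control listed twice with different statuses is resolved by a person rather than silently picking one.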
Training Videos
Below are two videos that help explain how to use the CST.
1) An Overview of the CST Tool
2) A Quick Start Demo to Upload New Security Controls
Troubleshooting the CST
Run into some problems? Try the following yourself before reaching out.
*Under Construction*
Frequently Asked Questions
There will be an FAQ here