Frequently Asked Questions
Note: Cyber-SENTRI is a service that produces and updates a tool for assessing the cyber risk posture of a given system. The tool is an MS Excel spreadsheet and is referred to below as the CST (Cyber-SENTRI Spreadsheet Tool).
Table of Contents:
- How do I upload data into the Cyber-SENTRI spreadsheet tool (CST)?
- How do I run the analysis in the CST as well as see the results?
- Is there a way to save the results of the analysis to a PDF?
- What kind of data do I need on a given system to run Cyber-SENTRI analysis on that system?
- How can I troubleshoot issues with using the CST?
- Otherwise, if you are unable to watch the video or prefer a written explanation, keep reading below:
Upload the Security Control Assessment Data into the CST’s Tab Entitled “Data Input”
- You’ll first need access to the given system’s security control data (meaning a listing of all the relevant NIST SP 800-53 security controls and the compliance status of each). Most organizations store that information in, or can export it to, a spreadsheet. From there, copy and paste the listing of relevant security control titles (e.g., AC-1, AC-2, AC-2, etc.) into the proper column, and then copy and paste the listing of those security controls’ implementation statuses (e.g., compliant, non-compliant, and in some cases non-applicable).
- Note: If the results are documented in a cybersecurity control compliance data management tool such as eMASS, Xacta, etc., then the results must be exported to a spreadsheet first.
- If the results are documented in a non-spreadsheet format (.doc, .pdf, etc.), the results can be entered into the CST’s “Upload Controls” tab manually by:
  - Highlighting each of the controls’ titles (e.g., AC-3) and copying them into the “Upload Controls” tab
  - Selecting the proper compliance status for each control (e.g., “compliant” or “non-compliant”)
- Run the Analysis
  - Once the data has been entered into the CST, in most cases the CST will automatically generate the analysis results and display them in the tabs entitled “Report” and “Advanced Analysis”. Note: Some older versions of MS Excel do not automatically refresh, so you will need to force MS Excel to process the uploaded data by going to the MS Excel “Data” tab (among the menu bar tabs at the top of MS Excel) and clicking the “Refresh All” button. It is also possible that automatic updating functions are toggled off in your instance of MS Excel’s options, in which case you would need to force the tool to process the data in the same way.
- View the Results
  - Once the CST has updated (see above), the resulting analysis will populate the “Report” and “Advanced Analysis” tabs and is ready for you to review and use by opening those tabs and scrolling through the content of each.
Is there a way to save the results of the analysis to a PDF?
- Instead of sending around the CST for others to see and use the results, the easiest way to distribute the results is to save the contents of the “Report” tab and/or the “Advanced Analysis” tab as a PDF and send that as an email attachment. Instructions for doing this are in the first tab of the CST, entitled “Instructions and Info”.
What kind of data do I need on a given system to run Cyber-SENTRI analysis on that system?
- The system being assessed must have been assigned NIST SP 800-53 (Rev 4) security controls, meaning it has gone through the Risk Management Framework (RMF) “security control categorization” and “security control tailoring” processes and has an established security control baseline.
- The compliance status of each of the system’s applicable security controls must have been assessed and the results documented, meaning each security control in the system’s baseline has been assessed to be compliant (i.e., implemented) or non-compliant (i.e., not yet implemented or in a failed/ineffective state). The status of each security control can be assessed manually (i.e., by a human inspecting the system and/or observing whether the control is in place and operating properly) and/or by electronic testing (i.e., running a scan or electronic test to determine whether the security control is in place and operating properly). Note: different methods of assessment offer different levels of accuracy assurance, and, like any system that relies on accurate input data, the CST’s analysis is only going to be accurate if the user is “feeding it” good/accurate information. As the saying goes: “Garbage in, garbage out!”
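
One way to check an exported control list before pasting it into the CST, given the accuracy caveat above. This is an added example, not part of the CST or the Cyber-SENTRI service; the column names `Control` and `Status`, the accepted status spellings and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Security control families in the NIST SP 800-53 Rev 4 catalog.
FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
            "PE", "PL", "PS", "PM", "RA", "SA", "SC", "SI"}
CONTROL_RE = re.compile(r"^([A-Z]{2})-(\d{1,2})(?:\((\d{1,2})\))?$")
# Assumed export spellings (letters only), mapped to the statuses the FAQ names.
STATUSES = {"compliant": "compliant", "noncompliant": "non-compliant",
            "na": "non-applicable", "notapplicable": "non-applicable",
            "nonapplicable": "non-applicable"}

def check_export(text, id_col="Control", status_col="Status"):
    """Return (rows, problems): clean (control, status) pairs and rejected lines."""
    rows, problems, seen = [], [], {}
    for n, rec in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        raw_id = (rec.get(id_col) or "").strip()
        control = re.sub(r"\s+", "", raw_id).upper()   # "ac-2 (1)" -> "AC-2(1)"
        key = re.sub(r"[^a-z]", "", (rec.get(status_col) or "").lower())
        status = STATUSES.get(key)
        m = CONTROL_RE.match(control)
        if not m:
            problems.append(f"line {n}: '{raw_id}' is not a control identifier")
        elif m.group(1) not in FAMILIES:
            problems.append(f"line {n}: {control} has unknown family {m.group(1)}")
        elif status is None:
            problems.append(f"line {n}: {control} has no recognised status")
        elif control in seen:
            # Identical repeats are dropped; on a conflict the first value is kept.
            if seen[control] != status:
                problems.append(f"line {n}: {control} repeated with conflicting status")
        else:
            seen[control] = status
            rows.append((control, status))
    return rows, problems

# Constructed sample export (not real assessment data).
SAMPLE = """Control,Status
AC-1,Compliant
ac-2,Non-Compliant
AC-2,Non-Compliant
AC-2 (1),N/A
AC-3,
ZZ-9,Compliant
IA-5,compliant
IA-5,non-compliant
"""

if __name__ == "__main__":
    rows, problems = check_export(SAMPLE)
    print(*rows, *problems, sep="\n")
```

Resolve every reported problem against the source assessment record before pasting the clean rows into the CST.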
How can I troubleshoot issues with using the CST?
- The most common cause of problems using the CST is running it on an older/deprecated version of MS Excel (e.g., Excel 2016, Excel 2019). If you are seeing issues such as empty bar charts or missing tables, this is likely the cause, and you will need to use the CST on a newer version of MS Excel.