diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12120.cs b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12120.cs
index 64e0f988cc..e081efe08c 100644
--- a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12120.cs
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/ConvertDatabase12120.cs
@@ -24,6 +24,8 @@ public override void Execute(SqlConnection conn)
 {
 try
 {
+ RunFile(Path.Combine(this.applicationPath, "VersionUpgrader", "SQL", "12110_to_12120.sql"), conn);
+ RunFile(Path.Combine(this.applicationPath, "VersionUpgrader", "SQL", "12110_to_12120_data.sql"), conn);
 this.UpgradeToVersionLocalDB(conn, myVersion);
 }
 catch (Exception e)
diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12110_to_12120.sql b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12110_to_12120.sql
new file mode 100644
index 0000000000..5bd6384bff
--- /dev/null
+++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12110_to_12120.sql
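Review bot: The two `RunFile` calls added to `Execute` in ConvertDatabase12120.cs are not atomic with each other or with `UpgradeToVersionLocalDB`: `12110_to_12120.sql` opens and commits its own transaction and `12110_to_12120_data.sql` begins a separate one, so a failure in the data script leaves the altered procedure committed while the step that presumably records the new version never runs. Both scripts therefore have to be safe to re-run, which is worth stating above the calls, e.g. `// Each script commits its own transaction; both must be re-runnable if a later step throws.` The scripts are also read from under `applicationPath` and executed with the upgrade connection's rights, so that directory should not be writable by unprivileged users; whether `RunFile` verifies anything about the file is not visible here. The `catch (Exception e)` body lies outside the hunk, so how a partial upgrade is reported cannot be judged from these lines.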
@@ -0,0 +1,180 @@ +/* +Run this script on: + + (localdb)\INLLocalDB2022.CSETWeb12110 - This database will be modified + +to synchronize it with: + + (localdb)\INLLocalDB2022.CSETWeb12120 + +You are recommended to back up your database before running this script + +Script created by SQL Compare version 14.10.9.22680 from Red Gate Software Ltd at 12/12/2023 1:39:53 PM + +*/ +SET NUMERIC_ROUNDABORT OFF +GO +SET ANSI_PADDING, ANSI_WARNINGS, CONCAT_NULL_YIELDS_NULL, ARITHABORT, QUOTED_IDENTIFIER, ANSI_NULLS ON +GO +SET XACT_ABORT ON +GO +SET TRANSACTION ISOLATION LEVEL Serializable +GO +BEGIN TRANSACTION +GO +IF @@ERROR <> 0 SET NOEXEC ON +GO +PRINT N'Altering [dbo].[usp_getStandardsResultsByCategory]' +GO + +-- ============================================= +-- Author: hansbk +-- Create date: 8/1/2018 +-- Description: Stub needs completed +-- ============================================= +ALTER PROCEDURE [dbo].[usp_getStandardsResultsByCategory] + @assessment_id int +AS +BEGIN + -- SET NOCOUNT ON added to prevent extra result sets from + -- interfering with SELECT statements. 
+ SET NOCOUNT ON; + + SET TRANSACTION ISOLATION LEVEL read uncommitted + + /* +TODO this needs to take into account requirements vs questions +get the question set then for all the questions take the total risk (in this set only) +then calculate the total risk in each question_group_heading(category) +then calculate the actual percentage of the total risk in each category +order by the total +*/ +declare @applicationMode nvarchar(50) + +exec dbo.GetApplicationModeDefault @assessment_id, @ApplicationMode output + + +declare @maxRank int +if(@ApplicationMode = 'Questions Based') +begin + + + + IF OBJECT_ID('tempdb..#Temp') IS NOT NULL DROP TABLE #Temp + IF OBJECT_ID('tempdb..#TempAnswered') IS NOT NULL DROP TABLE #TempAnswered + + SELECT s.Set_Name,Question_Group_Heading,isnull(count(c.question_id),0) qc into #temp + FROM Answer_Questions a + join NEW_QUESTION c on a.Question_Or_Requirement_Id=c.Question_Id + join vQuestion_Headings h on c.Heading_Pair_Id=h.heading_pair_Id + join NEW_QUESTION_SETS s on c.Question_Id = s.Question_Id + join AVAILABLE_STANDARDS v on s.Set_Name = v.Set_Name + join NEW_QUESTION_LEVELS l on s.New_Question_Set_Id = l.New_Question_Set_Id + join STANDARD_SELECTION ss on v.Assessment_Id = ss.Assessment_Id + join UNIVERSAL_SAL_LEVEL ul on ss.Selected_Sal_Level = ul.Full_Name_Sal + where a.Assessment_Id = @assessment_id and a.Answer_Text != 'NA' and v.Selected = 1 and v.Assessment_Id = @assessment_id and l.Universal_Sal_Level = ul.Universal_Sal_Level + group by s.Set_Name, Question_Group_Heading + + insert into #temp (Set_Name,Question_Group_Heading, QC) + select a.Set_name,a.Question_Group_Heading, qc=0 from + (select * from (select distinct question_group_heading from #temp) a, (select distinct set_name from #temp) b) a + left join #temp on a.question_group_heading=#temp.question_group_heading and a.set_name = #temp.set_name + where #temp.set_name is null + + SELECT s.Set_Name,Question_Group_Heading,isnull(count(c.question_id),0) qc into 
#tempAnswered + FROM Answer_Questions a + join NEW_QUESTION c on a.Question_Or_Requirement_Id=c.Question_Id + join vQuestion_Headings h on c.Heading_Pair_Id=h.heading_pair_Id + join NEW_QUESTION_SETS s on c.Question_Id = s.Question_Id + join AVAILABLE_STANDARDS v on s.Set_Name = v.Set_Name + join NEW_QUESTION_LEVELS l on s.New_Question_Set_Id = l.New_Question_Set_Id + join STANDARD_SELECTION ss on v.Assessment_Id = ss.Assessment_Id + join UNIVERSAL_SAL_LEVEL ul on ss.Selected_Sal_Level = ul.Full_Name_Sal + where a.Assessment_Id = @assessment_id and a.Answer_Text in ('Y','A') and v.Selected = 1 and v.Assessment_Id = @assessment_id and l.Universal_Sal_Level = ul.Universal_Sal_Level + group by s.Set_Name, Question_Group_Heading + + select t.Set_Name, + s.Short_Name, + t.Question_Group_Heading, + isnull(a.qc,0) yaCount, + isnull(t.qc,0) Actualcr, + round(isnull(cast(a.qc as decimal(18,3))/t.qc,0),5) * 100 [prc] + from #temp t left join #tempAnswered a on t.Set_Name = a.Set_Name and t.Question_Group_Heading = a.Question_Group_Heading + join [SETS] s on t.Set_Name = s.Set_Name + order by Question_Group_Heading desc +end +else +begin + + IF OBJECT_ID('tempdb..#TempR') IS NOT NULL DROP TABLE #TempR + IF OBJECT_ID('tempdb..#TempRAnswer') IS NOT NULL DROP TABLE #TempRAnswer + + SELECT s.set_name, h.Question_Group_Heading, isnull(count(c.Requirement_Id),0) qc into #tempR + FROM Answer_Requirements a + join NEW_REQUIREMENT c on a.Question_Or_Requirement_Id=c.Requirement_Id + join QUESTION_GROUP_HEADING h on c.Question_Group_Heading_Id = h.Question_Group_Heading_Id + join REQUIREMENT_SETS s on c.Requirement_Id = s.Requirement_Id + join AVAILABLE_STANDARDS v on s.Set_Name = v.Set_Name + where a.Assessment_Id = @assessment_id and v.Assessment_Id = a.Assessment_Id and v.Selected = 1 and a.Answer_Text <> 'NA' + group by s.set_name, Question_Group_Heading + + /**for multiple sets get the unique list of sets and question_group headers + take the cross product + left join and fill 
with zero + Essentially fill in the gaps on the categories + */ + + + insert into #tempR (Set_Name,Question_Group_Heading, QC) + select a.Set_name,a.Question_Group_Heading, qc=0 from + (select * from (select distinct question_group_heading from #tempR) a, (select distinct set_name from #tempR) b) a + left join #tempR on a.question_group_heading=#tempR.question_group_heading and a.set_name = #tempR.set_name + where #tempR.set_name is null + + SELECT s.set_name, h.Question_Group_Heading,count(c.Requirement_Id) qc into #tempRAnswer + FROM Answer_Requirements a + join NEW_REQUIREMENT c on a.Question_Or_Requirement_Id=c.Requirement_Id + join QUESTION_GROUP_HEADING h on c.Question_Group_Heading_Id = h.Question_Group_Heading_Id + join REQUIREMENT_SETS s on c.Requirement_Id = s.Requirement_Id + join AVAILABLE_STANDARDS v on s.Set_Name = v.Set_Name + where a.Assessment_Id = @assessment_id and v.Assessment_Id = a.Assessment_Id and v.Selected = 1 and a.Answer_Text in ('Y','A') + group by s.set_name, Question_Group_Heading + + select t.Set_Name, + s.Short_Name, + t.Question_Group_Heading, + isnull(a.qc,0) yaCount, + isnull(t.qc,0) Actualcr, + --isnull(a.qc,0)/cast(t.qc as decimal(18,3)) * 100 [prc] + round(isnull(cast(a.qc as decimal(18,3))/t.qc,0),5) * 100 [prc] + from #tempR t + left join #tempRAnswer a on t.Set_Name = a.Set_Name and t.Question_Group_Heading = a.Question_Group_Heading + join [SETS] s on t.Set_Name = s.Set_Name + order by Question_Group_Heading desc +end +END +GO +IF @@ERROR <> 0 SET NOEXEC ON +GO +COMMIT TRANSACTION +GO +IF @@ERROR <> 0 SET NOEXEC ON +GO +-- This statement writes to the SQL Server Log so SQL Monitor can show this deployment. 
+IF HAS_PERMS_BY_NAME(N'sys.xp_logevent', N'OBJECT', N'EXECUTE') = 1 +BEGIN + DECLARE @databaseName AS nvarchar(2048), @eventMessage AS nvarchar(2048) + SET @databaseName = REPLACE(REPLACE(DB_NAME(), N'\', N'\\'), N'"', N'\"') + SET @eventMessage = N'Redgate SQL Compare: { "deployment": { "description": "Redgate SQL Compare deployed to ' + @databaseName + N'", "database": "' + @databaseName + N'" }}' + EXECUTE sys.xp_logevent 55000, @eventMessage +END +GO +DECLARE @Success AS BIT +SET @Success = 1 +SET NOEXEC OFF +IF (@Success = 1) PRINT 'The database update succeeded' +ELSE BEGIN + IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION + PRINT 'The database update failed' +END +GO diff --git a/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12110_to_12120_data.sql b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12110_to_12120_data.sql new file mode 100644 index 0000000000..72e57d0d86 --- /dev/null +++ b/CSETWebApi/CSETWeb_Api/CSETWebCore.UpgradeLibrary/VersionUpgrader/SQL/12110_to_12120_data.sql 
@@ -0,0 +1,897 @@ +/* +Run this script on: + +(localdb)\INLLocalDB2022.CSETWeb12110 - This database will be modified + +to synchronize it with: + +(localdb)\INLLocalDB2022.CSETWeb12120 + +You are recommended to back up your database before running this script + +Script created by SQL Data Compare version 14.10.9.22680 from Red Gate Software Ltd at 12/12/2023 1:42:20 PM + +*/ + +SET NUMERIC_ROUNDABORT OFF +GO +SET ANSI_PADDING, ANSI_WARNINGS, CONCAT_NULL_YIELDS_NULL, ARITHABORT, QUOTED_IDENTIFIER, ANSI_NULLS, NOCOUNT ON +GO +SET DATEFORMAT YMD +GO +SET XACT_ABORT ON +GO +SET TRANSACTION ISOLATION LEVEL Serializable +GO +BEGIN TRANSACTION + +PRINT(N'Drop constraints from [dbo].[MATURITY_QUESTIONS]') +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK__MATURITY___Matur__5B638405] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_GROUPINGS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_LEVELS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_MODELS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_OPTIONS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTION_TYPES] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTIONS] + +PRINT(N'Drop constraint FK__HYDRO_DAT__Mat_Q__38652BE2 from [dbo].[HYDRO_DATA]') +ALTER TABLE [dbo].[HYDRO_DATA] NOCHECK CONSTRAINT [FK__HYDRO_DAT__Mat_Q__38652BE2] + +PRINT(N'Drop constraint FK_MATURITY_QUESTIONS_MAT_QUESTION_ID from [dbo].[ISE_ACTIONS]') +ALTER TABLE [dbo].[ISE_ACTIONS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MAT_QUESTION_ID] + +PRINT(N'Drop constraint FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1 from [dbo].[MATURITY_ANSWER_OPTIONS]') +ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS] NOCHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1] + 
+PRINT(N'Drop constraint FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS from [dbo].[MATURITY_QUESTION_PROPS]') +ALTER TABLE [dbo].[MATURITY_QUESTION_PROPS] NOCHECK CONSTRAINT [FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS] + +PRINT(N'Drop constraint FK_MATURITY_REFERENCE_TEXT_MATURITY_QUESTIONS from [dbo].[MATURITY_REFERENCE_TEXT]') +ALTER TABLE [dbo].[MATURITY_REFERENCE_TEXT] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCE_TEXT_MATURITY_QUESTIONS] + +PRINT(N'Drop constraint FK_MATURITY_REFERENCES_MATURITY_QUESTIONS from [dbo].[MATURITY_REFERENCES]') +ALTER TABLE [dbo].[MATURITY_REFERENCES] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCES_MATURITY_QUESTIONS] + +PRINT(N'Drop constraint FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS from [dbo].[MATURITY_SOURCE_FILES]') +ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] NOCHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS] + +PRINT(N'Drop constraint FK_MATURITY_SUB_MODEL_QUESTIONS_MATURITY_QUESTIONS from [dbo].[MATURITY_SUB_MODEL_QUESTIONS]') +ALTER TABLE [dbo].[MATURITY_SUB_MODEL_QUESTIONS] NOCHECK CONSTRAINT [FK_MATURITY_SUB_MODEL_QUESTIONS_MATURITY_QUESTIONS] + +PRINT(N'Drop constraint FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS from [dbo].[TTP_MAT_QUESTION]') +ALTER TABLE [dbo].[TTP_MAT_QUESTION] NOCHECK CONSTRAINT [FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS] + +PRINT(N'Drop constraints from [dbo].[MATURITY_GROUPINGS]') +ALTER TABLE [dbo].[MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_GROUPING_TYPES] +ALTER TABLE [dbo].[MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_MODELS] + +PRINT(N'Drop constraint FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS from [dbo].[MATURITY_DOMAIN_REMARKS]') +ALTER TABLE [dbo].[MATURITY_DOMAIN_REMARKS] NOCHECK CONSTRAINT [FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS] + +PRINT(N'Drop constraints from [dbo].[NEW_REQUIREMENT]') +ALTER TABLE [dbo].[NEW_REQUIREMENT] NOCHECK CONSTRAINT [FK_NEW_REQUIREMENT_NCSF_Category] +ALTER TABLE [dbo].[NEW_REQUIREMENT] NOCHECK 
CONSTRAINT [FK_NEW_REQUIREMENT_QUESTION_GROUP_HEADING] +ALTER TABLE [dbo].[NEW_REQUIREMENT] NOCHECK CONSTRAINT [FK_NEW_REQUIREMENT_SETS] +ALTER TABLE [dbo].[NEW_REQUIREMENT] NOCHECK CONSTRAINT [FK_NEW_REQUIREMENT_STANDARD_CATEGORY] + +PRINT(N'Drop constraint FK_FINANCIAL_REQUIREMENTS_NEW_REQUIREMENT from [dbo].[FINANCIAL_REQUIREMENTS]') +ALTER TABLE [dbo].[FINANCIAL_REQUIREMENTS] NOCHECK CONSTRAINT [FK_FINANCIAL_REQUIREMENTS_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_NERC_RISK_RANKING_NEW_REQUIREMENT from [dbo].[NERC_RISK_RANKING]') +ALTER TABLE [dbo].[NERC_RISK_RANKING] NOCHECK CONSTRAINT [FK_NERC_RISK_RANKING_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_Parameter_Requirements_NEW_REQUIREMENT from [dbo].[PARAMETER_REQUIREMENTS]') +ALTER TABLE [dbo].[PARAMETER_REQUIREMENTS] NOCHECK CONSTRAINT [FK_Parameter_Requirements_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_REQUIREMENT_LEVELS_NEW_REQUIREMENT from [dbo].[REQUIREMENT_LEVELS]') +ALTER TABLE [dbo].[REQUIREMENT_LEVELS] NOCHECK CONSTRAINT [FK_REQUIREMENT_LEVELS_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_REQUIREMENT_QUESTIONS_NEW_REQUIREMENT from [dbo].[REQUIREMENT_QUESTIONS]') +ALTER TABLE [dbo].[REQUIREMENT_QUESTIONS] NOCHECK CONSTRAINT [FK_REQUIREMENT_QUESTIONS_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_REQUIREMENT_QUESTIONS_SETS_NEW_REQUIREMENT from [dbo].[REQUIREMENT_QUESTIONS_SETS]') +ALTER TABLE [dbo].[REQUIREMENT_QUESTIONS_SETS] NOCHECK CONSTRAINT [FK_REQUIREMENT_QUESTIONS_SETS_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_REQUIREMENT_REFERENCES_NEW_REQUIREMENT from [dbo].[REQUIREMENT_REFERENCES]') +ALTER TABLE [dbo].[REQUIREMENT_REFERENCES] NOCHECK CONSTRAINT [FK_REQUIREMENT_REFERENCES_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_REQUIREMENT_SETS_NEW_REQUIREMENT from [dbo].[REQUIREMENT_SETS]') +ALTER TABLE [dbo].[REQUIREMENT_SETS] NOCHECK CONSTRAINT [FK_REQUIREMENT_SETS_NEW_REQUIREMENT] + +PRINT(N'Drop constraint FK_REQUIREMENT_SOURCE_FILES_NEW_REQUIREMENT from 
[dbo].[REQUIREMENT_SOURCE_FILES]') +ALTER TABLE [dbo].[REQUIREMENT_SOURCE_FILES] NOCHECK CONSTRAINT [FK_REQUIREMENT_SOURCE_FILES_NEW_REQUIREMENT] + +PRINT(N'Drop constraints from [dbo].[MATURITY_MODELS]') +ALTER TABLE [dbo].[MATURITY_MODELS] NOCHECK CONSTRAINT [FK_MATURITY_MODELS_MATURITY_LEVEL_USAGE_TYPES] + +PRINT(N'Drop constraint FK_ANALYTICS_MATURITY_GROUPINGS_MATURITY_MODELS from [dbo].[ANALYTICS_MATURITY_GROUPINGS]') +ALTER TABLE [dbo].[ANALYTICS_MATURITY_GROUPINGS] NOCHECK CONSTRAINT [FK_ANALYTICS_MATURITY_GROUPINGS_MATURITY_MODELS] + +PRINT(N'Drop constraint FK__AVAILABLE__model__6F6A7CB2 from [dbo].[AVAILABLE_MATURITY_MODELS]') +ALTER TABLE [dbo].[AVAILABLE_MATURITY_MODELS] NOCHECK CONSTRAINT [FK__AVAILABLE__model__6F6A7CB2] + +PRINT(N'Drop constraint FK_MATURITY_LEVELS_MATURITY_MODELS from [dbo].[MATURITY_LEVELS]') +ALTER TABLE [dbo].[MATURITY_LEVELS] NOCHECK CONSTRAINT [FK_MATURITY_LEVELS_MATURITY_MODELS] + +PRINT(N'Drop constraint FK_MODES_SETS_MATURITY_MODELS_MATURITY_MODELS from [dbo].[MODES_SETS_MATURITY_MODELS]') +ALTER TABLE [dbo].[MODES_SETS_MATURITY_MODELS] NOCHECK CONSTRAINT [FK_MODES_SETS_MATURITY_MODELS_MATURITY_MODELS] + +PRINT(N'Drop constraints from [dbo].[GEN_FILE]') +ALTER TABLE [dbo].[GEN_FILE] NOCHECK CONSTRAINT [FK_GEN_FILE_FILE_REF_KEYS] +ALTER TABLE [dbo].[GEN_FILE] NOCHECK CONSTRAINT [FK_GEN_FILE_FILE_TYPE] + +PRINT(N'Drop constraint FILE_KEYWORDS_GEN_FILE_FK from [dbo].[FILE_KEYWORDS]') +ALTER TABLE [dbo].[FILE_KEYWORDS] NOCHECK CONSTRAINT [FILE_KEYWORDS_GEN_FILE_FK] + +PRINT(N'Drop constraint FK_GEN_FILE_LIB_PATH_CORL_GEN_FILE from [dbo].[GEN_FILE_LIB_PATH_CORL]') +ALTER TABLE [dbo].[GEN_FILE_LIB_PATH_CORL] NOCHECK CONSTRAINT [FK_GEN_FILE_LIB_PATH_CORL_GEN_FILE] + +PRINT(N'Drop constraint FK_MATURITY_REFERENCES_GEN_FILE from [dbo].[MATURITY_REFERENCES]') +ALTER TABLE [dbo].[MATURITY_REFERENCES] NOCHECK CONSTRAINT [FK_MATURITY_REFERENCES_GEN_FILE] + +PRINT(N'Drop constraint FK_MATURITY_SOURCE_FILES_GEN_FILE from 
[dbo].[MATURITY_SOURCE_FILES]') +ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] NOCHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_GEN_FILE] + +PRINT(N'Drop constraint FK_REQUIREMENT_REFERENCES_GEN_FILE from [dbo].[REQUIREMENT_REFERENCES]') +ALTER TABLE [dbo].[REQUIREMENT_REFERENCES] NOCHECK CONSTRAINT [FK_REQUIREMENT_REFERENCES_GEN_FILE] + +PRINT(N'Drop constraint FK_REQUIREMENT_SOURCE_FILES_GEN_FILE from [dbo].[REQUIREMENT_SOURCE_FILES]') +ALTER TABLE [dbo].[REQUIREMENT_SOURCE_FILES] NOCHECK CONSTRAINT [FK_REQUIREMENT_SOURCE_FILES_GEN_FILE] + +PRINT(N'Drop constraint FK_SET_FILES_GEN_FILE from [dbo].[SET_FILES]') +ALTER TABLE [dbo].[SET_FILES] NOCHECK CONSTRAINT [FK_SET_FILES_GEN_FILE] + +PRINT(N'Drop constraint FK_ASSESSMENTS_GALLERY_ITEM from [dbo].[ASSESSMENTS]') +ALTER TABLE [dbo].[ASSESSMENTS] NOCHECK CONSTRAINT [FK_ASSESSMENTS_GALLERY_ITEM] + +PRINT(N'Drop constraint FK_GALLERY_GROUP_DETAILS_GALLERY_ITEM from [dbo].[GALLERY_GROUP_DETAILS]') +ALTER TABLE [dbo].[GALLERY_GROUP_DETAILS] NOCHECK CONSTRAINT [FK_GALLERY_GROUP_DETAILS_GALLERY_ITEM] + +PRINT(N'Update rows in [dbo].[MATURITY_QUESTIONS]') +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Supplemental_Info]=N'

Question Intent:

To determine if services are identified.

Criteria for “Yes” Response:

Criteria for “Incomplete” Response:

' WHERE [Mat_Question_Id] = 1823 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Supplemental_Info]=N'

Question Intent:

To determine if services are prioritized based on analysis of the potential impact if the services are disrupted.

Typical work products:

Criteria for “Yes” Response:

Criteria for “Incomplete” Response:

' WHERE [Mat_Question_Id] = 1824 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Is the principle of least privilege enforced through policies and procedures? ' WHERE [Mat_Question_Id] = 1917 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Supplemental_Info]=N'

+ Question Intent: To determine if the organization has a documented plan for responding to + incidents.
+

+

+ Determine how much of your organization’s operations are dependent on IT. Consider how much + your organization relies on information technology to conduct business and make it a part of your culture to + plan for contingencies in the event of a cyber incident. Identify and prioritize your organization’s + critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that + are necessary to understanding your security planning, operations, and security-related goals. Develop an + understanding of how long it would take to restore normal operations. Resist the “it can’t happen + here” pattern of thinking. Instead, focus cyber risk discussions on “what-if” scenarios and + develop an incident response plan to prepare for various cyber events and scenarios.
+

+

+ Lead development of an incident response plan outlining roles and responsibilities. Test it often. + Incident response plans and disaster recovery plans are crucial to information security, but they are separate + plans. Incident response mainly focuses on information asset protection, while disaster recovery plans focus on + business continuity.
+

+

+ Having a defined process for identifying, analyzing, responding to, and learning from incidents that + interrupt an organization’s operations provides consistent response to cybersecurity incidents and ensures + that objectives are met when handling an incident. Without a defined process, an organization’s incident + response might omit actions that the organization considers important. An incident management plan describes how + the organization will respond to cybersecurity incidents. The objective of the plan should be translated into + specific actions assigned to individuals or groups to perform when an incident occurs. +

+

+ The incident response plan should address, at a minimum: +

+ + +

+ The following sections lay out the discrete steps for developing a plan that implements the incident + management process as described above. +

+

+ Possible Actions: Create an Incident Response Plan +

+ +
    +
  1. + Obtain support for incident management planning. +
  2. +
  3. + Establish an event detection process. +
  4. +
  5. + Establish a triage and analysis process. +
  6. +
  7. + Establish an incident declaration process. +
  8. +
  9. + Establish an incident response and recovery process. +
  10. +
  11. + Establish an incident communications process. +
  12. +
  13. + Establish a post-incident analysis and improvement process. +
  14. +
  15. + Assign roles and responsibilities for incident management, including establishing appropriate + stakeholders for escalation and resolution. +
  16. +
+

+ Criteria for “Yes” Response: +

+ +' WHERE [Mat_Question_Id] = 1926 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'[[Threat]] [[information]] is exchanged with [[stakeholders]] (for example, executives, operations staff, government, connected organizations, vendors, sector organizations, regulators, [[Information Sharing and Analysis Centers|Information Sharing and Analysis Centers (ISACs)]]' WHERE [Mat_Question_Id] = 2056 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'A documented [[cybersecurity]] architecture is established and maintained that includes [[Information Technology|IT]] and [[Operations Technology|OT]] systems and networks and aligns with system and asset categorization and prioritization' WHERE [Mat_Question_Id] = 2276 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'

+ Limit information system access to authorized users, processes acting on behalf of authorized users, or + devices (including other information systems). +

+ +
+ Determine if: + +
' WHERE [Mat_Question_Id] = 4785 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.

Determine if:
[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined; and
[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
', [Supplemental_Info]=N'

+ ASSESSMENT OBJECTIVES [NIST SP 800-171A] +

+

+ Determine if:

+ + +
+

+ POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-171A] + +

+

+ + Examine + +

+ + +

+ [SELECT FROM: Risk assessment policy; security planning policy and procedures; + procedures addressing organizational risk assessments; system security plan; risk assessment; risk assessment + results; risk assessment reviews; risk assessment updates; other relevant documents or records].

+ + +

+ + Interview + +

+ + +

+ [SELECT FROM: Personnel with risk assessment responsibilities; personnel with + information security responsibilities].

+ +

+ + Test + +

+ + +

+ [SELECT FROM: Organizational processes for risk assessment; mechanisms supporting or for + conducting, documenting, reviewing, disseminating, and updating the risk assessment]. +

+
+

+ + DISCUSSION [NIST SP 800-171 R2] + +

+ + +

+ Clearly defined system boundaries are a prerequisite for effective risk assessments. + Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational + operations, organizational assets, and individuals based on the operation and use of organizational systems. + Risk assessments also consider risk from external parties (e.g., service providers, contractor operating + systems on behalf of the organization, individuals accessing organizational system/n/n/n/ns, outsourcing + entities). + Risk assessments, either formal or informal, can be conducted at the organization level, the mission or + business process level, or the system level, and at any phase in the system development life cycle. +

+ + +

+ NIST SP 800-30 provides guidance on conducting risk assessments. +

+

+ + FURTHER DISCUSSION + +

+ +

NOTE: This section is derived from CMMC 1.02 guidance for informational purposes only. It will be + updated when the CMMC 2.0 publications become available.

+ +

+ Risk arises from anything that can reduce an organization''s assurance of + mission/business success; cause harm to image or reputation; or harm individuals, other organizations, + or the Nation.

+ + + +

Organizations assess the risk to their operations and assets at regular + intervals [a]. Areas where weakness or vulnerabilities could lead to risk may include:

+ + + + +

+ When conducting risk assessments use established criteria and procedures. The + results of formal risk assessments are documented. It is important to note that risk assessments differ + from vulnerability assessments (see RM.2.142). A vulnerability assessment provides input to a risk + assessment along with other information such as results from likelihood analysis and analysis of + potential treat sources.

+ +

+ Risk assessments should be performed at defined regular intervals [a]. Mission + risks include anything that will keep an organization from meeting its mission. Function risk is + anything that will prevent the performance of a function. Image and reputation risks refer to intangible + risks that have value and could cause damage to potential or future trust relationships.63

+ +

+ This practice, RM.2.141, which requires periodically assessing the risk to + organization systems, assets, and individuals, is a baseline Risk Management practice. RM.2.141 enables + several other Risk Management practices (e.g., RM.2.143 and RM.3.146), as well as CA.2.159. +

+ +

+ + Example + +

+ +

+ You are a system administrator. You and your team members are working on a big + government contract requiring you to store CUI. As part of your periodic (e.g., annual) risk assessment + exercise, you evaluate the new risk involved with storing CUI [a,b]. When conducting the assessment you + consider increased legal exposure, financial requirements of safeguarding CUI, potentially elevated + attention from external attackers, and other factors. After determining how storing CUI affects your + overall risk profile, you use that as a basis for a conversation on how that risk should be + mitigated.

+ +

+ + Potential Assessment Considerations + +

+ + + + +
  • + Have initial and periodic risk assessments been + conducted [b]?64 + + + +
  • Are methods defined for assessing risk (e.g., reviewing security + assessments, incident reports, and security advisories, identifying threat sources, threat events, and + vulnerabilities, and determining likelihood, impact, and overall risk to the confidentiality of CUI) + [b]? +

    + + KEY REFERENCES + +

    +
      +
    • + NIST SP 800-171 Rev 2 3.11.1 +
    • +
    • NIST CSF v1.1 ID.RA-1, ID.RA-4, DE.AE-4, RS.MI-3
    • +
    • CERT RMM v1.2 RISK:SG4
    • +
    • NIST SP 800-53 Rev 4 RA-3
    • +
    + +
  • +
    ' WHERE [Mat_Question_Id] = 4786 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

    Determine if:
    [a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established;
    [b] system access and credentials are terminated consistent with personnel actions such as termination or transfer; and
    [c] the system is protected during and after personnel transfer actions.
    ' WHERE [Mat_Question_Id] = 4790 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Screen individuals prior to authorizing access to organizational systems containing CUI.

    Determine if:
    [a] individuals are screened prior to authorizing access to organizational systems containing CUI.
    ' WHERE [Mat_Question_Id] = 4791 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Enforce safeguarding measures for CUI at alternate work sites.

    Determine if:
    [a] safeguarding measures for CUI are defined for alternate work sites; and
    [b] safeguarding measures for CUI are enforced for alternate work sites.
    ' WHERE [Mat_Question_Id] = 4792 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Protect and monitor the physical facility and support infrastructure for organizational systems.

    Determine if:
    [a] the physical facility where organizational systems reside is protected;
    [b] the support infrastructure for organizational systems is protected;
    [c] the physical facility where organizational systems reside is monitored; and
    [d] the support infrastructure for organizational systems is monitored.
    ' WHERE [Mat_Question_Id] = 4793 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control and manage physical access devices.

    Determine if:
    [a] physical access devices are identified;
    [b] physical access devices are controlled; and
    [c] physical access devices are managed.
    ' WHERE [Mat_Question_Id] = 4794 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Maintain audit logs of physical access.

    Determine if:
    [a] audit logs of physical access are maintained.
    ' WHERE [Mat_Question_Id] = 4795 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Escort visitors and monitor visitor activity.

    Determine if:
    [a] visitors are escorted; and
    [b] visitor activity is monitored.
    ' WHERE [Mat_Question_Id] = 4796 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

    Determine if:
    [a] authorized individuals allowed physical access are identified;
    [b] physical access to organizational systems is limited to authorized individuals;
    [c] physical access to equipment is limited to authorized individuals; and
    [d] physical access to operating environments is limited to authorized individuals.
    ' WHERE [Mat_Question_Id] = 4797 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.

    Determine if:
    [a] the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
    ' WHERE [Mat_Question_Id] = 4798 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'

    Scan for vulnerabilities in organizational systems and applications periodically and when new + vulnerabilities affecting those systems and applications are identified.

    +

    Determine if:

    +' WHERE [Mat_Question_Id] = 4799 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.

    Determine if:
    [a] access to media containing CUI is controlled; and
    [b] accountability for media containing CUI is maintained during transport outside of controlled areas.

    ' WHERE [Mat_Question_Id] = 4800 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Mark media with necessary CUI markings and distribution limitations.

    Determine if:
    [a] media containing CUI is marked with applicable CUI markings; and
    [b] media containing CUI is marked with distribution limitations.
    ' WHERE [Mat_Question_Id] = 4801 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control the use of removable media on system components.

    Determine if:
    [a] the use of removable media on system components is controlled.
    ' WHERE [Mat_Question_Id] = 4802 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Limit access to CUI on system media to authorized users.

    Determine if:
    [a] access to CUI on system media is limited to authorized users.

    ' WHERE [Mat_Question_Id] = 4803 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

    Determine if:
    [a] paper media containing CUI is physically controlled;
    [b] digital media containing CUI is physically controlled;
    [c] paper media containing CUI is securely stored; and
    [d] digital media containing CUI is securely stored.

    ' WHERE [Mat_Question_Id] = 4804 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

    Determine if:
    [a] system media containing FCI is sanitized or destroyed before disposal; and
    [b] system media containing FCI is sanitized before it is released for reuse.
    ' WHERE [Mat_Question_Id] = 4805 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

    Determine if:
    [a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
    ' WHERE [Mat_Question_Id] = 4806 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Ensure equipment removed for off-site maintenance is sanitized of any CUI.

    Determine if:
    [a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
    ' WHERE [Mat_Question_Id] = 4807 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Supervise the maintenance activities of personnel without required access authorization.

    Determine if:
    [a] maintenance personnel without required access authorization are supervised during maintenance activities.
    ' WHERE [Mat_Question_Id] = 4808 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

    Determine if:
    [a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections; and
    [b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
    ' WHERE [Mat_Question_Id] = 4809 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

    Determine if:
    [a] tools used to conduct system maintenance are controlled;
    [b] techniques used to conduct system maintenance are controlled;
    [c] mechanisms used to conduct system maintenance are controlled; and
    [d] personnel used to conduct system maintenance are controlled.
    ' WHERE [Mat_Question_Id] = 4810 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Perform maintenance on organizational systems.

    Determine if:
    [a] system maintenance is performed.

    ' WHERE [Mat_Question_Id] = 4811 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Test the organizational incident response capability.

    Determine if:
    [a] the incident response capability is tested.
    ' WHERE [Mat_Question_Id] = 4812 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.

    Determine if:
    [a] incidents are tracked;
    [b] incidents are documented;
    [c] authorities to whom incidents are to be reported are identified;
    [d] organizational officials to whom incidents are to be reported are identified;
    [e] identified authorities are notified of incidents; and
    [f] identified organizational officials are notified of incidents.
    ' WHERE [Mat_Question_Id] = 4813 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prohibit the use of portable storage devices when such devices have no identifiable owner.

    Determine if:
    [a] the use of portable storage devices is prohibited when such devices have no identifiable owner.

    ' WHERE [Mat_Question_Id] = 4814 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Remediate vulnerabilities in accordance with risk assessments.

    Determine if:
    [a] vulnerabilities are identified; and
    [b] vulnerabilities are remediated in accordance with risk assessments.
    ' WHERE [Mat_Question_Id] = 4815 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Identify unauthorized use of organizational systems.

    Determine if:
    [a] authorized use of the system is defined; and
    [b] unauthorized use of the system is identified.
    ' WHERE [Mat_Question_Id] = 4819 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

    Determine if:
    [a] the system is monitored to detect attacks and indicators of potential attacks;
    [b] inbound communications traffic is monitored to detect attacks and indicators of potential attacks; and
    [c] outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
    ' WHERE [Mat_Question_Id] = 4820 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Monitor system security alerts and advisories and take action in response.

    Determine if:
    [a] response actions to system security alerts and advisories are identified;
    [b] system security alerts and advisories are monitored; and
    [c] actions in response to system security alerts and advisories are taken.
    ' WHERE [Mat_Question_Id] = 4821 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

    Determine if:
    [a] the frequency for malicious code scans is defined;
    [b] malicious code scans are performed with the defined frequency; and
    [c] real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
    ' WHERE [Mat_Question_Id] = 4822 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Update malicious code protection mechanisms when new releases are available.

    Determine if:
    [a] malicious code protection mechanisms are updated when new releases are available.

    ' WHERE [Mat_Question_Id] = 4823 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Provide protection from malicious code at appropriate locations within organizational information systems.

    Determine if:
    [a] designated locations for malicious code protection are identified; and
    [b] protection from malicious code at designated locations is provided.
    ' WHERE [Mat_Question_Id] = 4824 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Identify, report, and correct information and information system flaws in a timely manner.

    Determine if:
    [a] the time within which to identify system flaws is specified;
    [b] system flaws are identified within the specified time frame;
    [c] the time within which to report system flaws is specified;
    [d] system flaws are reported within the specified time frame;
    [e] the time within which to correct system flaws is specified; and
    [f] system flaws are corrected within the specified time frame.
    ' WHERE [Mat_Question_Id] = 4825 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Protect the confidentiality of CUI at rest.

    Determine if:
    [a] the confidentiality of CUI at rest is protected.
    ' WHERE [Mat_Question_Id] = 4828 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Protect the authenticity of communications sessions.

    Determine if:
    [a] the authenticity of communications sessions is protected.
    ' WHERE [Mat_Question_Id] = 4829 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.

    Determine if:
    [a] use of Voice over Internet Protocol (VoIP) technologies is controlled; and
    [b] use of Voice over Internet Protocol (VoIP) technologies is monitored.
    ' WHERE [Mat_Question_Id] = 4830 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control and monitor the use of mobile code.

    Determine if:
    [a] use of mobile code is controlled; and
    [b] use of mobile code is monitored.
    ' WHERE [Mat_Question_Id] = 4831 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Establish and manage cryptographic keys for cryptography employed in organizational systems.

    Determine if:
    [a] cryptographic keys are established whenever cryptography is employed; and
    [b] cryptographic keys are managed whenever cryptography is employed.
    ' WHERE [Mat_Question_Id] = 4832 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.

    Determine if:
    [a] a period of inactivity to terminate network connections associated with communications sessions is defined;
    [b] network connections associated with communications sessions are terminated at the end of the sessions; and
    [c] network connections associated with communications sessions are terminated after the defined period of inactivity.
    ' WHERE [Mat_Question_Id] = 4833 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

    Determine if:
    [a] cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified;
    [b] alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified; and
    [c] either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
    ' WHERE [Mat_Question_Id] = 4834 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

    Determine if:
    [a] remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
    ' WHERE [Mat_Question_Id] = 4835 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

    Determine if:
    [a] network communications traffic is denied by default; and
    [b] network communications traffic is allowed by exception.
    ' WHERE [Mat_Question_Id] = 4836 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prevent unauthorized and unintended information transfer via shared system resources.

    Determine if:
    [a] unauthorized and unintended information transfer via shared system resources is prevented.
    ' WHERE [Mat_Question_Id] = 4837 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Separate user functionality from system management functionality.

    Determine if:
    [a] user functionality is identified;
    [b] system management functionality is identified; and
    [c] user functionality is separated from system management functionality.
    ' WHERE [Mat_Question_Id] = 4838 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

    Determine if:
    [a] architectural designs that promote effective information security are identified;
    [b] software development techniques that promote effective information security are identified;
    [c] systems engineering principles that promote effective information security are identified;
    [d] identified architectural designs that promote effective information security are employed;
    [e] identified software development techniques that promote effective information security are employed; and
    [f] identified systems engineering principles that promote effective information security are employed.
    ' WHERE [Mat_Question_Id] = 4839 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

    Determine if:
    [a] FIPS-validated cryptography is employed to protect the confidentiality of CUI.
    ' WHERE [Mat_Question_Id] = 4840 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.

    Determine if:
    [a] collaborative computing devices are identified;
    [b] collaborative computing devices provide indication to users of devices in use; and
    [c] remote activation of collaborative computing devices is prohibited.
    ' WHERE [Mat_Question_Id] = 4842 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

    Determine if:
    [a] publicly accessible system components are identified; and
    [b] subnetworks for publicly accessible system components are physically or logically separated from internal networks.
    ' WHERE [Mat_Question_Id] = 4843 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

    Determine if:
    [a] the external system boundary is defined;
    [b] key internal system boundaries are defined;
    [c] communications are monitored at the external system boundary;
    [d] communications are monitored at key internal boundaries;
    [e] communications are controlled at the external system boundary;
    [f] communications are controlled at key internal boundaries;
    [g] communications are protected at the external system boundary; and
    [h] communications are protected at key internal boundaries.
    ' WHERE [Mat_Question_Id] = 4844 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

    Determine if:
    [a] internal system clocks are used to generate time stamps for audit records;
    [b] an authoritative source with which to compare and synchronize internal system clocks is specified; and
    [c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.

    ' WHERE [Mat_Question_Id] = 4852 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

    Determine if:
    [a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified;
    [b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined;
    [c] audit records are created (generated);
    [d] audit records, once created, contain the defined content;
    [e] retention requirements for audit records are defined; and
    [f] audit records are retained as defined.
    ' WHERE [Mat_Question_Id] = 4853 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

    Determine if:
    [a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined; and
    [b] audit records, once created, contain the defined content.
    ' WHERE [Mat_Question_Id] = 4854 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Provide security awareness training on recognizing and reporting potential indicators of insider threat.

    Determine if:
    [a] potential indicators associated with insider threats are identified; and
    [b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
    ' WHERE [Mat_Question_Id] = 4855 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Ensure that personnel are trained to carry out their assigned information security related duties and responsibilities.

    Determine if:
    [a] information security-related duties, roles, and responsibilities are defined;
    [b] information security-related duties, roles, and responsibilities are assigned to designated personnel; and
    [c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
    ' WHERE [Mat_Question_Id] = 4856 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.

    Determine if:
    [a] security risks associated with organizational activities involving CUI are identified;
    [b] policies, standards, and procedures related to the security of the system are identified;
    [c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities; and
    [d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

    ' WHERE [Mat_Question_Id] = 4857 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Encrypt CUI on mobile devices and mobile computing platforms.

    Determine if:
    [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; and
    [b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
    ' WHERE [Mat_Question_Id] = 4859 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Authorize remote execution of privileged commands and remote access to security relevant information.

    Determine if:
    [a] privileged commands authorized for remote execution are identified;
    [b] security-relevant information authorized to be accessed remotely is identified;
    [c] the execution of the identified privileged commands via remote access is authorized; and
    [d] access to the identified security-relevant information via remote access is authorized.
    ' WHERE [Mat_Question_Id] = 4860 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control connection of mobile devices.

    Determine if:
    [a] mobile devices that process, store, or transmit CUI are identified;
    [b] mobile device connections are authorized; and
    [c] mobile device connections are monitored and logged.
    ' WHERE [Mat_Question_Id] = 4861 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Terminate (automatically) user sessions after a defined condition.

    Determine if:
    [a] conditions requiring a user session to terminate are defined; and
    [b] a user session is automatically terminated after any of the defined conditions occur.
    ' WHERE [Mat_Question_Id] = 4862 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

    Determine if:
    [a] privileged functions are defined;
    [b] non-privileged users are defined;
    [c] non-privileged users are prevented from executing privileged functions; and
    [d] the execution of privileged functions is captured in audit logs.

    ' WHERE [Mat_Question_Id] = 4863 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

    Determine if:
    [a] the duties of individuals requiring separation are defined;
    [b] responsibilities for duties that require separation are assigned to separate individuals; and
    [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
    ' WHERE [Mat_Question_Id] = 4864 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

    Determine if:
    [a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified; and
    [b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
    ' WHERE [Mat_Question_Id] = 4865 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Protect wireless access using authentication and encryption.

    Determine if:
    [a] wireless access to the system is protected using authentication; and
    [b] wireless access to the system is protected using encryption.

    ' WHERE [Mat_Question_Id] = 4866 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control the flow of CUI in accordance with approved authorizations.

    Determine if:
    [a] information flow control policies are defined;
    [b] methods and enforcement mechanisms for controlling the flow of CUI are defined;
    [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified;
    [d] authorizations for controlling the flow of CUI are defined; and
    [e] approved authorizations for controlling the flow of CUI are enforced.

    ' WHERE [Mat_Question_Id] = 4867 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Route remote access via managed access control points.

    Determine if:
    [a] managed access control points are identified and implemented; and
    [b] remote access is routed through managed network access control points.
    ' WHERE [Mat_Question_Id] = 4868 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Monitor and control remote access sessions.

    Determine if:
    [a] remote access sessions are permitted;
    [b] the types of permitted remote access are identified;
    [c] remote access sessions are controlled; and
    [d] remote access sessions are monitored.
    ' WHERE [Mat_Question_Id] = 4869 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Authorize wireless access prior to allowing such connections.

    Determine if:
    [a] wireless access points are identified; and
    [b] wireless access is authorized prior to allowing such connections.
    ' WHERE [Mat_Question_Id] = 4870 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.

    Determine if:
    [a] the period of inactivity after which the system initiates a session lock is defined;
    [b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity; and
    [c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.

    ' WHERE [Mat_Question_Id] = 4871 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Limit unsuccessful logon attempts.

    Determine if:
    [a] the means of limiting unsuccessful logon attempts is defined; and
    [b] the defined means of limiting unsuccessful logon attempts is implemented.
    ' WHERE [Mat_Question_Id] = 4872 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Use non-privileged accounts or roles when accessing nonsecurity functions.

    Determine if:
    [a] nonsecurity functions are identified; and
    [b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.

    ' WHERE [Mat_Question_Id] = 4873 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Employ the principle of least privilege, including for specific security functions and privileged accounts.

    Determine if:
    [a] privileged accounts are identified;
    [b] access to privileged accounts is authorized in accordance with the principle of least privilege;
    [c] security functions are identified; and
    [d] access to security functions is authorized in accordance with the principle of least privilege.
    ' WHERE [Mat_Question_Id] = 4874 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Limit use of portable storage devices on external systems.

    Determine if:
    [a] the use of portable storage devices containing CUI on external systems is identified and documented;
    [b] limits on the use of portable storage devices containing CUI on external systems are defined; and
    [c] the use of portable storage devices containing CUI on external systems is limited as defined.
    ' WHERE [Mat_Question_Id] = 4875 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control information posted or processed on publicly accessible information systems.

    Determine if:
    [a] individuals authorized to post or process information on publicly accessible systems are identified;
    [b] procedures to ensure FCI is not posted or processed on publicly accessible systems are identified;
    [c] a review process is in place prior to posting of any content to publicly accessible systems;
    [d] content on publicly accessible systems is reviewed to ensure that it does not include FCI; and
    [e] mechanisms are in place to remove and address improper posting of FCI.
    ' WHERE [Mat_Question_Id] = 4877 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Verify and control/limit connections to and use of external information systems.

    Determine if:
    [a] connections to external systems are identified;
    [b] the use of external systems is identified;
    [c] connections to external systems are verified;
    [d] the use of external systems is verified;
    [e] connections to external systems are controlled/limited; and
    [f] the use of external systems is controlled/limited.
    ' WHERE [Mat_Question_Id] = 4878 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

    Determine if:
    [a] the types of transactions and functions that authorized users are permitted to execute are defined; and
    [b] system access is limited to the defined types of transactions and functions for authorized users.
    ' WHERE [Mat_Question_Id] = 4879 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Review and update logged events.

    Determine if:
    [a] a process for determining when to review logged events is defined;
    [b] event types being logged are reviewed in accordance with the defined review process; and
    [c] event types being logged are updated based on the review.
    ' WHERE [Mat_Question_Id] = 4880 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Alert in the event of an audit logging process failure.

    Determine if:
    [a] personnel or roles to be alerted in the event of an audit logging process failure are identified;
    [b] types of audit logging process failures for which alert will be generated are defined; and
    [c] identified personnel or roles are alerted in the event of an audit logging process failure.

    ' WHERE [Mat_Question_Id] = 4882 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

    Determine if:
    [a] audit information is protected from unauthorized access;
    [b] audit information is protected from unauthorized modification;
    [c] audit information is protected from unauthorized deletion;
    [d] audit logging tools are protected from unauthorized access;
    [e] audit logging tools are protected from unauthorized modification; and
    [f] audit logging tools are protected from unauthorized deletion.
    ' WHERE [Mat_Question_Id] = 4883 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.

    Determine if:
    [a] an operational incident-handling capability is established;
    [b] the operational incident-handling capability includes preparation;
    [c] the operational incident-handling capability includes detection;
    [d] the operational incident-handling capability includes analysis;
    [e] the operational incident-handling capability includes containment;
    [f] the operational incident-handling capability includes recovery; and
    [g] the operational incident-handling capability includes user response activities.
    ' WHERE [Mat_Question_Id] = 4884 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Disable identifiers after a defined period of inactivity.

    Determine if:
    [a] a period of inactivity after which an identifier is disabled is defined; and
    [b] identifiers are disabled after the defined period of inactivity.
    ' WHERE [Mat_Question_Id] = 4885 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prevent the reuse of identifiers for a defined period.

    Determine if:
    [a] a period within which identifiers cannot be reused is defined; and
    [b] reuse of identifiers is prevented within the defined period.
    ' WHERE [Mat_Question_Id] = 4886 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

    Determine if:
    [a] replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
    ' WHERE [Mat_Question_Id] = 4887 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Use multifactor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts.

    Determine if:
    [a] privileged accounts are identified;
    [b] multifactor authentication is implemented for local access to privileged accounts;
    [c] multifactor authentication is implemented for network access to privileged accounts; and
    [d] multifactor authentication is implemented for network access to non-privileged accounts.

    ' WHERE [Mat_Question_Id] = 4888 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Obscure feedback of authentication information.

    Determine if:
    [a] authentication information is obscured during the authentication process.
    ' WHERE [Mat_Question_Id] = 4889 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Store and transmit only cryptographically-protected passwords.

    Determine if:
    [a] passwords are cryptographically protected in storage; and
    [b] passwords are cryptographically protected in transit.
    ' WHERE [Mat_Question_Id] = 4890 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Allow temporary password use for system logons with an immediate change to a permanent password.

    Determine if:
    [a] an immediate change to a permanent password is required when a temporary password is used for system logon.
    ' WHERE [Mat_Question_Id] = 4891 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Prohibit password reuse for a specified number of generations.

    Determine if:
    [a] the number of generations during which a password cannot be reused is specified and
    [b] reuse of passwords is prohibited during the specified number of generations.

    ' WHERE [Mat_Question_Id] = 4892 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Enforce a minimum password complexity and change of characters when new passwords are created.

    Determine if:
    [a] password complexity requirements are defined;
    [b] password change of character requirements are defined;
    [c] minimum password complexity requirements as defined are enforced when new passwords are created; and
    [d] minimum password change of character requirements as defined are enforced when new passwords are created.

    ' WHERE [Mat_Question_Id] = 4893 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

    Determine if:
    [a] the identity of each user is authenticated or verified as a prerequisite to system access;
    [b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access; and
    [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
    ' WHERE [Mat_Question_Id] = 4894 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Identify information system users, processes acting on behalf of users, or devices.

    Determine if:
    [a] system users are identified;
    [b] processes acting on behalf of users are identified; and
    [c] devices accessing the system are identified.
    ' WHERE [Mat_Question_Id] = 4895 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

    Determine if:
    [a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified;
    [b] the software allowed to execute under whitelisting or denied use under blacklisting is specified; and
    [c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
    ' WHERE [Mat_Question_Id] = 4896 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

    Determine if:
    [a] essential programs are defined;
    [b] the use of nonessential programs is defined;
    [c] the use of nonessential programs is restricted, disabled, or prevented as defined;
    [d] essential functions are defined;
    [e] the use of nonessential functions is defined;
    [f] the use of nonessential functions is restricted, disabled, or prevented as defined;
    [g] essential ports are defined;
    [h] the use of nonessential ports is defined;
    [i] the use of nonessential ports is restricted, disabled, or prevented as defined;
    [j] essential protocols are defined;
    [k] the use of nonessential protocols is defined;
    [l] the use of nonessential protocols is restricted, disabled, or prevented as defined;
    [m] essential services are defined;
    [n] the use of nonessential services is defined; and
    [o] the use of nonessential services is restricted, disabled, or prevented as defined.
    ' WHERE [Mat_Question_Id] = 4897 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

    Determine if:
    [a] physical access restrictions associated with changes to the system are defined;
    [b] physical access restrictions associated with changes to the system are documented;
    [c] physical access restrictions associated with changes to the system are approved;
    [d] physical access restrictions associated with changes to the system are enforced;
    [e] logical access restrictions associated with changes to the system are defined;
    [f] logical access restrictions associated with changes to the system are documented;
    [g] logical access restrictions associated with changes to the system are approved; and
    [h] logical access restrictions associated with changes to the system are enforced.
    ' WHERE [Mat_Question_Id] = 4898 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Analyze the security impact of changes prior to implementation.

    Determine if:
    [a] the security impact of changes to the system is analyzed prior to implementation.
    ' WHERE [Mat_Question_Id] = 4899 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Track, review, approve, or disapprove, and log changes to organizational systems.

    Determine if:
    [a] changes to the system are tracked;
    [b] changes to the system are reviewed;
    [c] changes to the system are approved or disapproved; and
    [d] changes to the system are logged.
    ' WHERE [Mat_Question_Id] = 4900 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Establish and enforce security configuration settings for information technology products employed in organizational systems.

    Determine if:
    [a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration; and
    [b] security configuration settings for information technology products employed in the system are enforced.
    ' WHERE [Mat_Question_Id] = 4901 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Control and monitor user installed software.

    Determine if:
    [a] a policy for controlling the installation of software by users is established;
    [b] installation of software by users is controlled based on the established policy; and
    [c] installation of software by users is monitored.
    ' WHERE [Mat_Question_Id] = 4902 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

    Determine if:
    [a] essential system capabilities are defined based on the principle of least functionality; and
    [b] the system is configured to provide only the defined essential capabilities.
    ' WHERE [Mat_Question_Id] = 4903 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

    Determine if:
    [a] a baseline configuration is established;
    [b] the baseline configuration includes hardware, software, firmware, and documentation;
    [c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle;
    [d] a system inventory is established;
    [e] the system inventory includes hardware, software, firmware, and documentation; and
    [f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
    ' WHERE [Mat_Question_Id] = 4904 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

    Determine if:
    [a] security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
    ' WHERE [Mat_Question_Id] = 4906 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

    Determine if:
    [a] deficiencies and vulnerabilities to be addressed by the plan of action are identified;
    [b] a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities; and
    [c] the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
    ' WHERE [Mat_Question_Id] = 4907 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

    Determine if:
    [a] the frequency of security control assessments is defined; and
    [b] security controls are assessed with the defined frequency to determine if the controls are effective in their application.
    ' WHERE [Mat_Question_Id] = 4908 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

    Determine if:
    [a] a system security plan is developed;
    [b] the system boundary is described and documented in the system security plan;
    [c] the system environment of operation is described and documented in the system security plan;
    [d] the security requirements identified and approved by the designated authority as non-applicable are identified;
    [e] the method of security requirement implementation is described and documented in the system security plan;
    [f] the relationship with or connection to other systems is described and documented in the system security plan;
    [g] the frequency to update the system security plan is defined; and [h] system security plan is updated with the defined frequency.
    ' WHERE [Mat_Question_Id] = 4909 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Provide audit record reduction and report generation to support on-demand analysis and reporting.

    Determine if:
    [a] an audit record reduction capability that supports on-demand analysis is provided; and
    [b] a report generation capability that supports on-demand reporting is provided.
    ' WHERE [Mat_Question_Id] = 4910 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

    Determine if:
    [a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined; and
    [b] defined audit record review, analysis, and reporting processes are correlated.
    ' WHERE [Mat_Question_Id] = 4911 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Limit management of audit logging functionality to a subset of privileged users.

    Determine if:
    [a] a subset of privileged users granted access to manage audit logging functionality is defined; and
    [b] management of audit logging functionality is limited to the defined subset of privileged users.
    ' WHERE [Mat_Question_Id] = 4912 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How do you manage software and hardware changes in your organization? ' WHERE [Mat_Question_Id] = 5219 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Supplemental_Info]=N'

    Control Objective

    +

    Centrally manage [Assignment: organization-defined controls and related processes].

    +

    Supplemental Guidance

    + +

    Central management refers to + organization-wide management and implementation of selected controls and processes. This includes planning, + implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and + processes. As the central management of controls is generally associated with the concept of common (inherited) + controls, such management promotes and facilitates standardization of control implementations and management and the + judicious use of organizational resources.

    + +

    Centrally managed controls and processes may also meet independence requirements for assessments in support of + initial and ongoing authorizations to operate and as part of organizational continuous monitoring.

    + +

    + Automated tools (e.g., security information and event management tools or enterprise security monitoring and + management tools) can improve the accuracy, consistency, and availability of information associated with centrally + managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; + alerting mechanisms; and dashboards to support risk-based decision-making within the organization. +

    + +

    As part of the control selection processes, organizations determine the controls that may be suitable for + central management based on resources and capabilities. It is not always possible to centrally manage every + aspect of a control.

    + +

    In such cases, the control can be treated as a hybrid control with the control managed and implemented + centrally or at the system level. The controls and control enhancements that are candidates for full or partial + central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all), AC-17(1), + AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), + AT-3(1), AT-3(2), AT-3(3), AT-4, AU-3, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, + AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), + CM-4, CM-6, CM-6(1), CM-7(2), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, + SI-2, SI-3, SI-4(all), SI-7, SI-8. +

    + +

    + Related Controls: PL-8, PM-9. +

    ' WHERE [Mat_Question_Id] = 5226 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How do you keep track of your user? ' WHERE [Mat_Question_Id] = 5246 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How is accesses to critical equipment controlled? ' WHERE [Mat_Question_Id] = 5247 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How do you keep access up to date? ' WHERE [Mat_Question_Id] = 5249 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How are critical assets protected? ' WHERE [Mat_Question_Id] = 5250 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'What is required for me to gain access to your facility? ' WHERE [Mat_Question_Id] = 5252 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does your facility/plant have any public access? ' WHERE [Mat_Question_Id] = 5253 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How do you keep access devices up-to-date? ' WHERE [Mat_Question_Id] = 5254 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'How are distribution and communication lines protected? ' WHERE [Mat_Question_Id] = 5255 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'What does your organization do to restrict the use of certain types of media on systems (removable and stationary)? (TAB9)' WHERE [Mat_Question_Id] = 5257 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Do you have a cyber policy? ' WHERE [Mat_Question_Id] = 5261 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Were efforts to create a cyber policy helpful? ' WHERE [Mat_Question_Id] = 5262 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Do you have plans to update cybersecurity plan? ' WHERE [Mat_Question_Id] = 5263 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'What positions in your organization have system security roles? 
' WHERE [Mat_Question_Id] = 5264 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization have the capability to manage capacity, bandwidth, or other +redundancy to limit negative impacts?' WHERE [Mat_Question_Id] = 6230 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization have the capability to deploy storage or compute resources dynamically?

    ' WHERE [Mat_Question_Id] = 6233 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Has the organization defined its role in the supply chain and reviewed it for updates at least annually?

    ' WHERE [Mat_Question_Id] = 6237 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Are the associations between assets and the critical service they support documented and updated as needed at least annually?

    ' WHERE [Mat_Question_Id] = 6246 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Has the organization identified the data connections (data flows) between the critical service and other systems, including other critical services, to understand critical dependencies?' WHERE [Mat_Question_Id] = 6247 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Is the prioritization of assets reviewed and validated?

    ' WHERE [Mat_Question_Id] = 6248 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels?

    ' WHERE [Mat_Question_Id] = 6260 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization require individuals accessing the system to employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations?

    ' WHERE [Mat_Question_Id] = 6261 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Are multiple, distinct authentication challenges over the course of a session employed to confirm identity?

    ' WHERE [Mat_Question_Id] = 6262 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Are both network and host-based intrusion detection employed for the protection of the HVA/critical service?

    ' WHERE [Mat_Question_Id] = 6263 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization implement controls that monitor physical access to the system in addition to the physical access monitoring of facilities (where there is a concentration of system components, including server rooms, media storage areas, and communications centers)?

    ' WHERE [Mat_Question_Id] = 6264 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers?

    ' WHERE [Mat_Question_Id] = 6276 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization synchronize duplicate systems or system components?

    ' WHERE [Mat_Question_Id] = 6277 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization employ a penetration testing process that includes attempts to bypass or circumvent controls associated with physical access points to the facility?' WHERE [Mat_Question_Id] = 6282 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'

    Does the organization require the developer of the system, system component, or system service to perform penetration testing:

    a. at a given level of rigor (breadth and depth) and

    b. under organization-defined constraints?

    ' WHERE [Mat_Question_Id] = 6283 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization conduct red-team exercises to simulate attempts by adversaries in real-world conditions to compromise organizational systems in accordance with applicable rules of engagement?' WHERE [Mat_Question_Id] = 6284 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'

    Does the organization disrupt and adversely affect the system or system component to validate the effectiveness of protections?

    ' WHERE [Mat_Question_Id] = 6285 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization test backup information with certain frequency to verify media reliability and information integrity?' WHERE [Mat_Question_Id] = 6286 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization:
    (a) Allow the use of authentication factors that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
    (b) Enforce a limit of consecutive invalid logon attempts through use of the alternative factors by a user during an organization-defined time period.
    ' WHERE [Mat_Question_Id] = 6293 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the organization document which audit logs are to be monitored along with each log’s retention period and is that documentation reviewed at least annually?

    ' WHERE [Mat_Question_Id] = 6433 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Does the length of time that each identified audit log (including archives) is retained meet its documented retention requirements?' WHERE [Mat_Question_Id] = 6434 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Is the audit log repository protected from unauthorized modification or deletion?' WHERE [Mat_Question_Id] = 6435 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Is access to the audit log repository restricted to those with a business need?' WHERE [Mat_Question_Id] = 6436 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'Are configuration baselines employed in the following organizational systems? (Select all that apply)' WHERE [Mat_Question_Id] = 6515 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'In a manner compliant with the most current versions of the National Institute of Standards and Technology (NIST) Digital Identity Guidelines, does the Owner/Operator:

    Implement and complete a mandatory password reset of all passwords within Information Technology systems (such as corporate remote access and Virtual Private Networks)?

    GUIDANCE: These actions must be consistent with industry standards, such as those in NIST Special Publication 800-63: Digital Identity Guidelines, and CISA''s Emergency Directive 21-01 (December 13, 2020) (available at https://cyber.dhs.gov/ed/21-01/).
    ' WHERE [Mat_Question_Id] = 9976 +UPDATE [dbo].[MATURITY_QUESTIONS] SET [Question_Text]=N'

    In a manner compliant with the most current versions of the National Institute of Standards and Technology + (NIST) Digital Identity Guidelines, does the Owner/Operator:

    + +

    Implement and complete a mandatory password reset(s) of all equipment within Operational + Technology systems, including Programmable Logic Controllers?

    + +

    PLEASE NOTE: The Owner/Operator must continue to comply with any TSA-approved + alternative measures previously approved for systems where implementing a mandatory password reset is not + technically feasible. +

    + +

    GUIDANCE: These actions must be consistent with industry standards, such as those in NIST Special Publication + 800-63: Digital Identity Guidelines, and CISA''s Emergency Directive 21-01 (December 13, 2020) (available at + https://cyber.dhs.gov/ed/21-01/). +

    ' WHERE [Mat_Question_Id] = 9977 +PRINT(N'Operation applied to 155 rows out of 155') + +PRINT(N'Update rows in [dbo].[MATURITY_GROUPINGS]') +UPDATE [dbo].[MATURITY_GROUPINGS] SET [Description]=N'

    Protecting your systems requires knowing which devices are connected to your network, which applications are in + use, who has access to them, and the security measures in place. A cyber-ready business keeps its systems up-to-date + and secure. These actions can support a proactive risk management culture and limit the risk of compromise.

    +

    Remove unsupported or unauthorized hardware and software. Supported hardware and software generally allow you to + receive updates and patches for vulnerabilities that otherwise are not available for unauthorized and unsupported + assets. Inventory authorized hardware and software throughout your organization. Know the physical location and user + of the hardware to keep patching updates current. This also allows for any unauthorized hardware or software to be + identified and removed.

    ' WHERE [Grouping_Id] = 177 +UPDATE [dbo].[MATURITY_GROUPINGS] SET [Description]=N'

    Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it + often. Incident response plans and disaster recovery plans are crucial to information security, but they are + separate plans. Incident response mainly focuses on information asset protection, while disaster recovery plans + focus on business continuity. Once you develop a plan, test the plan using realistic simulations (known as + "war-gaming"), where roles and responsibilities are assigned to the people who manage cyber incident + responses. This ensures that your plan is effective and that you have the appropriate people involved in the plan. + Disaster recovery plans minimize recovery time by efficiently recovering critical systems.

    +

    Plan, prepare, and conduct drills for cyber-attacks and incidents as you would a fire or robbery. Make your reaction + to cyber incidents or system outages an extension of your other business contingency plans. This involves having + incident response plans and procedures, trained staff, assigned roles and responsibilities, and incident + communications plans.

    ' WHERE [Grouping_Id] = 181 +UPDATE [dbo].[MATURITY_GROUPINGS] SET [Description]=N'For a "YES" response, first determine if all of the question objectives are met. If only some, but not all +objectives are met, it is advised to mark a "NO" response and utilize the comments, observations, and mark +for review functions for tracking purposes.' WHERE [Grouping_Id] = 1187 +UPDATE [dbo].[MATURITY_GROUPINGS] SET [Description]=N'

    Until the Owner/Operator''s Cybersecurity Implementation Plan (as required by Section II.B. of the SD02C Security + Directive) is approved by TSA, the Owner/Operator must apply the following cybersecurity measures, as modified by + any TSA-approved alternative measures, and/or action plans, previously issued to the requirements in the Security + Directive Pipeline2021-02 series.

    +

    The following requirements must be applied to any Information and/or Operational Technology system connected to a + critical pipeline system or facility identified by TSA.

    ' WHERE [Grouping_Id] = 2616 +PRINT(N'Operation applied to 4 rows out of 4') + +PRINT(N'Update rows in [dbo].[NEW_REQUIREMENT]') +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31205 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31206 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31207 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31208 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31209 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31210 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31211 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31212 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31213 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31214 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31215 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31216 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31217 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=18 WHERE [Requirement_Id] = 31218 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31219 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31220 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31221 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31222 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31223 
+UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31224 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31225 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31226 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31227 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31228 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31229 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=10 WHERE [Requirement_Id] = 31230 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=5 WHERE [Requirement_Id] = 31231 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=5 WHERE [Requirement_Id] = 31232 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=5 WHERE [Requirement_Id] = 31233 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=5 WHERE [Requirement_Id] = 31234 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=5 WHERE [Requirement_Id] = 31235 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=5 WHERE [Requirement_Id] = 31236 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31237 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31238 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31239 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31240 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31241 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31242 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31243 +UPDATE [dbo].[NEW_REQUIREMENT] SET 
[Question_Group_Heading_Id]=4 WHERE [Requirement_Id] = 31244 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31252 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31253 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31254 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31255 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31256 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31257 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31258 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31259 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31260 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31261 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31262 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=6 WHERE [Requirement_Id] = 31263 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31264 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31265 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31266 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31267 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31268 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31269 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=72 WHERE [Requirement_Id] = 31270 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE 
[Requirement_Id] = 31271 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE [Requirement_Id] = 31272 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE [Requirement_Id] = 31273 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE [Requirement_Id] = 31274 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE [Requirement_Id] = 31275 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE [Requirement_Id] = 31276 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=25 WHERE [Requirement_Id] = 31277 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=81 WHERE [Requirement_Id] = 31278 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=81 WHERE [Requirement_Id] = 31279 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=81 WHERE [Requirement_Id] = 31280 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=81 WHERE [Requirement_Id] = 31281 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=81 WHERE [Requirement_Id] = 31282 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31302 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31303 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31304 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31305 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31306 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31307 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31308 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31309 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=51 WHERE [Requirement_Id] = 31310 +UPDATE 
[dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31318 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31319 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31320 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31321 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31322 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31323 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31324 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31325 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31326 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31327 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31328 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31329 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31330 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=47 WHERE [Requirement_Id] = 31331 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31332 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31333 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31334 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31335 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31336 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31337 +UPDATE [dbo].[NEW_REQUIREMENT] SET 
[Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31338 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31339 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=17 WHERE [Requirement_Id] = 31340 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=49 WHERE [Requirement_Id] = 31341 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=49 WHERE [Requirement_Id] = 31342 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=49 WHERE [Requirement_Id] = 31343 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=49 WHERE [Requirement_Id] = 31344 +UPDATE [dbo].[NEW_REQUIREMENT] SET [Question_Group_Heading_Id]=49 WHERE [Requirement_Id] = 31345 +PRINT(N'Operation applied to 108 rows out of 108') + +PRINT(N'Update rows in [dbo].[MATURITY_MODELS]') +UPDATE [dbo].[MATURITY_MODELS] SET [Model_Name]=N'SD02 Series' WHERE [Maturity_Model_Id] = 14 +UPDATE [dbo].[MATURITY_MODELS] SET [Model_Name]=N'SD02 Owner' WHERE [Maturity_Model_Id] = 16 +PRINT(N'Operation applied to 2 rows out of 2') + +PRINT(N'Update rows in [dbo].[GEN_FILE]') +UPDATE [dbo].[GEN_FILE] SET [Title]=N'LTCU 01-CU-11: Electronic Data Security Overview' WHERE [Gen_File_Id] = 6088 +UPDATE [dbo].[GEN_FILE] SET [Title]=N'LTCU - 06-CU-07: IT Security Compliance Guide for Credit Unions' WHERE [Gen_File_Id] = 6092 +UPDATE [dbo].[GEN_FILE] SET [Title]=N'LTCU - 01-CU-21: Diaster Recovery and Business Resumption' WHERE [Gen_File_Id] = 6095 +UPDATE [dbo].[GEN_FILE] SET [Title]=N'LTCU 08-CU-01: Pandemic Planning' WHERE [Gen_File_Id] = 6097 +UPDATE [dbo].[GEN_FILE] SET [Title]=N'LTCU 03-CU-14: Computer Software Patch Management' WHERE [Gen_File_Id] = 6099 +UPDATE [dbo].[GEN_FILE] SET [Title]=N'LTCU 01-CU-20: Due Diligence Over Third Parties' WHERE [Gen_File_Id] = 6118 +UPDATE [dbo].[GEN_FILE] SET [File_Type_Id]=31, [File_Name]=N'ACET Workbook Guide.pdf', [File_Size]=831488 WHERE [Gen_File_Id] = 7071 +UPDATE [dbo].[GEN_FILE] 
SET [Title]=N'LTCU 23-CU-07: Cyber Incident Notification Requirements' WHERE [Gen_File_Id] = 7073 +PRINT(N'Operation applied to 8 rows out of 8') + +PRINT(N'Update row in [dbo].[GALLERY_ITEM]') +UPDATE [dbo].[GALLERY_ITEM] SET [Is_Visible]=0 WHERE [Gallery_Item_Guid] = '4737748d-c762-4459-bc76-393e816c6a2d' + +PRINT(N'Add constraints to [dbo].[MATURITY_QUESTIONS]') +ALTER TABLE [dbo].[MATURITY_QUESTIONS] CHECK CONSTRAINT [FK__MATURITY___Matur__5B638405] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_GROUPINGS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_LEVELS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_MODELS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_OPTIONS] +ALTER TABLE [dbo].[MATURITY_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MATURITY_QUESTION_TYPES] +ALTER TABLE [dbo].[HYDRO_DATA] WITH CHECK CHECK CONSTRAINT [FK__HYDRO_DAT__Mat_Q__38652BE2] +ALTER TABLE [dbo].[ISE_ACTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTIONS_MAT_QUESTION_ID] +ALTER TABLE [dbo].[MATURITY_ANSWER_OPTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_ANSWER_OPTIONS_MATURITY_QUESTIONS1] +ALTER TABLE [dbo].[MATURITY_QUESTION_PROPS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_QUESTION_PROPS_MATURITY_QUESTIONS] +ALTER TABLE [dbo].[MATURITY_REFERENCE_TEXT] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_REFERENCE_TEXT_MATURITY_QUESTIONS] +ALTER TABLE [dbo].[MATURITY_REFERENCES] CHECK CONSTRAINT [FK_MATURITY_REFERENCES_MATURITY_QUESTIONS] +ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] CHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_MATURITY_QUESTIONS] +ALTER TABLE [dbo].[MATURITY_SUB_MODEL_QUESTIONS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_SUB_MODEL_QUESTIONS_MATURITY_QUESTIONS] +ALTER TABLE [dbo].[TTP_MAT_QUESTION] WITH CHECK CHECK CONSTRAINT 
[FK_TTP_MAT_QUESTION_MATURITY_QUESTIONS] + +PRINT(N'Add constraints to [dbo].[MATURITY_GROUPINGS]') +ALTER TABLE [dbo].[MATURITY_GROUPINGS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_GROUPINGS_MATURITY_GROUPING_TYPES] +ALTER TABLE [dbo].[MATURITY_DOMAIN_REMARKS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_DOMAIN_REMARKS_MATURITY_GROUPINGS] + +PRINT(N'Add constraints to [dbo].[NEW_REQUIREMENT]') +ALTER TABLE [dbo].[NEW_REQUIREMENT] CHECK CONSTRAINT [FK_NEW_REQUIREMENT_NCSF_Category] +ALTER TABLE [dbo].[NEW_REQUIREMENT] WITH CHECK CHECK CONSTRAINT [FK_NEW_REQUIREMENT_QUESTION_GROUP_HEADING] +ALTER TABLE [dbo].[NEW_REQUIREMENT] CHECK CONSTRAINT [FK_NEW_REQUIREMENT_STANDARD_CATEGORY] +ALTER TABLE [dbo].[FINANCIAL_REQUIREMENTS] WITH CHECK CHECK CONSTRAINT [FK_FINANCIAL_REQUIREMENTS_NEW_REQUIREMENT] +ALTER TABLE [dbo].[NERC_RISK_RANKING] CHECK CONSTRAINT [FK_NERC_RISK_RANKING_NEW_REQUIREMENT] +ALTER TABLE [dbo].[PARAMETER_REQUIREMENTS] CHECK CONSTRAINT [FK_Parameter_Requirements_NEW_REQUIREMENT] +ALTER TABLE [dbo].[REQUIREMENT_LEVELS] CHECK CONSTRAINT [FK_REQUIREMENT_LEVELS_NEW_REQUIREMENT] +ALTER TABLE [dbo].[REQUIREMENT_QUESTIONS] CHECK CONSTRAINT [FK_REQUIREMENT_QUESTIONS_NEW_REQUIREMENT] +ALTER TABLE [dbo].[REQUIREMENT_QUESTIONS_SETS] WITH CHECK CHECK CONSTRAINT [FK_REQUIREMENT_QUESTIONS_SETS_NEW_REQUIREMENT] +ALTER TABLE [dbo].[REQUIREMENT_REFERENCES] CHECK CONSTRAINT [FK_REQUIREMENT_REFERENCES_NEW_REQUIREMENT] +ALTER TABLE [dbo].[REQUIREMENT_SETS] CHECK CONSTRAINT [FK_REQUIREMENT_SETS_NEW_REQUIREMENT] +ALTER TABLE [dbo].[REQUIREMENT_SOURCE_FILES] CHECK CONSTRAINT [FK_REQUIREMENT_SOURCE_FILES_NEW_REQUIREMENT] + +PRINT(N'Add constraints to [dbo].[MATURITY_MODELS]') +ALTER TABLE [dbo].[MATURITY_MODELS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_MODELS_MATURITY_LEVEL_USAGE_TYPES] +ALTER TABLE [dbo].[ANALYTICS_MATURITY_GROUPINGS] WITH CHECK CHECK CONSTRAINT [FK_ANALYTICS_MATURITY_GROUPINGS_MATURITY_MODELS] +ALTER TABLE [dbo].[AVAILABLE_MATURITY_MODELS] WITH CHECK CHECK 
CONSTRAINT [FK__AVAILABLE__model__6F6A7CB2] +ALTER TABLE [dbo].[MATURITY_LEVELS] WITH CHECK CHECK CONSTRAINT [FK_MATURITY_LEVELS_MATURITY_MODELS] +ALTER TABLE [dbo].[MODES_SETS_MATURITY_MODELS] WITH CHECK CHECK CONSTRAINT [FK_MODES_SETS_MATURITY_MODELS_MATURITY_MODELS] + +PRINT(N'Add constraints to [dbo].[GEN_FILE]') +ALTER TABLE [dbo].[GEN_FILE] WITH CHECK CHECK CONSTRAINT [FK_GEN_FILE_FILE_REF_KEYS] +ALTER TABLE [dbo].[GEN_FILE] WITH CHECK CHECK CONSTRAINT [FK_GEN_FILE_FILE_TYPE] +ALTER TABLE [dbo].[FILE_KEYWORDS] CHECK CONSTRAINT [FILE_KEYWORDS_GEN_FILE_FK] +ALTER TABLE [dbo].[GEN_FILE_LIB_PATH_CORL] CHECK CONSTRAINT [FK_GEN_FILE_LIB_PATH_CORL_GEN_FILE] +ALTER TABLE [dbo].[MATURITY_REFERENCES] CHECK CONSTRAINT [FK_MATURITY_REFERENCES_GEN_FILE] +ALTER TABLE [dbo].[MATURITY_SOURCE_FILES] CHECK CONSTRAINT [FK_MATURITY_SOURCE_FILES_GEN_FILE] +ALTER TABLE [dbo].[REQUIREMENT_REFERENCES] CHECK CONSTRAINT [FK_REQUIREMENT_REFERENCES_GEN_FILE] +ALTER TABLE [dbo].[REQUIREMENT_SOURCE_FILES] CHECK CONSTRAINT [FK_REQUIREMENT_SOURCE_FILES_GEN_FILE] +ALTER TABLE [dbo].[SET_FILES] WITH CHECK CHECK CONSTRAINT [FK_SET_FILES_GEN_FILE] +ALTER TABLE [dbo].[ASSESSMENTS] WITH CHECK CHECK CONSTRAINT [FK_ASSESSMENTS_GALLERY_ITEM] +ALTER TABLE [dbo].[GALLERY_GROUP_DETAILS] WITH CHECK CHECK CONSTRAINT [FK_GALLERY_GROUP_DETAILS_GALLERY_ITEM] +COMMIT TRANSACTION +GO diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_0.si b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_0.si index fd7ebef2fd..40e4a34bad 100644 Binary files a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_0.si and b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_0.si differ diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_1.si b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_1.si index ec971b538c..22dbff28a6 100644 Binary files a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_1.si and b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_1.si differ 
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfe b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfe
index 48f6bfab3a..f47b1c8425 100644
Binary files a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfe and b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfe differ
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfs b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfs
index 42e1afab26..d5559374ff 100644
Binary files a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfs and b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.cfs differ
diff --git a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.si b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.si
index d7aa85113a..1f002dadc4 100644
Binary files a/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.si and b/CSETWebApi/CSETWeb_Api/CSETWeb_ApiCore/LuceneIndex/_2.si differ
diff --git a/CSETWebNg/main-electron.js b/CSETWebNg/main-electron.js
index 503b5c0f38..5cf49bd001 100644
--- a/CSETWebNg/main-electron.js
+++ b/CSETWebNg/main-electron.js
@@ -286,7 +286,7 @@ function createWindow() {
 // Setup external links in child windows
 childWindow.webContents.setWindowOpenHandler(details => {
- if (!details.url.startsWith('file:///')) {
+ if (!details.url.startsWith('file:///') && !details.url.startsWith('http://localhost')) {
 shell.openExternal(details.url);
 return {action: 'deny'};
 }
@@ -306,7 +306,7 @@ function createWindow() {
 // Setup external links in child windows
 childWindow.webContents.setWindowOpenHandler(details => {
- if (!details.url.startsWith('file:///')) {
+ if (!details.url.startsWith('file:///') && !details.url.startsWith('http://localhost')) {
 shell.openExternal(details.url);
 return {action: 'deny'};
 } else {
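Review bot: `details.url.startsWith('http://localhost')` is a string-prefix test, so a URL whose text merely begins with those characters (a longer hostname, or a userinfo part ahead of the real host) is no longer sent to `shell.openExternal` and instead reaches the in-app branch; the same condition is added in the hunks at -306 and -317. Compare parsed components instead of the raw string, for example `const u = new URL(details.url);` followed by `if (u.protocol !== 'file:' && !(u.protocol === 'http:' && u.hostname === 'localhost')) {`, ideally in one helper shared by the three handlers, and deny any URL that fails to parse. createWindow starts and ends outside these hunks, so what the non-external path returns in the first handler is not visible here.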
@@ -317,8 +317,8 @@ function createWindow() {
 return {
 action: 'deny'
 };
- // Navigating to external url if not using file protocol; open in web browser
- } else if (!details.url.startsWith('file:///')) {
+ // Navigating to external url if not using file protocol or localhost; open in web browser
+ } else if (!details.url.startsWith('file:///') && !details.url.startsWith('http://localhost')) {
 shell.openExternal(details.url);
 return {action: 'deny'};
 }
diff --git a/CSETWebNg/src/app/services/config.service.ts b/CSETWebNg/src/app/services/config.service.ts
index ca1f8dfc24..a07b3eeddd 100644
--- a/CSETWebNg/src/app/services/config.service.ts
+++ b/CSETWebNg/src/app/services/config.service.ts
@@ -73,7 +73,7 @@ export class ConfigService {
 * Constructor.
 * @param http
 */
- constructor(private http: HttpClient, @Inject(DOCUMENT) private document: Document) { }
+ constructor(private http: HttpClient, @Inject(DOCUMENT) private document: Document) {}
 /**
 *
@@ -108,7 +108,7 @@ export class ConfigService {
 .toPromise()
 .then((cisaAssessorWorkflowEnabled) => {
 if (cisaAssessorWorkflowEnabled) {
- return this.enableCisaAssessorWorkflow()
+ return this.enableCisaAssessorWorkflow();
 }
 localStorage.setItem('installationMode', this.config.installationMode.toUpperCase());
@@ -133,12 +133,12 @@ export class ConfigService {
 }
 checkLocalDocStatus() {
- return this.http.get(this.apiUrl + 'HasLocalDocuments')
+ return this.http.get(this.apiUrl + 'HasLocalDocuments');
 }
 checkOnlineDocStatus() {
 // TODO: temporary return until we get this working in production
- return this.http.get(this.apiUrl + 'HasLocalDocuments')
+ return this.http.get(this.apiUrl + 'HasLocalDocuments');
 }
 /**
@@ -155,12 +155,13 @@ export class ConfigService {
 const appProtocol = this.config.app.protocol + '://';
 if (localStorage.getItem('apiUrl') != null) {
 this.apiUrl = localStorage.getItem('apiUrl') + '/' + this.config.api.apiIdentifier + '/';
+ this.docUrl = localStorage.getItem('apiUrl') + '/' + this.config.api.documentsIdentifier + '/';
 } else {
 this.apiUrl = apiProtocol + this.config.api.url + apiPort + '/' + this.config.api.apiIdentifier + '/';
+ this.docUrl = apiProtocol + this.config.api.url + apiPort + '/' + this.config.api.documentsIdentifier + '/';
 }
 this.appUrl = appProtocol + this.config.app.appUrl + appPort;
- this.docUrl = apiProtocol + this.config.api.url + apiPort + '/' + this.config.api.documentsIdentifier + '/';
 this.onlineUrl = this.config.api.onlineUrl;
 this.helpContactEmail = this.config.helpContactEmail;
 this.helpContactPhone = this.config.helpContactPhone;
@@ -173,7 +174,6 @@ export class ConfigService {
 this.initialized = true;
 }
-
 checkOnlineStatusFromConfig() {
 this.checkLocalDocStatus().subscribe(
 (resp: boolean) => {
@@ -182,7 +182,7 @@ export class ConfigService {
 () => {
 this.isDocUrl = false;
 }
- )
+ );
 this.checkOnlineDocStatus().subscribe(
 (resp: boolean) => {
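Review bot: The added `this.docUrl = localStorage.getItem('apiUrl') + ...` in the -155 hunk makes the documents base URL, like `apiUrl` on the line above it, come from a `localStorage` value that is used without validation, so whatever can write that key for this origin decides where document requests and links point. Read the value once and check it before use, e.g. `const storedApiUrl = localStorage.getItem('apiUrl');`, and accept it only when `new URL(storedApiUrl)` parses with an `http:` or `https:` protocol, otherwise fall back to the config-derived URLs in the `else` branch. The enclosing method starts and ends outside the hunk, so where the key is written is not visible here.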
@@ -270,74 +270,74 @@ export class ConfigService {
 switchConfigsForMode(installationMode) {
 switch (installationMode) {
- case 'ACET':
- {
- var x = this.document.getElementsByClassName('root');
- if (x.length > 0) {
- x[0].classList.add('acet-background');
- }
-
- var x = document.getElementsByClassName('ncua-seal');
- if (x.length > 0) {
- x[0].classList.remove('d-none');
- }
-
- // change favicon and title
- const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
- link.href = 'assets/icons/favicon_acet.ico?app=acet1';
-
- var title = this.document.querySelector('title');
- title.innerText = 'ACET';
- }
- break;
- case 'TSA':
- {
- // change favicon and title
- const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
- link.href = 'assets/icons/favicon_tsa.ico?app=tsa1';
-
- var title = this.document.querySelector('title');
- title.innerText = 'CSET-TSA';
- }
- break;
- case 'CF':
- {
- // change favicon and title
- const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
- link.href = 'assets/icons/favicon_cf.ico?app=cf1';
-
- var title = this.document.querySelector('title');
- title.innerText = 'CSET-CF';
+ case 'ACET':
+ {
+ var x = this.document.getElementsByClassName('root');
+ if (x.length > 0) {
+ x[0].classList.add('acet-background');
 }
- break;
- case 'RRA':
- {
- // change favicon and title
- const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
- link.href = 'assets/icons/favicon_rra.ico?app=rra1';
-
- var title = this.document.querySelector('title');
- title.innerText = 'CISA - Ransomware Readiness';
- }
- break;
- case 'RENEW':
- {
- // change favicon and title
- const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
- link.href = 'assets/icons/favicon_renew.ico?app=renew1';
-
- var title = this.document.querySelector('title');
- title.innerText = 'CSET Renewables';
+
+ var x = document.getElementsByClassName('ncua-seal');
+ if (x.length > 0) {
+ x[0].classList.remove('d-none');
 }
- break;
- default: {
+
+ // change favicon and title
+ const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
+ link.href = 'assets/icons/favicon_acet.ico?app=acet1';
+
+ var title = this.document.querySelector('title');
+ title.innerText = 'ACET';
+ }
+ break;
+ case 'TSA':
+ {
+ // change favicon and title
+ const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
+ link.href = 'assets/icons/favicon_tsa.ico?app=tsa1';
+
+ var title = this.document.querySelector('title');
+ title.innerText = 'CSET-TSA';
+ }
+ break;
+ case 'CF':
+ {
+ // change favicon and title
+ const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
+ link.href = 'assets/icons/favicon_cf.ico?app=cf1';
+
+ var title = this.document.querySelector('title');
+ title.innerText = 'CSET-CF';
+ }
+ break;
+ case 'RRA':
+ {
 // change favicon and title
 const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
- link.href = 'assets/icons/favicon_cset.ico?app=cset';
+ link.href = 'assets/icons/favicon_rra.ico?app=rra1';
 var title = this.document.querySelector('title');
- title.innerText = 'CSET';
+ title.innerText = 'CISA - Ransomware Readiness';
 }
+ break;
+ case 'RENEW':
+ {
+ // change favicon and title
+ const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
+ link.href = 'assets/icons/favicon_renew.ico?app=renew1';
+
+ var title = this.document.querySelector('title');
+ title.innerText = 'CSET Renewables';
+ }
+ break;
+ default: {
+ // change favicon and title
+ const link: HTMLLinkElement = this.document.querySelector("link[rel~='icon']");
+ link.href = 'assets/icons/favicon_cset.ico?app=cset';
+
+ var title = this.document.querySelector('title');
+ title.innerText = 'CSET';
+ }
 }
 }
 }