In this article:
  1. Bring Your Own Model (BYOM)
    1. Process
    2. Considerations
      1. Scoring conversions
      2. Dimensions

Bring Your Own Model (BYOM)

BYOM allows users of Axio360 to upload a custom model into Axio360. The model can be an existing cyber security framework that is not officially offered in Axio360, a model with customized changes to an existing framework, or a completely custom model.

Axio provides a BYOM template to import a custom model into the platform. The topics in this section explain the template structure, what information to provide in the template, and the import process.

The dashboard export for BYOM-based assessments is not currently supported.

Process

During the initial roll-out, the following general workflow is in place for introducing a custom model to Axio360 through BYOM:

  1. The customer provides Axio Support with a completed BYOM template file.
  2. Axio Support relays the model to Axio Engineering for BYOM processing.
  3. Once processed, Axio Support provisions the model to the customer’s account and notifies the customer of its availability in Axio360.

Axio360 works with two BYOM model templates:

Considerations

Please reach out to Axio Support with questions regarding the following information.

Scoring conversions

The only aggregation methods supported are SUM and AVERAGE.

In Axio360, most models follow a 4-point answer scale with the model’s max scoring value defaulting to 1000.

With a 4-point answer scale, the organization’s performance of the practice described in a subcategory for a status of:

  • Fully Implemented (FI) or complete means that the practice is performed as described in the subcategory. Full credit of 1 point is given.
  • Largely Implemented (LI) means that the practice is performed as described in the subcategory, but there is some recognized improvement opportunity for achieving framework, organizational, or critical infrastructure objectives. A credit of 0.8 points is given.
  • Partially Implemented (PI) or incomplete means that the implementation of the practice as described in the subcategory is incomplete — there are multiple opportunities for improvement concerning achieving framework, organizational, or critical infrastructure objectives. A credit of 0.2 is given.
  • Not Implemented (NI) or absent means the practice is not performed in the organization. No credit (0 points) is given.

Any custom model must use the scoring conversions that are the best fit for it. Sometimes, each subcategory is given the same weight in the overall score. For example, each CSF subcategory has the same weight in the overall score for NIST CSF. Given that there are 108 subcategories in CSF, each subcategory gets a credit of 9.26, with the final score on the dashboard rounded. LI and FI receive a 100% implementation credit for the NIST CSF bar chart on the dashboard, while practices that are PI and NI receive 0%.

The C2M2 model, for example, follows the standard 4-point scale credits, and any incomplete MIL1 practices (NI or PI) are set to block implementation credit for related MIL2 practices at the objective level. Similarly, incomplete MIL2 practices (NI or PI) are set to block implementation credit for related MIL3 practices at the objective level.

Each model's specific aggregation method also factors into the scoring conversions and must be defined before a custom model is imported.
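
The scoring conversions described in this section can be checked by hand before a template is submitted. The Python sketch below is an added example, not Axio360 code: the function names are hypothetical, and the way the status credit is combined with the equal subcategory weight, as well as the treatment of every practice in an objective as "related" for MIL blocking, are assumptions.

```python
# Added illustration, not Axio360 code. Status credits are the ones listed above.
CREDIT = {"FI": 1.0, "LI": 0.8, "PI": 0.2, "NI": 0.0}
COMPLETE = {"FI", "LI"}  # the page calls NI or PI practices "incomplete"


def aggregate(values, method):
    """Combine values with one of the two supported aggregation methods."""
    if not values:
        raise ValueError("nothing to aggregate")
    if method == "SUM":
        return sum(values)
    if method == "AVERAGE":
        return sum(values) / len(values)
    raise ValueError(f"unsupported aggregation method: {method}")


def subcategory_weight(count, max_score=1000):
    """Equal weighting: every subcategory is worth max_score / count."""
    return max_score / count


def overall_score(statuses, max_score=1000):
    """Assumed formula: status credit x equal weight, summed, then rounded."""
    weight = subcategory_weight(len(statuses), max_score)
    return round(aggregate([CREDIT[s] * weight for s in statuses], "SUM"))


def bar_chart_percent(statuses):
    """Bar-chart view: FI and LI count as 100% implemented, PI and NI as 0%."""
    done = [100.0 if s in COMPLETE else 0.0 for s in statuses]
    return aggregate(done, "AVERAGE")


def mil_credits(objective):
    """objective maps a MIL (1, 2, 3) to the statuses of its practices.
    Assumption: all practices in the objective are 'related', and a block
    carries upward, so an incomplete MIL1 practice also blocks MIL3."""
    credits, blocked = {}, False
    for mil in sorted(objective):
        statuses = objective[mil]
        credits[mil] = [0.0 if blocked else CREDIT[s] for s in statuses]
        blocked = blocked or any(s not in COMPLETE for s in statuses)
    return credits


if __name__ == "__main__":
    csf = ["FI"] * 54 + ["LI"] * 27 + ["PI"] * 27  # constructed 108 answers
    print(round(subcategory_weight(108), 2), overall_score(csf), bar_chart_percent(csf))
    print(mil_credits({1: ["FI", "PI"], 2: ["FI", "LI"], 3: ["FI"]}))
```

With the constructed answers, the same assessment scores differently on the 4-point scale than in the bar-chart view, because LI is rounded up to full credit and PI down to none in the latter.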

Dimensions

Models don’t always have the same dimensions, which need to be matched or potentially disabled for the assessment to work correctly.
