
The support site for the Unified Compliance Framework


The Metrics reporting standard

One of the things you’ll want to create is a standard for how you are going to manage each of your metrics. This is a pretty simple standard that has nine parts:

1. The metric Control ID which is exactly the same thing as the UCF Control ID (because the creation of a metric is actually a control).

2. The update date and time so that the end users know when the document was last revised.

3. The metric definition itself which has been provided by the UCF controls taken directly from the key authority documents.

4. The authority documents being complied with which has also been taken directly from the UCF control list and references each of the specific metrics as stated by the authority documents.

5. The metric formula as specified by the authority document which is also listed in the UCF controls list.

6. The target goal that the measurement should be reporting against, such as “100% of all systems in place have been appropriately patched.”

7. The data source which was either extracted from the authority document and added to the UCF control, or if the authority document didn’t list a data source, the UCF team has suggested one.

8. The report format which states how the report should be formatted – especially if the report is going to be a slide presentation or graphic report.

9. Applicable controls are those controls for which this specific metric can be used for reporting purposes.

The standard below was created automatically from within the Unified Compliance Framework's database. An entire suite of these tables (one for each metric tracked by the UCF) is provided in the Implementing Metrics Management bundle.

Where does this information come from?

The information that you are reading here in this report comes from the UCF's XML database. We'll repeat each of the fields here with a descriptor for where the information can be found within the XML specification documents.

All of the information within the metrics reporting standard can be found online within the UCF Controls XML table.

Information

XML Source Field

1. The metric Control ID which is exactly the same thing as the UCF Control ID (because the creation of a metric is actually a control)

2. The metric title. UCF_CE_Control_Title

3. The update date and time so that the end users know when the document was last revised.

4. The metric definition itself which has been provided by the UCF controls taken directly from the key authority documents.

5. The authority documents being complied with which has also been taken directly from the UCF control list and references each of the specific metrics as stated by the authority documents.

See Building the Assigned Controls List below

6. The metric formula as specified by the authority document which is also listed in the UCF controls list.

7. The target goal that the measurement should be reporting against, such as “100% of all systems in place have been appropriately patched.”

8. The data source which was either extracted from the authority document and added to the UCF control, or if the authority document didn’t list a data source, the UCF team has suggested one.

9. The report format which states how the report should be formatted – especially if the report is going to be a slide presentation or graphic report.

10. Applicable controls are those controls for which this specific metric can be used for reporting purposes.

See Building the Assigned Controls List below

All of the information about the XML fields is also covered in The Metrics XML specification document.

Building the Assigned Controls list

The Assigned Controls list is derived from the join table that connects records designated as Controls in the UCF Controls List back to records designated as Metrics in the same UCF Controls List, with a few added calculations for formatting purposes.

To begin with, you'll want to create a new field in whatever table holds your Controls list that is the combination of the Control Title plus a bracketed Control ID. We'll call this element Title_with_ID.

You'll then connect your Controls List (records as Controls) to your Controls list (records as Metrics) through the Controls to Metrics Join as shown in the diagram below.

[image]

Then within the Controls list, you'll want to create a new field that creates a bulleted list of all related Title_with_ID elements, such as "List(Controls_To_Metrics_Join::Title_with_ID)." That's it really. This will give you the list of Assigned Controls. You don't need this calculated title field to create a list of citations, as you can just use the list of citations as is (with semicolons as separators instead of paragraph marks).
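
The self-join described above, sketched in Python with SQLite as an added example (it is not code from the UCF or from this page). Apart from Title_with_ID and Controls_To_Metrics_Join, the table and column names are assumptions, and the sample records are constructed placeholders rather than real UCF controls.

```python
import sqlite3

# Constructed sample data: IDs and titles are placeholders, not real UCF records.
# 00003 and 00004 play the role of records designated as Metrics.
CONTROLS = [
    ("00001", "Establish a patch management program"),
    ("00002", "Apply security patches to all systems"),
    ("00003", "Percentage of systems appropriately patched"),
    ("00004", "Percentage of vendors reviewed"),
]
# (control_id, metric_id) pairs: the Controls to Metrics join table.
JOIN_ROWS = [("00001", "00003"), ("00002", "00003")]


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE controls (
            control_id TEXT PRIMARY KEY,
            title      TEXT NOT NULL
        );
        CREATE TABLE controls_to_metrics_join (
            control_id TEXT NOT NULL REFERENCES controls(control_id),
            metric_id  TEXT NOT NULL REFERENCES controls(control_id),
            PRIMARY KEY (control_id, metric_id)
        );
        -- Title_with_ID: the Control Title plus a bracketed Control ID.
        CREATE VIEW controls_with_id AS
            SELECT control_id, title || ' [' || control_id || ']' AS title_with_id
            FROM controls;
    """)
    db.executemany("INSERT INTO controls VALUES (?, ?)", CONTROLS)
    db.executemany("INSERT INTO controls_to_metrics_join VALUES (?, ?)", JOIN_ROWS)
    return db


def assigned_controls(db, metric_id):
    """Return the Title_with_ID of every control joined to this metric record."""
    rows = db.execute(
        """SELECT c.title_with_id
           FROM controls_to_metrics_join AS j
           JOIN controls_with_id AS c ON c.control_id = j.control_id
           WHERE j.metric_id = ?
           ORDER BY c.control_id""",
        (metric_id,),
    )
    return [r[0] for r in rows]


def as_bulleted_list(items):
    # Counterpart of List(...): one entry per line; empty when nothing is joined.
    return "\n".join(f"- {item}" for item in items)
```

A metric with no rows in the join table yields an empty list, which makes metrics that are not yet assigned to any control easy to spot in the generated standard.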
