@blamejs/exceptd-skills 0.10.0 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -0
- package/bin/exceptd.js +303 -9
- package/data/_indexes/_meta.json +2 -2
- package/data/playbooks/ai-api.json +400 -90
- package/data/playbooks/containers.json +406 -94
- package/data/playbooks/cred-stores.json +374 -89
- package/data/playbooks/crypto.json +369 -87
- package/data/playbooks/framework.json +376 -86
- package/data/playbooks/hardening.json +357 -84
- package/data/playbooks/kernel.json +324 -77
- package/data/playbooks/mcp.json +407 -92
- package/data/playbooks/runtime.json +345 -81
- package/data/playbooks/sbom.json +497 -111
- package/data/playbooks/secrets.json +352 -83
- package/lib/playbook-runner.js +77 -7
- package/lib/schemas/playbook.schema.json +5 -0
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
|
@@ -10,11 +10,26 @@
|
|
|
10
10
|
"date": "2026-05-11",
|
|
11
11
|
"summary": "Initial seven-phase compliance-theater correlation playbook. Analyze-heavy: ingests findings from upstream playbooks (kernel / mcp / ai-api / crypto / sbom), correlates them to per-framework gaps, fires escalation_criteria when paper-compliance claims fail theater tests. Cross-walks across NIST 800-53, ISO 27001:2022, SOC 2, PCI DSS 4.0, NIS2, DORA, EU AI Act, UK CAF, AU ISM/Essential 8, SG MAS TRM, JP NISC, IN CERT-In, CA OSFI B-10.",
|
|
12
12
|
"cves_added": [],
|
|
13
|
-
"framework_gaps_updated": [
|
|
13
|
+
"framework_gaps_updated": [
|
|
14
|
+
"nist-800-53-meta",
|
|
15
|
+
"iso-27001-2022-meta",
|
|
16
|
+
"soc2-meta",
|
|
17
|
+
"pci-dss-4-meta",
|
|
18
|
+
"nis2-meta",
|
|
19
|
+
"dora-meta",
|
|
20
|
+
"eu-ai-act-meta",
|
|
21
|
+
"uk-caf-meta",
|
|
22
|
+
"au-essential-8-meta",
|
|
23
|
+
"sg-mas-trm-meta",
|
|
24
|
+
"jp-nisc-meta",
|
|
25
|
+
"in-cert-meta",
|
|
26
|
+
"ca-osfi-b10-meta"
|
|
27
|
+
]
|
|
14
28
|
}
|
|
15
29
|
],
|
|
16
30
|
"owner": "@blamejs/grc",
|
|
17
31
|
"air_gap_mode": false,
|
|
32
|
+
"scope": "cross-cutting",
|
|
18
33
|
"preconditions": [
|
|
19
34
|
{
|
|
20
35
|
"id": "upstream-findings-available",
|
|
@@ -31,7 +46,6 @@
|
|
|
31
46
|
}
|
|
32
47
|
]
|
|
33
48
|
},
|
|
34
|
-
|
|
35
49
|
"domain": {
|
|
36
50
|
"name": "Compliance theater correlation and framework-gap mapping",
|
|
37
51
|
"attack_class": "compliance-theater",
|
|
@@ -41,15 +55,29 @@
|
|
|
41
55
|
"cwe_refs": [],
|
|
42
56
|
"d3fend_refs": [],
|
|
43
57
|
"frameworks_in_scope": [
|
|
44
|
-
"nist-800-53",
|
|
45
|
-
"
|
|
46
|
-
"
|
|
47
|
-
"
|
|
58
|
+
"nist-800-53",
|
|
59
|
+
"nist-800-82",
|
|
60
|
+
"nist-csf-2",
|
|
61
|
+
"iso-27001-2022",
|
|
62
|
+
"soc2",
|
|
63
|
+
"pci-dss-4",
|
|
64
|
+
"nis2",
|
|
65
|
+
"dora",
|
|
66
|
+
"eu-ai-act",
|
|
67
|
+
"eu-cra",
|
|
68
|
+
"uk-caf",
|
|
69
|
+
"au-ism",
|
|
70
|
+
"au-essential-8",
|
|
71
|
+
"sg-mas-trm",
|
|
72
|
+
"jp-nisc",
|
|
73
|
+
"in-cert",
|
|
74
|
+
"ca-osfi-b10",
|
|
75
|
+
"hipaa",
|
|
76
|
+
"nerc-cip",
|
|
77
|
+
"cmmc"
|
|
48
78
|
]
|
|
49
79
|
},
|
|
50
|
-
|
|
51
80
|
"phases": {
|
|
52
|
-
|
|
53
81
|
"govern": {
|
|
54
82
|
"jurisdiction_obligations": [
|
|
55
83
|
{
|
|
@@ -58,7 +86,12 @@
|
|
|
58
86
|
"obligation": "submit_governance_evidence",
|
|
59
87
|
"window_hours": 720,
|
|
60
88
|
"clock_starts": "manual",
|
|
61
|
-
"evidence_required": [
|
|
89
|
+
"evidence_required": [
|
|
90
|
+
"compliance_theater_verdicts",
|
|
91
|
+
"framework_gap_mapping",
|
|
92
|
+
"exception_register",
|
|
93
|
+
"risk_acceptance_records"
|
|
94
|
+
]
|
|
62
95
|
},
|
|
63
96
|
{
|
|
64
97
|
"jurisdiction": "EU",
|
|
@@ -66,7 +99,11 @@
|
|
|
66
99
|
"obligation": "submit_governance_evidence",
|
|
67
100
|
"window_hours": 720,
|
|
68
101
|
"clock_starts": "manual",
|
|
69
|
-
"evidence_required": [
|
|
102
|
+
"evidence_required": [
|
|
103
|
+
"ict_risk_governance_evidence",
|
|
104
|
+
"framework_lag_declarations",
|
|
105
|
+
"compensating_controls_register"
|
|
106
|
+
]
|
|
70
107
|
},
|
|
71
108
|
{
|
|
72
109
|
"jurisdiction": "EU",
|
|
@@ -74,7 +111,11 @@
|
|
|
74
111
|
"obligation": "notify_regulator",
|
|
75
112
|
"window_hours": 24,
|
|
76
113
|
"clock_starts": "detect_confirmed",
|
|
77
|
-
"evidence_required": [
|
|
114
|
+
"evidence_required": [
|
|
115
|
+
"theater_detected_summary",
|
|
116
|
+
"affected_controls",
|
|
117
|
+
"interim_compensating_control_record"
|
|
118
|
+
]
|
|
78
119
|
},
|
|
79
120
|
{
|
|
80
121
|
"jurisdiction": "UK",
|
|
@@ -82,7 +123,11 @@
|
|
|
82
123
|
"obligation": "submit_governance_evidence",
|
|
83
124
|
"window_hours": 8760,
|
|
84
125
|
"clock_starts": "manual",
|
|
85
|
-
"evidence_required": [
|
|
126
|
+
"evidence_required": [
|
|
127
|
+
"caf_outcome_assessment",
|
|
128
|
+
"gap_register",
|
|
129
|
+
"remediation_roadmap"
|
|
130
|
+
]
|
|
86
131
|
},
|
|
87
132
|
{
|
|
88
133
|
"jurisdiction": "AU",
|
|
@@ -90,7 +135,10 @@
|
|
|
90
135
|
"obligation": "notify_regulator",
|
|
91
136
|
"window_hours": 72,
|
|
92
137
|
"clock_starts": "validate_complete",
|
|
93
|
-
"evidence_required": [
|
|
138
|
+
"evidence_required": [
|
|
139
|
+
"materiality_assessment",
|
|
140
|
+
"remediation_completed_evidence"
|
|
141
|
+
]
|
|
94
142
|
},
|
|
95
143
|
{
|
|
96
144
|
"jurisdiction": "SG",
|
|
@@ -98,7 +146,10 @@
|
|
|
98
146
|
"obligation": "submit_governance_evidence",
|
|
99
147
|
"window_hours": 8760,
|
|
100
148
|
"clock_starts": "manual",
|
|
101
|
-
"evidence_required": [
|
|
149
|
+
"evidence_required": [
|
|
150
|
+
"technology_risk_management_evidence",
|
|
151
|
+
"gap_register"
|
|
152
|
+
]
|
|
102
153
|
}
|
|
103
154
|
],
|
|
104
155
|
"theater_fingerprints": [
|
|
@@ -106,37 +157,57 @@
|
|
|
106
157
|
"pattern_id": "audit-clean-but-finding-active",
|
|
107
158
|
"claim": "Audit opinion is unqualified (SOC 2 clean, ISO 27001:2022 certified, NIS2 compliant) — controls are operating effectively.",
|
|
108
159
|
"fast_detection_test": "For each upstream playbook finding with active exploitation indicator or RWEP >= 75: identify the framework control(s) the org claims address the finding. Compare the audit opinion date to the finding's RWEP date. If the audit opinion is clean AND was issued after the threat became operational reality AND the finding remains unremediated, the audit is structurally non-informative about this exposure.",
|
|
109
|
-
"implicated_controls": [
|
|
160
|
+
"implicated_controls": [
|
|
161
|
+
"soc2-clean-opinion",
|
|
162
|
+
"iso-27001-2022-cert",
|
|
163
|
+
"nis2-art21"
|
|
164
|
+
]
|
|
110
165
|
},
|
|
111
166
|
{
|
|
112
167
|
"pattern_id": "framework-lag-without-compensating-control",
|
|
113
168
|
"claim": "Framework lag is acknowledged; compensating controls are in place.",
|
|
114
169
|
"fast_detection_test": "For each framework with declared lag (govern phase of upstream playbook): confirm the org has documented compensating controls AND those controls were tested in the last 90 days. Theater if lag declared but compensating controls absent OR untested OR last test predates the most recent operational threat.",
|
|
115
|
-
"implicated_controls": [
|
|
170
|
+
"implicated_controls": [
|
|
171
|
+
"nist-800-53-CA-7",
|
|
172
|
+
"iso-27001-2022-A.5.36"
|
|
173
|
+
]
|
|
116
174
|
},
|
|
117
175
|
{
|
|
118
176
|
"pattern_id": "policy-exception-without-expiry",
|
|
119
177
|
"claim": "Policy exceptions are documented and managed.",
|
|
120
178
|
"fast_detection_test": "Pull the exception register. For each exception, verify: (a) explicit duration with calendar expiry, (b) named risk-acceptance owner at correct authority level (CISO+ for high-RWEP), (c) compensating controls listed AND tested, (d) re-evaluation triggers documented. Theater if any high-RWEP exception lacks expiry, named owner, or tested compensating controls.",
|
|
121
|
-
"implicated_controls": [
|
|
179
|
+
"implicated_controls": [
|
|
180
|
+
"nist-800-53-CA-7",
|
|
181
|
+
"iso-27001-2022-A.5.36",
|
|
182
|
+
"soc2-CC9"
|
|
183
|
+
]
|
|
122
184
|
},
|
|
123
185
|
{
|
|
124
186
|
"pattern_id": "framework-jurisdictional-monoculture",
|
|
125
187
|
"claim": "We are SOC 2 / ISO 27001:2022 / NIST 800-53 compliant — our compliance posture is comprehensive.",
|
|
126
188
|
"fast_detection_test": "If the org operates in EU / UK / AU / SG / JP / IN / CA / HK / TW / IL / CH / ID / VN: confirm at least one binding jurisdictional framework is in scope (NIS2 / DORA / EU AI Act for EU; NCSC CAF for UK; APRA CPS 234 / Essential 8 for AU; MAS TRM for SG; NISC / FISC for JP; CERT-In Directions for IN; OSFI B-10 for CA). Theater if US-centric compliance program operates in a regulated jurisdiction without jurisdictional framework mapping.",
|
|
127
|
-
"implicated_controls": [
|
|
189
|
+
"implicated_controls": [
|
|
190
|
+
"global-grc-meta"
|
|
191
|
+
]
|
|
128
192
|
},
|
|
129
193
|
{
|
|
130
194
|
"pattern_id": "control-mapping-without-tempo",
|
|
131
195
|
"claim": "We have a control-mapping matrix — every control mapped across frameworks.",
|
|
132
196
|
"fast_detection_test": "Pick any control row in the org's framework-mapping matrix. Confirm it carries: (a) framework-specific tempo (patch SLA, notification window, audit cycle), (b) measured operational performance against tempo, (c) gap declaration where tempo lags operational reality. Theater if the matrix is presence-of-control only with no tempo and no gap.",
|
|
133
|
-
"implicated_controls": [
|
|
197
|
+
"implicated_controls": [
|
|
198
|
+
"nist-800-53-meta",
|
|
199
|
+
"iso-27001-2022-meta"
|
|
200
|
+
]
|
|
134
201
|
},
|
|
135
202
|
{
|
|
136
203
|
"pattern_id": "ai-controls-deferred-to-future-framework",
|
|
137
204
|
"claim": "AI security controls are tracked for inclusion when frameworks publish guidance.",
|
|
138
205
|
"fast_detection_test": "Check whether the org has operational controls for: (a) MCP server trust, (b) prompt injection as access-control bypass, (c) AI-API egress baseline, (d) AI-generated-code provenance, (e) model-weights supply-chain integrity. Theater if none of these are operational AND the org uses AI coding assistants / AI APIs / AI workloads in production. Deferring to future framework guidance is theater when the threat is current.",
|
|
139
|
-
"implicated_controls": [
|
|
206
|
+
"implicated_controls": [
|
|
207
|
+
"eu-ai-act-art15",
|
|
208
|
+
"iso-27001-2022-A.8.30",
|
|
209
|
+
"nist-800-53-SA-12"
|
|
210
|
+
]
|
|
140
211
|
}
|
|
141
212
|
],
|
|
142
213
|
"framework_context": {
|
|
@@ -235,9 +306,13 @@
|
|
|
235
306
|
}
|
|
236
307
|
]
|
|
237
308
|
},
|
|
238
|
-
"skill_preload": [
|
|
309
|
+
"skill_preload": [
|
|
310
|
+
"framework-gap-analysis",
|
|
311
|
+
"compliance-theater",
|
|
312
|
+
"global-grc",
|
|
313
|
+
"policy-exception-gen"
|
|
314
|
+
]
|
|
239
315
|
},
|
|
240
|
-
|
|
241
316
|
"direct": {
|
|
242
317
|
"threat_context": "Compliance theater landscape mid-2026: every framework in scope is structurally lagged for the operational threats documented in upstream exceptd playbooks. The dominant operational pattern: organizations carry clean audit opinions (SOC 2 Type II unqualified, ISO 27001:2022 certified, NIST 800-53 ATO, NIS2 self-attestation, DORA submission, etc.) while simultaneously exposed to KEV-listed kernel LPEs (kernel.json), unsigned MCP servers (mcp.json), AI-API C2 vulnerability (ai-api.json), classical-only HNDL-vulnerable crypto (crypto.json), and SBOM-blind supply chain (sbom.json). Three canonical 2026 cases: (1) CVE-2026-31431 'Copy Fail' KEV-listed kernel LPE — SOC 2 CC7.1 clean opinion issued during the active-exploitation window. (2) CVE-2026-30615 Windsurf MCP zero-interaction RCE — CC9 vendor management 'operating effectively' across the affected estate. (3) CVE-2025-53773 GitHub Copilot prompt-injection RCE — CC6 logical access controls 'passed' while prompt injection executes attacker-chosen actions using the AI service account. Each case demonstrates that current-TTP exposure can persist under audit-clean controls. This playbook is the correlation layer: it ingests upstream findings, maps them per-framework, and emits theater verdicts the GRC team must surface to risk acceptance authorities.",
|
|
243
318
|
"rwep_threshold": {
|
|
@@ -247,10 +322,27 @@
|
|
|
247
322
|
},
|
|
248
323
|
"framework_lag_declaration": "All 20 frameworks listed in domain.frameworks_in_scope are structurally insufficient for at least one upstream-playbook threat class. ISO 27001:2022, SOC 2 TSC, and PCI DSS 4.0 are the longest-laggard for AI/MCP/PQC threats (no scheduled amendments). NIST 800-53, NIS2, DORA, EU AI Act, and EU CRA have publishing cadences but lag the threat tempo by 90-365 days. UK CAF (outcome-based) and AU Essential 8 are partially forward-compatible but inconsistent across regulators/sectors. SG MAS TRM, JP FISC, IN CERT-In, CA OSFI B-10 are sector- and jurisdiction-specific with tempo varying by sector. Compound effect: an org running all current threat-class exposures under a single audit opinion is the modal state in mid-2026, not an outlier.",
|
|
249
324
|
"skill_chain": [
|
|
250
|
-
{
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
325
|
+
{
|
|
326
|
+
"skill": "framework-gap-analysis",
|
|
327
|
+
"purpose": "For each upstream finding, produce a per-framework gap declaration including the specific control(s) that should have caught it and why they didn't.",
|
|
328
|
+
"required": true
|
|
329
|
+
},
|
|
330
|
+
{
|
|
331
|
+
"skill": "compliance-theater",
|
|
332
|
+
"purpose": "Run the six theater fingerprints in govern.theater_fingerprints against the ingested finding set. Emit theater verdicts per pattern.",
|
|
333
|
+
"required": true
|
|
334
|
+
},
|
|
335
|
+
{
|
|
336
|
+
"skill": "global-grc",
|
|
337
|
+
"purpose": "Cross-walk findings to per-jurisdiction obligations. Identify orgs that operate in regulated jurisdictions without framework mapping for those jurisdictions (theater pattern #4).",
|
|
338
|
+
"required": true
|
|
339
|
+
},
|
|
340
|
+
{
|
|
341
|
+
"skill": "policy-exception-gen",
|
|
342
|
+
"purpose": "Generate auditor-ready policy exception language for findings that cannot be remediated within the compliance window of any framework in scope.",
|
|
343
|
+
"skip_if": "no high-RWEP findings remain unremediated",
|
|
344
|
+
"required": false
|
|
345
|
+
}
|
|
254
346
|
],
|
|
255
347
|
"token_budget": {
|
|
256
348
|
"estimated_total": 24000,
|
|
@@ -265,7 +357,6 @@
|
|
|
265
357
|
}
|
|
266
358
|
}
|
|
267
359
|
},
|
|
268
|
-
|
|
269
360
|
"look": {
|
|
270
361
|
"artifacts": [
|
|
271
362
|
{
|
|
@@ -330,15 +421,38 @@
|
|
|
330
421
|
}
|
|
331
422
|
],
|
|
332
423
|
"fallback_if_unavailable": [
|
|
333
|
-
{
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
{
|
|
424
|
+
{
|
|
425
|
+
"artifact_id": "audit-evidence-inventory",
|
|
426
|
+
"fallback_action": "mark_inconclusive",
|
|
427
|
+
"confidence_impact": "medium"
|
|
428
|
+
},
|
|
429
|
+
{
|
|
430
|
+
"artifact_id": "compensating-controls-register",
|
|
431
|
+
"fallback_action": "mark_inconclusive",
|
|
432
|
+
"confidence_impact": "medium"
|
|
433
|
+
},
|
|
434
|
+
{
|
|
435
|
+
"artifact_id": "framework-mapping-matrix",
|
|
436
|
+
"fallback_action": "mark_inconclusive",
|
|
437
|
+
"confidence_impact": "low"
|
|
438
|
+
},
|
|
439
|
+
{
|
|
440
|
+
"artifact_id": "jurisdictional-footprint",
|
|
441
|
+
"fallback_action": "use_compensating_artifact",
|
|
442
|
+
"confidence_impact": "low"
|
|
443
|
+
},
|
|
444
|
+
{
|
|
445
|
+
"artifact_id": "ai-usage-attestation",
|
|
446
|
+
"fallback_action": "use_compensating_artifact",
|
|
447
|
+
"confidence_impact": "medium"
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
"artifact_id": "upstream-findings",
|
|
451
|
+
"fallback_action": "escalate_to_human",
|
|
452
|
+
"confidence_impact": "high"
|
|
453
|
+
}
|
|
339
454
|
]
|
|
340
455
|
},
|
|
341
|
-
|
|
342
456
|
"detect": {
|
|
343
457
|
"indicators": [
|
|
344
458
|
{
|
|
@@ -421,24 +535,73 @@
|
|
|
421
535
|
"not_detected": "Zero theater fingerprints fire AND all GRC artifacts available AND every upstream finding has documented remediation or accepted residual with current acceptance record."
|
|
422
536
|
}
|
|
423
537
|
},
|
|
424
|
-
|
|
425
538
|
"analyze": {
|
|
426
539
|
"rwep_inputs": [
|
|
427
|
-
{
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
540
|
+
{
|
|
541
|
+
"signal_id": "audit-clean-with-active-finding",
|
|
542
|
+
"rwep_factor": "blast_radius",
|
|
543
|
+
"weight": 30,
|
|
544
|
+
"notes": "Clean audit over active exposure = compounded regulatory + technical risk."
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"signal_id": "framework-lag-no-compensating-control",
|
|
548
|
+
"rwep_factor": "blast_radius",
|
|
549
|
+
"weight": 20,
|
|
550
|
+
"notes": "Lag without compensation = exposure persists."
|
|
551
|
+
},
|
|
552
|
+
{
|
|
553
|
+
"signal_id": "exception-missing-expiry-or-owner",
|
|
554
|
+
"rwep_factor": "blast_radius",
|
|
555
|
+
"weight": 15,
|
|
556
|
+
"notes": "Indefinite exception = open-ended risk acceptance."
|
|
557
|
+
},
|
|
558
|
+
{
|
|
559
|
+
"signal_id": "jurisdiction-without-framework",
|
|
560
|
+
"rwep_factor": "blast_radius",
|
|
561
|
+
"weight": 25,
|
|
562
|
+
"notes": "Operating in regulated jurisdiction without framework mapping = direct regulatory exposure (NIS2 / DORA / etc.)."
|
|
563
|
+
},
|
|
564
|
+
{
|
|
565
|
+
"signal_id": "ai-use-without-ai-controls",
|
|
566
|
+
"rwep_factor": "active_exploitation",
|
|
567
|
+
"weight": 20,
|
|
568
|
+
"notes": "AI in production without AI controls = active threat exposure inherited from upstream playbooks."
|
|
569
|
+
},
|
|
570
|
+
{
|
|
571
|
+
"signal_id": "compound-theater",
|
|
572
|
+
"rwep_factor": "blast_radius",
|
|
573
|
+
"weight": 30,
|
|
574
|
+
"notes": "Compound theater on single control = structural insufficiency across threat classes."
|
|
575
|
+
}
|
|
433
576
|
],
|
|
434
577
|
"blast_radius_model": {
|
|
435
578
|
"scope_question": "If compliance theater is sustained (audit-clean opinion over actual exposure), what is the realistic regulatory + technical impact across the org?",
|
|
436
579
|
"scoring_rubric": [
|
|
437
|
-
{
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
|
|
580
|
+
{
|
|
581
|
+
"condition": "theater confined to one framework + one domain + low-RWEP upstream findings",
|
|
582
|
+
"blast_radius_score": 1,
|
|
583
|
+
"description": "Local theater; risk acceptable at manager level."
|
|
584
|
+
},
|
|
585
|
+
{
|
|
586
|
+
"condition": "theater in one framework across two or more upstream domains, medium-RWEP findings",
|
|
587
|
+
"blast_radius_score": 2,
|
|
588
|
+
"description": "Framework-localized structural issue; CISO awareness required."
|
|
589
|
+
},
|
|
590
|
+
{
|
|
591
|
+
"condition": "theater across multiple frameworks + multiple upstream domains, high-RWEP findings",
|
|
592
|
+
"blast_radius_score": 3,
|
|
593
|
+
"description": "Org-wide GRC pattern; structural program redesign warranted."
|
|
594
|
+
},
|
|
595
|
+
{
|
|
596
|
+
"condition": "theater + jurisdictional exposure (operating in NIS2/DORA/EU AI Act jurisdiction without framework mapping) + active findings",
|
|
597
|
+
"blast_radius_score": 4,
|
|
598
|
+
"description": "Regulatory enforcement risk + technical exposure; CISO + Legal + Board notification."
|
|
599
|
+
},
|
|
600
|
+
{
|
|
601
|
+
"condition": "theater + jurisdictional exposure + KEV-listed active finding + jurisdiction-specific notification clock active (NIS2 24h / DORA 4h / IN CERT-In 6h)",
|
|
602
|
+
"blast_radius_score": 5,
|
|
603
|
+
"description": "Missed notification window + active regulatory enforcement risk + named-incident exposure."
|
|
604
|
+
}
|
|
442
605
|
]
|
|
443
606
|
},
|
|
444
607
|
"compliance_theater_check": {
|
|
@@ -492,21 +655,41 @@
|
|
|
492
655
|
}
|
|
493
656
|
],
|
|
494
657
|
"escalation_criteria": [
|
|
495
|
-
{
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
{
|
|
500
|
-
|
|
658
|
+
{
|
|
659
|
+
"condition": "compound-theater == true",
|
|
660
|
+
"action": "raise_severity"
|
|
661
|
+
},
|
|
662
|
+
{
|
|
663
|
+
"condition": "jurisdiction-without-framework == true AND upstream_finding.rwep >= 75",
|
|
664
|
+
"action": "notify_legal"
|
|
665
|
+
},
|
|
666
|
+
{
|
|
667
|
+
"condition": "audit-clean-with-active-finding == true AND any active_finding.kev_listed == true",
|
|
668
|
+
"action": "notify_legal"
|
|
669
|
+
},
|
|
670
|
+
{
|
|
671
|
+
"condition": "blast_radius_score >= 4",
|
|
672
|
+
"action": "page_on_call"
|
|
673
|
+
},
|
|
674
|
+
{
|
|
675
|
+
"condition": "ai-use-without-ai-controls == true",
|
|
676
|
+
"action": "raise_severity"
|
|
677
|
+
},
|
|
678
|
+
{
|
|
679
|
+
"condition": "any compliance_theater_check.verdict == 'theater' AND blast_radius_score >= 3",
|
|
680
|
+
"action": "trigger_playbook",
|
|
681
|
+
"target_playbook": "sbom"
|
|
682
|
+
}
|
|
501
683
|
]
|
|
502
684
|
},
|
|
503
|
-
|
|
504
685
|
"validate": {
|
|
505
686
|
"remediation_paths": [
|
|
506
687
|
{
|
|
507
688
|
"id": "close-operational-fix",
|
|
508
689
|
"description": "Where upstream findings remain unremediated, escalate the upstream playbook's validate-phase remediation paths to the responsible team with a deadline tied to the relevant framework's notification clock.",
|
|
509
|
-
"preconditions": [
|
|
690
|
+
"preconditions": [
|
|
691
|
+
"upstream_findings_actionable == true"
|
|
692
|
+
],
|
|
510
693
|
"priority": 1,
|
|
511
694
|
"compensating_controls": [],
|
|
512
695
|
"estimated_time_hours": 16
|
|
@@ -514,31 +697,45 @@
|
|
|
514
697
|
{
|
|
515
698
|
"id": "establish-tested-compensating-controls",
|
|
516
699
|
"description": "For each framework lag declaration without compensating control: establish a documented compensating control with explicit test cadence. First test within 30 days of establishment; ongoing test cadence at least quarterly.",
|
|
517
|
-
"preconditions": [
|
|
700
|
+
"preconditions": [
|
|
701
|
+
"compensating_control_design_feasible == true"
|
|
702
|
+
],
|
|
518
703
|
"priority": 2,
|
|
519
|
-
"compensating_controls": [
|
|
704
|
+
"compensating_controls": [
|
|
705
|
+
"test_cadence_recorded_in_change_management"
|
|
706
|
+
],
|
|
520
707
|
"estimated_time_hours": 24
|
|
521
708
|
},
|
|
522
709
|
{
|
|
523
710
|
"id": "exception-register-cleanup",
|
|
524
711
|
"description": "Audit the exception register. For each entry lacking expiry / named owner / tested compensating controls: either (a) bring into compliance with the exception template, or (b) close the exception by remediating the underlying issue, or (c) escalate to next-higher authority for re-acceptance.",
|
|
525
|
-
"preconditions": [
|
|
712
|
+
"preconditions": [
|
|
713
|
+
"exception_register_exists == true"
|
|
714
|
+
],
|
|
526
715
|
"priority": 3,
|
|
527
|
-
"compensating_controls": [
|
|
716
|
+
"compensating_controls": [
|
|
717
|
+
"exception_review_cadence_documented"
|
|
718
|
+
],
|
|
528
719
|
"estimated_time_hours": 8
|
|
529
720
|
},
|
|
530
721
|
{
|
|
531
722
|
"id": "jurisdictional-framework-mapping",
|
|
532
723
|
"description": "Extend control-mapping matrix to include every binding framework for the org's operational jurisdictions. Cross-walk per-control to NIS2 / DORA / EU AI Act / CAF / Essential 8 / APRA / MAS TRM / NISC / CERT-In / OSFI B-10 as applicable.",
|
|
533
|
-
"preconditions": [
|
|
724
|
+
"preconditions": [
|
|
725
|
+
"jurisdictional_footprint_documented == true"
|
|
726
|
+
],
|
|
534
727
|
"priority": 4,
|
|
535
|
-
"compensating_controls": [
|
|
728
|
+
"compensating_controls": [
|
|
729
|
+
"mapping_review_cadence_documented"
|
|
730
|
+
],
|
|
536
731
|
"estimated_time_hours": 40
|
|
537
732
|
},
|
|
538
733
|
{
|
|
539
734
|
"id": "ai-controls-operational",
|
|
540
735
|
"description": "Make AI controls operational: MCP server trust (per mcp.json), prompt-injection access control, AI-API egress baseline (per ai-api.json), AI-generated code provenance, model-weights supply chain integrity (per sbom.json).",
|
|
541
|
-
"preconditions": [
|
|
736
|
+
"preconditions": [
|
|
737
|
+
"ai_in_production == true"
|
|
738
|
+
],
|
|
542
739
|
"priority": 5,
|
|
543
740
|
"compensating_controls": [],
|
|
544
741
|
"estimated_time_hours": 80
|
|
@@ -546,9 +743,15 @@
|
|
|
546
743
|
{
|
|
547
744
|
"id": "board-level-acknowledgement",
|
|
548
745
|
"description": "Where multiple framework-gap declarations cannot be closed within compliance windows: escalate to board-level acknowledgement of the GRC posture with documented framework-lag declaration and accepted residual risk.",
|
|
549
|
-
"preconditions": [
|
|
746
|
+
"preconditions": [
|
|
747
|
+
"remediation_paths[1..5] cannot close all findings within compliance windows",
|
|
748
|
+
"board_acceptance_obtainable == true"
|
|
749
|
+
],
|
|
550
750
|
"priority": 6,
|
|
551
|
-
"compensating_controls": [
|
|
751
|
+
"compensating_controls": [
|
|
752
|
+
"board_review_cadence_documented",
|
|
753
|
+
"executive_summary_for_each_framework_lag"
|
|
754
|
+
],
|
|
552
755
|
"estimated_time_hours": 16
|
|
553
756
|
}
|
|
554
757
|
],
|
|
@@ -594,47 +797,94 @@
|
|
|
594
797
|
"risk": "Framework lag is structural and persistent. Even with all theater fingerprints closed at one point in time, new threat classes (new CVEs, new AI/agentic attack patterns, new PQC standards) emerge faster than frameworks can amend. The GRC posture is therefore an ongoing program, not a checkpoint.",
|
|
595
798
|
"why_remains": "Frameworks publish on annual-to-quintennial cycles. Operational threats publish on hour-to-day cycles. The structural gap cannot be closed by re-audit; only by sustained compensating control + exception discipline + program-level acknowledgement of the lag at board level.",
|
|
596
799
|
"acceptance_level": "board",
|
|
597
|
-
"compensating_controls_in_place": [
|
|
800
|
+
"compensating_controls_in_place": [
|
|
801
|
+
"continuous_upstream_playbook_execution",
|
|
802
|
+
"monthly_theater_fingerprint_re-test",
|
|
803
|
+
"quarterly_compensating_controls_test",
|
|
804
|
+
"annual_board_review_of_framework_lag_register",
|
|
805
|
+
"named_owner_per_framework_lag_at_ciso_level"
|
|
806
|
+
]
|
|
598
807
|
},
|
|
599
808
|
"evidence_requirements": [
|
|
600
809
|
{
|
|
601
810
|
"evidence_type": "scan_report",
|
|
602
811
|
"description": "Compound theater verdict report mapping each fired fingerprint to upstream findings, implicated framework controls, and remediation status.",
|
|
603
812
|
"retention_period": "7_years",
|
|
604
|
-
"framework_satisfied": [
|
|
813
|
+
"framework_satisfied": [
|
|
814
|
+
"nist-800-53-CA-7",
|
|
815
|
+
"iso-27001-2022-A.5.36",
|
|
816
|
+
"soc2-CC1",
|
|
817
|
+
"nis2-art21",
|
|
818
|
+
"dora-art5"
|
|
819
|
+
]
|
|
605
820
|
},
|
|
606
821
|
{
|
|
607
822
|
"evidence_type": "attestation",
|
|
608
823
|
"description": "Signed exceptd attestation file with evidence_hash, count of theater fingerprints fired at detection, count post-remediation, RWEP delta, list of newly-mapped frameworks for any added jurisdictions.",
|
|
609
824
|
"retention_period": "7_years",
|
|
610
|
-
"framework_satisfied": [
|
|
825
|
+
"framework_satisfied": [
|
|
826
|
+
"nist-800-53-CA-7",
|
|
827
|
+
"iso-27001-2022-A.5.36",
|
|
828
|
+
"nis2-art21",
|
|
829
|
+
"dora-art5"
|
|
830
|
+
]
|
|
611
831
|
},
|
|
612
832
|
{
|
|
613
833
|
"evidence_type": "config_diff",
|
|
614
834
|
"description": "Before/after diff of control-mapping matrix and exception register showing additions, expirations, ownership changes.",
|
|
615
835
|
"retention_period": "7_years",
|
|
616
|
-
"framework_satisfied": [
|
|
836
|
+
"framework_satisfied": [
|
|
837
|
+
"nist-800-53-CM-3",
|
|
838
|
+
"iso-27001-2022-A.5.36"
|
|
839
|
+
]
|
|
617
840
|
},
|
|
618
841
|
{
|
|
619
842
|
"evidence_type": "ticket_reference",
|
|
620
843
|
"description": "Board-acceptance record (where path 6 invoked): signed board resolution acknowledging framework lag with named owner and re-evaluation cadence.",
|
|
621
844
|
"retention_period": "7_years",
|
|
622
|
-
"framework_satisfied": [
|
|
845
|
+
"framework_satisfied": [
|
|
846
|
+
"nist-800-53-CA-7",
|
|
847
|
+
"iso-27001-2022-A.5.36",
|
|
848
|
+
"nis2-art21",
|
|
849
|
+
"dora-art5",
|
|
850
|
+
"uk-caf-principle-a"
|
|
851
|
+
]
|
|
623
852
|
}
|
|
624
853
|
],
|
|
625
854
|
"regression_trigger": [
|
|
626
|
-
{
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
630
|
-
{
|
|
855
|
+
{
|
|
856
|
+
"condition": "new_upstream_playbook_finding == true",
|
|
857
|
+
"interval": "on_event"
|
|
858
|
+
},
|
|
859
|
+
{
|
|
860
|
+
"condition": "new_framework_amendment_published == true",
|
|
861
|
+
"interval": "on_event"
|
|
862
|
+
},
|
|
863
|
+
{
|
|
864
|
+
"condition": "new_jurisdiction_entered == true",
|
|
865
|
+
"interval": "on_event"
|
|
866
|
+
},
|
|
867
|
+
{
|
|
868
|
+
"condition": "monthly",
|
|
869
|
+
"interval": "30d"
|
|
870
|
+
},
|
|
871
|
+
{
|
|
872
|
+
"condition": "audit_cycle_begin",
|
|
873
|
+
"interval": "on_event"
|
|
874
|
+
}
|
|
631
875
|
]
|
|
632
876
|
},
|
|
633
|
-
|
|
634
877
|
"close": {
|
|
635
878
|
"evidence_package": {
|
|
636
879
|
"bundle_format": "csaf-2.0",
|
|
637
|
-
"contents": [
|
|
880
|
+
"contents": [
|
|
881
|
+
"scan_report",
|
|
882
|
+
"attestation",
|
|
883
|
+
"config_diff",
|
|
884
|
+
"framework_gap_mapping",
|
|
885
|
+
"compliance_theater_verdict",
|
|
886
|
+
"residual_risk_statement"
|
|
887
|
+
],
|
|
638
888
|
"destination": "grc_platform_api",
|
|
639
889
|
"signed": true
|
|
640
890
|
},
|
|
@@ -646,49 +896,79 @@
|
|
|
646
896
|
"framework_gap": "All 20 frameworks in scope are structurally insufficient for at least one upstream-playbook threat class. ISO 27001:2022 / SOC 2 TSC / PCI DSS 4.0 are longest-laggard for AI/MCP/PQC. NIST / NIS2 / DORA / EU AI Act / EU CRA lag by 90-365 days. UK CAF / AU Essential 8 are partially forward-compatible. Jurisdictional frameworks (MAS TRM, FISC, CERT-In, OSFI B-10) vary by sector.",
|
|
647
897
|
"new_control_requirement": "Sustained GRC program with: (a) continuous upstream-playbook execution, (b) monthly theater fingerprint re-test, (c) quarterly compensating-controls test, (d) annual board review of framework-lag register, (e) named owner per framework lag at CISO level. Theater detection cannot be one-shot; it is a recurring obligation."
|
|
648
898
|
},
|
|
649
|
-
"feeds_back_to_skills": [
|
|
899
|
+
"feeds_back_to_skills": [
|
|
900
|
+
"framework-gap-analysis",
|
|
901
|
+
"compliance-theater",
|
|
902
|
+
"global-grc",
|
|
903
|
+
"policy-exception-gen",
|
|
904
|
+
"zeroday-gap-learn",
|
|
905
|
+
"security-maturity-tiers"
|
|
906
|
+
]
|
|
650
907
|
},
|
|
651
908
|
"notification_actions": [
|
|
652
909
|
{
|
|
653
910
|
"obligation_ref": "EU/NIS2 Art.21 720h",
|
|
654
911
|
"deadline": "computed_at_runtime",
|
|
655
912
|
"recipient": "internal_legal",
|
|
656
|
-
"evidence_attached": [
|
|
913
|
+
"evidence_attached": [
|
|
914
|
+
"compliance_theater_verdicts",
|
|
915
|
+
"framework_gap_mapping",
|
|
916
|
+
"exception_register",
|
|
917
|
+
"risk_acceptance_records"
|
|
918
|
+
],
|
|
657
919
|
"draft_notification": "NIS2 Art.21 governance evidence submission: ${entity_name} attests its risk management measures per Art.21(2)(a-i). Theater fingerprints fired at last assessment: ${theater_count}; remediation status: ${remediation_summary}. Framework lag declarations: ${lag_count}. Named owners: ${named_owners}."
|
|
658
920
|
},
|
|
659
921
|
{
|
|
660
922
|
"obligation_ref": "EU/DORA Art.5 720h",
|
|
661
923
|
"deadline": "computed_at_runtime",
|
|
662
924
|
"recipient": "internal_legal",
|
|
663
|
-
"evidence_attached": [
|
|
925
|
+
"evidence_attached": [
|
|
926
|
+
"ict_risk_governance_evidence",
|
|
927
|
+
"framework_lag_declarations",
|
|
928
|
+
"compensating_controls_register"
|
|
929
|
+
],
|
|
664
930
|
"draft_notification": "DORA Art.5 ICT governance submission: ${entity_name} (financial entity) attests ICT risk management framework per Art.5. Framework lag declarations: ${lag_summary}. Compensating controls tested within cadence: ${tested_count}/${total_count}. Board-acceptance record: ${board_record_ref}."
|
|
665
931
|
},
|
|
666
932
|
{
|
|
667
933
|
"obligation_ref": "EU/NIS2 Art.23 24h",
|
|
668
934
|
"deadline": "computed_at_runtime",
|
|
669
935
|
"recipient": "internal_legal",
|
|
670
|
-
"evidence_attached": [
|
|
936
|
+
"evidence_attached": [
|
|
937
|
+
"theater_detected_summary",
|
|
938
|
+
"affected_controls",
|
|
939
|
+
"interim_compensating_control_record"
|
|
940
|
+
],
|
|
671
941
|
"draft_notification": "NIS2 Art.23 24-hour early-warning notification: compliance-theater finding confirmed on ${affected_controls}. Underlying upstream findings: ${upstream_finding_refs}. Interim compensating controls: ${compensating_controls}. Full assessment to follow within 72 hours per Art.23(4)."
|
|
672
942
|
},
|
|
673
943
|
{
|
|
674
944
|
"obligation_ref": "UK/NCSC CAF Principle B 8760h",
|
|
675
945
|
"deadline": "computed_at_runtime",
|
|
676
946
|
"recipient": "internal_legal",
|
|
677
|
-
"evidence_attached": [
|
|
947
|
+
"evidence_attached": [
|
|
948
|
+
"caf_outcome_assessment",
|
|
949
|
+
"gap_register",
|
|
950
|
+
"remediation_roadmap"
|
|
951
|
+
],
|
|
678
952
|
"draft_notification": "NCSC CAF Principle B (Protecting against cyber attack) outcome assessment: ${entity_name} attests outcome achievement. Gap register: ${gap_register_summary}. Remediation roadmap: ${roadmap_summary}."
|
|
679
953
|
},
|
|
680
954
|
{
|
|
681
955
|
"obligation_ref": "AU/APRA CPS 234 72h",
|
|
682
956
|
"deadline": "computed_at_runtime",
|
|
683
957
|
"recipient": "regulator_email",
|
|
684
|
-
"evidence_attached": [
|
|
958
|
+
"evidence_attached": [
|
|
959
|
+
"materiality_assessment",
|
|
960
|
+
"remediation_completed_evidence"
|
|
961
|
+
],
|
|
685
962
|
"draft_notification": "APRA CPS 234 notification: material information security incident — compliance theater detected on ${affected_controls}. Materiality justification: ${materiality_justification}. Remediation summary: ${remediation_summary}."
|
|
686
963
|
},
|
|
687
964
|
{
|
|
688
965
|
"obligation_ref": "SG/MAS TRM Notice 8760h",
|
|
689
966
|
"deadline": "computed_at_runtime",
|
|
690
967
|
"recipient": "internal_legal",
|
|
691
|
-
"evidence_attached": [
|
|
968
|
+
"evidence_attached": [
|
|
969
|
+
"technology_risk_management_evidence",
|
|
970
|
+
"gap_register"
|
|
971
|
+
],
|
|
692
972
|
"draft_notification": "MAS TRM Notice attestation: ${entity_name} (FI) attests technology risk management framework. Identified gaps: ${gap_summary}. Remediation roadmap: ${roadmap_summary}."
|
|
693
973
|
}
|
|
694
974
|
],
|
|
@@ -697,7 +977,14 @@
|
|
|
697
977
|
"exception_template": {
|
|
698
978
|
"scope": "Framework lag(s) ${framework_list} cannot be closed within compliance windows. Affected upstream findings: ${affected_findings}. Multiple-framework structural insufficiency requires board-level acknowledgement.",
|
|
699
979
|
"duration": "until_next_audit",
|
|
700
|
-
"compensating_controls": [
|
|
980
|
+
"compensating_controls": [
|
|
981
|
+
"sustained_continuous_upstream_playbook_execution",
|
|
982
|
+
"monthly_theater_fingerprint_re-test",
|
|
983
|
+
"quarterly_compensating_controls_test_with_documented_results",
|
|
984
|
+
"annual_board_review_of_framework_lag_register",
|
|
985
|
+
"named_owner_per_framework_lag_at_ciso_level",
|
|
986
|
+
"engagement_with_framework_standards_bodies_for_amendment_advocacy"
|
|
987
|
+
],
|
|
701
988
|
"risk_acceptance_owner": "board",
|
|
702
989
|
"auditor_ready_language": "Pursuant to the organization's enterprise risk management framework and the governance obligations of NIST 800-53 CA-7 (Continuous Monitoring), ISO 27001:2022 A.5.36 (Compliance with policies, rules and standards), NIS2 Art.21 (Risk management measures), DORA Art.5 (Governance and organisation), and UK NCSC CAF Principle A (Managing security risk), the organization records a board-level acknowledgement of structural framework lag across ${framework_list}. The accepted lag class is: framework controls published on annual-to-quintennial cycles cannot keep pace with operational threats publishing on hour-to-day cycles. The organization accepts that current framework controls do not adequately address the operational threats documented in exceptd playbooks ${upstream_playbook_refs}, that this gap is documented in ${exceptd_framework_gap_mapping_ref}, and that the organization's compensating controls during the exception window are: ${compensating_controls}. Detection coverage: continuous upstream playbook execution with theater fingerprint re-test on monthly cadence. Engagement plan: ${standards_engagement_plan}. Risk accepted by the Board on ${acceptance_date}. Time-bound until ${duration_expiry} (next audit cycle, OR ${default_365d_expiry}, whichever is first). Re-evaluation triggers: new framework amendment publication, new upstream-playbook finding above RWEP 75, new jurisdiction entered, OR scheduled expiry."
|
|
703
990
|
}
|
|
@@ -709,17 +996,20 @@
|
|
|
709
996
|
}
|
|
710
997
|
}
|
|
711
998
|
},
|
|
712
|
-
|
|
713
999
|
"directives": [
|
|
714
1000
|
{
|
|
715
1001
|
"id": "correlate-all-upstream-findings",
|
|
716
1002
|
"title": "Correlate all upstream playbook findings to framework gaps and theater fingerprints",
|
|
717
|
-
"applies_to": {
|
|
1003
|
+
"applies_to": {
|
|
1004
|
+
"always": true
|
|
1005
|
+
}
|
|
718
1006
|
},
|
|
719
1007
|
{
|
|
720
1008
|
"id": "baseline-framework-gap-inventory",
|
|
721
1009
|
"title": "Baseline framework-gap inventory when no upstream findings available",
|
|
722
|
-
"applies_to": {
|
|
1010
|
+
"applies_to": {
|
|
1011
|
+
"always": true
|
|
1012
|
+
}
|
|
723
1013
|
}
|
|
724
1014
|
]
|
|
725
1015
|
}
|