npm - @blamejs/exceptd-skills - Versions diffs - 0.13.18 → 0.13.20 - Mend

@blamejs/exceptd-skills 0.13.18 → 0.13.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/CHANGELOG.md +79 -0
package/data/_indexes/_meta.json +9 -9
package/data/_indexes/activity-feed.json +2 -2
package/data/_indexes/catalog-summaries.json +2 -2
package/data/_indexes/chains.json +14 -0
package/data/_indexes/frequency.json +1 -0
package/data/attack-techniques.json +2600 -109
package/data/cve-catalog.json +147 -2678
package/data/cwe-catalog.json +60 -1
package/data/framework-control-gaps.json +252 -84
package/data/rfc-references.json +286 -125
package/data/zeroday-lessons.json +17 -2909
package/lib/canonical-eq.js +88 -0
package/lib/cve-regression-watcher.js +130 -9
package/lib/source-advisories.js +9 -34
package/lib/version-pins.js +73 -0
package/lib/xml-tokenizer.js +344 -0
package/manifest.json +44 -44
package/package.json +6 -2
package/sbom.cdx.json +108 -33
package/scripts/audit-catalog-gaps.js +347 -0
package/scripts/check-test-coverage.js +16 -10
package/scripts/refresh-mitre-ics-attack.js +15 -0
package/scripts/refresh-upstream-catalogs.js +171 -54

package/data/zeroday-lessons.json CHANGED Viewed

@@ -2034,7 +2034,7 @@
   },
   "CVE-2024-3154": {
     "name": "CRI-O arbitrary kernel-module load",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Pod-spec attributes reach modprobe argument path in CRI-O without validation. An attacker with pod-create RBAC on a cluster using CRI-O can cause arbitrary kernel modules to load on the host node, achieving container-escape-equivalent capability.",
       "privileges_required": "pod-create RBAC inside the cluster (namespace-scoped is sufficient)",
@@ -2078,7 +2078,6 @@
         "gap": "Container-runtime supply chain not differentiated from application-runtime supply chain."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "AppArmor/SELinux deny-module-load is rarely enforced on container hosts; CIS-K8s benchmark passes without it. Patch cadence on Kubernetes node runtimes typically lags behind application patches.",
@@ -2090,7 +2089,7 @@
   },
   "CVE-2023-43472": {
     "name": "MLflow path-traversal arbitrary file read",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "MLflow tracking-server artifact endpoint resolves user-controlled paths under the artifact root without normalization. An unauthenticated HTTP request with ../ traversal reads arbitrary files from the host filesystem.",
       "privileges_required": "none (unauth network reachability to MLflow tracking server)",
@@ -2134,7 +2133,6 @@
         "gap": "Secure coding control does not anchor on ML-runtime web-surface review; ML platforms are treated as out-of-scope of conventional secure-coding programs."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 70,
       "basis": "MLflow tracking servers are widely deployed without auth and without front-proxy logging; ML platforms typically fall outside the AppSec team's secure-coding-review remit.",
@@ -2146,7 +2144,7 @@
   },
   "CVE-2020-10148": {
     "name": "SolarWinds Orion API authentication bypass (SUNBURST chain component)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "URI pattern matching against SkipI18nStrings inside Orion's HTTP routing triggers an authentication bypass — an unauthenticated request that matches the pattern reaches API write endpoints. Used by SUNBURST operators to exercise API write access against compromised Orion installations.",
       "privileges_required": "none (unauth network reachability to Orion)",
@@ -2190,7 +2188,6 @@
         "gap": "Supply-chain protection control predates the SolarWinds incident; pre-2020 supply-chain controls did not contemplate a trusted vendor as the breach vector."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 40,
       "basis": "Direct exposure to this specific CVE is low five years post-disclosure (Orion installations are largely patched), but the lessons-class — trusted-vendor-as-pivot — remains under-addressed by most supply-chain controls.",
@@ -2202,7 +2199,7 @@
   },
   "CVE-2023-3519": {
     "name": "Citrix NetScaler ADC/Gateway unauth RCE (CitrixBleed precursor)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Pre-auth stack buffer overflow in the NetScaler SAML processing path. An unauthenticated HTTP POST to /gwtest/formssso reaches the vulnerable nsppe parser; CISA AA23-201A documented in-wild exploitation by Chinese state-sponsored actors against US critical-infrastructure organizations within weeks of disclosure.",
       "privileges_required": "none (unauth network reachability to NetScaler appliance)",
@@ -2246,7 +2243,6 @@
         "gap": "EU NIS2 generic vulnerability-management requirement without unauth-RCE-specific SLA."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "PCI-DSS / NIS2 / SI-2 patch SLAs are wider than the actual exploitation window. Many organizations passing those audits remained exposed during the active mass-exploitation phase.",
@@ -2258,7 +2254,7 @@
   },
   "CVE-2024-1709": {
     "name": "ConnectWise ScreenConnect auth-bypass",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Path-traversal in the auth filter — appending /SetupWizard.aspx/anything to a request URL bypasses authentication and reaches the admin setup endpoint. Attacker creates a new admin account via the setup endpoint and gains full ScreenConnect control, including the ability to push remote-control payloads to every endpoint the affected MSP manages.",
       "privileges_required": "none (unauth network reachability to ScreenConnect web surface)",
@@ -2302,7 +2298,6 @@
         "gap": "Access-control management does not require setup-endpoint hardening on production deployments; the ScreenConnect setup wizard was reachable post-install by design."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "MSP fleets passing SOC 2 / ISO 27001 audits routinely deploy remote-management tooling with default routing exposed; setup-endpoint hardening is not a benchmark requirement.",
@@ -2314,7 +2309,7 @@
   },
   "CVE-2026-20182": {
     "name": "Cisco SD-WAN authentication bypass to admin",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Authentication bypass in the Cisco SD-WAN controller management plane (vManage / vEdge). An unauthenticated attacker reaches admin-equivalent state on the controller, giving control over the SD-WAN fabric's policy plane.",
       "privileges_required": "none (unauth network reachability to SD-WAN controller management surface)",
@@ -2358,7 +2353,6 @@
         "gap": "ICT third-party risk — SD-WAN vendor risk concentrated in a single advisory cadence; DORA does not require dual-vendor fabric topology."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 65,
       "basis": "SD-WAN controller management surfaces are frequently reachable beyond operator subnets in real-world deployments; NIS2 / DORA controls do not enforce management-plane isolation as a specific requirement.",
@@ -2370,7 +2364,7 @@
   },
   "CVE-2024-40635": {
     "name": "containerd integer overflow IP mask leak",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Integer overflow in the containerd CNI IP-allocation path. A crafted CIDR specification overflows the uint32 mask conversion, causing the container to receive a spurious mask that allows traffic to leak across network namespaces.",
       "privileges_required": "ability to influence a container's CNI configuration (typically requires pod-create RBAC or compromise of an in-cluster component that provisions pods)",
@@ -2414,7 +2408,6 @@
         "gap": "Networks security control covers segmentation policy at organizational level but does not extend to container-runtime IPAM verification."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 50,
       "basis": "Most clusters do not pair NetworkPolicy with IPAM-correctness audit. CIS-K8s benchmark passes without it.",
@@ -2493,7 +2486,7 @@
   },
   "CVE-2025-12686": {
     "name": "Synology BeeStation unauth RCE (Pwn2Own Ireland 2025)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Pre-auth RCE chain on the Synology BeeStation Manager web management surface. Demonstrated as a full chain on consumer NAS hardware at Pwn2Own Ireland 2025.",
       "privileges_required": "none (unauth network reachability to BeeStation web surface)",
@@ -2537,7 +2530,6 @@
         "gap": "Configuration-management control covers organizational assets; consumer NAS appliances at remote sites are commonly out of scope of the enterprise CMDB."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Consumer-NAS appliances are pervasive at branch / SMB / remote-worker sites and routinely fall outside enterprise patch and asset-management programs.",
@@ -2549,7 +2541,7 @@
   },
   "CVE-2025-62847": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 1/3)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Component 1/3 of the DEVCORE Research Team chain on the QNAP TS-453E appliance at Pwn2Own Ireland 2025. Chained injection + format-string bug demonstrated as part of the three-CVE chain that earned $40,000 + 4 Master of Pwn points.",
       "privileges_required": "none (unauth network reachability to QTS / QuTS hero web management)",
@@ -2593,7 +2585,6 @@
         "gap": "Configuration-management control covers organizational assets; SMB / branch NAS appliances are commonly out of CMDB scope."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "QNAP appliances are pervasive at SMB / prosumer scale and fall outside enterprise patch programs.",
@@ -2605,7 +2596,7 @@
   },
   "CVE-2025-62848": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 2/3)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Component 2/3 of the DEVCORE Research Team chain on the QNAP TS-453E appliance at Pwn2Own Ireland 2025. Code-injection (CWE-94) chained with CVE-2025-62847 and CVE-2025-62849.",
       "privileges_required": "none (unauth as part of the chain) — standalone exploitation requires the chain pre-condition",
@@ -2649,7 +2640,6 @@
         "gap": "Secure-coding control assumed in vendor firmware; appliance vendors are out-of-band of the operator's secure-coding program."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Same population and coverage gap as CVE-2025-62847; chain components track together.",
@@ -2661,7 +2651,7 @@
   },
   "CVE-2025-62849": {
     "name": "QNAP QTS/QuTS hero RCE (Pwn2Own Ireland 2025, chain 3/3)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Component 3/3 of the DEVCORE Research Team chain on the QNAP TS-453E appliance at Pwn2Own Ireland 2025 — post-auth elevation (CWE-269, T1068). Used by the chain to convert the unauth RCE foothold from CVE-2025-62847/62848 into appliance-level privileged execution.",
       "privileges_required": "post-auth (achieved by the chain via CVE-2025-62847 / CVE-2025-62848)",
@@ -2705,7 +2695,6 @@
         "gap": "Consumer-NAS coverage begins 2027."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Same population as the chain siblings.",
@@ -2852,7 +2841,7 @@
   },
   "CVE-2024-21762": {
     "name": "Fortinet FortiOS / FortiProxy SSL-VPN out-of-bounds write (sslvpnd preauth RCE)",
-    "lesson_date": "2026-05-17",
+    "lesson_date": "2026-05-19",
     "attack_vector": {
       "description": "Out-of-bounds write in the sslvpnd daemon's HTTP request handling on FortiOS and FortiProxy. An unauthenticated attacker sends a specially crafted HTTP request to the SSL-VPN web surface and executes code on the appliance. Mass-scanning began within hours of the 2024-02-08 vendor disclosure; CISA KEV-listed the next day with a 7-day federal remediation deadline. Fortinet's 2025-04-11 follow-up advisory documented a post-exploitation technique where attackers who compromised the device before patching leave behind read-only symlinks in the SSL-VPN language-file directory that grant persistent filesystem read access on fully patched firmware — patch alone is insufficient.",
       "privileges_required": "none (unauth network reach to the SSL-VPN web surface; SSL-VPN must be enabled on the FortiGate)",
@@ -2911,7 +2900,6 @@
         "gap": "Essential 8 patch-applications ML3 (48h) is closer to the operational reality than NIST SI-2 but still misses the mass-scanning window."
       }
     },
-    "new_control_requirements": [],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 60,
       "basis": "Internet-facing SSL-VPN concentrators are routinely deployed by SOC 2 / ISO 27001 / PCI-audited organisations without a documented compressed-SLA patching procedure for the appliance class; the standard 30-day patch SLA was active exposure for this CVE. Post-exploitation symlink cleanup is essentially never tested in compliance audits — operators who patched in place after compromise frequently retained attacker persistence.",
@@ -4942,18 +4930,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-41940",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -4986,18 +4962,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-1708",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5030,18 +4994,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-29635",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5074,18 +5026,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-7399",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5118,18 +5058,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-57728",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5162,18 +5090,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-57726",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5206,18 +5122,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20122",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5250,18 +5154,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20133",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5294,18 +5186,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-2749",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5338,18 +5218,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-27351",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5382,18 +5250,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48700",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5426,18 +5282,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20128",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5470,18 +5314,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32975",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5514,18 +5346,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-27199",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5558,18 +5378,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-34197",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5602,18 +5410,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2009-0238",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5646,18 +5442,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-32201",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5690,18 +5474,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2012-1854",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5734,18 +5506,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-60710",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5778,18 +5538,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-21529",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5822,18 +5570,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-36424",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5866,18 +5602,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2020-9715",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5910,18 +5634,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21643",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5954,18 +5666,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-34621",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5998,18 +5698,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-1340",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6042,18 +5730,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-35616",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6086,18 +5762,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-3502",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6130,18 +5794,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-5281",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6174,18 +5826,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-3055",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6218,18 +5858,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-53521",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6262,18 +5890,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-33634",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6306,18 +5922,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-33017",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6350,18 +5954,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32432",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6394,18 +5986,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-54068",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6438,18 +6018,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-43510",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6482,18 +6050,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-43520",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6526,18 +6082,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-31277",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6570,18 +6114,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20131",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -6614,18 +6146,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-66376",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6658,18 +6178,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20963",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6702,18 +6210,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-47813",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6746,18 +6242,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-3910",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6790,18 +6274,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-3909",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6834,18 +6306,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-68613",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6878,18 +6338,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-22054",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6922,18 +6370,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-26399",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6966,18 +6402,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-1603",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7010,18 +6434,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2017-7921",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7054,18 +6466,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-22681",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7098,18 +6498,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-43000",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7142,18 +6530,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-30952",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7186,18 +6562,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-41974",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7230,18 +6594,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-22719",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7274,18 +6626,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21385",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7318,18 +6658,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2022-20775",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7362,18 +6690,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20127",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7406,18 +6722,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-25108",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7450,18 +6754,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-49113",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7494,18 +6786,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-68461",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7538,18 +6818,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-22175",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7582,18 +6850,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-22769",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7626,18 +6882,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2020-7796",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7670,18 +6914,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-7694",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7714,18 +6946,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2008-0015",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7758,18 +6978,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-2441",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7802,18 +7010,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-1731",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -7846,18 +7042,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20700",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7890,18 +7074,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-43468",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7934,18 +7106,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-15556",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7978,18 +7138,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-40536",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8022,18 +7170,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21513",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8066,18 +7202,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21525",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8110,18 +7234,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21510",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8154,18 +7266,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21533",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8198,18 +7298,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21519",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8242,18 +7330,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21514",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8286,18 +7362,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-11953",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8330,18 +7394,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-24423",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -8374,18 +7426,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-39935",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8418,18 +7458,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-64328",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8462,18 +7490,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2019-19006",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8506,18 +7522,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-40551",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8550,18 +7554,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-1281",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8594,18 +7586,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-24858",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8638,18 +7618,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2018-14634",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8682,18 +7650,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-52691",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -8726,18 +7682,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-23760",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -8770,18 +7714,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-24061",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8814,18 +7746,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-21509",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8858,18 +7778,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-37079",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8902,18 +7810,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-68645",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8946,18 +7842,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-34026",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8990,18 +7874,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-31125",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9034,18 +7906,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-54313",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9078,18 +7938,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20045",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9122,18 +7970,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2026-20805",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9166,18 +8002,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-8110",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9210,18 +8034,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2009-0556",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9254,18 +8066,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-37164",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9298,18 +8098,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-52163",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9342,18 +8130,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-14733",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9386,18 +8162,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-59374",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9430,18 +8194,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-40602",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9474,18 +8226,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-20393",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9518,18 +8258,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-59718",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9562,18 +8290,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-14611",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9606,18 +8322,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2018-4063",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9650,18 +8354,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-58360",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9694,18 +8386,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-6218",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9738,18 +8418,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-62221",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9782,18 +8450,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2022-37055",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9826,18 +8482,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-66644",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9870,18 +8514,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-55182",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -9914,18 +8546,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-26828",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9958,18 +8578,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48633",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10002,18 +8610,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48572",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10046,18 +8642,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-26829",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10090,18 +8674,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-61757",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10134,18 +8706,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-13223",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10178,18 +8738,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-58034",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10222,18 +8770,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-64446",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10266,18 +8802,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-12480",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10310,18 +8834,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-62215",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10354,18 +8866,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-9242",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10398,18 +8898,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-21042",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10442,18 +8930,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48703",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10486,18 +8962,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-11371",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10530,18 +8994,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-41244",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10574,18 +9026,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-24893",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10618,18 +9058,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-6204",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10662,18 +9090,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-6205",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10706,18 +9122,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-54236",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10750,18 +9154,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-59287",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10794,18 +9186,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-61932",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10838,18 +9218,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2022-48503",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10882,18 +9250,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-2746",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10926,18 +9282,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-2747",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10970,18 +9314,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-33073",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11014,18 +9346,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-61884",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -11058,18 +9378,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-54253",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11102,18 +9410,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-47827",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11146,18 +9442,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-24990",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11190,18 +9474,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-59230",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11234,18 +9506,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2016-7836",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11278,18 +9538,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-43798",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11322,18 +9570,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-27915",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11366,18 +9602,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-22555",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11410,18 +9634,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2010-3962",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11454,18 +9666,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-43226",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11498,18 +9698,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2013-3918",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11542,18 +9730,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2011-3402",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11586,18 +9762,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2010-3765",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11630,18 +9794,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-61882",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -11674,18 +9826,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2014-6278",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11718,18 +9858,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2017-1000353",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11762,18 +9890,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2015-7755",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11806,18 +9922,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-21043",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11850,18 +9954,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-4008",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11894,18 +9986,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32463",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11938,18 +10018,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-59689",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11982,18 +10050,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-10035",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -12026,18 +10082,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-20352",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12070,18 +10114,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-21311",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12114,18 +10146,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-20362",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12158,18 +10178,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-20333",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12202,18 +10210,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-5086",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12246,18 +10242,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48543",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12290,18 +10274,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-53690",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12334,18 +10306,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-50224",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12378,18 +10338,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-9377",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12422,18 +10370,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2020-24363",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12466,18 +10402,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-55177",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12510,18 +10434,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-57819",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12554,18 +10466,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-7775",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12598,18 +10498,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48384",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12642,18 +10530,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-8068",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12686,18 +10562,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-8069",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12730,18 +10594,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-54948",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12774,18 +10626,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-8876",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12818,18 +10658,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-8875",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12862,18 +10690,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-8088",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12906,18 +10722,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2007-0671",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12950,18 +10754,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2013-3893",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12994,18 +10786,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2020-25078",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13038,18 +10818,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2020-25079",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13082,18 +10850,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2022-40799",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13126,18 +10882,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-2533",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13170,18 +10914,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-20337",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13214,18 +10946,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-20281",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13258,18 +10978,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-2775",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13302,18 +11010,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-2776",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13346,18 +11042,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-6558",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13390,18 +11074,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-54309",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13434,18 +11106,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-49704",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13478,18 +11138,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-49706",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13522,18 +11170,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-53770",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13566,18 +11202,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-25257",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13610,18 +11234,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-47812",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13654,18 +11266,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-5777",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13698,18 +11298,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2019-9621",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13742,18 +11330,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2019-5418",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13786,18 +11362,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2016-10033",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13830,18 +11394,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2014-3931",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13874,18 +11426,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-6554",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13918,18 +11458,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48928",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13962,18 +11490,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-48927",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14006,18 +11522,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-6543",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14050,18 +11554,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2019-6693",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 75,
       "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -14094,18 +11586,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-0769",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14138,18 +11618,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-54085",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14182,18 +11650,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-0386",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14226,18 +11682,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-33538",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14270,18 +11714,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-43200",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14314,18 +11746,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-33053",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14352,24 +11772,12 @@
         "adequate": false,
         "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
       },
-      "ISO-27001-2022-A.8.8": {
-        "covered": true,
-        "adequate": false,
-        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
-      }
-    },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-24016",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
+      "ISO-27001-2022-A.8.8": {
+        "covered": true,
+        "adequate": false,
+        "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
-    ],
+    },
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14402,18 +11810,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-42009",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14446,18 +11842,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32433",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14490,18 +11874,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-5419",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14534,18 +11906,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-21479",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14578,18 +11938,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-21480",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14622,18 +11970,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-27038",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14666,18 +12002,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2021-32030",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14710,18 +12034,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-3935",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14754,18 +12066,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-35939",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14798,18 +12098,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-56145",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14842,18 +12130,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-39780",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14886,18 +12162,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-4632",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14930,18 +12194,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2023-38950",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14974,18 +12226,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-27443",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15018,18 +12258,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-27920",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15062,18 +12290,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-11182",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15106,18 +12322,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-4428",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15150,18 +12354,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-4427",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15194,18 +12386,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-42999",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15238,18 +12418,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2024-12987",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15282,18 +12450,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32756",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15326,18 +12482,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32709",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15370,18 +12514,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-30397",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15414,18 +12546,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32706",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15458,18 +12578,6 @@
         "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
       }
     },
-    "new_control_requirements": [
-      {
-        "id": "NEW-CTRL-001",
-        "name": "CISA-KEV-RESPONSE-SLA",
-        "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
-        "evidence": "CVE-2025-32701",
-        "gap_closes": [
-          "NIST-800-53-SI-2",
-          "ISO-27001-2022-A.8.8"
-        ]
-      }
-    ],
     "compliance_exposure_score": {
       "percent_audit_passing_orgs_still_exposed": 55,
       "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",