@blamejs/exceptd-skills 0.13.19 → 0.13.21

@@ -2078,18 +2078,6 @@
2078
2078
  "gap": "Container-runtime supply chain not differentiated from application-runtime supply chain."
2079
2079
  }
2080
2080
  },
2081
- "new_control_requirements": [
2082
- {
2083
- "id": "NEW-CTRL-001",
2084
- "name": "CISA-KEV-RESPONSE-SLA",
2085
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2086
- "evidence": "CVE-2024-3154",
2087
- "gap_closes": [
2088
- "NIST-800-53-SI-2",
2089
- "ISO-27001-2022-A.8.8"
2090
- ]
2091
- }
2092
- ],
2093
2081
  "compliance_exposure_score": {
2094
2082
  "percent_audit_passing_orgs_still_exposed": 55,
2095
2083
  "basis": "AppArmor/SELinux deny-module-load is rarely enforced on container hosts; CIS-K8s benchmark passes without it. Patch cadence on Kubernetes node runtimes typically lags behind application patches.",
@@ -2145,18 +2133,6 @@
2145
2133
  "gap": "Secure coding control does not anchor on ML-runtime web-surface review; ML platforms are treated as out-of-scope of conventional secure-coding programs."
2146
2134
  }
2147
2135
  },
2148
- "new_control_requirements": [
2149
- {
2150
- "id": "NEW-CTRL-001",
2151
- "name": "CISA-KEV-RESPONSE-SLA",
2152
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2153
- "evidence": "CVE-2023-43472",
2154
- "gap_closes": [
2155
- "NIST-800-53-SI-2",
2156
- "ISO-27001-2022-A.8.8"
2157
- ]
2158
- }
2159
- ],
2160
2136
  "compliance_exposure_score": {
2161
2137
  "percent_audit_passing_orgs_still_exposed": 70,
2162
2138
  "basis": "MLflow tracking servers are widely deployed without auth and without front-proxy logging; ML platforms typically fall outside the AppSec team's secure-coding-review remit.",
@@ -2212,18 +2188,6 @@
2212
2188
  "gap": "Supply-chain protection control predates the SolarWinds incident; pre-2020 supply-chain controls did not contemplate a trusted vendor as the breach vector."
2213
2189
  }
2214
2190
  },
2215
- "new_control_requirements": [
2216
- {
2217
- "id": "NEW-CTRL-001",
2218
- "name": "CISA-KEV-RESPONSE-SLA",
2219
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2220
- "evidence": "CVE-2020-10148",
2221
- "gap_closes": [
2222
- "NIST-800-53-SI-2",
2223
- "ISO-27001-2022-A.8.8"
2224
- ]
2225
- }
2226
- ],
2227
2191
  "compliance_exposure_score": {
2228
2192
  "percent_audit_passing_orgs_still_exposed": 40,
2229
2193
  "basis": "Direct exposure to this specific CVE is low five years post-disclosure (Orion installations are largely patched), but the lessons-class — trusted-vendor-as-pivot — remains under-addressed by most supply-chain controls.",
@@ -2279,18 +2243,6 @@
2279
2243
  "gap": "EU NIS2 generic vulnerability-management requirement without unauth-RCE-specific SLA."
2280
2244
  }
2281
2245
  },
2282
- "new_control_requirements": [
2283
- {
2284
- "id": "NEW-CTRL-001",
2285
- "name": "CISA-KEV-RESPONSE-SLA",
2286
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2287
- "evidence": "CVE-2023-3519",
2288
- "gap_closes": [
2289
- "NIST-800-53-SI-2",
2290
- "ISO-27001-2022-A.8.8"
2291
- ]
2292
- }
2293
- ],
2294
2246
  "compliance_exposure_score": {
2295
2247
  "percent_audit_passing_orgs_still_exposed": 60,
2296
2248
  "basis": "PCI-DSS / NIS2 / SI-2 patch SLAs are wider than the actual exploitation window. Many organizations passing those audits remained exposed during the active mass-exploitation phase.",
@@ -2346,18 +2298,6 @@
2346
2298
  "gap": "Access-control management does not require setup-endpoint hardening on production deployments; the ScreenConnect setup wizard was reachable post-install by design."
2347
2299
  }
2348
2300
  },
2349
- "new_control_requirements": [
2350
- {
2351
- "id": "NEW-CTRL-001",
2352
- "name": "CISA-KEV-RESPONSE-SLA",
2353
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2354
- "evidence": "CVE-2024-1709",
2355
- "gap_closes": [
2356
- "NIST-800-53-SI-2",
2357
- "ISO-27001-2022-A.8.8"
2358
- ]
2359
- }
2360
- ],
2361
2301
  "compliance_exposure_score": {
2362
2302
  "percent_audit_passing_orgs_still_exposed": 75,
2363
2303
  "basis": "MSP fleets passing SOC 2 / ISO 27001 audits routinely deploy remote-management tooling with default routing exposed; setup-endpoint hardening is not a benchmark requirement.",
@@ -2413,18 +2353,6 @@
2413
2353
  "gap": "ICT third-party risk — SD-WAN vendor risk concentrated in a single advisory cadence; DORA does not require dual-vendor fabric topology."
2414
2354
  }
2415
2355
  },
2416
- "new_control_requirements": [
2417
- {
2418
- "id": "NEW-CTRL-001",
2419
- "name": "CISA-KEV-RESPONSE-SLA",
2420
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2421
- "evidence": "CVE-2026-20182",
2422
- "gap_closes": [
2423
- "NIST-800-53-SI-2",
2424
- "ISO-27001-2022-A.8.8"
2425
- ]
2426
- }
2427
- ],
2428
2356
  "compliance_exposure_score": {
2429
2357
  "percent_audit_passing_orgs_still_exposed": 65,
2430
2358
  "basis": "SD-WAN controller management surfaces are frequently reachable beyond operator subnets in real-world deployments; NIS2 / DORA controls do not enforce management-plane isolation as a specific requirement.",
@@ -2480,18 +2408,6 @@
2480
2408
  "gap": "Networks security control covers segmentation policy at organizational level but does not extend to container-runtime IPAM verification."
2481
2409
  }
2482
2410
  },
2483
- "new_control_requirements": [
2484
- {
2485
- "id": "NEW-CTRL-001",
2486
- "name": "CISA-KEV-RESPONSE-SLA",
2487
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2488
- "evidence": "CVE-2024-40635",
2489
- "gap_closes": [
2490
- "NIST-800-53-SI-2",
2491
- "ISO-27001-2022-A.8.8"
2492
- ]
2493
- }
2494
- ],
2495
2411
  "compliance_exposure_score": {
2496
2412
  "percent_audit_passing_orgs_still_exposed": 50,
2497
2413
  "basis": "Most clusters do not pair NetworkPolicy with IPAM-correctness audit. CIS-K8s benchmark passes without it.",
@@ -2614,18 +2530,6 @@
2614
2530
  "gap": "Configuration-management control covers organizational assets; consumer NAS appliances at remote sites are commonly out of scope of the enterprise CMDB."
2615
2531
  }
2616
2532
  },
2617
- "new_control_requirements": [
2618
- {
2619
- "id": "NEW-CTRL-001",
2620
- "name": "CISA-KEV-RESPONSE-SLA",
2621
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2622
- "evidence": "CVE-2025-12686",
2623
- "gap_closes": [
2624
- "NIST-800-53-SI-2",
2625
- "ISO-27001-2022-A.8.8"
2626
- ]
2627
- }
2628
- ],
2629
2533
  "compliance_exposure_score": {
2630
2534
  "percent_audit_passing_orgs_still_exposed": 60,
2631
2535
  "basis": "Consumer-NAS appliances are pervasive at branch / SMB / remote-worker sites and routinely fall outside enterprise patch and asset-management programs.",
@@ -2681,18 +2585,6 @@
2681
2585
  "gap": "Configuration-management control covers organizational assets; SMB / branch NAS appliances are commonly out of CMDB scope."
2682
2586
  }
2683
2587
  },
2684
- "new_control_requirements": [
2685
- {
2686
- "id": "NEW-CTRL-001",
2687
- "name": "CISA-KEV-RESPONSE-SLA",
2688
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2689
- "evidence": "CVE-2025-62847",
2690
- "gap_closes": [
2691
- "NIST-800-53-SI-2",
2692
- "ISO-27001-2022-A.8.8"
2693
- ]
2694
- }
2695
- ],
2696
2588
  "compliance_exposure_score": {
2697
2589
  "percent_audit_passing_orgs_still_exposed": 60,
2698
2590
  "basis": "QNAP appliances are pervasive at SMB / prosumer scale and fall outside enterprise patch programs.",
@@ -2748,18 +2640,6 @@
2748
2640
  "gap": "Secure-coding control assumed in vendor firmware; appliance vendors are out-of-band of the operator's secure-coding program."
2749
2641
  }
2750
2642
  },
2751
- "new_control_requirements": [
2752
- {
2753
- "id": "NEW-CTRL-001",
2754
- "name": "CISA-KEV-RESPONSE-SLA",
2755
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2756
- "evidence": "CVE-2025-62848",
2757
- "gap_closes": [
2758
- "NIST-800-53-SI-2",
2759
- "ISO-27001-2022-A.8.8"
2760
- ]
2761
- }
2762
- ],
2763
2643
  "compliance_exposure_score": {
2764
2644
  "percent_audit_passing_orgs_still_exposed": 60,
2765
2645
  "basis": "Same population and coverage gap as CVE-2025-62847; chain components track together.",
@@ -2815,18 +2695,6 @@
2815
2695
  "gap": "Consumer-NAS coverage begins 2027."
2816
2696
  }
2817
2697
  },
2818
- "new_control_requirements": [
2819
- {
2820
- "id": "NEW-CTRL-001",
2821
- "name": "CISA-KEV-RESPONSE-SLA",
2822
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
2823
- "evidence": "CVE-2025-62849",
2824
- "gap_closes": [
2825
- "NIST-800-53-SI-2",
2826
- "ISO-27001-2022-A.8.8"
2827
- ]
2828
- }
2829
- ],
2830
2698
  "compliance_exposure_score": {
2831
2699
  "percent_audit_passing_orgs_still_exposed": 60,
2832
2700
  "basis": "Same population as the chain siblings.",
@@ -3032,18 +2900,6 @@
3032
2900
  "gap": "Essential 8 patch-applications ML3 (48h) is closer to the operational reality than NIST SI-2 but still misses the mass-scanning window."
3033
2901
  }
3034
2902
  },
3035
- "new_control_requirements": [
3036
- {
3037
- "id": "NEW-CTRL-001",
3038
- "name": "CISA-KEV-RESPONSE-SLA",
3039
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
3040
- "evidence": "CVE-2024-21762",
3041
- "gap_closes": [
3042
- "NIST-800-53-SI-2",
3043
- "ISO-27001-2022-A.8.8"
3044
- ]
3045
- }
3046
- ],
3047
2903
  "compliance_exposure_score": {
3048
2904
  "percent_audit_passing_orgs_still_exposed": 60,
3049
2905
  "basis": "Internet-facing SSL-VPN concentrators are routinely deployed by SOC 2 / ISO 27001 / PCI-audited organisations without a documented compressed-SLA patching procedure for the appliance class; the standard 30-day patch SLA was active exposure for this CVE. Post-exploitation symlink cleanup is essentially never tested in compliance audits — operators who patched in place after compromise frequently retained attacker persistence.",
@@ -5074,18 +4930,6 @@
5074
4930
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5075
4931
  }
5076
4932
  },
5077
- "new_control_requirements": [
5078
- {
5079
- "id": "NEW-CTRL-001",
5080
- "name": "CISA-KEV-RESPONSE-SLA",
5081
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5082
- "evidence": "CVE-2026-41940",
5083
- "gap_closes": [
5084
- "NIST-800-53-SI-2",
5085
- "ISO-27001-2022-A.8.8"
5086
- ]
5087
- }
5088
- ],
5089
4933
  "compliance_exposure_score": {
5090
4934
  "percent_audit_passing_orgs_still_exposed": 75,
5091
4935
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5118,18 +4962,6 @@
5118
4962
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5119
4963
  }
5120
4964
  },
5121
- "new_control_requirements": [
5122
- {
5123
- "id": "NEW-CTRL-001",
5124
- "name": "CISA-KEV-RESPONSE-SLA",
5125
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5126
- "evidence": "CVE-2024-1708",
5127
- "gap_closes": [
5128
- "NIST-800-53-SI-2",
5129
- "ISO-27001-2022-A.8.8"
5130
- ]
5131
- }
5132
- ],
5133
4965
  "compliance_exposure_score": {
5134
4966
  "percent_audit_passing_orgs_still_exposed": 75,
5135
4967
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5162,18 +4994,6 @@
5162
4994
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5163
4995
  }
5164
4996
  },
5165
- "new_control_requirements": [
5166
- {
5167
- "id": "NEW-CTRL-001",
5168
- "name": "CISA-KEV-RESPONSE-SLA",
5169
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5170
- "evidence": "CVE-2025-29635",
5171
- "gap_closes": [
5172
- "NIST-800-53-SI-2",
5173
- "ISO-27001-2022-A.8.8"
5174
- ]
5175
- }
5176
- ],
5177
4997
  "compliance_exposure_score": {
5178
4998
  "percent_audit_passing_orgs_still_exposed": 55,
5179
4999
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5206,18 +5026,6 @@
5206
5026
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5207
5027
  }
5208
5028
  },
5209
- "new_control_requirements": [
5210
- {
5211
- "id": "NEW-CTRL-001",
5212
- "name": "CISA-KEV-RESPONSE-SLA",
5213
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5214
- "evidence": "CVE-2024-7399",
5215
- "gap_closes": [
5216
- "NIST-800-53-SI-2",
5217
- "ISO-27001-2022-A.8.8"
5218
- ]
5219
- }
5220
- ],
5221
5029
  "compliance_exposure_score": {
5222
5030
  "percent_audit_passing_orgs_still_exposed": 55,
5223
5031
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5250,18 +5058,6 @@
5250
5058
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5251
5059
  }
5252
5060
  },
5253
- "new_control_requirements": [
5254
- {
5255
- "id": "NEW-CTRL-001",
5256
- "name": "CISA-KEV-RESPONSE-SLA",
5257
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5258
- "evidence": "CVE-2024-57728",
5259
- "gap_closes": [
5260
- "NIST-800-53-SI-2",
5261
- "ISO-27001-2022-A.8.8"
5262
- ]
5263
- }
5264
- ],
5265
5061
  "compliance_exposure_score": {
5266
5062
  "percent_audit_passing_orgs_still_exposed": 75,
5267
5063
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5294,18 +5090,6 @@
5294
5090
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5295
5091
  }
5296
5092
  },
5297
- "new_control_requirements": [
5298
- {
5299
- "id": "NEW-CTRL-001",
5300
- "name": "CISA-KEV-RESPONSE-SLA",
5301
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5302
- "evidence": "CVE-2024-57726",
5303
- "gap_closes": [
5304
- "NIST-800-53-SI-2",
5305
- "ISO-27001-2022-A.8.8"
5306
- ]
5307
- }
5308
- ],
5309
5093
  "compliance_exposure_score": {
5310
5094
  "percent_audit_passing_orgs_still_exposed": 75,
5311
5095
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5338,18 +5122,6 @@
5338
5122
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5339
5123
  }
5340
5124
  },
5341
- "new_control_requirements": [
5342
- {
5343
- "id": "NEW-CTRL-001",
5344
- "name": "CISA-KEV-RESPONSE-SLA",
5345
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5346
- "evidence": "CVE-2026-20122",
5347
- "gap_closes": [
5348
- "NIST-800-53-SI-2",
5349
- "ISO-27001-2022-A.8.8"
5350
- ]
5351
- }
5352
- ],
5353
5125
  "compliance_exposure_score": {
5354
5126
  "percent_audit_passing_orgs_still_exposed": 55,
5355
5127
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5382,18 +5154,6 @@
5382
5154
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5383
5155
  }
5384
5156
  },
5385
- "new_control_requirements": [
5386
- {
5387
- "id": "NEW-CTRL-001",
5388
- "name": "CISA-KEV-RESPONSE-SLA",
5389
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5390
- "evidence": "CVE-2026-20133",
5391
- "gap_closes": [
5392
- "NIST-800-53-SI-2",
5393
- "ISO-27001-2022-A.8.8"
5394
- ]
5395
- }
5396
- ],
5397
5157
  "compliance_exposure_score": {
5398
5158
  "percent_audit_passing_orgs_still_exposed": 55,
5399
5159
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5426,18 +5186,6 @@
5426
5186
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5427
5187
  }
5428
5188
  },
5429
- "new_control_requirements": [
5430
- {
5431
- "id": "NEW-CTRL-001",
5432
- "name": "CISA-KEV-RESPONSE-SLA",
5433
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5434
- "evidence": "CVE-2025-2749",
5435
- "gap_closes": [
5436
- "NIST-800-53-SI-2",
5437
- "ISO-27001-2022-A.8.8"
5438
- ]
5439
- }
5440
- ],
5441
5189
  "compliance_exposure_score": {
5442
5190
  "percent_audit_passing_orgs_still_exposed": 55,
5443
5191
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5470,18 +5218,6 @@
5470
5218
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5471
5219
  }
5472
5220
  },
5473
- "new_control_requirements": [
5474
- {
5475
- "id": "NEW-CTRL-001",
5476
- "name": "CISA-KEV-RESPONSE-SLA",
5477
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5478
- "evidence": "CVE-2023-27351",
5479
- "gap_closes": [
5480
- "NIST-800-53-SI-2",
5481
- "ISO-27001-2022-A.8.8"
5482
- ]
5483
- }
5484
- ],
5485
5221
  "compliance_exposure_score": {
5486
5222
  "percent_audit_passing_orgs_still_exposed": 75,
5487
5223
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5514,18 +5250,6 @@
5514
5250
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5515
5251
  }
5516
5252
  },
5517
- "new_control_requirements": [
5518
- {
5519
- "id": "NEW-CTRL-001",
5520
- "name": "CISA-KEV-RESPONSE-SLA",
5521
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5522
- "evidence": "CVE-2025-48700",
5523
- "gap_closes": [
5524
- "NIST-800-53-SI-2",
5525
- "ISO-27001-2022-A.8.8"
5526
- ]
5527
- }
5528
- ],
5529
5253
  "compliance_exposure_score": {
5530
5254
  "percent_audit_passing_orgs_still_exposed": 55,
5531
5255
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5558,18 +5282,6 @@
5558
5282
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5559
5283
  }
5560
5284
  },
5561
- "new_control_requirements": [
5562
- {
5563
- "id": "NEW-CTRL-001",
5564
- "name": "CISA-KEV-RESPONSE-SLA",
5565
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5566
- "evidence": "CVE-2026-20128",
5567
- "gap_closes": [
5568
- "NIST-800-53-SI-2",
5569
- "ISO-27001-2022-A.8.8"
5570
- ]
5571
- }
5572
- ],
5573
5285
  "compliance_exposure_score": {
5574
5286
  "percent_audit_passing_orgs_still_exposed": 55,
5575
5287
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5602,18 +5314,6 @@
5602
5314
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5603
5315
  }
5604
5316
  },
5605
- "new_control_requirements": [
5606
- {
5607
- "id": "NEW-CTRL-001",
5608
- "name": "CISA-KEV-RESPONSE-SLA",
5609
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5610
- "evidence": "CVE-2025-32975",
5611
- "gap_closes": [
5612
- "NIST-800-53-SI-2",
5613
- "ISO-27001-2022-A.8.8"
5614
- ]
5615
- }
5616
- ],
5617
5317
  "compliance_exposure_score": {
5618
5318
  "percent_audit_passing_orgs_still_exposed": 55,
5619
5319
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5646,18 +5346,6 @@
5646
5346
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5647
5347
  }
5648
5348
  },
5649
- "new_control_requirements": [
5650
- {
5651
- "id": "NEW-CTRL-001",
5652
- "name": "CISA-KEV-RESPONSE-SLA",
5653
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5654
- "evidence": "CVE-2024-27199",
5655
- "gap_closes": [
5656
- "NIST-800-53-SI-2",
5657
- "ISO-27001-2022-A.8.8"
5658
- ]
5659
- }
5660
- ],
5661
5349
  "compliance_exposure_score": {
5662
5350
  "percent_audit_passing_orgs_still_exposed": 75,
5663
5351
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5690,18 +5378,6 @@
5690
5378
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5691
5379
  }
5692
5380
  },
5693
- "new_control_requirements": [
5694
- {
5695
- "id": "NEW-CTRL-001",
5696
- "name": "CISA-KEV-RESPONSE-SLA",
5697
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5698
- "evidence": "CVE-2026-34197",
5699
- "gap_closes": [
5700
- "NIST-800-53-SI-2",
5701
- "ISO-27001-2022-A.8.8"
5702
- ]
5703
- }
5704
- ],
5705
5381
  "compliance_exposure_score": {
5706
5382
  "percent_audit_passing_orgs_still_exposed": 55,
5707
5383
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5734,18 +5410,6 @@
5734
5410
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5735
5411
  }
5736
5412
  },
5737
- "new_control_requirements": [
5738
- {
5739
- "id": "NEW-CTRL-001",
5740
- "name": "CISA-KEV-RESPONSE-SLA",
5741
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5742
- "evidence": "CVE-2009-0238",
5743
- "gap_closes": [
5744
- "NIST-800-53-SI-2",
5745
- "ISO-27001-2022-A.8.8"
5746
- ]
5747
- }
5748
- ],
5749
5413
  "compliance_exposure_score": {
5750
5414
  "percent_audit_passing_orgs_still_exposed": 55,
5751
5415
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5778,18 +5442,6 @@
5778
5442
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5779
5443
  }
5780
5444
  },
5781
- "new_control_requirements": [
5782
- {
5783
- "id": "NEW-CTRL-001",
5784
- "name": "CISA-KEV-RESPONSE-SLA",
5785
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5786
- "evidence": "CVE-2026-32201",
5787
- "gap_closes": [
5788
- "NIST-800-53-SI-2",
5789
- "ISO-27001-2022-A.8.8"
5790
- ]
5791
- }
5792
- ],
5793
5445
  "compliance_exposure_score": {
5794
5446
  "percent_audit_passing_orgs_still_exposed": 55,
5795
5447
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5822,18 +5474,6 @@
5822
5474
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5823
5475
  }
5824
5476
  },
5825
- "new_control_requirements": [
5826
- {
5827
- "id": "NEW-CTRL-001",
5828
- "name": "CISA-KEV-RESPONSE-SLA",
5829
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5830
- "evidence": "CVE-2012-1854",
5831
- "gap_closes": [
5832
- "NIST-800-53-SI-2",
5833
- "ISO-27001-2022-A.8.8"
5834
- ]
5835
- }
5836
- ],
5837
5477
  "compliance_exposure_score": {
5838
5478
  "percent_audit_passing_orgs_still_exposed": 55,
5839
5479
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5866,18 +5506,6 @@
5866
5506
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5867
5507
  }
5868
5508
  },
5869
- "new_control_requirements": [
5870
- {
5871
- "id": "NEW-CTRL-001",
5872
- "name": "CISA-KEV-RESPONSE-SLA",
5873
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5874
- "evidence": "CVE-2025-60710",
5875
- "gap_closes": [
5876
- "NIST-800-53-SI-2",
5877
- "ISO-27001-2022-A.8.8"
5878
- ]
5879
- }
5880
- ],
5881
5509
  "compliance_exposure_score": {
5882
5510
  "percent_audit_passing_orgs_still_exposed": 55,
5883
5511
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5910,18 +5538,6 @@
5910
5538
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5911
5539
  }
5912
5540
  },
5913
- "new_control_requirements": [
5914
- {
5915
- "id": "NEW-CTRL-001",
5916
- "name": "CISA-KEV-RESPONSE-SLA",
5917
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5918
- "evidence": "CVE-2023-21529",
5919
- "gap_closes": [
5920
- "NIST-800-53-SI-2",
5921
- "ISO-27001-2022-A.8.8"
5922
- ]
5923
- }
5924
- ],
5925
5541
  "compliance_exposure_score": {
5926
5542
  "percent_audit_passing_orgs_still_exposed": 75,
5927
5543
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -5954,18 +5570,6 @@
5954
5570
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5955
5571
  }
5956
5572
  },
5957
- "new_control_requirements": [
5958
- {
5959
- "id": "NEW-CTRL-001",
5960
- "name": "CISA-KEV-RESPONSE-SLA",
5961
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
5962
- "evidence": "CVE-2023-36424",
5963
- "gap_closes": [
5964
- "NIST-800-53-SI-2",
5965
- "ISO-27001-2022-A.8.8"
5966
- ]
5967
- }
5968
- ],
5969
5573
  "compliance_exposure_score": {
5970
5574
  "percent_audit_passing_orgs_still_exposed": 55,
5971
5575
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -5998,18 +5602,6 @@
5998
5602
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
5999
5603
  }
6000
5604
  },
6001
- "new_control_requirements": [
6002
- {
6003
- "id": "NEW-CTRL-001",
6004
- "name": "CISA-KEV-RESPONSE-SLA",
6005
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6006
- "evidence": "CVE-2020-9715",
6007
- "gap_closes": [
6008
- "NIST-800-53-SI-2",
6009
- "ISO-27001-2022-A.8.8"
6010
- ]
6011
- }
6012
- ],
6013
5605
  "compliance_exposure_score": {
6014
5606
  "percent_audit_passing_orgs_still_exposed": 55,
6015
5607
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6042,18 +5634,6 @@
6042
5634
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6043
5635
  }
6044
5636
  },
6045
- "new_control_requirements": [
6046
- {
6047
- "id": "NEW-CTRL-001",
6048
- "name": "CISA-KEV-RESPONSE-SLA",
6049
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6050
- "evidence": "CVE-2026-21643",
6051
- "gap_closes": [
6052
- "NIST-800-53-SI-2",
6053
- "ISO-27001-2022-A.8.8"
6054
- ]
6055
- }
6056
- ],
6057
5637
  "compliance_exposure_score": {
6058
5638
  "percent_audit_passing_orgs_still_exposed": 55,
6059
5639
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6086,18 +5666,6 @@
6086
5666
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6087
5667
  }
6088
5668
  },
6089
- "new_control_requirements": [
6090
- {
6091
- "id": "NEW-CTRL-001",
6092
- "name": "CISA-KEV-RESPONSE-SLA",
6093
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6094
- "evidence": "CVE-2026-34621",
6095
- "gap_closes": [
6096
- "NIST-800-53-SI-2",
6097
- "ISO-27001-2022-A.8.8"
6098
- ]
6099
- }
6100
- ],
6101
5669
  "compliance_exposure_score": {
6102
5670
  "percent_audit_passing_orgs_still_exposed": 55,
6103
5671
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6130,18 +5698,6 @@
6130
5698
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6131
5699
  }
6132
5700
  },
6133
- "new_control_requirements": [
6134
- {
6135
- "id": "NEW-CTRL-001",
6136
- "name": "CISA-KEV-RESPONSE-SLA",
6137
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6138
- "evidence": "CVE-2026-1340",
6139
- "gap_closes": [
6140
- "NIST-800-53-SI-2",
6141
- "ISO-27001-2022-A.8.8"
6142
- ]
6143
- }
6144
- ],
6145
5701
  "compliance_exposure_score": {
6146
5702
  "percent_audit_passing_orgs_still_exposed": 55,
6147
5703
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6174,18 +5730,6 @@
6174
5730
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6175
5731
  }
6176
5732
  },
6177
- "new_control_requirements": [
6178
- {
6179
- "id": "NEW-CTRL-001",
6180
- "name": "CISA-KEV-RESPONSE-SLA",
6181
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6182
- "evidence": "CVE-2026-35616",
6183
- "gap_closes": [
6184
- "NIST-800-53-SI-2",
6185
- "ISO-27001-2022-A.8.8"
6186
- ]
6187
- }
6188
- ],
6189
5733
  "compliance_exposure_score": {
6190
5734
  "percent_audit_passing_orgs_still_exposed": 55,
6191
5735
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6218,18 +5762,6 @@
6218
5762
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6219
5763
  }
6220
5764
  },
6221
- "new_control_requirements": [
6222
- {
6223
- "id": "NEW-CTRL-001",
6224
- "name": "CISA-KEV-RESPONSE-SLA",
6225
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6226
- "evidence": "CVE-2026-3502",
6227
- "gap_closes": [
6228
- "NIST-800-53-SI-2",
6229
- "ISO-27001-2022-A.8.8"
6230
- ]
6231
- }
6232
- ],
6233
5765
  "compliance_exposure_score": {
6234
5766
  "percent_audit_passing_orgs_still_exposed": 55,
6235
5767
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6262,18 +5794,6 @@
6262
5794
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6263
5795
  }
6264
5796
  },
6265
- "new_control_requirements": [
6266
- {
6267
- "id": "NEW-CTRL-001",
6268
- "name": "CISA-KEV-RESPONSE-SLA",
6269
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6270
- "evidence": "CVE-2026-5281",
6271
- "gap_closes": [
6272
- "NIST-800-53-SI-2",
6273
- "ISO-27001-2022-A.8.8"
6274
- ]
6275
- }
6276
- ],
6277
5797
  "compliance_exposure_score": {
6278
5798
  "percent_audit_passing_orgs_still_exposed": 55,
6279
5799
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6306,18 +5826,6 @@
6306
5826
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6307
5827
  }
6308
5828
  },
6309
- "new_control_requirements": [
6310
- {
6311
- "id": "NEW-CTRL-001",
6312
- "name": "CISA-KEV-RESPONSE-SLA",
6313
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6314
- "evidence": "CVE-2026-3055",
6315
- "gap_closes": [
6316
- "NIST-800-53-SI-2",
6317
- "ISO-27001-2022-A.8.8"
6318
- ]
6319
- }
6320
- ],
6321
5829
  "compliance_exposure_score": {
6322
5830
  "percent_audit_passing_orgs_still_exposed": 55,
6323
5831
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6350,18 +5858,6 @@
6350
5858
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6351
5859
  }
6352
5860
  },
6353
- "new_control_requirements": [
6354
- {
6355
- "id": "NEW-CTRL-001",
6356
- "name": "CISA-KEV-RESPONSE-SLA",
6357
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6358
- "evidence": "CVE-2025-53521",
6359
- "gap_closes": [
6360
- "NIST-800-53-SI-2",
6361
- "ISO-27001-2022-A.8.8"
6362
- ]
6363
- }
6364
- ],
6365
5861
  "compliance_exposure_score": {
6366
5862
  "percent_audit_passing_orgs_still_exposed": 55,
6367
5863
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6394,18 +5890,6 @@
6394
5890
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6395
5891
  }
6396
5892
  },
6397
- "new_control_requirements": [
6398
- {
6399
- "id": "NEW-CTRL-001",
6400
- "name": "CISA-KEV-RESPONSE-SLA",
6401
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6402
- "evidence": "CVE-2026-33634",
6403
- "gap_closes": [
6404
- "NIST-800-53-SI-2",
6405
- "ISO-27001-2022-A.8.8"
6406
- ]
6407
- }
6408
- ],
6409
5893
  "compliance_exposure_score": {
6410
5894
  "percent_audit_passing_orgs_still_exposed": 55,
6411
5895
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6438,18 +5922,6 @@
6438
5922
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6439
5923
  }
6440
5924
  },
6441
- "new_control_requirements": [
6442
- {
6443
- "id": "NEW-CTRL-001",
6444
- "name": "CISA-KEV-RESPONSE-SLA",
6445
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6446
- "evidence": "CVE-2026-33017",
6447
- "gap_closes": [
6448
- "NIST-800-53-SI-2",
6449
- "ISO-27001-2022-A.8.8"
6450
- ]
6451
- }
6452
- ],
6453
5925
  "compliance_exposure_score": {
6454
5926
  "percent_audit_passing_orgs_still_exposed": 55,
6455
5927
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6482,18 +5954,6 @@
6482
5954
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6483
5955
  }
6484
5956
  },
6485
- "new_control_requirements": [
6486
- {
6487
- "id": "NEW-CTRL-001",
6488
- "name": "CISA-KEV-RESPONSE-SLA",
6489
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6490
- "evidence": "CVE-2025-32432",
6491
- "gap_closes": [
6492
- "NIST-800-53-SI-2",
6493
- "ISO-27001-2022-A.8.8"
6494
- ]
6495
- }
6496
- ],
6497
5957
  "compliance_exposure_score": {
6498
5958
  "percent_audit_passing_orgs_still_exposed": 55,
6499
5959
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6526,18 +5986,6 @@
6526
5986
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6527
5987
  }
6528
5988
  },
6529
- "new_control_requirements": [
6530
- {
6531
- "id": "NEW-CTRL-001",
6532
- "name": "CISA-KEV-RESPONSE-SLA",
6533
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6534
- "evidence": "CVE-2025-54068",
6535
- "gap_closes": [
6536
- "NIST-800-53-SI-2",
6537
- "ISO-27001-2022-A.8.8"
6538
- ]
6539
- }
6540
- ],
6541
5989
  "compliance_exposure_score": {
6542
5990
  "percent_audit_passing_orgs_still_exposed": 55,
6543
5991
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6570,18 +6018,6 @@
6570
6018
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6571
6019
  }
6572
6020
  },
6573
- "new_control_requirements": [
6574
- {
6575
- "id": "NEW-CTRL-001",
6576
- "name": "CISA-KEV-RESPONSE-SLA",
6577
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6578
- "evidence": "CVE-2025-43510",
6579
- "gap_closes": [
6580
- "NIST-800-53-SI-2",
6581
- "ISO-27001-2022-A.8.8"
6582
- ]
6583
- }
6584
- ],
6585
6021
  "compliance_exposure_score": {
6586
6022
  "percent_audit_passing_orgs_still_exposed": 55,
6587
6023
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6614,18 +6050,6 @@
6614
6050
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6615
6051
  }
6616
6052
  },
6617
- "new_control_requirements": [
6618
- {
6619
- "id": "NEW-CTRL-001",
6620
- "name": "CISA-KEV-RESPONSE-SLA",
6621
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6622
- "evidence": "CVE-2025-43520",
6623
- "gap_closes": [
6624
- "NIST-800-53-SI-2",
6625
- "ISO-27001-2022-A.8.8"
6626
- ]
6627
- }
6628
- ],
6629
6053
  "compliance_exposure_score": {
6630
6054
  "percent_audit_passing_orgs_still_exposed": 55,
6631
6055
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6658,18 +6082,6 @@
6658
6082
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6659
6083
  }
6660
6084
  },
6661
- "new_control_requirements": [
6662
- {
6663
- "id": "NEW-CTRL-001",
6664
- "name": "CISA-KEV-RESPONSE-SLA",
6665
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6666
- "evidence": "CVE-2025-31277",
6667
- "gap_closes": [
6668
- "NIST-800-53-SI-2",
6669
- "ISO-27001-2022-A.8.8"
6670
- ]
6671
- }
6672
- ],
6673
6085
  "compliance_exposure_score": {
6674
6086
  "percent_audit_passing_orgs_still_exposed": 55,
6675
6087
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6702,18 +6114,6 @@
6702
6114
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6703
6115
  }
6704
6116
  },
6705
- "new_control_requirements": [
6706
- {
6707
- "id": "NEW-CTRL-001",
6708
- "name": "CISA-KEV-RESPONSE-SLA",
6709
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6710
- "evidence": "CVE-2026-20131",
6711
- "gap_closes": [
6712
- "NIST-800-53-SI-2",
6713
- "ISO-27001-2022-A.8.8"
6714
- ]
6715
- }
6716
- ],
6717
6117
  "compliance_exposure_score": {
6718
6118
  "percent_audit_passing_orgs_still_exposed": 75,
6719
6119
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -6746,18 +6146,6 @@
6746
6146
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6747
6147
  }
6748
6148
  },
6749
- "new_control_requirements": [
6750
- {
6751
- "id": "NEW-CTRL-001",
6752
- "name": "CISA-KEV-RESPONSE-SLA",
6753
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6754
- "evidence": "CVE-2025-66376",
6755
- "gap_closes": [
6756
- "NIST-800-53-SI-2",
6757
- "ISO-27001-2022-A.8.8"
6758
- ]
6759
- }
6760
- ],
6761
6149
  "compliance_exposure_score": {
6762
6150
  "percent_audit_passing_orgs_still_exposed": 55,
6763
6151
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6790,18 +6178,6 @@
6790
6178
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6791
6179
  }
6792
6180
  },
6793
- "new_control_requirements": [
6794
- {
6795
- "id": "NEW-CTRL-001",
6796
- "name": "CISA-KEV-RESPONSE-SLA",
6797
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6798
- "evidence": "CVE-2026-20963",
6799
- "gap_closes": [
6800
- "NIST-800-53-SI-2",
6801
- "ISO-27001-2022-A.8.8"
6802
- ]
6803
- }
6804
- ],
6805
6181
  "compliance_exposure_score": {
6806
6182
  "percent_audit_passing_orgs_still_exposed": 55,
6807
6183
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6834,18 +6210,6 @@
6834
6210
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6835
6211
  }
6836
6212
  },
6837
- "new_control_requirements": [
6838
- {
6839
- "id": "NEW-CTRL-001",
6840
- "name": "CISA-KEV-RESPONSE-SLA",
6841
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6842
- "evidence": "CVE-2025-47813",
6843
- "gap_closes": [
6844
- "NIST-800-53-SI-2",
6845
- "ISO-27001-2022-A.8.8"
6846
- ]
6847
- }
6848
- ],
6849
6213
  "compliance_exposure_score": {
6850
6214
  "percent_audit_passing_orgs_still_exposed": 55,
6851
6215
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6878,18 +6242,6 @@
6878
6242
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6879
6243
  }
6880
6244
  },
6881
- "new_control_requirements": [
6882
- {
6883
- "id": "NEW-CTRL-001",
6884
- "name": "CISA-KEV-RESPONSE-SLA",
6885
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6886
- "evidence": "CVE-2026-3910",
6887
- "gap_closes": [
6888
- "NIST-800-53-SI-2",
6889
- "ISO-27001-2022-A.8.8"
6890
- ]
6891
- }
6892
- ],
6893
6245
  "compliance_exposure_score": {
6894
6246
  "percent_audit_passing_orgs_still_exposed": 55,
6895
6247
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6922,18 +6274,6 @@
6922
6274
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6923
6275
  }
6924
6276
  },
6925
- "new_control_requirements": [
6926
- {
6927
- "id": "NEW-CTRL-001",
6928
- "name": "CISA-KEV-RESPONSE-SLA",
6929
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6930
- "evidence": "CVE-2026-3909",
6931
- "gap_closes": [
6932
- "NIST-800-53-SI-2",
6933
- "ISO-27001-2022-A.8.8"
6934
- ]
6935
- }
6936
- ],
6937
6277
  "compliance_exposure_score": {
6938
6278
  "percent_audit_passing_orgs_still_exposed": 55,
6939
6279
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -6966,18 +6306,6 @@
6966
6306
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
6967
6307
  }
6968
6308
  },
6969
- "new_control_requirements": [
6970
- {
6971
- "id": "NEW-CTRL-001",
6972
- "name": "CISA-KEV-RESPONSE-SLA",
6973
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
6974
- "evidence": "CVE-2025-68613",
6975
- "gap_closes": [
6976
- "NIST-800-53-SI-2",
6977
- "ISO-27001-2022-A.8.8"
6978
- ]
6979
- }
6980
- ],
6981
6309
  "compliance_exposure_score": {
6982
6310
  "percent_audit_passing_orgs_still_exposed": 55,
6983
6311
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7010,18 +6338,6 @@
7010
6338
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7011
6339
  }
7012
6340
  },
7013
- "new_control_requirements": [
7014
- {
7015
- "id": "NEW-CTRL-001",
7016
- "name": "CISA-KEV-RESPONSE-SLA",
7017
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7018
- "evidence": "CVE-2021-22054",
7019
- "gap_closes": [
7020
- "NIST-800-53-SI-2",
7021
- "ISO-27001-2022-A.8.8"
7022
- ]
7023
- }
7024
- ],
7025
6341
  "compliance_exposure_score": {
7026
6342
  "percent_audit_passing_orgs_still_exposed": 55,
7027
6343
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7054,18 +6370,6 @@
7054
6370
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7055
6371
  }
7056
6372
  },
7057
- "new_control_requirements": [
7058
- {
7059
- "id": "NEW-CTRL-001",
7060
- "name": "CISA-KEV-RESPONSE-SLA",
7061
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7062
- "evidence": "CVE-2025-26399",
7063
- "gap_closes": [
7064
- "NIST-800-53-SI-2",
7065
- "ISO-27001-2022-A.8.8"
7066
- ]
7067
- }
7068
- ],
7069
6373
  "compliance_exposure_score": {
7070
6374
  "percent_audit_passing_orgs_still_exposed": 55,
7071
6375
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7098,18 +6402,6 @@
7098
6402
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7099
6403
  }
7100
6404
  },
7101
- "new_control_requirements": [
7102
- {
7103
- "id": "NEW-CTRL-001",
7104
- "name": "CISA-KEV-RESPONSE-SLA",
7105
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7106
- "evidence": "CVE-2026-1603",
7107
- "gap_closes": [
7108
- "NIST-800-53-SI-2",
7109
- "ISO-27001-2022-A.8.8"
7110
- ]
7111
- }
7112
- ],
7113
6405
  "compliance_exposure_score": {
7114
6406
  "percent_audit_passing_orgs_still_exposed": 55,
7115
6407
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7142,18 +6434,6 @@
7142
6434
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7143
6435
  }
7144
6436
  },
7145
- "new_control_requirements": [
7146
- {
7147
- "id": "NEW-CTRL-001",
7148
- "name": "CISA-KEV-RESPONSE-SLA",
7149
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7150
- "evidence": "CVE-2017-7921",
7151
- "gap_closes": [
7152
- "NIST-800-53-SI-2",
7153
- "ISO-27001-2022-A.8.8"
7154
- ]
7155
- }
7156
- ],
7157
6437
  "compliance_exposure_score": {
7158
6438
  "percent_audit_passing_orgs_still_exposed": 55,
7159
6439
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7186,18 +6466,6 @@
7186
6466
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7187
6467
  }
7188
6468
  },
7189
- "new_control_requirements": [
7190
- {
7191
- "id": "NEW-CTRL-001",
7192
- "name": "CISA-KEV-RESPONSE-SLA",
7193
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7194
- "evidence": "CVE-2021-22681",
7195
- "gap_closes": [
7196
- "NIST-800-53-SI-2",
7197
- "ISO-27001-2022-A.8.8"
7198
- ]
7199
- }
7200
- ],
7201
6469
  "compliance_exposure_score": {
7202
6470
  "percent_audit_passing_orgs_still_exposed": 55,
7203
6471
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7230,18 +6498,6 @@
7230
6498
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7231
6499
  }
7232
6500
  },
7233
- "new_control_requirements": [
7234
- {
7235
- "id": "NEW-CTRL-001",
7236
- "name": "CISA-KEV-RESPONSE-SLA",
7237
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7238
- "evidence": "CVE-2023-43000",
7239
- "gap_closes": [
7240
- "NIST-800-53-SI-2",
7241
- "ISO-27001-2022-A.8.8"
7242
- ]
7243
- }
7244
- ],
7245
6501
  "compliance_exposure_score": {
7246
6502
  "percent_audit_passing_orgs_still_exposed": 55,
7247
6503
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7274,18 +6530,6 @@
7274
6530
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7275
6531
  }
7276
6532
  },
7277
- "new_control_requirements": [
7278
- {
7279
- "id": "NEW-CTRL-001",
7280
- "name": "CISA-KEV-RESPONSE-SLA",
7281
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7282
- "evidence": "CVE-2021-30952",
7283
- "gap_closes": [
7284
- "NIST-800-53-SI-2",
7285
- "ISO-27001-2022-A.8.8"
7286
- ]
7287
- }
7288
- ],
7289
6533
  "compliance_exposure_score": {
7290
6534
  "percent_audit_passing_orgs_still_exposed": 55,
7291
6535
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7318,18 +6562,6 @@
7318
6562
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7319
6563
  }
7320
6564
  },
7321
- "new_control_requirements": [
7322
- {
7323
- "id": "NEW-CTRL-001",
7324
- "name": "CISA-KEV-RESPONSE-SLA",
7325
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7326
- "evidence": "CVE-2023-41974",
7327
- "gap_closes": [
7328
- "NIST-800-53-SI-2",
7329
- "ISO-27001-2022-A.8.8"
7330
- ]
7331
- }
7332
- ],
7333
6565
  "compliance_exposure_score": {
7334
6566
  "percent_audit_passing_orgs_still_exposed": 55,
7335
6567
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7362,18 +6594,6 @@
7362
6594
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7363
6595
  }
7364
6596
  },
7365
- "new_control_requirements": [
7366
- {
7367
- "id": "NEW-CTRL-001",
7368
- "name": "CISA-KEV-RESPONSE-SLA",
7369
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7370
- "evidence": "CVE-2026-22719",
7371
- "gap_closes": [
7372
- "NIST-800-53-SI-2",
7373
- "ISO-27001-2022-A.8.8"
7374
- ]
7375
- }
7376
- ],
7377
6597
  "compliance_exposure_score": {
7378
6598
  "percent_audit_passing_orgs_still_exposed": 55,
7379
6599
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7406,18 +6626,6 @@
7406
6626
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7407
6627
  }
7408
6628
  },
7409
- "new_control_requirements": [
7410
- {
7411
- "id": "NEW-CTRL-001",
7412
- "name": "CISA-KEV-RESPONSE-SLA",
7413
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7414
- "evidence": "CVE-2026-21385",
7415
- "gap_closes": [
7416
- "NIST-800-53-SI-2",
7417
- "ISO-27001-2022-A.8.8"
7418
- ]
7419
- }
7420
- ],
7421
6629
  "compliance_exposure_score": {
7422
6630
  "percent_audit_passing_orgs_still_exposed": 55,
7423
6631
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7450,18 +6658,6 @@
7450
6658
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7451
6659
  }
7452
6660
  },
7453
- "new_control_requirements": [
7454
- {
7455
- "id": "NEW-CTRL-001",
7456
- "name": "CISA-KEV-RESPONSE-SLA",
7457
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7458
- "evidence": "CVE-2022-20775",
7459
- "gap_closes": [
7460
- "NIST-800-53-SI-2",
7461
- "ISO-27001-2022-A.8.8"
7462
- ]
7463
- }
7464
- ],
7465
6661
  "compliance_exposure_score": {
7466
6662
  "percent_audit_passing_orgs_still_exposed": 55,
7467
6663
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7494,18 +6690,6 @@
7494
6690
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7495
6691
  }
7496
6692
  },
7497
- "new_control_requirements": [
7498
- {
7499
- "id": "NEW-CTRL-001",
7500
- "name": "CISA-KEV-RESPONSE-SLA",
7501
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7502
- "evidence": "CVE-2026-20127",
7503
- "gap_closes": [
7504
- "NIST-800-53-SI-2",
7505
- "ISO-27001-2022-A.8.8"
7506
- ]
7507
- }
7508
- ],
7509
6693
  "compliance_exposure_score": {
7510
6694
  "percent_audit_passing_orgs_still_exposed": 55,
7511
6695
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7538,18 +6722,6 @@
7538
6722
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7539
6723
  }
7540
6724
  },
7541
- "new_control_requirements": [
7542
- {
7543
- "id": "NEW-CTRL-001",
7544
- "name": "CISA-KEV-RESPONSE-SLA",
7545
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7546
- "evidence": "CVE-2026-25108",
7547
- "gap_closes": [
7548
- "NIST-800-53-SI-2",
7549
- "ISO-27001-2022-A.8.8"
7550
- ]
7551
- }
7552
- ],
7553
6725
  "compliance_exposure_score": {
7554
6726
  "percent_audit_passing_orgs_still_exposed": 55,
7555
6727
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7582,18 +6754,6 @@
7582
6754
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7583
6755
  }
7584
6756
  },
7585
- "new_control_requirements": [
7586
- {
7587
- "id": "NEW-CTRL-001",
7588
- "name": "CISA-KEV-RESPONSE-SLA",
7589
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7590
- "evidence": "CVE-2025-49113",
7591
- "gap_closes": [
7592
- "NIST-800-53-SI-2",
7593
- "ISO-27001-2022-A.8.8"
7594
- ]
7595
- }
7596
- ],
7597
6757
  "compliance_exposure_score": {
7598
6758
  "percent_audit_passing_orgs_still_exposed": 55,
7599
6759
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7626,18 +6786,6 @@
7626
6786
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7627
6787
  }
7628
6788
  },
7629
- "new_control_requirements": [
7630
- {
7631
- "id": "NEW-CTRL-001",
7632
- "name": "CISA-KEV-RESPONSE-SLA",
7633
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7634
- "evidence": "CVE-2025-68461",
7635
- "gap_closes": [
7636
- "NIST-800-53-SI-2",
7637
- "ISO-27001-2022-A.8.8"
7638
- ]
7639
- }
7640
- ],
7641
6789
  "compliance_exposure_score": {
7642
6790
  "percent_audit_passing_orgs_still_exposed": 55,
7643
6791
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7670,18 +6818,6 @@
7670
6818
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7671
6819
  }
7672
6820
  },
7673
- "new_control_requirements": [
7674
- {
7675
- "id": "NEW-CTRL-001",
7676
- "name": "CISA-KEV-RESPONSE-SLA",
7677
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7678
- "evidence": "CVE-2021-22175",
7679
- "gap_closes": [
7680
- "NIST-800-53-SI-2",
7681
- "ISO-27001-2022-A.8.8"
7682
- ]
7683
- }
7684
- ],
7685
6821
  "compliance_exposure_score": {
7686
6822
  "percent_audit_passing_orgs_still_exposed": 55,
7687
6823
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7714,18 +6850,6 @@
7714
6850
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7715
6851
  }
7716
6852
  },
7717
- "new_control_requirements": [
7718
- {
7719
- "id": "NEW-CTRL-001",
7720
- "name": "CISA-KEV-RESPONSE-SLA",
7721
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7722
- "evidence": "CVE-2026-22769",
7723
- "gap_closes": [
7724
- "NIST-800-53-SI-2",
7725
- "ISO-27001-2022-A.8.8"
7726
- ]
7727
- }
7728
- ],
7729
6853
  "compliance_exposure_score": {
7730
6854
  "percent_audit_passing_orgs_still_exposed": 55,
7731
6855
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7758,18 +6882,6 @@
7758
6882
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7759
6883
  }
7760
6884
  },
7761
- "new_control_requirements": [
7762
- {
7763
- "id": "NEW-CTRL-001",
7764
- "name": "CISA-KEV-RESPONSE-SLA",
7765
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7766
- "evidence": "CVE-2020-7796",
7767
- "gap_closes": [
7768
- "NIST-800-53-SI-2",
7769
- "ISO-27001-2022-A.8.8"
7770
- ]
7771
- }
7772
- ],
7773
6885
  "compliance_exposure_score": {
7774
6886
  "percent_audit_passing_orgs_still_exposed": 55,
7775
6887
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7802,18 +6914,6 @@
7802
6914
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7803
6915
  }
7804
6916
  },
7805
- "new_control_requirements": [
7806
- {
7807
- "id": "NEW-CTRL-001",
7808
- "name": "CISA-KEV-RESPONSE-SLA",
7809
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7810
- "evidence": "CVE-2024-7694",
7811
- "gap_closes": [
7812
- "NIST-800-53-SI-2",
7813
- "ISO-27001-2022-A.8.8"
7814
- ]
7815
- }
7816
- ],
7817
6917
  "compliance_exposure_score": {
7818
6918
  "percent_audit_passing_orgs_still_exposed": 55,
7819
6919
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7846,18 +6946,6 @@
7846
6946
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7847
6947
  }
7848
6948
  },
7849
- "new_control_requirements": [
7850
- {
7851
- "id": "NEW-CTRL-001",
7852
- "name": "CISA-KEV-RESPONSE-SLA",
7853
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7854
- "evidence": "CVE-2008-0015",
7855
- "gap_closes": [
7856
- "NIST-800-53-SI-2",
7857
- "ISO-27001-2022-A.8.8"
7858
- ]
7859
- }
7860
- ],
7861
6949
  "compliance_exposure_score": {
7862
6950
  "percent_audit_passing_orgs_still_exposed": 55,
7863
6951
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7890,18 +6978,6 @@
7890
6978
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7891
6979
  }
7892
6980
  },
7893
- "new_control_requirements": [
7894
- {
7895
- "id": "NEW-CTRL-001",
7896
- "name": "CISA-KEV-RESPONSE-SLA",
7897
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7898
- "evidence": "CVE-2026-2441",
7899
- "gap_closes": [
7900
- "NIST-800-53-SI-2",
7901
- "ISO-27001-2022-A.8.8"
7902
- ]
7903
- }
7904
- ],
7905
6981
  "compliance_exposure_score": {
7906
6982
  "percent_audit_passing_orgs_still_exposed": 55,
7907
6983
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -7934,18 +7010,6 @@
7934
7010
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7935
7011
  }
7936
7012
  },
7937
- "new_control_requirements": [
7938
- {
7939
- "id": "NEW-CTRL-001",
7940
- "name": "CISA-KEV-RESPONSE-SLA",
7941
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7942
- "evidence": "CVE-2026-1731",
7943
- "gap_closes": [
7944
- "NIST-800-53-SI-2",
7945
- "ISO-27001-2022-A.8.8"
7946
- ]
7947
- }
7948
- ],
7949
7013
  "compliance_exposure_score": {
7950
7014
  "percent_audit_passing_orgs_still_exposed": 75,
7951
7015
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -7978,18 +7042,6 @@
7978
7042
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
7979
7043
  }
7980
7044
  },
7981
- "new_control_requirements": [
7982
- {
7983
- "id": "NEW-CTRL-001",
7984
- "name": "CISA-KEV-RESPONSE-SLA",
7985
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
7986
- "evidence": "CVE-2026-20700",
7987
- "gap_closes": [
7988
- "NIST-800-53-SI-2",
7989
- "ISO-27001-2022-A.8.8"
7990
- ]
7991
- }
7992
- ],
7993
7045
  "compliance_exposure_score": {
7994
7046
  "percent_audit_passing_orgs_still_exposed": 55,
7995
7047
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8022,18 +7074,6 @@
8022
7074
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8023
7075
  }
8024
7076
  },
8025
- "new_control_requirements": [
8026
- {
8027
- "id": "NEW-CTRL-001",
8028
- "name": "CISA-KEV-RESPONSE-SLA",
8029
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8030
- "evidence": "CVE-2024-43468",
8031
- "gap_closes": [
8032
- "NIST-800-53-SI-2",
8033
- "ISO-27001-2022-A.8.8"
8034
- ]
8035
- }
8036
- ],
8037
7077
  "compliance_exposure_score": {
8038
7078
  "percent_audit_passing_orgs_still_exposed": 55,
8039
7079
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8066,18 +7106,6 @@
8066
7106
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8067
7107
  }
8068
7108
  },
8069
- "new_control_requirements": [
8070
- {
8071
- "id": "NEW-CTRL-001",
8072
- "name": "CISA-KEV-RESPONSE-SLA",
8073
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8074
- "evidence": "CVE-2025-15556",
8075
- "gap_closes": [
8076
- "NIST-800-53-SI-2",
8077
- "ISO-27001-2022-A.8.8"
8078
- ]
8079
- }
8080
- ],
8081
7109
  "compliance_exposure_score": {
8082
7110
  "percent_audit_passing_orgs_still_exposed": 55,
8083
7111
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8110,18 +7138,6 @@
8110
7138
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8111
7139
  }
8112
7140
  },
8113
- "new_control_requirements": [
8114
- {
8115
- "id": "NEW-CTRL-001",
8116
- "name": "CISA-KEV-RESPONSE-SLA",
8117
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8118
- "evidence": "CVE-2025-40536",
8119
- "gap_closes": [
8120
- "NIST-800-53-SI-2",
8121
- "ISO-27001-2022-A.8.8"
8122
- ]
8123
- }
8124
- ],
8125
7141
  "compliance_exposure_score": {
8126
7142
  "percent_audit_passing_orgs_still_exposed": 55,
8127
7143
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8154,18 +7170,6 @@
8154
7170
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8155
7171
  }
8156
7172
  },
8157
- "new_control_requirements": [
8158
- {
8159
- "id": "NEW-CTRL-001",
8160
- "name": "CISA-KEV-RESPONSE-SLA",
8161
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8162
- "evidence": "CVE-2026-21513",
8163
- "gap_closes": [
8164
- "NIST-800-53-SI-2",
8165
- "ISO-27001-2022-A.8.8"
8166
- ]
8167
- }
8168
- ],
8169
7173
  "compliance_exposure_score": {
8170
7174
  "percent_audit_passing_orgs_still_exposed": 55,
8171
7175
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8198,18 +7202,6 @@
8198
7202
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8199
7203
  }
8200
7204
  },
8201
- "new_control_requirements": [
8202
- {
8203
- "id": "NEW-CTRL-001",
8204
- "name": "CISA-KEV-RESPONSE-SLA",
8205
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8206
- "evidence": "CVE-2026-21525",
8207
- "gap_closes": [
8208
- "NIST-800-53-SI-2",
8209
- "ISO-27001-2022-A.8.8"
8210
- ]
8211
- }
8212
- ],
8213
7205
  "compliance_exposure_score": {
8214
7206
  "percent_audit_passing_orgs_still_exposed": 55,
8215
7207
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8242,18 +7234,6 @@
8242
7234
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8243
7235
  }
8244
7236
  },
8245
- "new_control_requirements": [
8246
- {
8247
- "id": "NEW-CTRL-001",
8248
- "name": "CISA-KEV-RESPONSE-SLA",
8249
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8250
- "evidence": "CVE-2026-21510",
8251
- "gap_closes": [
8252
- "NIST-800-53-SI-2",
8253
- "ISO-27001-2022-A.8.8"
8254
- ]
8255
- }
8256
- ],
8257
7237
  "compliance_exposure_score": {
8258
7238
  "percent_audit_passing_orgs_still_exposed": 55,
8259
7239
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8286,18 +7266,6 @@
8286
7266
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8287
7267
  }
8288
7268
  },
8289
- "new_control_requirements": [
8290
- {
8291
- "id": "NEW-CTRL-001",
8292
- "name": "CISA-KEV-RESPONSE-SLA",
8293
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8294
- "evidence": "CVE-2026-21533",
8295
- "gap_closes": [
8296
- "NIST-800-53-SI-2",
8297
- "ISO-27001-2022-A.8.8"
8298
- ]
8299
- }
8300
- ],
8301
7269
  "compliance_exposure_score": {
8302
7270
  "percent_audit_passing_orgs_still_exposed": 55,
8303
7271
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8330,18 +7298,6 @@
8330
7298
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8331
7299
  }
8332
7300
  },
8333
- "new_control_requirements": [
8334
- {
8335
- "id": "NEW-CTRL-001",
8336
- "name": "CISA-KEV-RESPONSE-SLA",
8337
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8338
- "evidence": "CVE-2026-21519",
8339
- "gap_closes": [
8340
- "NIST-800-53-SI-2",
8341
- "ISO-27001-2022-A.8.8"
8342
- ]
8343
- }
8344
- ],
8345
7301
  "compliance_exposure_score": {
8346
7302
  "percent_audit_passing_orgs_still_exposed": 55,
8347
7303
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8374,18 +7330,6 @@
8374
7330
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8375
7331
  }
8376
7332
  },
8377
- "new_control_requirements": [
8378
- {
8379
- "id": "NEW-CTRL-001",
8380
- "name": "CISA-KEV-RESPONSE-SLA",
8381
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8382
- "evidence": "CVE-2026-21514",
8383
- "gap_closes": [
8384
- "NIST-800-53-SI-2",
8385
- "ISO-27001-2022-A.8.8"
8386
- ]
8387
- }
8388
- ],
8389
7333
  "compliance_exposure_score": {
8390
7334
  "percent_audit_passing_orgs_still_exposed": 55,
8391
7335
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8418,18 +7362,6 @@
8418
7362
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8419
7363
  }
8420
7364
  },
8421
- "new_control_requirements": [
8422
- {
8423
- "id": "NEW-CTRL-001",
8424
- "name": "CISA-KEV-RESPONSE-SLA",
8425
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8426
- "evidence": "CVE-2025-11953",
8427
- "gap_closes": [
8428
- "NIST-800-53-SI-2",
8429
- "ISO-27001-2022-A.8.8"
8430
- ]
8431
- }
8432
- ],
8433
7365
  "compliance_exposure_score": {
8434
7366
  "percent_audit_passing_orgs_still_exposed": 55,
8435
7367
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8462,18 +7394,6 @@
8462
7394
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8463
7395
  }
8464
7396
  },
8465
- "new_control_requirements": [
8466
- {
8467
- "id": "NEW-CTRL-001",
8468
- "name": "CISA-KEV-RESPONSE-SLA",
8469
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8470
- "evidence": "CVE-2026-24423",
8471
- "gap_closes": [
8472
- "NIST-800-53-SI-2",
8473
- "ISO-27001-2022-A.8.8"
8474
- ]
8475
- }
8476
- ],
8477
7397
  "compliance_exposure_score": {
8478
7398
  "percent_audit_passing_orgs_still_exposed": 75,
8479
7399
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -8506,18 +7426,6 @@
8506
7426
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8507
7427
  }
8508
7428
  },
8509
- "new_control_requirements": [
8510
- {
8511
- "id": "NEW-CTRL-001",
8512
- "name": "CISA-KEV-RESPONSE-SLA",
8513
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8514
- "evidence": "CVE-2021-39935",
8515
- "gap_closes": [
8516
- "NIST-800-53-SI-2",
8517
- "ISO-27001-2022-A.8.8"
8518
- ]
8519
- }
8520
- ],
8521
7429
  "compliance_exposure_score": {
8522
7430
  "percent_audit_passing_orgs_still_exposed": 55,
8523
7431
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8550,18 +7458,6 @@
8550
7458
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8551
7459
  }
8552
7460
  },
8553
- "new_control_requirements": [
8554
- {
8555
- "id": "NEW-CTRL-001",
8556
- "name": "CISA-KEV-RESPONSE-SLA",
8557
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8558
- "evidence": "CVE-2025-64328",
8559
- "gap_closes": [
8560
- "NIST-800-53-SI-2",
8561
- "ISO-27001-2022-A.8.8"
8562
- ]
8563
- }
8564
- ],
8565
7461
  "compliance_exposure_score": {
8566
7462
  "percent_audit_passing_orgs_still_exposed": 55,
8567
7463
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8594,18 +7490,6 @@
8594
7490
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8595
7491
  }
8596
7492
  },
8597
- "new_control_requirements": [
8598
- {
8599
- "id": "NEW-CTRL-001",
8600
- "name": "CISA-KEV-RESPONSE-SLA",
8601
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8602
- "evidence": "CVE-2019-19006",
8603
- "gap_closes": [
8604
- "NIST-800-53-SI-2",
8605
- "ISO-27001-2022-A.8.8"
8606
- ]
8607
- }
8608
- ],
8609
7493
  "compliance_exposure_score": {
8610
7494
  "percent_audit_passing_orgs_still_exposed": 55,
8611
7495
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8638,18 +7522,6 @@
8638
7522
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8639
7523
  }
8640
7524
  },
8641
- "new_control_requirements": [
8642
- {
8643
- "id": "NEW-CTRL-001",
8644
- "name": "CISA-KEV-RESPONSE-SLA",
8645
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8646
- "evidence": "CVE-2025-40551",
8647
- "gap_closes": [
8648
- "NIST-800-53-SI-2",
8649
- "ISO-27001-2022-A.8.8"
8650
- ]
8651
- }
8652
- ],
8653
7525
  "compliance_exposure_score": {
8654
7526
  "percent_audit_passing_orgs_still_exposed": 55,
8655
7527
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8682,18 +7554,6 @@
8682
7554
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8683
7555
  }
8684
7556
  },
8685
- "new_control_requirements": [
8686
- {
8687
- "id": "NEW-CTRL-001",
8688
- "name": "CISA-KEV-RESPONSE-SLA",
8689
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8690
- "evidence": "CVE-2026-1281",
8691
- "gap_closes": [
8692
- "NIST-800-53-SI-2",
8693
- "ISO-27001-2022-A.8.8"
8694
- ]
8695
- }
8696
- ],
8697
7557
  "compliance_exposure_score": {
8698
7558
  "percent_audit_passing_orgs_still_exposed": 55,
8699
7559
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8726,18 +7586,6 @@
8726
7586
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8727
7587
  }
8728
7588
  },
8729
- "new_control_requirements": [
8730
- {
8731
- "id": "NEW-CTRL-001",
8732
- "name": "CISA-KEV-RESPONSE-SLA",
8733
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8734
- "evidence": "CVE-2026-24858",
8735
- "gap_closes": [
8736
- "NIST-800-53-SI-2",
8737
- "ISO-27001-2022-A.8.8"
8738
- ]
8739
- }
8740
- ],
8741
7589
  "compliance_exposure_score": {
8742
7590
  "percent_audit_passing_orgs_still_exposed": 55,
8743
7591
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8770,18 +7618,6 @@
8770
7618
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8771
7619
  }
8772
7620
  },
8773
- "new_control_requirements": [
8774
- {
8775
- "id": "NEW-CTRL-001",
8776
- "name": "CISA-KEV-RESPONSE-SLA",
8777
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8778
- "evidence": "CVE-2018-14634",
8779
- "gap_closes": [
8780
- "NIST-800-53-SI-2",
8781
- "ISO-27001-2022-A.8.8"
8782
- ]
8783
- }
8784
- ],
8785
7621
  "compliance_exposure_score": {
8786
7622
  "percent_audit_passing_orgs_still_exposed": 55,
8787
7623
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8814,18 +7650,6 @@
8814
7650
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8815
7651
  }
8816
7652
  },
8817
- "new_control_requirements": [
8818
- {
8819
- "id": "NEW-CTRL-001",
8820
- "name": "CISA-KEV-RESPONSE-SLA",
8821
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8822
- "evidence": "CVE-2025-52691",
8823
- "gap_closes": [
8824
- "NIST-800-53-SI-2",
8825
- "ISO-27001-2022-A.8.8"
8826
- ]
8827
- }
8828
- ],
8829
7653
  "compliance_exposure_score": {
8830
7654
  "percent_audit_passing_orgs_still_exposed": 75,
8831
7655
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -8858,18 +7682,6 @@
8858
7682
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8859
7683
  }
8860
7684
  },
8861
- "new_control_requirements": [
8862
- {
8863
- "id": "NEW-CTRL-001",
8864
- "name": "CISA-KEV-RESPONSE-SLA",
8865
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8866
- "evidence": "CVE-2026-23760",
8867
- "gap_closes": [
8868
- "NIST-800-53-SI-2",
8869
- "ISO-27001-2022-A.8.8"
8870
- ]
8871
- }
8872
- ],
8873
7685
  "compliance_exposure_score": {
8874
7686
  "percent_audit_passing_orgs_still_exposed": 75,
8875
7687
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -8902,18 +7714,6 @@
8902
7714
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8903
7715
  }
8904
7716
  },
8905
- "new_control_requirements": [
8906
- {
8907
- "id": "NEW-CTRL-001",
8908
- "name": "CISA-KEV-RESPONSE-SLA",
8909
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8910
- "evidence": "CVE-2026-24061",
8911
- "gap_closes": [
8912
- "NIST-800-53-SI-2",
8913
- "ISO-27001-2022-A.8.8"
8914
- ]
8915
- }
8916
- ],
8917
7717
  "compliance_exposure_score": {
8918
7718
  "percent_audit_passing_orgs_still_exposed": 55,
8919
7719
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8946,18 +7746,6 @@
8946
7746
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8947
7747
  }
8948
7748
  },
8949
- "new_control_requirements": [
8950
- {
8951
- "id": "NEW-CTRL-001",
8952
- "name": "CISA-KEV-RESPONSE-SLA",
8953
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8954
- "evidence": "CVE-2026-21509",
8955
- "gap_closes": [
8956
- "NIST-800-53-SI-2",
8957
- "ISO-27001-2022-A.8.8"
8958
- ]
8959
- }
8960
- ],
8961
7749
  "compliance_exposure_score": {
8962
7750
  "percent_audit_passing_orgs_still_exposed": 55,
8963
7751
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -8990,18 +7778,6 @@
8990
7778
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
8991
7779
  }
8992
7780
  },
8993
- "new_control_requirements": [
8994
- {
8995
- "id": "NEW-CTRL-001",
8996
- "name": "CISA-KEV-RESPONSE-SLA",
8997
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
8998
- "evidence": "CVE-2024-37079",
8999
- "gap_closes": [
9000
- "NIST-800-53-SI-2",
9001
- "ISO-27001-2022-A.8.8"
9002
- ]
9003
- }
9004
- ],
9005
7781
  "compliance_exposure_score": {
9006
7782
  "percent_audit_passing_orgs_still_exposed": 55,
9007
7783
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9034,18 +7810,6 @@
9034
7810
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9035
7811
  }
9036
7812
  },
9037
- "new_control_requirements": [
9038
- {
9039
- "id": "NEW-CTRL-001",
9040
- "name": "CISA-KEV-RESPONSE-SLA",
9041
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9042
- "evidence": "CVE-2025-68645",
9043
- "gap_closes": [
9044
- "NIST-800-53-SI-2",
9045
- "ISO-27001-2022-A.8.8"
9046
- ]
9047
- }
9048
- ],
9049
7813
  "compliance_exposure_score": {
9050
7814
  "percent_audit_passing_orgs_still_exposed": 55,
9051
7815
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9078,18 +7842,6 @@
9078
7842
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9079
7843
  }
9080
7844
  },
9081
- "new_control_requirements": [
9082
- {
9083
- "id": "NEW-CTRL-001",
9084
- "name": "CISA-KEV-RESPONSE-SLA",
9085
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9086
- "evidence": "CVE-2025-34026",
9087
- "gap_closes": [
9088
- "NIST-800-53-SI-2",
9089
- "ISO-27001-2022-A.8.8"
9090
- ]
9091
- }
9092
- ],
9093
7845
  "compliance_exposure_score": {
9094
7846
  "percent_audit_passing_orgs_still_exposed": 55,
9095
7847
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9122,18 +7874,6 @@
9122
7874
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9123
7875
  }
9124
7876
  },
9125
- "new_control_requirements": [
9126
- {
9127
- "id": "NEW-CTRL-001",
9128
- "name": "CISA-KEV-RESPONSE-SLA",
9129
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9130
- "evidence": "CVE-2025-31125",
9131
- "gap_closes": [
9132
- "NIST-800-53-SI-2",
9133
- "ISO-27001-2022-A.8.8"
9134
- ]
9135
- }
9136
- ],
9137
7877
  "compliance_exposure_score": {
9138
7878
  "percent_audit_passing_orgs_still_exposed": 55,
9139
7879
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9166,18 +7906,6 @@
9166
7906
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9167
7907
  }
9168
7908
  },
9169
- "new_control_requirements": [
9170
- {
9171
- "id": "NEW-CTRL-001",
9172
- "name": "CISA-KEV-RESPONSE-SLA",
9173
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9174
- "evidence": "CVE-2025-54313",
9175
- "gap_closes": [
9176
- "NIST-800-53-SI-2",
9177
- "ISO-27001-2022-A.8.8"
9178
- ]
9179
- }
9180
- ],
9181
7909
  "compliance_exposure_score": {
9182
7910
  "percent_audit_passing_orgs_still_exposed": 55,
9183
7911
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9210,18 +7938,6 @@
9210
7938
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9211
7939
  }
9212
7940
  },
9213
- "new_control_requirements": [
9214
- {
9215
- "id": "NEW-CTRL-001",
9216
- "name": "CISA-KEV-RESPONSE-SLA",
9217
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9218
- "evidence": "CVE-2026-20045",
9219
- "gap_closes": [
9220
- "NIST-800-53-SI-2",
9221
- "ISO-27001-2022-A.8.8"
9222
- ]
9223
- }
9224
- ],
9225
7941
  "compliance_exposure_score": {
9226
7942
  "percent_audit_passing_orgs_still_exposed": 55,
9227
7943
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9254,18 +7970,6 @@
9254
7970
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9255
7971
  }
9256
7972
  },
9257
- "new_control_requirements": [
9258
- {
9259
- "id": "NEW-CTRL-001",
9260
- "name": "CISA-KEV-RESPONSE-SLA",
9261
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9262
- "evidence": "CVE-2026-20805",
9263
- "gap_closes": [
9264
- "NIST-800-53-SI-2",
9265
- "ISO-27001-2022-A.8.8"
9266
- ]
9267
- }
9268
- ],
9269
7973
  "compliance_exposure_score": {
9270
7974
  "percent_audit_passing_orgs_still_exposed": 55,
9271
7975
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9298,18 +8002,6 @@
9298
8002
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9299
8003
  }
9300
8004
  },
9301
- "new_control_requirements": [
9302
- {
9303
- "id": "NEW-CTRL-001",
9304
- "name": "CISA-KEV-RESPONSE-SLA",
9305
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9306
- "evidence": "CVE-2025-8110",
9307
- "gap_closes": [
9308
- "NIST-800-53-SI-2",
9309
- "ISO-27001-2022-A.8.8"
9310
- ]
9311
- }
9312
- ],
9313
8005
  "compliance_exposure_score": {
9314
8006
  "percent_audit_passing_orgs_still_exposed": 55,
9315
8007
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9342,18 +8034,6 @@
9342
8034
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9343
8035
  }
9344
8036
  },
9345
- "new_control_requirements": [
9346
- {
9347
- "id": "NEW-CTRL-001",
9348
- "name": "CISA-KEV-RESPONSE-SLA",
9349
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9350
- "evidence": "CVE-2009-0556",
9351
- "gap_closes": [
9352
- "NIST-800-53-SI-2",
9353
- "ISO-27001-2022-A.8.8"
9354
- ]
9355
- }
9356
- ],
9357
8037
  "compliance_exposure_score": {
9358
8038
  "percent_audit_passing_orgs_still_exposed": 55,
9359
8039
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9386,18 +8066,6 @@
9386
8066
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9387
8067
  }
9388
8068
  },
9389
- "new_control_requirements": [
9390
- {
9391
- "id": "NEW-CTRL-001",
9392
- "name": "CISA-KEV-RESPONSE-SLA",
9393
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9394
- "evidence": "CVE-2025-37164",
9395
- "gap_closes": [
9396
- "NIST-800-53-SI-2",
9397
- "ISO-27001-2022-A.8.8"
9398
- ]
9399
- }
9400
- ],
9401
8069
  "compliance_exposure_score": {
9402
8070
  "percent_audit_passing_orgs_still_exposed": 55,
9403
8071
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9430,18 +8098,6 @@
9430
8098
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9431
8099
  }
9432
8100
  },
9433
- "new_control_requirements": [
9434
- {
9435
- "id": "NEW-CTRL-001",
9436
- "name": "CISA-KEV-RESPONSE-SLA",
9437
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9438
- "evidence": "CVE-2023-52163",
9439
- "gap_closes": [
9440
- "NIST-800-53-SI-2",
9441
- "ISO-27001-2022-A.8.8"
9442
- ]
9443
- }
9444
- ],
9445
8101
  "compliance_exposure_score": {
9446
8102
  "percent_audit_passing_orgs_still_exposed": 55,
9447
8103
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9474,18 +8130,6 @@
9474
8130
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9475
8131
  }
9476
8132
  },
9477
- "new_control_requirements": [
9478
- {
9479
- "id": "NEW-CTRL-001",
9480
- "name": "CISA-KEV-RESPONSE-SLA",
9481
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9482
- "evidence": "CVE-2025-14733",
9483
- "gap_closes": [
9484
- "NIST-800-53-SI-2",
9485
- "ISO-27001-2022-A.8.8"
9486
- ]
9487
- }
9488
- ],
9489
8133
  "compliance_exposure_score": {
9490
8134
  "percent_audit_passing_orgs_still_exposed": 55,
9491
8135
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9518,18 +8162,6 @@
9518
8162
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9519
8163
  }
9520
8164
  },
9521
- "new_control_requirements": [
9522
- {
9523
- "id": "NEW-CTRL-001",
9524
- "name": "CISA-KEV-RESPONSE-SLA",
9525
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9526
- "evidence": "CVE-2025-59374",
9527
- "gap_closes": [
9528
- "NIST-800-53-SI-2",
9529
- "ISO-27001-2022-A.8.8"
9530
- ]
9531
- }
9532
- ],
9533
8165
  "compliance_exposure_score": {
9534
8166
  "percent_audit_passing_orgs_still_exposed": 55,
9535
8167
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9562,18 +8194,6 @@
9562
8194
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9563
8195
  }
9564
8196
  },
9565
- "new_control_requirements": [
9566
- {
9567
- "id": "NEW-CTRL-001",
9568
- "name": "CISA-KEV-RESPONSE-SLA",
9569
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9570
- "evidence": "CVE-2025-40602",
9571
- "gap_closes": [
9572
- "NIST-800-53-SI-2",
9573
- "ISO-27001-2022-A.8.8"
9574
- ]
9575
- }
9576
- ],
9577
8197
  "compliance_exposure_score": {
9578
8198
  "percent_audit_passing_orgs_still_exposed": 55,
9579
8199
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9606,18 +8226,6 @@
9606
8226
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9607
8227
  }
9608
8228
  },
9609
- "new_control_requirements": [
9610
- {
9611
- "id": "NEW-CTRL-001",
9612
- "name": "CISA-KEV-RESPONSE-SLA",
9613
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9614
- "evidence": "CVE-2025-20393",
9615
- "gap_closes": [
9616
- "NIST-800-53-SI-2",
9617
- "ISO-27001-2022-A.8.8"
9618
- ]
9619
- }
9620
- ],
9621
8229
  "compliance_exposure_score": {
9622
8230
  "percent_audit_passing_orgs_still_exposed": 55,
9623
8231
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9650,18 +8258,6 @@
9650
8258
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9651
8259
  }
9652
8260
  },
9653
- "new_control_requirements": [
9654
- {
9655
- "id": "NEW-CTRL-001",
9656
- "name": "CISA-KEV-RESPONSE-SLA",
9657
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9658
- "evidence": "CVE-2025-59718",
9659
- "gap_closes": [
9660
- "NIST-800-53-SI-2",
9661
- "ISO-27001-2022-A.8.8"
9662
- ]
9663
- }
9664
- ],
9665
8261
  "compliance_exposure_score": {
9666
8262
  "percent_audit_passing_orgs_still_exposed": 55,
9667
8263
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9694,18 +8290,6 @@
9694
8290
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9695
8291
  }
9696
8292
  },
9697
- "new_control_requirements": [
9698
- {
9699
- "id": "NEW-CTRL-001",
9700
- "name": "CISA-KEV-RESPONSE-SLA",
9701
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9702
- "evidence": "CVE-2025-14611",
9703
- "gap_closes": [
9704
- "NIST-800-53-SI-2",
9705
- "ISO-27001-2022-A.8.8"
9706
- ]
9707
- }
9708
- ],
9709
8293
  "compliance_exposure_score": {
9710
8294
  "percent_audit_passing_orgs_still_exposed": 55,
9711
8295
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9738,18 +8322,6 @@
9738
8322
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9739
8323
  }
9740
8324
  },
9741
- "new_control_requirements": [
9742
- {
9743
- "id": "NEW-CTRL-001",
9744
- "name": "CISA-KEV-RESPONSE-SLA",
9745
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9746
- "evidence": "CVE-2018-4063",
9747
- "gap_closes": [
9748
- "NIST-800-53-SI-2",
9749
- "ISO-27001-2022-A.8.8"
9750
- ]
9751
- }
9752
- ],
9753
8325
  "compliance_exposure_score": {
9754
8326
  "percent_audit_passing_orgs_still_exposed": 55,
9755
8327
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9782,18 +8354,6 @@
9782
8354
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9783
8355
  }
9784
8356
  },
9785
- "new_control_requirements": [
9786
- {
9787
- "id": "NEW-CTRL-001",
9788
- "name": "CISA-KEV-RESPONSE-SLA",
9789
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9790
- "evidence": "CVE-2025-58360",
9791
- "gap_closes": [
9792
- "NIST-800-53-SI-2",
9793
- "ISO-27001-2022-A.8.8"
9794
- ]
9795
- }
9796
- ],
9797
8357
  "compliance_exposure_score": {
9798
8358
  "percent_audit_passing_orgs_still_exposed": 55,
9799
8359
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9826,18 +8386,6 @@
9826
8386
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9827
8387
  }
9828
8388
  },
9829
- "new_control_requirements": [
9830
- {
9831
- "id": "NEW-CTRL-001",
9832
- "name": "CISA-KEV-RESPONSE-SLA",
9833
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9834
- "evidence": "CVE-2025-6218",
9835
- "gap_closes": [
9836
- "NIST-800-53-SI-2",
9837
- "ISO-27001-2022-A.8.8"
9838
- ]
9839
- }
9840
- ],
9841
8389
  "compliance_exposure_score": {
9842
8390
  "percent_audit_passing_orgs_still_exposed": 55,
9843
8391
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9870,18 +8418,6 @@
9870
8418
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9871
8419
  }
9872
8420
  },
9873
- "new_control_requirements": [
9874
- {
9875
- "id": "NEW-CTRL-001",
9876
- "name": "CISA-KEV-RESPONSE-SLA",
9877
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9878
- "evidence": "CVE-2025-62221",
9879
- "gap_closes": [
9880
- "NIST-800-53-SI-2",
9881
- "ISO-27001-2022-A.8.8"
9882
- ]
9883
- }
9884
- ],
9885
8421
  "compliance_exposure_score": {
9886
8422
  "percent_audit_passing_orgs_still_exposed": 55,
9887
8423
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9914,18 +8450,6 @@
9914
8450
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9915
8451
  }
9916
8452
  },
9917
- "new_control_requirements": [
9918
- {
9919
- "id": "NEW-CTRL-001",
9920
- "name": "CISA-KEV-RESPONSE-SLA",
9921
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9922
- "evidence": "CVE-2022-37055",
9923
- "gap_closes": [
9924
- "NIST-800-53-SI-2",
9925
- "ISO-27001-2022-A.8.8"
9926
- ]
9927
- }
9928
- ],
9929
8453
  "compliance_exposure_score": {
9930
8454
  "percent_audit_passing_orgs_still_exposed": 55,
9931
8455
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -9958,18 +8482,6 @@
9958
8482
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
9959
8483
  }
9960
8484
  },
9961
- "new_control_requirements": [
9962
- {
9963
- "id": "NEW-CTRL-001",
9964
- "name": "CISA-KEV-RESPONSE-SLA",
9965
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
9966
- "evidence": "CVE-2025-66644",
9967
- "gap_closes": [
9968
- "NIST-800-53-SI-2",
9969
- "ISO-27001-2022-A.8.8"
9970
- ]
9971
- }
9972
- ],
9973
8485
  "compliance_exposure_score": {
9974
8486
  "percent_audit_passing_orgs_still_exposed": 55,
9975
8487
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10002,18 +8514,6 @@
10002
8514
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10003
8515
  }
10004
8516
  },
10005
- "new_control_requirements": [
10006
- {
10007
- "id": "NEW-CTRL-001",
10008
- "name": "CISA-KEV-RESPONSE-SLA",
10009
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10010
- "evidence": "CVE-2025-55182",
10011
- "gap_closes": [
10012
- "NIST-800-53-SI-2",
10013
- "ISO-27001-2022-A.8.8"
10014
- ]
10015
- }
10016
- ],
10017
8517
  "compliance_exposure_score": {
10018
8518
  "percent_audit_passing_orgs_still_exposed": 75,
10019
8519
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -10046,18 +8546,6 @@
10046
8546
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10047
8547
  }
10048
8548
  },
10049
- "new_control_requirements": [
10050
- {
10051
- "id": "NEW-CTRL-001",
10052
- "name": "CISA-KEV-RESPONSE-SLA",
10053
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10054
- "evidence": "CVE-2021-26828",
10055
- "gap_closes": [
10056
- "NIST-800-53-SI-2",
10057
- "ISO-27001-2022-A.8.8"
10058
- ]
10059
- }
10060
- ],
10061
8549
  "compliance_exposure_score": {
10062
8550
  "percent_audit_passing_orgs_still_exposed": 55,
10063
8551
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10090,18 +8578,6 @@
10090
8578
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10091
8579
  }
10092
8580
  },
10093
- "new_control_requirements": [
10094
- {
10095
- "id": "NEW-CTRL-001",
10096
- "name": "CISA-KEV-RESPONSE-SLA",
10097
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10098
- "evidence": "CVE-2025-48633",
10099
- "gap_closes": [
10100
- "NIST-800-53-SI-2",
10101
- "ISO-27001-2022-A.8.8"
10102
- ]
10103
- }
10104
- ],
10105
8581
  "compliance_exposure_score": {
10106
8582
  "percent_audit_passing_orgs_still_exposed": 55,
10107
8583
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10134,18 +8610,6 @@
10134
8610
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10135
8611
  }
10136
8612
  },
10137
- "new_control_requirements": [
10138
- {
10139
- "id": "NEW-CTRL-001",
10140
- "name": "CISA-KEV-RESPONSE-SLA",
10141
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10142
- "evidence": "CVE-2025-48572",
10143
- "gap_closes": [
10144
- "NIST-800-53-SI-2",
10145
- "ISO-27001-2022-A.8.8"
10146
- ]
10147
- }
10148
- ],
10149
8613
  "compliance_exposure_score": {
10150
8614
  "percent_audit_passing_orgs_still_exposed": 55,
10151
8615
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10178,18 +8642,6 @@
10178
8642
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10179
8643
  }
10180
8644
  },
10181
- "new_control_requirements": [
10182
- {
10183
- "id": "NEW-CTRL-001",
10184
- "name": "CISA-KEV-RESPONSE-SLA",
10185
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10186
- "evidence": "CVE-2021-26829",
10187
- "gap_closes": [
10188
- "NIST-800-53-SI-2",
10189
- "ISO-27001-2022-A.8.8"
10190
- ]
10191
- }
10192
- ],
10193
8645
  "compliance_exposure_score": {
10194
8646
  "percent_audit_passing_orgs_still_exposed": 55,
10195
8647
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10222,18 +8674,6 @@
10222
8674
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10223
8675
  }
10224
8676
  },
10225
- "new_control_requirements": [
10226
- {
10227
- "id": "NEW-CTRL-001",
10228
- "name": "CISA-KEV-RESPONSE-SLA",
10229
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10230
- "evidence": "CVE-2025-61757",
10231
- "gap_closes": [
10232
- "NIST-800-53-SI-2",
10233
- "ISO-27001-2022-A.8.8"
10234
- ]
10235
- }
10236
- ],
10237
8677
  "compliance_exposure_score": {
10238
8678
  "percent_audit_passing_orgs_still_exposed": 55,
10239
8679
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10266,18 +8706,6 @@
10266
8706
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10267
8707
  }
10268
8708
  },
10269
- "new_control_requirements": [
10270
- {
10271
- "id": "NEW-CTRL-001",
10272
- "name": "CISA-KEV-RESPONSE-SLA",
10273
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10274
- "evidence": "CVE-2025-13223",
10275
- "gap_closes": [
10276
- "NIST-800-53-SI-2",
10277
- "ISO-27001-2022-A.8.8"
10278
- ]
10279
- }
10280
- ],
10281
8709
  "compliance_exposure_score": {
10282
8710
  "percent_audit_passing_orgs_still_exposed": 55,
10283
8711
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10310,18 +8738,6 @@
10310
8738
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10311
8739
  }
10312
8740
  },
10313
- "new_control_requirements": [
10314
- {
10315
- "id": "NEW-CTRL-001",
10316
- "name": "CISA-KEV-RESPONSE-SLA",
10317
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10318
- "evidence": "CVE-2025-58034",
10319
- "gap_closes": [
10320
- "NIST-800-53-SI-2",
10321
- "ISO-27001-2022-A.8.8"
10322
- ]
10323
- }
10324
- ],
10325
8741
  "compliance_exposure_score": {
10326
8742
  "percent_audit_passing_orgs_still_exposed": 55,
10327
8743
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10354,18 +8770,6 @@
10354
8770
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10355
8771
  }
10356
8772
  },
10357
- "new_control_requirements": [
10358
- {
10359
- "id": "NEW-CTRL-001",
10360
- "name": "CISA-KEV-RESPONSE-SLA",
10361
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10362
- "evidence": "CVE-2025-64446",
10363
- "gap_closes": [
10364
- "NIST-800-53-SI-2",
10365
- "ISO-27001-2022-A.8.8"
10366
- ]
10367
- }
10368
- ],
10369
8773
  "compliance_exposure_score": {
10370
8774
  "percent_audit_passing_orgs_still_exposed": 55,
10371
8775
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10398,18 +8802,6 @@
10398
8802
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10399
8803
  }
10400
8804
  },
10401
- "new_control_requirements": [
10402
- {
10403
- "id": "NEW-CTRL-001",
10404
- "name": "CISA-KEV-RESPONSE-SLA",
10405
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10406
- "evidence": "CVE-2025-12480",
10407
- "gap_closes": [
10408
- "NIST-800-53-SI-2",
10409
- "ISO-27001-2022-A.8.8"
10410
- ]
10411
- }
10412
- ],
10413
8805
  "compliance_exposure_score": {
10414
8806
  "percent_audit_passing_orgs_still_exposed": 55,
10415
8807
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10442,18 +8834,6 @@
10442
8834
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10443
8835
  }
10444
8836
  },
10445
- "new_control_requirements": [
10446
- {
10447
- "id": "NEW-CTRL-001",
10448
- "name": "CISA-KEV-RESPONSE-SLA",
10449
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10450
- "evidence": "CVE-2025-62215",
10451
- "gap_closes": [
10452
- "NIST-800-53-SI-2",
10453
- "ISO-27001-2022-A.8.8"
10454
- ]
10455
- }
10456
- ],
10457
8837
  "compliance_exposure_score": {
10458
8838
  "percent_audit_passing_orgs_still_exposed": 55,
10459
8839
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10486,18 +8866,6 @@
10486
8866
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10487
8867
  }
10488
8868
  },
10489
- "new_control_requirements": [
10490
- {
10491
- "id": "NEW-CTRL-001",
10492
- "name": "CISA-KEV-RESPONSE-SLA",
10493
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10494
- "evidence": "CVE-2025-9242",
10495
- "gap_closes": [
10496
- "NIST-800-53-SI-2",
10497
- "ISO-27001-2022-A.8.8"
10498
- ]
10499
- }
10500
- ],
10501
8869
  "compliance_exposure_score": {
10502
8870
  "percent_audit_passing_orgs_still_exposed": 55,
10503
8871
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10530,18 +8898,6 @@
10530
8898
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10531
8899
  }
10532
8900
  },
10533
- "new_control_requirements": [
10534
- {
10535
- "id": "NEW-CTRL-001",
10536
- "name": "CISA-KEV-RESPONSE-SLA",
10537
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10538
- "evidence": "CVE-2025-21042",
10539
- "gap_closes": [
10540
- "NIST-800-53-SI-2",
10541
- "ISO-27001-2022-A.8.8"
10542
- ]
10543
- }
10544
- ],
10545
8901
  "compliance_exposure_score": {
10546
8902
  "percent_audit_passing_orgs_still_exposed": 55,
10547
8903
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10574,18 +8930,6 @@
10574
8930
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10575
8931
  }
10576
8932
  },
10577
- "new_control_requirements": [
10578
- {
10579
- "id": "NEW-CTRL-001",
10580
- "name": "CISA-KEV-RESPONSE-SLA",
10581
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10582
- "evidence": "CVE-2025-48703",
10583
- "gap_closes": [
10584
- "NIST-800-53-SI-2",
10585
- "ISO-27001-2022-A.8.8"
10586
- ]
10587
- }
10588
- ],
10589
8933
  "compliance_exposure_score": {
10590
8934
  "percent_audit_passing_orgs_still_exposed": 55,
10591
8935
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10618,18 +8962,6 @@
10618
8962
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10619
8963
  }
10620
8964
  },
10621
- "new_control_requirements": [
10622
- {
10623
- "id": "NEW-CTRL-001",
10624
- "name": "CISA-KEV-RESPONSE-SLA",
10625
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10626
- "evidence": "CVE-2025-11371",
10627
- "gap_closes": [
10628
- "NIST-800-53-SI-2",
10629
- "ISO-27001-2022-A.8.8"
10630
- ]
10631
- }
10632
- ],
10633
8965
  "compliance_exposure_score": {
10634
8966
  "percent_audit_passing_orgs_still_exposed": 55,
10635
8967
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10662,18 +8994,6 @@
10662
8994
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10663
8995
  }
10664
8996
  },
10665
- "new_control_requirements": [
10666
- {
10667
- "id": "NEW-CTRL-001",
10668
- "name": "CISA-KEV-RESPONSE-SLA",
10669
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10670
- "evidence": "CVE-2025-41244",
10671
- "gap_closes": [
10672
- "NIST-800-53-SI-2",
10673
- "ISO-27001-2022-A.8.8"
10674
- ]
10675
- }
10676
- ],
10677
8997
  "compliance_exposure_score": {
10678
8998
  "percent_audit_passing_orgs_still_exposed": 55,
10679
8999
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10706,18 +9026,6 @@
10706
9026
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10707
9027
  }
10708
9028
  },
10709
- "new_control_requirements": [
10710
- {
10711
- "id": "NEW-CTRL-001",
10712
- "name": "CISA-KEV-RESPONSE-SLA",
10713
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10714
- "evidence": "CVE-2025-24893",
10715
- "gap_closes": [
10716
- "NIST-800-53-SI-2",
10717
- "ISO-27001-2022-A.8.8"
10718
- ]
10719
- }
10720
- ],
10721
9029
  "compliance_exposure_score": {
10722
9030
  "percent_audit_passing_orgs_still_exposed": 55,
10723
9031
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10750,18 +9058,6 @@
10750
9058
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10751
9059
  }
10752
9060
  },
10753
- "new_control_requirements": [
10754
- {
10755
- "id": "NEW-CTRL-001",
10756
- "name": "CISA-KEV-RESPONSE-SLA",
10757
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10758
- "evidence": "CVE-2025-6204",
10759
- "gap_closes": [
10760
- "NIST-800-53-SI-2",
10761
- "ISO-27001-2022-A.8.8"
10762
- ]
10763
- }
10764
- ],
10765
9061
  "compliance_exposure_score": {
10766
9062
  "percent_audit_passing_orgs_still_exposed": 55,
10767
9063
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10794,18 +9090,6 @@
10794
9090
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10795
9091
  }
10796
9092
  },
10797
- "new_control_requirements": [
10798
- {
10799
- "id": "NEW-CTRL-001",
10800
- "name": "CISA-KEV-RESPONSE-SLA",
10801
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10802
- "evidence": "CVE-2025-6205",
10803
- "gap_closes": [
10804
- "NIST-800-53-SI-2",
10805
- "ISO-27001-2022-A.8.8"
10806
- ]
10807
- }
10808
- ],
10809
9093
  "compliance_exposure_score": {
10810
9094
  "percent_audit_passing_orgs_still_exposed": 55,
10811
9095
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10838,18 +9122,6 @@
10838
9122
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10839
9123
  }
10840
9124
  },
10841
- "new_control_requirements": [
10842
- {
10843
- "id": "NEW-CTRL-001",
10844
- "name": "CISA-KEV-RESPONSE-SLA",
10845
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10846
- "evidence": "CVE-2025-54236",
10847
- "gap_closes": [
10848
- "NIST-800-53-SI-2",
10849
- "ISO-27001-2022-A.8.8"
10850
- ]
10851
- }
10852
- ],
10853
9125
  "compliance_exposure_score": {
10854
9126
  "percent_audit_passing_orgs_still_exposed": 55,
10855
9127
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10882,18 +9154,6 @@
10882
9154
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10883
9155
  }
10884
9156
  },
10885
- "new_control_requirements": [
10886
- {
10887
- "id": "NEW-CTRL-001",
10888
- "name": "CISA-KEV-RESPONSE-SLA",
10889
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10890
- "evidence": "CVE-2025-59287",
10891
- "gap_closes": [
10892
- "NIST-800-53-SI-2",
10893
- "ISO-27001-2022-A.8.8"
10894
- ]
10895
- }
10896
- ],
10897
9157
  "compliance_exposure_score": {
10898
9158
  "percent_audit_passing_orgs_still_exposed": 55,
10899
9159
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10926,18 +9186,6 @@
10926
9186
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10927
9187
  }
10928
9188
  },
10929
- "new_control_requirements": [
10930
- {
10931
- "id": "NEW-CTRL-001",
10932
- "name": "CISA-KEV-RESPONSE-SLA",
10933
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10934
- "evidence": "CVE-2025-61932",
10935
- "gap_closes": [
10936
- "NIST-800-53-SI-2",
10937
- "ISO-27001-2022-A.8.8"
10938
- ]
10939
- }
10940
- ],
10941
9189
  "compliance_exposure_score": {
10942
9190
  "percent_audit_passing_orgs_still_exposed": 55,
10943
9191
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -10970,18 +9218,6 @@
10970
9218
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
10971
9219
  }
10972
9220
  },
10973
- "new_control_requirements": [
10974
- {
10975
- "id": "NEW-CTRL-001",
10976
- "name": "CISA-KEV-RESPONSE-SLA",
10977
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
10978
- "evidence": "CVE-2022-48503",
10979
- "gap_closes": [
10980
- "NIST-800-53-SI-2",
10981
- "ISO-27001-2022-A.8.8"
10982
- ]
10983
- }
10984
- ],
10985
9221
  "compliance_exposure_score": {
10986
9222
  "percent_audit_passing_orgs_still_exposed": 55,
10987
9223
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11014,18 +9250,6 @@
11014
9250
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11015
9251
  }
11016
9252
  },
11017
- "new_control_requirements": [
11018
- {
11019
- "id": "NEW-CTRL-001",
11020
- "name": "CISA-KEV-RESPONSE-SLA",
11021
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11022
- "evidence": "CVE-2025-2746",
11023
- "gap_closes": [
11024
- "NIST-800-53-SI-2",
11025
- "ISO-27001-2022-A.8.8"
11026
- ]
11027
- }
11028
- ],
11029
9253
  "compliance_exposure_score": {
11030
9254
  "percent_audit_passing_orgs_still_exposed": 55,
11031
9255
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11058,18 +9282,6 @@
11058
9282
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11059
9283
  }
11060
9284
  },
11061
- "new_control_requirements": [
11062
- {
11063
- "id": "NEW-CTRL-001",
11064
- "name": "CISA-KEV-RESPONSE-SLA",
11065
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11066
- "evidence": "CVE-2025-2747",
11067
- "gap_closes": [
11068
- "NIST-800-53-SI-2",
11069
- "ISO-27001-2022-A.8.8"
11070
- ]
11071
- }
11072
- ],
11073
9285
  "compliance_exposure_score": {
11074
9286
  "percent_audit_passing_orgs_still_exposed": 55,
11075
9287
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11102,18 +9314,6 @@
11102
9314
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11103
9315
  }
11104
9316
  },
11105
- "new_control_requirements": [
11106
- {
11107
- "id": "NEW-CTRL-001",
11108
- "name": "CISA-KEV-RESPONSE-SLA",
11109
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11110
- "evidence": "CVE-2025-33073",
11111
- "gap_closes": [
11112
- "NIST-800-53-SI-2",
11113
- "ISO-27001-2022-A.8.8"
11114
- ]
11115
- }
11116
- ],
11117
9317
  "compliance_exposure_score": {
11118
9318
  "percent_audit_passing_orgs_still_exposed": 55,
11119
9319
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11146,18 +9346,6 @@
11146
9346
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11147
9347
  }
11148
9348
  },
11149
- "new_control_requirements": [
11150
- {
11151
- "id": "NEW-CTRL-001",
11152
- "name": "CISA-KEV-RESPONSE-SLA",
11153
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11154
- "evidence": "CVE-2025-61884",
11155
- "gap_closes": [
11156
- "NIST-800-53-SI-2",
11157
- "ISO-27001-2022-A.8.8"
11158
- ]
11159
- }
11160
- ],
11161
9349
  "compliance_exposure_score": {
11162
9350
  "percent_audit_passing_orgs_still_exposed": 75,
11163
9351
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -11190,18 +9378,6 @@
11190
9378
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11191
9379
  }
11192
9380
  },
11193
- "new_control_requirements": [
11194
- {
11195
- "id": "NEW-CTRL-001",
11196
- "name": "CISA-KEV-RESPONSE-SLA",
11197
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11198
- "evidence": "CVE-2025-54253",
11199
- "gap_closes": [
11200
- "NIST-800-53-SI-2",
11201
- "ISO-27001-2022-A.8.8"
11202
- ]
11203
- }
11204
- ],
11205
9381
  "compliance_exposure_score": {
11206
9382
  "percent_audit_passing_orgs_still_exposed": 55,
11207
9383
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11234,18 +9410,6 @@
11234
9410
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11235
9411
  }
11236
9412
  },
11237
- "new_control_requirements": [
11238
- {
11239
- "id": "NEW-CTRL-001",
11240
- "name": "CISA-KEV-RESPONSE-SLA",
11241
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11242
- "evidence": "CVE-2025-47827",
11243
- "gap_closes": [
11244
- "NIST-800-53-SI-2",
11245
- "ISO-27001-2022-A.8.8"
11246
- ]
11247
- }
11248
- ],
11249
9413
  "compliance_exposure_score": {
11250
9414
  "percent_audit_passing_orgs_still_exposed": 55,
11251
9415
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11278,18 +9442,6 @@
11278
9442
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11279
9443
  }
11280
9444
  },
11281
- "new_control_requirements": [
11282
- {
11283
- "id": "NEW-CTRL-001",
11284
- "name": "CISA-KEV-RESPONSE-SLA",
11285
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11286
- "evidence": "CVE-2025-24990",
11287
- "gap_closes": [
11288
- "NIST-800-53-SI-2",
11289
- "ISO-27001-2022-A.8.8"
11290
- ]
11291
- }
11292
- ],
11293
9445
  "compliance_exposure_score": {
11294
9446
  "percent_audit_passing_orgs_still_exposed": 55,
11295
9447
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11322,18 +9474,6 @@
11322
9474
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11323
9475
  }
11324
9476
  },
11325
- "new_control_requirements": [
11326
- {
11327
- "id": "NEW-CTRL-001",
11328
- "name": "CISA-KEV-RESPONSE-SLA",
11329
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11330
- "evidence": "CVE-2025-59230",
11331
- "gap_closes": [
11332
- "NIST-800-53-SI-2",
11333
- "ISO-27001-2022-A.8.8"
11334
- ]
11335
- }
11336
- ],
11337
9477
  "compliance_exposure_score": {
11338
9478
  "percent_audit_passing_orgs_still_exposed": 55,
11339
9479
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11366,18 +9506,6 @@
11366
9506
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11367
9507
  }
11368
9508
  },
11369
- "new_control_requirements": [
11370
- {
11371
- "id": "NEW-CTRL-001",
11372
- "name": "CISA-KEV-RESPONSE-SLA",
11373
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11374
- "evidence": "CVE-2016-7836",
11375
- "gap_closes": [
11376
- "NIST-800-53-SI-2",
11377
- "ISO-27001-2022-A.8.8"
11378
- ]
11379
- }
11380
- ],
11381
9509
  "compliance_exposure_score": {
11382
9510
  "percent_audit_passing_orgs_still_exposed": 55,
11383
9511
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11410,18 +9538,6 @@
11410
9538
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11411
9539
  }
11412
9540
  },
11413
- "new_control_requirements": [
11414
- {
11415
- "id": "NEW-CTRL-001",
11416
- "name": "CISA-KEV-RESPONSE-SLA",
11417
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11418
- "evidence": "CVE-2021-43798",
11419
- "gap_closes": [
11420
- "NIST-800-53-SI-2",
11421
- "ISO-27001-2022-A.8.8"
11422
- ]
11423
- }
11424
- ],
11425
9541
  "compliance_exposure_score": {
11426
9542
  "percent_audit_passing_orgs_still_exposed": 55,
11427
9543
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11454,18 +9570,6 @@
11454
9570
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11455
9571
  }
11456
9572
  },
11457
- "new_control_requirements": [
11458
- {
11459
- "id": "NEW-CTRL-001",
11460
- "name": "CISA-KEV-RESPONSE-SLA",
11461
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11462
- "evidence": "CVE-2025-27915",
11463
- "gap_closes": [
11464
- "NIST-800-53-SI-2",
11465
- "ISO-27001-2022-A.8.8"
11466
- ]
11467
- }
11468
- ],
11469
9573
  "compliance_exposure_score": {
11470
9574
  "percent_audit_passing_orgs_still_exposed": 55,
11471
9575
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11498,18 +9602,6 @@
11498
9602
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11499
9603
  }
11500
9604
  },
11501
- "new_control_requirements": [
11502
- {
11503
- "id": "NEW-CTRL-001",
11504
- "name": "CISA-KEV-RESPONSE-SLA",
11505
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11506
- "evidence": "CVE-2021-22555",
11507
- "gap_closes": [
11508
- "NIST-800-53-SI-2",
11509
- "ISO-27001-2022-A.8.8"
11510
- ]
11511
- }
11512
- ],
11513
9605
  "compliance_exposure_score": {
11514
9606
  "percent_audit_passing_orgs_still_exposed": 55,
11515
9607
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11542,18 +9634,6 @@
11542
9634
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11543
9635
  }
11544
9636
  },
11545
- "new_control_requirements": [
11546
- {
11547
- "id": "NEW-CTRL-001",
11548
- "name": "CISA-KEV-RESPONSE-SLA",
11549
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11550
- "evidence": "CVE-2010-3962",
11551
- "gap_closes": [
11552
- "NIST-800-53-SI-2",
11553
- "ISO-27001-2022-A.8.8"
11554
- ]
11555
- }
11556
- ],
11557
9637
  "compliance_exposure_score": {
11558
9638
  "percent_audit_passing_orgs_still_exposed": 55,
11559
9639
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11586,18 +9666,6 @@
11586
9666
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11587
9667
  }
11588
9668
  },
11589
- "new_control_requirements": [
11590
- {
11591
- "id": "NEW-CTRL-001",
11592
- "name": "CISA-KEV-RESPONSE-SLA",
11593
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11594
- "evidence": "CVE-2021-43226",
11595
- "gap_closes": [
11596
- "NIST-800-53-SI-2",
11597
- "ISO-27001-2022-A.8.8"
11598
- ]
11599
- }
11600
- ],
11601
9669
  "compliance_exposure_score": {
11602
9670
  "percent_audit_passing_orgs_still_exposed": 55,
11603
9671
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11630,18 +9698,6 @@
11630
9698
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11631
9699
  }
11632
9700
  },
11633
- "new_control_requirements": [
11634
- {
11635
- "id": "NEW-CTRL-001",
11636
- "name": "CISA-KEV-RESPONSE-SLA",
11637
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11638
- "evidence": "CVE-2013-3918",
11639
- "gap_closes": [
11640
- "NIST-800-53-SI-2",
11641
- "ISO-27001-2022-A.8.8"
11642
- ]
11643
- }
11644
- ],
11645
9701
  "compliance_exposure_score": {
11646
9702
  "percent_audit_passing_orgs_still_exposed": 55,
11647
9703
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11674,18 +9730,6 @@
11674
9730
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11675
9731
  }
11676
9732
  },
11677
- "new_control_requirements": [
11678
- {
11679
- "id": "NEW-CTRL-001",
11680
- "name": "CISA-KEV-RESPONSE-SLA",
11681
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11682
- "evidence": "CVE-2011-3402",
11683
- "gap_closes": [
11684
- "NIST-800-53-SI-2",
11685
- "ISO-27001-2022-A.8.8"
11686
- ]
11687
- }
11688
- ],
11689
9733
  "compliance_exposure_score": {
11690
9734
  "percent_audit_passing_orgs_still_exposed": 55,
11691
9735
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11718,18 +9762,6 @@
11718
9762
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11719
9763
  }
11720
9764
  },
11721
- "new_control_requirements": [
11722
- {
11723
- "id": "NEW-CTRL-001",
11724
- "name": "CISA-KEV-RESPONSE-SLA",
11725
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11726
- "evidence": "CVE-2010-3765",
11727
- "gap_closes": [
11728
- "NIST-800-53-SI-2",
11729
- "ISO-27001-2022-A.8.8"
11730
- ]
11731
- }
11732
- ],
11733
9765
  "compliance_exposure_score": {
11734
9766
  "percent_audit_passing_orgs_still_exposed": 55,
11735
9767
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11762,18 +9794,6 @@
11762
9794
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11763
9795
  }
11764
9796
  },
11765
- "new_control_requirements": [
11766
- {
11767
- "id": "NEW-CTRL-001",
11768
- "name": "CISA-KEV-RESPONSE-SLA",
11769
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11770
- "evidence": "CVE-2025-61882",
11771
- "gap_closes": [
11772
- "NIST-800-53-SI-2",
11773
- "ISO-27001-2022-A.8.8"
11774
- ]
11775
- }
11776
- ],
11777
9797
  "compliance_exposure_score": {
11778
9798
  "percent_audit_passing_orgs_still_exposed": 75,
11779
9799
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -11806,18 +9826,6 @@
11806
9826
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11807
9827
  }
11808
9828
  },
11809
- "new_control_requirements": [
11810
- {
11811
- "id": "NEW-CTRL-001",
11812
- "name": "CISA-KEV-RESPONSE-SLA",
11813
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11814
- "evidence": "CVE-2014-6278",
11815
- "gap_closes": [
11816
- "NIST-800-53-SI-2",
11817
- "ISO-27001-2022-A.8.8"
11818
- ]
11819
- }
11820
- ],
11821
9829
  "compliance_exposure_score": {
11822
9830
  "percent_audit_passing_orgs_still_exposed": 55,
11823
9831
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11850,18 +9858,6 @@
11850
9858
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11851
9859
  }
11852
9860
  },
11853
- "new_control_requirements": [
11854
- {
11855
- "id": "NEW-CTRL-001",
11856
- "name": "CISA-KEV-RESPONSE-SLA",
11857
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11858
- "evidence": "CVE-2017-1000353",
11859
- "gap_closes": [
11860
- "NIST-800-53-SI-2",
11861
- "ISO-27001-2022-A.8.8"
11862
- ]
11863
- }
11864
- ],
11865
9861
  "compliance_exposure_score": {
11866
9862
  "percent_audit_passing_orgs_still_exposed": 55,
11867
9863
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11894,18 +9890,6 @@
11894
9890
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11895
9891
  }
11896
9892
  },
11897
- "new_control_requirements": [
11898
- {
11899
- "id": "NEW-CTRL-001",
11900
- "name": "CISA-KEV-RESPONSE-SLA",
11901
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11902
- "evidence": "CVE-2015-7755",
11903
- "gap_closes": [
11904
- "NIST-800-53-SI-2",
11905
- "ISO-27001-2022-A.8.8"
11906
- ]
11907
- }
11908
- ],
11909
9893
  "compliance_exposure_score": {
11910
9894
  "percent_audit_passing_orgs_still_exposed": 55,
11911
9895
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11938,18 +9922,6 @@
11938
9922
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11939
9923
  }
11940
9924
  },
11941
- "new_control_requirements": [
11942
- {
11943
- "id": "NEW-CTRL-001",
11944
- "name": "CISA-KEV-RESPONSE-SLA",
11945
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11946
- "evidence": "CVE-2025-21043",
11947
- "gap_closes": [
11948
- "NIST-800-53-SI-2",
11949
- "ISO-27001-2022-A.8.8"
11950
- ]
11951
- }
11952
- ],
11953
9925
  "compliance_exposure_score": {
11954
9926
  "percent_audit_passing_orgs_still_exposed": 55,
11955
9927
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -11982,18 +9954,6 @@
11982
9954
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
11983
9955
  }
11984
9956
  },
11985
- "new_control_requirements": [
11986
- {
11987
- "id": "NEW-CTRL-001",
11988
- "name": "CISA-KEV-RESPONSE-SLA",
11989
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
11990
- "evidence": "CVE-2025-4008",
11991
- "gap_closes": [
11992
- "NIST-800-53-SI-2",
11993
- "ISO-27001-2022-A.8.8"
11994
- ]
11995
- }
11996
- ],
11997
9957
  "compliance_exposure_score": {
11998
9958
  "percent_audit_passing_orgs_still_exposed": 55,
11999
9959
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12026,18 +9986,6 @@
12026
9986
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12027
9987
  }
12028
9988
  },
12029
- "new_control_requirements": [
12030
- {
12031
- "id": "NEW-CTRL-001",
12032
- "name": "CISA-KEV-RESPONSE-SLA",
12033
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12034
- "evidence": "CVE-2025-32463",
12035
- "gap_closes": [
12036
- "NIST-800-53-SI-2",
12037
- "ISO-27001-2022-A.8.8"
12038
- ]
12039
- }
12040
- ],
12041
9989
  "compliance_exposure_score": {
12042
9990
  "percent_audit_passing_orgs_still_exposed": 55,
12043
9991
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12070,18 +10018,6 @@
12070
10018
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12071
10019
  }
12072
10020
  },
12073
- "new_control_requirements": [
12074
- {
12075
- "id": "NEW-CTRL-001",
12076
- "name": "CISA-KEV-RESPONSE-SLA",
12077
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12078
- "evidence": "CVE-2025-59689",
12079
- "gap_closes": [
12080
- "NIST-800-53-SI-2",
12081
- "ISO-27001-2022-A.8.8"
12082
- ]
12083
- }
12084
- ],
12085
10021
  "compliance_exposure_score": {
12086
10022
  "percent_audit_passing_orgs_still_exposed": 55,
12087
10023
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12114,18 +10050,6 @@
12114
10050
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12115
10051
  }
12116
10052
  },
12117
- "new_control_requirements": [
12118
- {
12119
- "id": "NEW-CTRL-001",
12120
- "name": "CISA-KEV-RESPONSE-SLA",
12121
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12122
- "evidence": "CVE-2025-10035",
12123
- "gap_closes": [
12124
- "NIST-800-53-SI-2",
12125
- "ISO-27001-2022-A.8.8"
12126
- ]
12127
- }
12128
- ],
12129
10053
  "compliance_exposure_score": {
12130
10054
  "percent_audit_passing_orgs_still_exposed": 75,
12131
10055
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -12158,18 +10082,6 @@
12158
10082
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12159
10083
  }
12160
10084
  },
12161
- "new_control_requirements": [
12162
- {
12163
- "id": "NEW-CTRL-001",
12164
- "name": "CISA-KEV-RESPONSE-SLA",
12165
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12166
- "evidence": "CVE-2025-20352",
12167
- "gap_closes": [
12168
- "NIST-800-53-SI-2",
12169
- "ISO-27001-2022-A.8.8"
12170
- ]
12171
- }
12172
- ],
12173
10085
  "compliance_exposure_score": {
12174
10086
  "percent_audit_passing_orgs_still_exposed": 55,
12175
10087
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12202,18 +10114,6 @@
12202
10114
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12203
10115
  }
12204
10116
  },
12205
- "new_control_requirements": [
12206
- {
12207
- "id": "NEW-CTRL-001",
12208
- "name": "CISA-KEV-RESPONSE-SLA",
12209
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12210
- "evidence": "CVE-2021-21311",
12211
- "gap_closes": [
12212
- "NIST-800-53-SI-2",
12213
- "ISO-27001-2022-A.8.8"
12214
- ]
12215
- }
12216
- ],
12217
10117
  "compliance_exposure_score": {
12218
10118
  "percent_audit_passing_orgs_still_exposed": 55,
12219
10119
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12246,18 +10146,6 @@
12246
10146
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12247
10147
  }
12248
10148
  },
12249
- "new_control_requirements": [
12250
- {
12251
- "id": "NEW-CTRL-001",
12252
- "name": "CISA-KEV-RESPONSE-SLA",
12253
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12254
- "evidence": "CVE-2025-20362",
12255
- "gap_closes": [
12256
- "NIST-800-53-SI-2",
12257
- "ISO-27001-2022-A.8.8"
12258
- ]
12259
- }
12260
- ],
12261
10149
  "compliance_exposure_score": {
12262
10150
  "percent_audit_passing_orgs_still_exposed": 55,
12263
10151
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12290,18 +10178,6 @@
12290
10178
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12291
10179
  }
12292
10180
  },
12293
- "new_control_requirements": [
12294
- {
12295
- "id": "NEW-CTRL-001",
12296
- "name": "CISA-KEV-RESPONSE-SLA",
12297
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12298
- "evidence": "CVE-2025-20333",
12299
- "gap_closes": [
12300
- "NIST-800-53-SI-2",
12301
- "ISO-27001-2022-A.8.8"
12302
- ]
12303
- }
12304
- ],
12305
10181
  "compliance_exposure_score": {
12306
10182
  "percent_audit_passing_orgs_still_exposed": 55,
12307
10183
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12334,18 +10210,6 @@
12334
10210
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12335
10211
  }
12336
10212
  },
12337
- "new_control_requirements": [
12338
- {
12339
- "id": "NEW-CTRL-001",
12340
- "name": "CISA-KEV-RESPONSE-SLA",
12341
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12342
- "evidence": "CVE-2025-5086",
12343
- "gap_closes": [
12344
- "NIST-800-53-SI-2",
12345
- "ISO-27001-2022-A.8.8"
12346
- ]
12347
- }
12348
- ],
12349
10213
  "compliance_exposure_score": {
12350
10214
  "percent_audit_passing_orgs_still_exposed": 55,
12351
10215
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12378,18 +10242,6 @@
12378
10242
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12379
10243
  }
12380
10244
  },
12381
- "new_control_requirements": [
12382
- {
12383
- "id": "NEW-CTRL-001",
12384
- "name": "CISA-KEV-RESPONSE-SLA",
12385
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12386
- "evidence": "CVE-2025-48543",
12387
- "gap_closes": [
12388
- "NIST-800-53-SI-2",
12389
- "ISO-27001-2022-A.8.8"
12390
- ]
12391
- }
12392
- ],
12393
10245
  "compliance_exposure_score": {
12394
10246
  "percent_audit_passing_orgs_still_exposed": 55,
12395
10247
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12422,18 +10274,6 @@
12422
10274
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12423
10275
  }
12424
10276
  },
12425
- "new_control_requirements": [
12426
- {
12427
- "id": "NEW-CTRL-001",
12428
- "name": "CISA-KEV-RESPONSE-SLA",
12429
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12430
- "evidence": "CVE-2025-53690",
12431
- "gap_closes": [
12432
- "NIST-800-53-SI-2",
12433
- "ISO-27001-2022-A.8.8"
12434
- ]
12435
- }
12436
- ],
12437
10277
  "compliance_exposure_score": {
12438
10278
  "percent_audit_passing_orgs_still_exposed": 55,
12439
10279
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12466,18 +10306,6 @@
12466
10306
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12467
10307
  }
12468
10308
  },
12469
- "new_control_requirements": [
12470
- {
12471
- "id": "NEW-CTRL-001",
12472
- "name": "CISA-KEV-RESPONSE-SLA",
12473
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12474
- "evidence": "CVE-2023-50224",
12475
- "gap_closes": [
12476
- "NIST-800-53-SI-2",
12477
- "ISO-27001-2022-A.8.8"
12478
- ]
12479
- }
12480
- ],
12481
10309
  "compliance_exposure_score": {
12482
10310
  "percent_audit_passing_orgs_still_exposed": 55,
12483
10311
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12510,18 +10338,6 @@
12510
10338
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12511
10339
  }
12512
10340
  },
12513
- "new_control_requirements": [
12514
- {
12515
- "id": "NEW-CTRL-001",
12516
- "name": "CISA-KEV-RESPONSE-SLA",
12517
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12518
- "evidence": "CVE-2025-9377",
12519
- "gap_closes": [
12520
- "NIST-800-53-SI-2",
12521
- "ISO-27001-2022-A.8.8"
12522
- ]
12523
- }
12524
- ],
12525
10341
  "compliance_exposure_score": {
12526
10342
  "percent_audit_passing_orgs_still_exposed": 55,
12527
10343
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12554,18 +10370,6 @@
12554
10370
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12555
10371
  }
12556
10372
  },
12557
- "new_control_requirements": [
12558
- {
12559
- "id": "NEW-CTRL-001",
12560
- "name": "CISA-KEV-RESPONSE-SLA",
12561
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12562
- "evidence": "CVE-2020-24363",
12563
- "gap_closes": [
12564
- "NIST-800-53-SI-2",
12565
- "ISO-27001-2022-A.8.8"
12566
- ]
12567
- }
12568
- ],
12569
10373
  "compliance_exposure_score": {
12570
10374
  "percent_audit_passing_orgs_still_exposed": 55,
12571
10375
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12598,18 +10402,6 @@
12598
10402
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12599
10403
  }
12600
10404
  },
12601
- "new_control_requirements": [
12602
- {
12603
- "id": "NEW-CTRL-001",
12604
- "name": "CISA-KEV-RESPONSE-SLA",
12605
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12606
- "evidence": "CVE-2025-55177",
12607
- "gap_closes": [
12608
- "NIST-800-53-SI-2",
12609
- "ISO-27001-2022-A.8.8"
12610
- ]
12611
- }
12612
- ],
12613
10405
  "compliance_exposure_score": {
12614
10406
  "percent_audit_passing_orgs_still_exposed": 55,
12615
10407
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12642,18 +10434,6 @@
12642
10434
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12643
10435
  }
12644
10436
  },
12645
- "new_control_requirements": [
12646
- {
12647
- "id": "NEW-CTRL-001",
12648
- "name": "CISA-KEV-RESPONSE-SLA",
12649
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12650
- "evidence": "CVE-2025-57819",
12651
- "gap_closes": [
12652
- "NIST-800-53-SI-2",
12653
- "ISO-27001-2022-A.8.8"
12654
- ]
12655
- }
12656
- ],
12657
10437
  "compliance_exposure_score": {
12658
10438
  "percent_audit_passing_orgs_still_exposed": 55,
12659
10439
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12686,18 +10466,6 @@
12686
10466
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12687
10467
  }
12688
10468
  },
12689
- "new_control_requirements": [
12690
- {
12691
- "id": "NEW-CTRL-001",
12692
- "name": "CISA-KEV-RESPONSE-SLA",
12693
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12694
- "evidence": "CVE-2025-7775",
12695
- "gap_closes": [
12696
- "NIST-800-53-SI-2",
12697
- "ISO-27001-2022-A.8.8"
12698
- ]
12699
- }
12700
- ],
12701
10469
  "compliance_exposure_score": {
12702
10470
  "percent_audit_passing_orgs_still_exposed": 55,
12703
10471
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12730,18 +10498,6 @@
12730
10498
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12731
10499
  }
12732
10500
  },
12733
- "new_control_requirements": [
12734
- {
12735
- "id": "NEW-CTRL-001",
12736
- "name": "CISA-KEV-RESPONSE-SLA",
12737
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12738
- "evidence": "CVE-2025-48384",
12739
- "gap_closes": [
12740
- "NIST-800-53-SI-2",
12741
- "ISO-27001-2022-A.8.8"
12742
- ]
12743
- }
12744
- ],
12745
10501
  "compliance_exposure_score": {
12746
10502
  "percent_audit_passing_orgs_still_exposed": 55,
12747
10503
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12774,18 +10530,6 @@
12774
10530
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12775
10531
  }
12776
10532
  },
12777
- "new_control_requirements": [
12778
- {
12779
- "id": "NEW-CTRL-001",
12780
- "name": "CISA-KEV-RESPONSE-SLA",
12781
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12782
- "evidence": "CVE-2024-8068",
12783
- "gap_closes": [
12784
- "NIST-800-53-SI-2",
12785
- "ISO-27001-2022-A.8.8"
12786
- ]
12787
- }
12788
- ],
12789
10533
  "compliance_exposure_score": {
12790
10534
  "percent_audit_passing_orgs_still_exposed": 55,
12791
10535
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12818,18 +10562,6 @@
12818
10562
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12819
10563
  }
12820
10564
  },
12821
- "new_control_requirements": [
12822
- {
12823
- "id": "NEW-CTRL-001",
12824
- "name": "CISA-KEV-RESPONSE-SLA",
12825
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12826
- "evidence": "CVE-2024-8069",
12827
- "gap_closes": [
12828
- "NIST-800-53-SI-2",
12829
- "ISO-27001-2022-A.8.8"
12830
- ]
12831
- }
12832
- ],
12833
10565
  "compliance_exposure_score": {
12834
10566
  "percent_audit_passing_orgs_still_exposed": 55,
12835
10567
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12862,18 +10594,6 @@
12862
10594
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12863
10595
  }
12864
10596
  },
12865
- "new_control_requirements": [
12866
- {
12867
- "id": "NEW-CTRL-001",
12868
- "name": "CISA-KEV-RESPONSE-SLA",
12869
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12870
- "evidence": "CVE-2025-54948",
12871
- "gap_closes": [
12872
- "NIST-800-53-SI-2",
12873
- "ISO-27001-2022-A.8.8"
12874
- ]
12875
- }
12876
- ],
12877
10597
  "compliance_exposure_score": {
12878
10598
  "percent_audit_passing_orgs_still_exposed": 55,
12879
10599
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12906,18 +10626,6 @@
12906
10626
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12907
10627
  }
12908
10628
  },
12909
- "new_control_requirements": [
12910
- {
12911
- "id": "NEW-CTRL-001",
12912
- "name": "CISA-KEV-RESPONSE-SLA",
12913
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12914
- "evidence": "CVE-2025-8876",
12915
- "gap_closes": [
12916
- "NIST-800-53-SI-2",
12917
- "ISO-27001-2022-A.8.8"
12918
- ]
12919
- }
12920
- ],
12921
10629
  "compliance_exposure_score": {
12922
10630
  "percent_audit_passing_orgs_still_exposed": 55,
12923
10631
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12950,18 +10658,6 @@
12950
10658
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12951
10659
  }
12952
10660
  },
12953
- "new_control_requirements": [
12954
- {
12955
- "id": "NEW-CTRL-001",
12956
- "name": "CISA-KEV-RESPONSE-SLA",
12957
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
12958
- "evidence": "CVE-2025-8875",
12959
- "gap_closes": [
12960
- "NIST-800-53-SI-2",
12961
- "ISO-27001-2022-A.8.8"
12962
- ]
12963
- }
12964
- ],
12965
10661
  "compliance_exposure_score": {
12966
10662
  "percent_audit_passing_orgs_still_exposed": 55,
12967
10663
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -12994,18 +10690,6 @@
12994
10690
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
12995
10691
  }
12996
10692
  },
12997
- "new_control_requirements": [
12998
- {
12999
- "id": "NEW-CTRL-001",
13000
- "name": "CISA-KEV-RESPONSE-SLA",
13001
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13002
- "evidence": "CVE-2025-8088",
13003
- "gap_closes": [
13004
- "NIST-800-53-SI-2",
13005
- "ISO-27001-2022-A.8.8"
13006
- ]
13007
- }
13008
- ],
13009
10693
  "compliance_exposure_score": {
13010
10694
  "percent_audit_passing_orgs_still_exposed": 55,
13011
10695
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13038,18 +10722,6 @@
13038
10722
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13039
10723
  }
13040
10724
  },
13041
- "new_control_requirements": [
13042
- {
13043
- "id": "NEW-CTRL-001",
13044
- "name": "CISA-KEV-RESPONSE-SLA",
13045
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13046
- "evidence": "CVE-2007-0671",
13047
- "gap_closes": [
13048
- "NIST-800-53-SI-2",
13049
- "ISO-27001-2022-A.8.8"
13050
- ]
13051
- }
13052
- ],
13053
10725
  "compliance_exposure_score": {
13054
10726
  "percent_audit_passing_orgs_still_exposed": 55,
13055
10727
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13082,18 +10754,6 @@
13082
10754
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13083
10755
  }
13084
10756
  },
13085
- "new_control_requirements": [
13086
- {
13087
- "id": "NEW-CTRL-001",
13088
- "name": "CISA-KEV-RESPONSE-SLA",
13089
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13090
- "evidence": "CVE-2013-3893",
13091
- "gap_closes": [
13092
- "NIST-800-53-SI-2",
13093
- "ISO-27001-2022-A.8.8"
13094
- ]
13095
- }
13096
- ],
13097
10757
  "compliance_exposure_score": {
13098
10758
  "percent_audit_passing_orgs_still_exposed": 55,
13099
10759
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13126,18 +10786,6 @@
13126
10786
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13127
10787
  }
13128
10788
  },
13129
- "new_control_requirements": [
13130
- {
13131
- "id": "NEW-CTRL-001",
13132
- "name": "CISA-KEV-RESPONSE-SLA",
13133
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13134
- "evidence": "CVE-2020-25078",
13135
- "gap_closes": [
13136
- "NIST-800-53-SI-2",
13137
- "ISO-27001-2022-A.8.8"
13138
- ]
13139
- }
13140
- ],
13141
10789
  "compliance_exposure_score": {
13142
10790
  "percent_audit_passing_orgs_still_exposed": 55,
13143
10791
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13170,18 +10818,6 @@
13170
10818
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13171
10819
  }
13172
10820
  },
13173
- "new_control_requirements": [
13174
- {
13175
- "id": "NEW-CTRL-001",
13176
- "name": "CISA-KEV-RESPONSE-SLA",
13177
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13178
- "evidence": "CVE-2020-25079",
13179
- "gap_closes": [
13180
- "NIST-800-53-SI-2",
13181
- "ISO-27001-2022-A.8.8"
13182
- ]
13183
- }
13184
- ],
13185
10821
  "compliance_exposure_score": {
13186
10822
  "percent_audit_passing_orgs_still_exposed": 55,
13187
10823
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13214,18 +10850,6 @@
13214
10850
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13215
10851
  }
13216
10852
  },
13217
- "new_control_requirements": [
13218
- {
13219
- "id": "NEW-CTRL-001",
13220
- "name": "CISA-KEV-RESPONSE-SLA",
13221
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13222
- "evidence": "CVE-2022-40799",
13223
- "gap_closes": [
13224
- "NIST-800-53-SI-2",
13225
- "ISO-27001-2022-A.8.8"
13226
- ]
13227
- }
13228
- ],
13229
10853
  "compliance_exposure_score": {
13230
10854
  "percent_audit_passing_orgs_still_exposed": 55,
13231
10855
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13258,18 +10882,6 @@
13258
10882
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13259
10883
  }
13260
10884
  },
13261
- "new_control_requirements": [
13262
- {
13263
- "id": "NEW-CTRL-001",
13264
- "name": "CISA-KEV-RESPONSE-SLA",
13265
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13266
- "evidence": "CVE-2023-2533",
13267
- "gap_closes": [
13268
- "NIST-800-53-SI-2",
13269
- "ISO-27001-2022-A.8.8"
13270
- ]
13271
- }
13272
- ],
13273
10885
  "compliance_exposure_score": {
13274
10886
  "percent_audit_passing_orgs_still_exposed": 55,
13275
10887
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13302,18 +10914,6 @@
13302
10914
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13303
10915
  }
13304
10916
  },
13305
- "new_control_requirements": [
13306
- {
13307
- "id": "NEW-CTRL-001",
13308
- "name": "CISA-KEV-RESPONSE-SLA",
13309
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13310
- "evidence": "CVE-2025-20337",
13311
- "gap_closes": [
13312
- "NIST-800-53-SI-2",
13313
- "ISO-27001-2022-A.8.8"
13314
- ]
13315
- }
13316
- ],
13317
10917
  "compliance_exposure_score": {
13318
10918
  "percent_audit_passing_orgs_still_exposed": 55,
13319
10919
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13346,18 +10946,6 @@
13346
10946
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13347
10947
  }
13348
10948
  },
13349
- "new_control_requirements": [
13350
- {
13351
- "id": "NEW-CTRL-001",
13352
- "name": "CISA-KEV-RESPONSE-SLA",
13353
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13354
- "evidence": "CVE-2025-20281",
13355
- "gap_closes": [
13356
- "NIST-800-53-SI-2",
13357
- "ISO-27001-2022-A.8.8"
13358
- ]
13359
- }
13360
- ],
13361
10949
  "compliance_exposure_score": {
13362
10950
  "percent_audit_passing_orgs_still_exposed": 55,
13363
10951
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13390,18 +10978,6 @@
13390
10978
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13391
10979
  }
13392
10980
  },
13393
- "new_control_requirements": [
13394
- {
13395
- "id": "NEW-CTRL-001",
13396
- "name": "CISA-KEV-RESPONSE-SLA",
13397
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13398
- "evidence": "CVE-2025-2775",
13399
- "gap_closes": [
13400
- "NIST-800-53-SI-2",
13401
- "ISO-27001-2022-A.8.8"
13402
- ]
13403
- }
13404
- ],
13405
10981
  "compliance_exposure_score": {
13406
10982
  "percent_audit_passing_orgs_still_exposed": 55,
13407
10983
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13434,18 +11010,6 @@
13434
11010
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13435
11011
  }
13436
11012
  },
13437
- "new_control_requirements": [
13438
- {
13439
- "id": "NEW-CTRL-001",
13440
- "name": "CISA-KEV-RESPONSE-SLA",
13441
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13442
- "evidence": "CVE-2025-2776",
13443
- "gap_closes": [
13444
- "NIST-800-53-SI-2",
13445
- "ISO-27001-2022-A.8.8"
13446
- ]
13447
- }
13448
- ],
13449
11013
  "compliance_exposure_score": {
13450
11014
  "percent_audit_passing_orgs_still_exposed": 55,
13451
11015
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13478,18 +11042,6 @@
13478
11042
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13479
11043
  }
13480
11044
  },
13481
- "new_control_requirements": [
13482
- {
13483
- "id": "NEW-CTRL-001",
13484
- "name": "CISA-KEV-RESPONSE-SLA",
13485
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13486
- "evidence": "CVE-2025-6558",
13487
- "gap_closes": [
13488
- "NIST-800-53-SI-2",
13489
- "ISO-27001-2022-A.8.8"
13490
- ]
13491
- }
13492
- ],
13493
11045
  "compliance_exposure_score": {
13494
11046
  "percent_audit_passing_orgs_still_exposed": 55,
13495
11047
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13522,18 +11074,6 @@
13522
11074
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13523
11075
  }
13524
11076
  },
13525
- "new_control_requirements": [
13526
- {
13527
- "id": "NEW-CTRL-001",
13528
- "name": "CISA-KEV-RESPONSE-SLA",
13529
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13530
- "evidence": "CVE-2025-54309",
13531
- "gap_closes": [
13532
- "NIST-800-53-SI-2",
13533
- "ISO-27001-2022-A.8.8"
13534
- ]
13535
- }
13536
- ],
13537
11077
  "compliance_exposure_score": {
13538
11078
  "percent_audit_passing_orgs_still_exposed": 55,
13539
11079
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13566,18 +11106,6 @@
13566
11106
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13567
11107
  }
13568
11108
  },
13569
- "new_control_requirements": [
13570
- {
13571
- "id": "NEW-CTRL-001",
13572
- "name": "CISA-KEV-RESPONSE-SLA",
13573
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13574
- "evidence": "CVE-2025-49704",
13575
- "gap_closes": [
13576
- "NIST-800-53-SI-2",
13577
- "ISO-27001-2022-A.8.8"
13578
- ]
13579
- }
13580
- ],
13581
11109
  "compliance_exposure_score": {
13582
11110
  "percent_audit_passing_orgs_still_exposed": 75,
13583
11111
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13610,18 +11138,6 @@
13610
11138
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13611
11139
  }
13612
11140
  },
13613
- "new_control_requirements": [
13614
- {
13615
- "id": "NEW-CTRL-001",
13616
- "name": "CISA-KEV-RESPONSE-SLA",
13617
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13618
- "evidence": "CVE-2025-49706",
13619
- "gap_closes": [
13620
- "NIST-800-53-SI-2",
13621
- "ISO-27001-2022-A.8.8"
13622
- ]
13623
- }
13624
- ],
13625
11141
  "compliance_exposure_score": {
13626
11142
  "percent_audit_passing_orgs_still_exposed": 75,
13627
11143
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13654,18 +11170,6 @@
13654
11170
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13655
11171
  }
13656
11172
  },
13657
- "new_control_requirements": [
13658
- {
13659
- "id": "NEW-CTRL-001",
13660
- "name": "CISA-KEV-RESPONSE-SLA",
13661
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13662
- "evidence": "CVE-2025-53770",
13663
- "gap_closes": [
13664
- "NIST-800-53-SI-2",
13665
- "ISO-27001-2022-A.8.8"
13666
- ]
13667
- }
13668
- ],
13669
11173
  "compliance_exposure_score": {
13670
11174
  "percent_audit_passing_orgs_still_exposed": 75,
13671
11175
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13698,18 +11202,6 @@
13698
11202
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13699
11203
  }
13700
11204
  },
13701
- "new_control_requirements": [
13702
- {
13703
- "id": "NEW-CTRL-001",
13704
- "name": "CISA-KEV-RESPONSE-SLA",
13705
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13706
- "evidence": "CVE-2025-25257",
13707
- "gap_closes": [
13708
- "NIST-800-53-SI-2",
13709
- "ISO-27001-2022-A.8.8"
13710
- ]
13711
- }
13712
- ],
13713
11205
  "compliance_exposure_score": {
13714
11206
  "percent_audit_passing_orgs_still_exposed": 55,
13715
11207
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13742,18 +11234,6 @@
13742
11234
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13743
11235
  }
13744
11236
  },
13745
- "new_control_requirements": [
13746
- {
13747
- "id": "NEW-CTRL-001",
13748
- "name": "CISA-KEV-RESPONSE-SLA",
13749
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13750
- "evidence": "CVE-2025-47812",
13751
- "gap_closes": [
13752
- "NIST-800-53-SI-2",
13753
- "ISO-27001-2022-A.8.8"
13754
- ]
13755
- }
13756
- ],
13757
11237
  "compliance_exposure_score": {
13758
11238
  "percent_audit_passing_orgs_still_exposed": 55,
13759
11239
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13786,18 +11266,6 @@
13786
11266
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13787
11267
  }
13788
11268
  },
13789
- "new_control_requirements": [
13790
- {
13791
- "id": "NEW-CTRL-001",
13792
- "name": "CISA-KEV-RESPONSE-SLA",
13793
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13794
- "evidence": "CVE-2025-5777",
13795
- "gap_closes": [
13796
- "NIST-800-53-SI-2",
13797
- "ISO-27001-2022-A.8.8"
13798
- ]
13799
- }
13800
- ],
13801
11269
  "compliance_exposure_score": {
13802
11270
  "percent_audit_passing_orgs_still_exposed": 75,
13803
11271
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -13830,18 +11298,6 @@
13830
11298
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13831
11299
  }
13832
11300
  },
13833
- "new_control_requirements": [
13834
- {
13835
- "id": "NEW-CTRL-001",
13836
- "name": "CISA-KEV-RESPONSE-SLA",
13837
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13838
- "evidence": "CVE-2019-9621",
13839
- "gap_closes": [
13840
- "NIST-800-53-SI-2",
13841
- "ISO-27001-2022-A.8.8"
13842
- ]
13843
- }
13844
- ],
13845
11301
  "compliance_exposure_score": {
13846
11302
  "percent_audit_passing_orgs_still_exposed": 55,
13847
11303
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13874,18 +11330,6 @@
13874
11330
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13875
11331
  }
13876
11332
  },
13877
- "new_control_requirements": [
13878
- {
13879
- "id": "NEW-CTRL-001",
13880
- "name": "CISA-KEV-RESPONSE-SLA",
13881
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13882
- "evidence": "CVE-2019-5418",
13883
- "gap_closes": [
13884
- "NIST-800-53-SI-2",
13885
- "ISO-27001-2022-A.8.8"
13886
- ]
13887
- }
13888
- ],
13889
11333
  "compliance_exposure_score": {
13890
11334
  "percent_audit_passing_orgs_still_exposed": 55,
13891
11335
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13918,18 +11362,6 @@
13918
11362
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13919
11363
  }
13920
11364
  },
13921
- "new_control_requirements": [
13922
- {
13923
- "id": "NEW-CTRL-001",
13924
- "name": "CISA-KEV-RESPONSE-SLA",
13925
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13926
- "evidence": "CVE-2016-10033",
13927
- "gap_closes": [
13928
- "NIST-800-53-SI-2",
13929
- "ISO-27001-2022-A.8.8"
13930
- ]
13931
- }
13932
- ],
13933
11365
  "compliance_exposure_score": {
13934
11366
  "percent_audit_passing_orgs_still_exposed": 55,
13935
11367
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -13962,18 +11394,6 @@
13962
11394
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
13963
11395
  }
13964
11396
  },
13965
- "new_control_requirements": [
13966
- {
13967
- "id": "NEW-CTRL-001",
13968
- "name": "CISA-KEV-RESPONSE-SLA",
13969
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
13970
- "evidence": "CVE-2014-3931",
13971
- "gap_closes": [
13972
- "NIST-800-53-SI-2",
13973
- "ISO-27001-2022-A.8.8"
13974
- ]
13975
- }
13976
- ],
13977
11397
  "compliance_exposure_score": {
13978
11398
  "percent_audit_passing_orgs_still_exposed": 55,
13979
11399
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14006,18 +11426,6 @@
14006
11426
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14007
11427
  }
14008
11428
  },
14009
- "new_control_requirements": [
14010
- {
14011
- "id": "NEW-CTRL-001",
14012
- "name": "CISA-KEV-RESPONSE-SLA",
14013
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14014
- "evidence": "CVE-2025-6554",
14015
- "gap_closes": [
14016
- "NIST-800-53-SI-2",
14017
- "ISO-27001-2022-A.8.8"
14018
- ]
14019
- }
14020
- ],
14021
11429
  "compliance_exposure_score": {
14022
11430
  "percent_audit_passing_orgs_still_exposed": 55,
14023
11431
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14050,18 +11458,6 @@
14050
11458
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14051
11459
  }
14052
11460
  },
14053
- "new_control_requirements": [
14054
- {
14055
- "id": "NEW-CTRL-001",
14056
- "name": "CISA-KEV-RESPONSE-SLA",
14057
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14058
- "evidence": "CVE-2025-48928",
14059
- "gap_closes": [
14060
- "NIST-800-53-SI-2",
14061
- "ISO-27001-2022-A.8.8"
14062
- ]
14063
- }
14064
- ],
14065
11461
  "compliance_exposure_score": {
14066
11462
  "percent_audit_passing_orgs_still_exposed": 55,
14067
11463
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14094,18 +11490,6 @@
14094
11490
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14095
11491
  }
14096
11492
  },
14097
- "new_control_requirements": [
14098
- {
14099
- "id": "NEW-CTRL-001",
14100
- "name": "CISA-KEV-RESPONSE-SLA",
14101
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14102
- "evidence": "CVE-2025-48927",
14103
- "gap_closes": [
14104
- "NIST-800-53-SI-2",
14105
- "ISO-27001-2022-A.8.8"
14106
- ]
14107
- }
14108
- ],
14109
11493
  "compliance_exposure_score": {
14110
11494
  "percent_audit_passing_orgs_still_exposed": 55,
14111
11495
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14138,18 +11522,6 @@
14138
11522
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14139
11523
  }
14140
11524
  },
14141
- "new_control_requirements": [
14142
- {
14143
- "id": "NEW-CTRL-001",
14144
- "name": "CISA-KEV-RESPONSE-SLA",
14145
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14146
- "evidence": "CVE-2025-6543",
14147
- "gap_closes": [
14148
- "NIST-800-53-SI-2",
14149
- "ISO-27001-2022-A.8.8"
14150
- ]
14151
- }
14152
- ],
14153
11525
  "compliance_exposure_score": {
14154
11526
  "percent_audit_passing_orgs_still_exposed": 55,
14155
11527
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14182,18 +11554,6 @@
14182
11554
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14183
11555
  }
14184
11556
  },
14185
- "new_control_requirements": [
14186
- {
14187
- "id": "NEW-CTRL-001",
14188
- "name": "CISA-KEV-RESPONSE-SLA",
14189
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14190
- "evidence": "CVE-2019-6693",
14191
- "gap_closes": [
14192
- "NIST-800-53-SI-2",
14193
- "ISO-27001-2022-A.8.8"
14194
- ]
14195
- }
14196
- ],
14197
11557
  "compliance_exposure_score": {
14198
11558
  "percent_audit_passing_orgs_still_exposed": 75,
14199
11559
  "basis": "Known ransomware-campaign use; passing orgs typically still exposed when patch deployment lags KEV due date.",
@@ -14226,18 +11586,6 @@
14226
11586
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14227
11587
  }
14228
11588
  },
14229
- "new_control_requirements": [
14230
- {
14231
- "id": "NEW-CTRL-001",
14232
- "name": "CISA-KEV-RESPONSE-SLA",
14233
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14234
- "evidence": "CVE-2024-0769",
14235
- "gap_closes": [
14236
- "NIST-800-53-SI-2",
14237
- "ISO-27001-2022-A.8.8"
14238
- ]
14239
- }
14240
- ],
14241
11589
  "compliance_exposure_score": {
14242
11590
  "percent_audit_passing_orgs_still_exposed": 55,
14243
11591
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14270,18 +11618,6 @@
14270
11618
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14271
11619
  }
14272
11620
  },
14273
- "new_control_requirements": [
14274
- {
14275
- "id": "NEW-CTRL-001",
14276
- "name": "CISA-KEV-RESPONSE-SLA",
14277
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14278
- "evidence": "CVE-2024-54085",
14279
- "gap_closes": [
14280
- "NIST-800-53-SI-2",
14281
- "ISO-27001-2022-A.8.8"
14282
- ]
14283
- }
14284
- ],
14285
11621
  "compliance_exposure_score": {
14286
11622
  "percent_audit_passing_orgs_still_exposed": 55,
14287
11623
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14314,18 +11650,6 @@
14314
11650
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14315
11651
  }
14316
11652
  },
14317
- "new_control_requirements": [
14318
- {
14319
- "id": "NEW-CTRL-001",
14320
- "name": "CISA-KEV-RESPONSE-SLA",
14321
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14322
- "evidence": "CVE-2023-0386",
14323
- "gap_closes": [
14324
- "NIST-800-53-SI-2",
14325
- "ISO-27001-2022-A.8.8"
14326
- ]
14327
- }
14328
- ],
14329
11653
  "compliance_exposure_score": {
14330
11654
  "percent_audit_passing_orgs_still_exposed": 55,
14331
11655
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14358,18 +11682,6 @@
14358
11682
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14359
11683
  }
14360
11684
  },
14361
- "new_control_requirements": [
14362
- {
14363
- "id": "NEW-CTRL-001",
14364
- "name": "CISA-KEV-RESPONSE-SLA",
14365
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14366
- "evidence": "CVE-2023-33538",
14367
- "gap_closes": [
14368
- "NIST-800-53-SI-2",
14369
- "ISO-27001-2022-A.8.8"
14370
- ]
14371
- }
14372
- ],
14373
11685
  "compliance_exposure_score": {
14374
11686
  "percent_audit_passing_orgs_still_exposed": 55,
14375
11687
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14402,18 +11714,6 @@
14402
11714
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14403
11715
  }
14404
11716
  },
14405
- "new_control_requirements": [
14406
- {
14407
- "id": "NEW-CTRL-001",
14408
- "name": "CISA-KEV-RESPONSE-SLA",
14409
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14410
- "evidence": "CVE-2025-43200",
14411
- "gap_closes": [
14412
- "NIST-800-53-SI-2",
14413
- "ISO-27001-2022-A.8.8"
14414
- ]
14415
- }
14416
- ],
14417
11717
  "compliance_exposure_score": {
14418
11718
  "percent_audit_passing_orgs_still_exposed": 55,
14419
11719
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14446,18 +11746,6 @@
14446
11746
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14447
11747
  }
14448
11748
  },
14449
- "new_control_requirements": [
14450
- {
14451
- "id": "NEW-CTRL-001",
14452
- "name": "CISA-KEV-RESPONSE-SLA",
14453
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14454
- "evidence": "CVE-2025-33053",
14455
- "gap_closes": [
14456
- "NIST-800-53-SI-2",
14457
- "ISO-27001-2022-A.8.8"
14458
- ]
14459
- }
14460
- ],
14461
11749
  "compliance_exposure_score": {
14462
11750
  "percent_audit_passing_orgs_still_exposed": 55,
14463
11751
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14484,24 +11772,12 @@
14484
11772
  "adequate": false,
14485
11773
  "gap": "30-day SLA inadequate for KEV-listed actively-exploited CVE; KEV due date is the operational clock."
14486
11774
  },
14487
- "ISO-27001-2022-A.8.8": {
14488
- "covered": true,
14489
- "adequate": false,
14490
- "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14491
- }
14492
- },
14493
- "new_control_requirements": [
14494
- {
14495
- "id": "NEW-CTRL-001",
14496
- "name": "CISA-KEV-RESPONSE-SLA",
14497
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14498
- "evidence": "CVE-2025-24016",
14499
- "gap_closes": [
14500
- "NIST-800-53-SI-2",
14501
- "ISO-27001-2022-A.8.8"
14502
- ]
11775
+ "ISO-27001-2022-A.8.8": {
11776
+ "covered": true,
11777
+ "adequate": false,
11778
+ "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14503
11779
  }
14504
- ],
11780
+ },
14505
11781
  "compliance_exposure_score": {
14506
11782
  "percent_audit_passing_orgs_still_exposed": 55,
14507
11783
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
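Review bot: Every record in this section loses its `new_control_requirements` array, yet the surviving `NIST-800-53-SI-2` `gap` text still names the KEV due date as the operational clock, so each record now states the gap without the `CISA-KEV-RESPONSE-SLA` control that previously closed it, and the `gap_closes` back-reference to `ISO-27001-2022-A.8.8` disappears with it. Any consumer that indexes `new_control_requirements` or `gap_closes` will hit a missing key on these records unless it already treats the key as optional, and nothing in the visible hunks adjusts a schema or version marker to signal that. If the control was moved to a shared top-level definition elsewhere in the package, a per-record reference such as a constructed `"control_refs": ["NEW-CTRL-001"]` would keep the gap-to-control link machine-readable; if it was dropped on purpose, the `gap` wording could be trimmed so it stops pointing at a control the record no longer lists. The same removal is repeated in every other hunk of this section, which are otherwise pure deletions, and the enclosing record object begins and ends outside this hunk.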
@@ -14534,18 +11810,6 @@
14534
11810
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14535
11811
  }
14536
11812
  },
14537
- "new_control_requirements": [
14538
- {
14539
- "id": "NEW-CTRL-001",
14540
- "name": "CISA-KEV-RESPONSE-SLA",
14541
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14542
- "evidence": "CVE-2024-42009",
14543
- "gap_closes": [
14544
- "NIST-800-53-SI-2",
14545
- "ISO-27001-2022-A.8.8"
14546
- ]
14547
- }
14548
- ],
14549
11813
  "compliance_exposure_score": {
14550
11814
  "percent_audit_passing_orgs_still_exposed": 55,
14551
11815
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14578,18 +11842,6 @@
14578
11842
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14579
11843
  }
14580
11844
  },
14581
- "new_control_requirements": [
14582
- {
14583
- "id": "NEW-CTRL-001",
14584
- "name": "CISA-KEV-RESPONSE-SLA",
14585
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14586
- "evidence": "CVE-2025-32433",
14587
- "gap_closes": [
14588
- "NIST-800-53-SI-2",
14589
- "ISO-27001-2022-A.8.8"
14590
- ]
14591
- }
14592
- ],
14593
11845
  "compliance_exposure_score": {
14594
11846
  "percent_audit_passing_orgs_still_exposed": 55,
14595
11847
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14622,18 +11874,6 @@
14622
11874
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14623
11875
  }
14624
11876
  },
14625
- "new_control_requirements": [
14626
- {
14627
- "id": "NEW-CTRL-001",
14628
- "name": "CISA-KEV-RESPONSE-SLA",
14629
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14630
- "evidence": "CVE-2025-5419",
14631
- "gap_closes": [
14632
- "NIST-800-53-SI-2",
14633
- "ISO-27001-2022-A.8.8"
14634
- ]
14635
- }
14636
- ],
14637
11877
  "compliance_exposure_score": {
14638
11878
  "percent_audit_passing_orgs_still_exposed": 55,
14639
11879
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14666,18 +11906,6 @@
14666
11906
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14667
11907
  }
14668
11908
  },
14669
- "new_control_requirements": [
14670
- {
14671
- "id": "NEW-CTRL-001",
14672
- "name": "CISA-KEV-RESPONSE-SLA",
14673
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14674
- "evidence": "CVE-2025-21479",
14675
- "gap_closes": [
14676
- "NIST-800-53-SI-2",
14677
- "ISO-27001-2022-A.8.8"
14678
- ]
14679
- }
14680
- ],
14681
11909
  "compliance_exposure_score": {
14682
11910
  "percent_audit_passing_orgs_still_exposed": 55,
14683
11911
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14710,18 +11938,6 @@
14710
11938
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14711
11939
  }
14712
11940
  },
14713
- "new_control_requirements": [
14714
- {
14715
- "id": "NEW-CTRL-001",
14716
- "name": "CISA-KEV-RESPONSE-SLA",
14717
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14718
- "evidence": "CVE-2025-21480",
14719
- "gap_closes": [
14720
- "NIST-800-53-SI-2",
14721
- "ISO-27001-2022-A.8.8"
14722
- ]
14723
- }
14724
- ],
14725
11941
  "compliance_exposure_score": {
14726
11942
  "percent_audit_passing_orgs_still_exposed": 55,
14727
11943
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14754,18 +11970,6 @@
14754
11970
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14755
11971
  }
14756
11972
  },
14757
- "new_control_requirements": [
14758
- {
14759
- "id": "NEW-CTRL-001",
14760
- "name": "CISA-KEV-RESPONSE-SLA",
14761
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14762
- "evidence": "CVE-2025-27038",
14763
- "gap_closes": [
14764
- "NIST-800-53-SI-2",
14765
- "ISO-27001-2022-A.8.8"
14766
- ]
14767
- }
14768
- ],
14769
11973
  "compliance_exposure_score": {
14770
11974
  "percent_audit_passing_orgs_still_exposed": 55,
14771
11975
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14798,18 +12002,6 @@
14798
12002
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14799
12003
  }
14800
12004
  },
14801
- "new_control_requirements": [
14802
- {
14803
- "id": "NEW-CTRL-001",
14804
- "name": "CISA-KEV-RESPONSE-SLA",
14805
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14806
- "evidence": "CVE-2021-32030",
14807
- "gap_closes": [
14808
- "NIST-800-53-SI-2",
14809
- "ISO-27001-2022-A.8.8"
14810
- ]
14811
- }
14812
- ],
14813
12005
  "compliance_exposure_score": {
14814
12006
  "percent_audit_passing_orgs_still_exposed": 55,
14815
12007
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14842,18 +12034,6 @@
14842
12034
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14843
12035
  }
14844
12036
  },
14845
- "new_control_requirements": [
14846
- {
14847
- "id": "NEW-CTRL-001",
14848
- "name": "CISA-KEV-RESPONSE-SLA",
14849
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14850
- "evidence": "CVE-2025-3935",
14851
- "gap_closes": [
14852
- "NIST-800-53-SI-2",
14853
- "ISO-27001-2022-A.8.8"
14854
- ]
14855
- }
14856
- ],
14857
12037
  "compliance_exposure_score": {
14858
12038
  "percent_audit_passing_orgs_still_exposed": 55,
14859
12039
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14886,18 +12066,6 @@
14886
12066
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14887
12067
  }
14888
12068
  },
14889
- "new_control_requirements": [
14890
- {
14891
- "id": "NEW-CTRL-001",
14892
- "name": "CISA-KEV-RESPONSE-SLA",
14893
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14894
- "evidence": "CVE-2025-35939",
14895
- "gap_closes": [
14896
- "NIST-800-53-SI-2",
14897
- "ISO-27001-2022-A.8.8"
14898
- ]
14899
- }
14900
- ],
14901
12069
  "compliance_exposure_score": {
14902
12070
  "percent_audit_passing_orgs_still_exposed": 55,
14903
12071
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14930,18 +12098,6 @@
14930
12098
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14931
12099
  }
14932
12100
  },
14933
- "new_control_requirements": [
14934
- {
14935
- "id": "NEW-CTRL-001",
14936
- "name": "CISA-KEV-RESPONSE-SLA",
14937
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14938
- "evidence": "CVE-2024-56145",
14939
- "gap_closes": [
14940
- "NIST-800-53-SI-2",
14941
- "ISO-27001-2022-A.8.8"
14942
- ]
14943
- }
14944
- ],
14945
12101
  "compliance_exposure_score": {
14946
12102
  "percent_audit_passing_orgs_still_exposed": 55,
14947
12103
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -14974,18 +12130,6 @@
14974
12130
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
14975
12131
  }
14976
12132
  },
14977
- "new_control_requirements": [
14978
- {
14979
- "id": "NEW-CTRL-001",
14980
- "name": "CISA-KEV-RESPONSE-SLA",
14981
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
14982
- "evidence": "CVE-2023-39780",
14983
- "gap_closes": [
14984
- "NIST-800-53-SI-2",
14985
- "ISO-27001-2022-A.8.8"
14986
- ]
14987
- }
14988
- ],
14989
12133
  "compliance_exposure_score": {
14990
12134
  "percent_audit_passing_orgs_still_exposed": 55,
14991
12135
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15018,18 +12162,6 @@
15018
12162
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15019
12163
  }
15020
12164
  },
15021
- "new_control_requirements": [
15022
- {
15023
- "id": "NEW-CTRL-001",
15024
- "name": "CISA-KEV-RESPONSE-SLA",
15025
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15026
- "evidence": "CVE-2025-4632",
15027
- "gap_closes": [
15028
- "NIST-800-53-SI-2",
15029
- "ISO-27001-2022-A.8.8"
15030
- ]
15031
- }
15032
- ],
15033
12165
  "compliance_exposure_score": {
15034
12166
  "percent_audit_passing_orgs_still_exposed": 55,
15035
12167
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15062,18 +12194,6 @@
15062
12194
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15063
12195
  }
15064
12196
  },
15065
- "new_control_requirements": [
15066
- {
15067
- "id": "NEW-CTRL-001",
15068
- "name": "CISA-KEV-RESPONSE-SLA",
15069
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15070
- "evidence": "CVE-2023-38950",
15071
- "gap_closes": [
15072
- "NIST-800-53-SI-2",
15073
- "ISO-27001-2022-A.8.8"
15074
- ]
15075
- }
15076
- ],
15077
12197
  "compliance_exposure_score": {
15078
12198
  "percent_audit_passing_orgs_still_exposed": 55,
15079
12199
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15106,18 +12226,6 @@
15106
12226
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15107
12227
  }
15108
12228
  },
15109
- "new_control_requirements": [
15110
- {
15111
- "id": "NEW-CTRL-001",
15112
- "name": "CISA-KEV-RESPONSE-SLA",
15113
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15114
- "evidence": "CVE-2024-27443",
15115
- "gap_closes": [
15116
- "NIST-800-53-SI-2",
15117
- "ISO-27001-2022-A.8.8"
15118
- ]
15119
- }
15120
- ],
15121
12229
  "compliance_exposure_score": {
15122
12230
  "percent_audit_passing_orgs_still_exposed": 55,
15123
12231
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15150,18 +12258,6 @@
15150
12258
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15151
12259
  }
15152
12260
  },
15153
- "new_control_requirements": [
15154
- {
15155
- "id": "NEW-CTRL-001",
15156
- "name": "CISA-KEV-RESPONSE-SLA",
15157
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15158
- "evidence": "CVE-2025-27920",
15159
- "gap_closes": [
15160
- "NIST-800-53-SI-2",
15161
- "ISO-27001-2022-A.8.8"
15162
- ]
15163
- }
15164
- ],
15165
12261
  "compliance_exposure_score": {
15166
12262
  "percent_audit_passing_orgs_still_exposed": 55,
15167
12263
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15194,18 +12290,6 @@
15194
12290
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15195
12291
  }
15196
12292
  },
15197
- "new_control_requirements": [
15198
- {
15199
- "id": "NEW-CTRL-001",
15200
- "name": "CISA-KEV-RESPONSE-SLA",
15201
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15202
- "evidence": "CVE-2024-11182",
15203
- "gap_closes": [
15204
- "NIST-800-53-SI-2",
15205
- "ISO-27001-2022-A.8.8"
15206
- ]
15207
- }
15208
- ],
15209
12293
  "compliance_exposure_score": {
15210
12294
  "percent_audit_passing_orgs_still_exposed": 55,
15211
12295
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15238,18 +12322,6 @@
15238
12322
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15239
12323
  }
15240
12324
  },
15241
- "new_control_requirements": [
15242
- {
15243
- "id": "NEW-CTRL-001",
15244
- "name": "CISA-KEV-RESPONSE-SLA",
15245
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15246
- "evidence": "CVE-2025-4428",
15247
- "gap_closes": [
15248
- "NIST-800-53-SI-2",
15249
- "ISO-27001-2022-A.8.8"
15250
- ]
15251
- }
15252
- ],
15253
12325
  "compliance_exposure_score": {
15254
12326
  "percent_audit_passing_orgs_still_exposed": 55,
15255
12327
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15282,18 +12354,6 @@
15282
12354
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15283
12355
  }
15284
12356
  },
15285
- "new_control_requirements": [
15286
- {
15287
- "id": "NEW-CTRL-001",
15288
- "name": "CISA-KEV-RESPONSE-SLA",
15289
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15290
- "evidence": "CVE-2025-4427",
15291
- "gap_closes": [
15292
- "NIST-800-53-SI-2",
15293
- "ISO-27001-2022-A.8.8"
15294
- ]
15295
- }
15296
- ],
15297
12357
  "compliance_exposure_score": {
15298
12358
  "percent_audit_passing_orgs_still_exposed": 55,
15299
12359
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15326,18 +12386,6 @@
15326
12386
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15327
12387
  }
15328
12388
  },
15329
- "new_control_requirements": [
15330
- {
15331
- "id": "NEW-CTRL-001",
15332
- "name": "CISA-KEV-RESPONSE-SLA",
15333
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15334
- "evidence": "CVE-2025-42999",
15335
- "gap_closes": [
15336
- "NIST-800-53-SI-2",
15337
- "ISO-27001-2022-A.8.8"
15338
- ]
15339
- }
15340
- ],
15341
12389
  "compliance_exposure_score": {
15342
12390
  "percent_audit_passing_orgs_still_exposed": 55,
15343
12391
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15370,18 +12418,6 @@
15370
12418
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15371
12419
  }
15372
12420
  },
15373
- "new_control_requirements": [
15374
- {
15375
- "id": "NEW-CTRL-001",
15376
- "name": "CISA-KEV-RESPONSE-SLA",
15377
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15378
- "evidence": "CVE-2024-12987",
15379
- "gap_closes": [
15380
- "NIST-800-53-SI-2",
15381
- "ISO-27001-2022-A.8.8"
15382
- ]
15383
- }
15384
- ],
15385
12421
  "compliance_exposure_score": {
15386
12422
  "percent_audit_passing_orgs_still_exposed": 55,
15387
12423
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15414,18 +12450,6 @@
15414
12450
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15415
12451
  }
15416
12452
  },
15417
- "new_control_requirements": [
15418
- {
15419
- "id": "NEW-CTRL-001",
15420
- "name": "CISA-KEV-RESPONSE-SLA",
15421
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15422
- "evidence": "CVE-2025-32756",
15423
- "gap_closes": [
15424
- "NIST-800-53-SI-2",
15425
- "ISO-27001-2022-A.8.8"
15426
- ]
15427
- }
15428
- ],
15429
12453
  "compliance_exposure_score": {
15430
12454
  "percent_audit_passing_orgs_still_exposed": 55,
15431
12455
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15458,18 +12482,6 @@
15458
12482
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15459
12483
  }
15460
12484
  },
15461
- "new_control_requirements": [
15462
- {
15463
- "id": "NEW-CTRL-001",
15464
- "name": "CISA-KEV-RESPONSE-SLA",
15465
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15466
- "evidence": "CVE-2025-32709",
15467
- "gap_closes": [
15468
- "NIST-800-53-SI-2",
15469
- "ISO-27001-2022-A.8.8"
15470
- ]
15471
- }
15472
- ],
15473
12485
  "compliance_exposure_score": {
15474
12486
  "percent_audit_passing_orgs_still_exposed": 55,
15475
12487
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15502,18 +12514,6 @@
15502
12514
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15503
12515
  }
15504
12516
  },
15505
- "new_control_requirements": [
15506
- {
15507
- "id": "NEW-CTRL-001",
15508
- "name": "CISA-KEV-RESPONSE-SLA",
15509
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15510
- "evidence": "CVE-2025-30397",
15511
- "gap_closes": [
15512
- "NIST-800-53-SI-2",
15513
- "ISO-27001-2022-A.8.8"
15514
- ]
15515
- }
15516
- ],
15517
12517
  "compliance_exposure_score": {
15518
12518
  "percent_audit_passing_orgs_still_exposed": 55,
15519
12519
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15546,18 +12546,6 @@
15546
12546
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15547
12547
  }
15548
12548
  },
15549
- "new_control_requirements": [
15550
- {
15551
- "id": "NEW-CTRL-001",
15552
- "name": "CISA-KEV-RESPONSE-SLA",
15553
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15554
- "evidence": "CVE-2025-32706",
15555
- "gap_closes": [
15556
- "NIST-800-53-SI-2",
15557
- "ISO-27001-2022-A.8.8"
15558
- ]
15559
- }
15560
- ],
15561
12549
  "compliance_exposure_score": {
15562
12550
  "percent_audit_passing_orgs_still_exposed": 55,
15563
12551
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",
@@ -15590,18 +12578,6 @@
15590
12578
  "gap": "Standard does not differentiate routinely-disclosed CVE from KEV-listed actively-exploited CVE."
15591
12579
  }
15592
12580
  },
15593
- "new_control_requirements": [
15594
- {
15595
- "id": "NEW-CTRL-001",
15596
- "name": "CISA-KEV-RESPONSE-SLA",
15597
- "description": "Operational response within the CISA-published due date for any KEV listing; routinely shorter than the NIST 30-day SLA.",
15598
- "evidence": "CVE-2025-32701",
15599
- "gap_closes": [
15600
- "NIST-800-53-SI-2",
15601
- "ISO-27001-2022-A.8.8"
15602
- ]
15603
- }
15604
- ],
15605
12581
  "compliance_exposure_score": {
15606
12582
  "percent_audit_passing_orgs_still_exposed": 55,
15607
12583
  "basis": "KEV-listed but not yet ransomware-attributed; exposure concentrated in orgs whose patch SLA defaults to NIST 30 days.",