genai-security-crosswalk 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
|
@@ -0,0 +1,817 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "LLM03",
|
|
3
|
+
"name": "Supply Chain Vulnerabilities",
|
|
4
|
+
"source_list": "LLM-Top10-2025",
|
|
5
|
+
"version": "2026-Q1",
|
|
6
|
+
"severity": "High",
|
|
7
|
+
"aivss_score": null,
|
|
8
|
+
"audience": [
|
|
9
|
+
"red-teamer",
|
|
10
|
+
"security-engineer",
|
|
11
|
+
"developer",
|
|
12
|
+
"ml-engineer",
|
|
13
|
+
"ot-engineer",
|
|
14
|
+
"ciso",
|
|
15
|
+
"compliance",
|
|
16
|
+
"auditor"
|
|
17
|
+
],
|
|
18
|
+
"mappings": [
|
|
19
|
+
{
|
|
20
|
+
"framework": "MITRE ATLAS",
|
|
21
|
+
"control_id": "AML.T0056",
|
|
22
|
+
"control_name": "Adversarial Model Manipulation",
|
|
23
|
+
"tier": "Foundational",
|
|
24
|
+
"scope": "Both",
|
|
25
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0056",
|
|
26
|
+
"notes": "Tampering with model weights, adapters, or configurations during supply chain"
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
"framework": "MITRE ATLAS",
|
|
30
|
+
"control_id": "AML.T0048",
|
|
31
|
+
"control_name": "Model Contamination",
|
|
32
|
+
"tier": "Foundational",
|
|
33
|
+
"scope": "Both",
|
|
34
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0048",
|
|
35
|
+
"notes": "Introducing persistent malicious behaviour into model through supply chain"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"framework": "MITRE ATLAS",
|
|
39
|
+
"control_id": "AML.T0010",
|
|
40
|
+
"control_name": "Backdoor ML Model",
|
|
41
|
+
"tier": "Foundational",
|
|
42
|
+
"scope": "Both",
|
|
43
|
+
"url": "https://atlas.mitre.org/techniques/AML.T0010",
|
|
44
|
+
"notes": "Embedding trigger-based backdoors in model weights via training or fine-tuning supply chain"
|
|
45
|
+
},
|
|
46
|
+
{
|
|
47
|
+
"framework": "NIST AI RMF 1.0",
|
|
48
|
+
"control_id": "GV-1.6",
|
|
49
|
+
"control_name": "Policies for data privacy",
|
|
50
|
+
"tier": "Foundational",
|
|
51
|
+
"scope": "Both",
|
|
52
|
+
"notes": "Supply chain data governance — policies for third-party model and data provenance"
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
"framework": "NIST AI RMF 1.0",
|
|
56
|
+
"control_id": "MP-5.1",
|
|
57
|
+
"control_name": "Interdependencies",
|
|
58
|
+
"tier": "Foundational",
|
|
59
|
+
"scope": "Both",
|
|
60
|
+
"notes": "Mapping of all AI system dependencies including third-party models, datasets, and libraries"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"framework": "NIST AI RMF 1.0",
|
|
64
|
+
"control_id": "MS-2.5",
|
|
65
|
+
"control_name": "Testing and evaluation",
|
|
66
|
+
"tier": "Foundational",
|
|
67
|
+
"scope": "Both",
|
|
68
|
+
"notes": "Evaluation programme includes supply chain component integrity testing"
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
"framework": "NIST AI RMF 1.0",
|
|
72
|
+
"control_id": "MG-3.2",
|
|
73
|
+
"control_name": "Residual risk — third party",
|
|
74
|
+
"tier": "Foundational",
|
|
75
|
+
"scope": "Both",
|
|
76
|
+
"notes": "Residual risk from third-party components documented, monitored, and treated"
|
|
77
|
+
},
|
|
78
|
+
{
|
|
79
|
+
"framework": "EU AI Act",
|
|
80
|
+
"control_id": "Supply chain risks must be identified and mitigated in the risk management system",
|
|
81
|
+
"control_name": "Art. 9 — Risk management",
|
|
82
|
+
"tier": "Foundational",
|
|
83
|
+
"scope": "Both",
|
|
84
|
+
"notes": "Third-party component risks are in scope for Art. 9 risk management"
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
"framework": "EU AI Act",
|
|
88
|
+
"control_id": "Quality management must cover supply chain controls",
|
|
89
|
+
"control_name": "Art. 17 — Quality management",
|
|
90
|
+
"tier": "Foundational",
|
|
91
|
+
"scope": "Both",
|
|
92
|
+
"notes": "Documented supply chain security procedures required"
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
"framework": "EU AI Act",
|
|
96
|
+
"control_id": "Responsibilities distributed along the AI value chain between providers and deployers",
|
|
97
|
+
"control_name": "Art. 25 — Value chain responsibilities",
|
|
98
|
+
"tier": "Foundational",
|
|
99
|
+
"scope": "Both",
|
|
100
|
+
"notes": "Providers must document what deployers inherit — deployers must verify"
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"framework": "EU AI Act",
|
|
104
|
+
"control_id": "GPAI providers must document training data governance including third-party sources",
|
|
105
|
+
"control_name": "Art. 53(1)(a) — GPAI documentation",
|
|
106
|
+
"tier": "Foundational",
|
|
107
|
+
"scope": "Both",
|
|
108
|
+
"notes": "Third-party training data provenance is a GPAI documentation obligation"
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
"framework": "ISO/IEC 27001:2022",
|
|
112
|
+
"control_id": "A.5.19",
|
|
113
|
+
"control_name": "Supplier relationships",
|
|
114
|
+
"tier": "Foundational",
|
|
115
|
+
"scope": "Both",
|
|
116
|
+
"notes": "Security requirements applied to all LLM model and data vendors — provenance, integrity, disclosure obligations"
|
|
117
|
+
},
|
|
118
|
+
{
|
|
119
|
+
"framework": "ISO/IEC 27001:2022",
|
|
120
|
+
"control_id": "A.5.20",
|
|
121
|
+
"control_name": "Supplier agreements",
|
|
122
|
+
"tier": "Foundational",
|
|
123
|
+
"scope": "Both",
|
|
124
|
+
"notes": "Contractual security requirements for LLM component suppliers — integrity guarantees, vulnerability notification"
|
|
125
|
+
},
|
|
126
|
+
{
|
|
127
|
+
"framework": "ISO/IEC 27001:2022",
|
|
128
|
+
"control_id": "A.5.21",
|
|
129
|
+
"control_name": "Supply chain security",
|
|
130
|
+
"tier": "Foundational",
|
|
131
|
+
"scope": "Both",
|
|
132
|
+
"notes": "Managing ICT supply chain risks — LLM model and library supply chain explicitly in scope"
|
|
133
|
+
},
|
|
134
|
+
{
|
|
135
|
+
"framework": "ISO/IEC 27001:2022",
|
|
136
|
+
"control_id": "A.8.8",
|
|
137
|
+
"control_name": "Management of technical vulnerabilities",
|
|
138
|
+
"tier": "Foundational",
|
|
139
|
+
"scope": "Both",
|
|
140
|
+
"notes": "Scanning and patching LLM component vulnerabilities — model weights and inference runtime libraries"
|
|
141
|
+
},
|
|
142
|
+
{
|
|
143
|
+
"framework": "ISO/IEC 42001:2023",
|
|
144
|
+
"control_id": "A.10.1",
|
|
145
|
+
"control_name": "Third-party AI system acquisition",
|
|
146
|
+
"tier": "Foundational",
|
|
147
|
+
"scope": "Both",
|
|
148
|
+
"notes": "Security requirements applied to all LLM component vendors — model providers, dataset suppliers, inference runtime vendors"
|
|
149
|
+
},
|
|
150
|
+
{
|
|
151
|
+
"framework": "ISO/IEC 42001:2023",
|
|
152
|
+
"control_id": "A.10.2",
|
|
153
|
+
"control_name": "Customer relationships",
|
|
154
|
+
"tier": "Foundational",
|
|
155
|
+
"scope": "Both",
|
|
156
|
+
"notes": "LLM deployment obligations to downstream customers — what security properties are guaranteed"
|
|
157
|
+
},
|
|
158
|
+
{
|
|
159
|
+
"framework": "ISO/IEC 42001:2023",
|
|
160
|
+
"control_id": "A.6.1.2",
|
|
161
|
+
"control_name": "Responsible AI system management",
|
|
162
|
+
"tier": "Foundational",
|
|
163
|
+
"scope": "Both",
|
|
164
|
+
"notes": "LLM components managed responsibly through lifecycle — acquisition, testing, deployment, decommission"
|
|
165
|
+
},
|
|
166
|
+
{
|
|
167
|
+
"framework": "ISO/IEC 42001:2023",
|
|
168
|
+
"control_id": "A.7.2",
|
|
169
|
+
"control_name": "Data quality",
|
|
170
|
+
"tier": "Foundational",
|
|
171
|
+
"scope": "Both",
|
|
172
|
+
"notes": "Third-party training datasets assessed for quality — provenance, completeness, representativeness, security"
|
|
173
|
+
},
|
|
174
|
+
{
|
|
175
|
+
"framework": "CIS Controls v8.1",
|
|
176
|
+
"control_id": "2.1 Establish and maintain software asset inventory",
|
|
177
|
+
"control_name": "CIS 2 — Inventory and Control of Software Assets",
|
|
178
|
+
"tier": "Foundational",
|
|
179
|
+
"scope": "Both",
|
|
180
|
+
"notes": "ML SBOM maintained as part of software asset inventory — model versions, libraries, adapters"
|
|
181
|
+
},
|
|
182
|
+
{
|
|
183
|
+
"framework": "CIS Controls v8.1",
|
|
184
|
+
"control_id": "7.1 Establish vulnerability management process",
|
|
185
|
+
"control_name": "CIS 7 — Continuous Vulnerability Management",
|
|
186
|
+
"tier": "Foundational",
|
|
187
|
+
"scope": "Both",
|
|
188
|
+
"notes": "Vulnerability management process covers LLM component CVEs and dependency risks"
|
|
189
|
+
},
|
|
190
|
+
{
|
|
191
|
+
"framework": "CIS Controls v8.1",
|
|
192
|
+
"control_id": "16.6 Use only up-to-date and trusted third-party components",
|
|
193
|
+
"control_name": "CIS 16 — Application Software Security",
|
|
194
|
+
"tier": "Foundational",
|
|
195
|
+
"scope": "Both",
|
|
196
|
+
"notes": "Only approved, verified LLM components used in production — unsigned components rejected"
|
|
197
|
+
},
|
|
198
|
+
{
|
|
199
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
200
|
+
"control_id": "V10.2.1",
|
|
201
|
+
"control_name": "Verify third-party components are current and free from vulnerabilities",
|
|
202
|
+
"tier": "Foundational",
|
|
203
|
+
"scope": "Both",
|
|
204
|
+
"notes": "All LLM component libraries and dependencies scanned for CVEs — ML SBOM maintained"
|
|
205
|
+
},
|
|
206
|
+
{
|
|
207
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
208
|
+
"control_id": "V10.2.2",
|
|
209
|
+
"control_name": "Verify only minimal approved external libraries are used",
|
|
210
|
+
"tier": "Foundational",
|
|
211
|
+
"scope": "Both",
|
|
212
|
+
"notes": "Approved component list for LLM deployments — unsigned or unverified components rejected"
|
|
213
|
+
},
|
|
214
|
+
{
|
|
215
|
+
"framework": "OWASP ASVS 4.0.3",
|
|
216
|
+
"control_id": "V14.2.2",
|
|
217
|
+
"control_name": "Verify build pipelines include security checks",
|
|
218
|
+
"tier": "Foundational",
|
|
219
|
+
"scope": "Both",
|
|
220
|
+
"notes": "CI/CD pipeline for LLM components includes integrity verification and vulnerability scanning"
|
|
221
|
+
},
|
|
222
|
+
{
|
|
223
|
+
"framework": "ISA/IEC 62443",
|
|
224
|
+
"control_id": "SR 3.2",
|
|
225
|
+
"control_name": "Software and information integrity",
|
|
226
|
+
"tier": "Foundational",
|
|
227
|
+
"scope": "Both",
|
|
228
|
+
"notes": "Integrity verification of all LLM components before deployment in OT environment"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"framework": "ISA/IEC 62443",
|
|
232
|
+
"control_id": "SR 2.6",
|
|
233
|
+
"control_name": "Use control",
|
|
234
|
+
"tier": "Foundational",
|
|
235
|
+
"scope": "Both",
|
|
236
|
+
"notes": "Restrictions on software installation — only approved, verified LLM components permitted in OT zones"
|
|
237
|
+
},
|
|
238
|
+
{
|
|
239
|
+
"framework": "ISA/IEC 62443",
|
|
240
|
+
"control_id": "Supplier security requirements",
|
|
241
|
+
"control_name": "62443-2-4",
|
|
242
|
+
"tier": "Foundational",
|
|
243
|
+
"scope": "Both",
|
|
244
|
+
"notes": "Security requirements applied to all LLM vendors with access to OT environments"
|
|
245
|
+
},
|
|
246
|
+
{
|
|
247
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
248
|
+
"control_id": "Third-party software compromise as OT attack vector",
|
|
249
|
+
"control_name": "Section 5.5 — Supply chain threats",
|
|
250
|
+
"tier": "Foundational",
|
|
251
|
+
"scope": "Both",
|
|
252
|
+
"notes": "LLM model weights and plugins as supply chain risk components"
|
|
253
|
+
},
|
|
254
|
+
{
|
|
255
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
256
|
+
"control_id": "Supply chain risk treatment",
|
|
257
|
+
"control_name": "Section 6.3 — Risk response",
|
|
258
|
+
"tier": "Foundational",
|
|
259
|
+
"scope": "Both",
|
|
260
|
+
"notes": "ML SBOM and component integrity verification as supply chain controls"
|
|
261
|
+
},
|
|
262
|
+
{
|
|
263
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
264
|
+
"control_id": "OT supply chain risk management programme",
|
|
265
|
+
"control_name": "Section 8.4 — Supply chain programme",
|
|
266
|
+
"tier": "Foundational",
|
|
267
|
+
"scope": "Both",
|
|
268
|
+
"notes": "LLM vendors subject to same supply chain security requirements as OT software vendors"
|
|
269
|
+
},
|
|
270
|
+
{
|
|
271
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
272
|
+
"control_id": "Title",
|
|
273
|
+
"control_name": "Control",
|
|
274
|
+
"tier": "Foundational",
|
|
275
|
+
"scope": "Both",
|
|
276
|
+
"notes": "Application"
|
|
277
|
+
},
|
|
278
|
+
{
|
|
279
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
280
|
+
"control_id": "Supply Chain Protection",
|
|
281
|
+
"control_name": "SA-12",
|
|
282
|
+
"tier": "Foundational",
|
|
283
|
+
"scope": "Both",
|
|
284
|
+
"notes": "Security requirements applied to all LLM component vendors — provenance, integrity, vulnerability disclosure"
|
|
285
|
+
},
|
|
286
|
+
{
|
|
287
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
288
|
+
"control_id": "Supply Chain Controls and Plans",
|
|
289
|
+
"control_name": "SR-3",
|
|
290
|
+
"tier": "Foundational",
|
|
291
|
+
"scope": "Both",
|
|
292
|
+
"notes": "Documented supply chain security plan covering LLM components in OT deployment"
|
|
293
|
+
},
|
|
294
|
+
{
|
|
295
|
+
"framework": "NIST SP 800-82 Rev 3",
|
|
296
|
+
"control_id": "Supplier Assessments and Reviews",
|
|
297
|
+
"control_name": "SR-6",
|
|
298
|
+
"tier": "Foundational",
|
|
299
|
+
"scope": "Both",
|
|
300
|
+
"notes": "Periodic security assessment of LLM vendors with OT-deployed components"
|
|
301
|
+
},
|
|
302
|
+
{
|
|
303
|
+
"framework": "NIST CSF 2.0",
|
|
304
|
+
"control_id": "GV.SC-01",
|
|
305
|
+
"control_name": "Supply Chain Risk Management",
|
|
306
|
+
"tier": "Foundational",
|
|
307
|
+
"scope": "Both",
|
|
308
|
+
"notes": "Cybersecurity supply chain risk management programme — LLM component vendors in scope"
|
|
309
|
+
},
|
|
310
|
+
{
|
|
311
|
+
"framework": "NIST CSF 2.0",
|
|
312
|
+
"control_id": "GV.SC-06",
|
|
313
|
+
"control_name": "Supply Chain Risk Management",
|
|
314
|
+
"tier": "Foundational",
|
|
315
|
+
"scope": "Both",
|
|
316
|
+
"notes": "Cybersecurity requirements included in contracts with suppliers — LLM model and data vendors"
|
|
317
|
+
},
|
|
318
|
+
{
|
|
319
|
+
"framework": "NIST CSF 2.0",
|
|
320
|
+
"control_id": "ID.AM-08",
|
|
321
|
+
"control_name": "Asset Management",
|
|
322
|
+
"tier": "Foundational",
|
|
323
|
+
"scope": "Both",
|
|
324
|
+
"notes": "Systems and hardware managed — ML SBOM as asset inventory for LLM components"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"framework": "NIST CSF 2.0",
|
|
328
|
+
"control_id": "PR.PS-02",
|
|
329
|
+
"control_name": "Platform Security",
|
|
330
|
+
"tier": "Foundational",
|
|
331
|
+
"scope": "Both",
|
|
332
|
+
"notes": "Software managed to reduce risk — LLM component vulnerability management and patching"
|
|
333
|
+
},
|
|
334
|
+
{
|
|
335
|
+
"framework": "SOC 2",
|
|
336
|
+
"control_id": "LLM component vendors assessed before use — security questionnaires, SOC 2 reports reviewed, ongoing monitoring",
|
|
337
|
+
"control_name": "CC9.1 — Vendor risk management",
|
|
338
|
+
"tier": "Foundational",
|
|
339
|
+
"scope": "Both"
|
|
340
|
+
},
|
|
341
|
+
{
|
|
342
|
+
"framework": "SOC 2",
|
|
343
|
+
"control_id": "Contractual security obligations for LLM vendors — data handling, vulnerability disclosure, incident notification",
|
|
344
|
+
"control_name": "CC9.2 — Vendor agreements",
|
|
345
|
+
"tier": "Foundational",
|
|
346
|
+
"scope": "Both"
|
|
347
|
+
},
|
|
348
|
+
{
|
|
349
|
+
"framework": "SOC 2",
|
|
350
|
+
"control_id": "LLM model updates and component changes managed through change management — approval, testing, rollback",
|
|
351
|
+
"control_name": "CC8.1 — Change management",
|
|
352
|
+
"tier": "Foundational",
|
|
353
|
+
"scope": "Both"
|
|
354
|
+
},
|
|
355
|
+
{
|
|
356
|
+
"framework": "SOC 2",
|
|
357
|
+
"control_id": "Supply chain attack vectors identified in LLM risk assessment — training data sources, model providers, plugin vendors",
|
|
358
|
+
"control_name": "CC3.2 — Risk assessment",
|
|
359
|
+
"tier": "Foundational",
|
|
360
|
+
"scope": "Both"
|
|
361
|
+
},
|
|
362
|
+
{
|
|
363
|
+
"framework": "PCI DSS v4.0",
|
|
364
|
+
"control_id": "Req 12.8.1",
|
|
365
|
+
"control_name": "Third-party service providers",
|
|
366
|
+
"tier": "Foundational",
|
|
367
|
+
"scope": "Both",
|
|
368
|
+
"notes": "List of all TPSPs maintained — LLM component vendors with CDE access or data in scope"
|
|
369
|
+
},
|
|
370
|
+
{
|
|
371
|
+
"framework": "PCI DSS v4.0",
|
|
372
|
+
"control_id": "Req 12.8.3",
|
|
373
|
+
"control_name": "TPSP agreements",
|
|
374
|
+
"tier": "Foundational",
|
|
375
|
+
"scope": "Both",
|
|
376
|
+
"notes": "Written agreements with LLM vendors — acknowledge responsibility for CHD security"
|
|
377
|
+
},
|
|
378
|
+
{
|
|
379
|
+
"framework": "PCI DSS v4.0",
|
|
380
|
+
"control_id": "Req 12.8.4",
|
|
381
|
+
"control_name": "TPSP PCI DSS compliance",
|
|
382
|
+
"tier": "Foundational",
|
|
383
|
+
"scope": "Both",
|
|
384
|
+
"notes": "Monitor TPSP PCI DSS compliance status — LLM component vendors with CHD access have compliant status verified"
|
|
385
|
+
},
|
|
386
|
+
{
|
|
387
|
+
"framework": "PCI DSS v4.0",
|
|
388
|
+
"control_id": "Req 6.3.3",
|
|
389
|
+
"control_name": "Security vulnerabilities",
|
|
390
|
+
"tier": "Foundational",
|
|
391
|
+
"scope": "Both",
|
|
392
|
+
"notes": "All LLM software components at latest security patches — ML libraries and inference runtime patched"
|
|
393
|
+
},
|
|
394
|
+
{
|
|
395
|
+
"framework": "PCI DSS v4.0",
|
|
396
|
+
"control_id": "Req 6.5.1",
|
|
397
|
+
"control_name": "Secure system changes",
|
|
398
|
+
"tier": "Foundational",
|
|
399
|
+
"scope": "Both",
|
|
400
|
+
"notes": "Model component updates follow change management — security testing before production"
|
|
401
|
+
},
|
|
402
|
+
{
|
|
403
|
+
"framework": "ENISA Multilayer Framework",
|
|
404
|
+
"control_id": "SCS",
|
|
405
|
+
"control_name": "Supply Chain Security",
|
|
406
|
+
"tier": "Foundational",
|
|
407
|
+
"scope": "Both",
|
|
408
|
+
"notes": "LLM component vendors assessed — model providers, dataset vendors, inference runtime suppliers subject to SCS practices"
|
|
409
|
+
},
|
|
410
|
+
{
|
|
411
|
+
"framework": "ENISA Multilayer Framework",
|
|
412
|
+
"control_id": "L2",
|
|
413
|
+
"control_name": "Data and Model Security (DMS)",
|
|
414
|
+
"tier": "Foundational",
|
|
415
|
+
"scope": "Both",
|
|
416
|
+
"notes": "Model weight integrity verification — cryptographic signatures, hash-based baseline"
|
|
417
|
+
},
|
|
418
|
+
{
|
|
419
|
+
"framework": "ENISA Multilayer Framework",
|
|
420
|
+
"control_id": "L2",
|
|
421
|
+
"control_name": "Governance and Risk (GOV)",
|
|
422
|
+
"tier": "Foundational",
|
|
423
|
+
"scope": "Both",
|
|
424
|
+
"notes": "Vendor risk management extended to AI component suppliers — contractual security obligations"
|
|
425
|
+
},
|
|
426
|
+
{
|
|
427
|
+
"framework": "ENISA Multilayer Framework",
|
|
428
|
+
"control_id": "L1",
|
|
429
|
+
"control_name": "General ICT — Supply Chain",
|
|
430
|
+
"tier": "Foundational",
|
|
431
|
+
"scope": "Both",
|
|
432
|
+
"notes": "ML SBOM as software asset inventory — all LLM components inventoried, CVEs monitored"
|
|
433
|
+
},
|
|
434
|
+
{
|
|
435
|
+
"framework": "OWASP SAMM v2.0",
|
|
436
|
+
"control_id": "G-PC",
|
|
437
|
+
"control_name": "Policy & Compliance",
|
|
438
|
+
"tier": "Foundational",
|
|
439
|
+
"scope": "Both",
|
|
440
|
+
"notes": "Supply chain security policy covers LLM component vendors — security requirements in procurement"
|
|
441
|
+
},
|
|
442
|
+
{
|
|
443
|
+
"framework": "OWASP SAMM v2.0",
|
|
444
|
+
"control_id": "I-SB",
|
|
445
|
+
"control_name": "Secure Build",
|
|
446
|
+
"tier": "Foundational",
|
|
447
|
+
"scope": "Both",
|
|
448
|
+
"notes": "ML SBOM maintained, CVE scanning in CI/CD — LLM components verified before each deployment"
|
|
449
|
+
},
|
|
450
|
+
{
|
|
451
|
+
"framework": "OWASP SAMM v2.0",
|
|
452
|
+
"control_id": "V-AA",
|
|
453
|
+
"control_name": "Architecture Assessment",
|
|
454
|
+
"tier": "Foundational",
|
|
455
|
+
"scope": "Both",
|
|
456
|
+
"notes": "LLM supply chain architecture reviewed — trust boundaries and component integrity verified"
|
|
457
|
+
},
|
|
458
|
+
{
|
|
459
|
+
"framework": "STRIDE",
|
|
460
|
+
"control_id": "S",
|
|
461
|
+
"control_name": "Component Spoofing",
|
|
462
|
+
"tier": "Foundational",
|
|
463
|
+
"scope": "Both"
|
|
464
|
+
},
|
|
465
|
+
{
|
|
466
|
+
"framework": "STRIDE",
|
|
467
|
+
"control_id": "T",
|
|
468
|
+
"control_name": "Supply Chain Tampering",
|
|
469
|
+
"tier": "Foundational",
|
|
470
|
+
"scope": "Both"
|
|
471
|
+
},
|
|
472
|
+
{
|
|
473
|
+
"framework": "STRIDE",
|
|
474
|
+
"control_id": "E",
|
|
475
|
+
"control_name": "Escalation via Trusted Component",
|
|
476
|
+
"tier": "Foundational",
|
|
477
|
+
"scope": "Both"
|
|
478
|
+
},
|
|
479
|
+
{
|
|
480
|
+
"framework": "CWE/CVE",
|
|
481
|
+
"control_id": "CWE-494",
|
|
482
|
+
"control_name": "CWE-494",
|
|
483
|
+
"tier": "Foundational",
|
|
484
|
+
"scope": "Both",
|
|
485
|
+
"url": "https://cwe.mitre.org/data/definitions/494.html"
|
|
486
|
+
},
|
|
487
|
+
{
|
|
488
|
+
"framework": "CWE/CVE",
|
|
489
|
+
"control_id": "CWE-345",
|
|
490
|
+
"control_name": "CWE-345",
|
|
491
|
+
"tier": "Foundational",
|
|
492
|
+
"scope": "Both",
|
|
493
|
+
"url": "https://cwe.mitre.org/data/definitions/345.html"
|
|
494
|
+
},
|
|
495
|
+
{
|
|
496
|
+
"framework": "CWE/CVE",
|
|
497
|
+
"control_id": "CWE-1357",
|
|
498
|
+
"control_name": "CWE-1357",
|
|
499
|
+
"tier": "Foundational",
|
|
500
|
+
"scope": "Both",
|
|
501
|
+
"url": "https://cwe.mitre.org/data/definitions/1357.html"
|
|
502
|
+
},
|
|
503
|
+
{
|
|
504
|
+
"framework": "OWASP AI Testing Guide",
|
|
505
|
+
"control_id": "Component integrity verification",
|
|
506
|
+
"control_name": "SCT — Supply Chain",
|
|
507
|
+
"tier": "Foundational",
|
|
508
|
+
"scope": "Both",
|
|
509
|
+
"notes": "Verify cryptographic integrity of model weights, adapters, and libraries; test that procurement pipeline rejects tampered components"
|
|
510
|
+
},
|
|
511
|
+
{
|
|
512
|
+
"framework": "OWASP AI Testing Guide",
|
|
513
|
+
"control_id": "Backdoor behaviour detection",
|
|
514
|
+
"control_name": "MBT — Model Behaviour",
|
|
515
|
+
"tier": "Foundational",
|
|
516
|
+
"scope": "Both",
|
|
517
|
+
"notes": "Test model with trigger inputs across all deployment configurations to detect backdoors introduced through supply chain"
|
|
518
|
+
},
|
|
519
|
+
{
|
|
520
|
+
"framework": "OWASP AI Testing Guide",
|
|
521
|
+
"control_id": "Plugin and tool descriptor integrity",
|
|
522
|
+
"control_name": "AST — Agent-Specific",
|
|
523
|
+
"tier": "Foundational",
|
|
524
|
+
"scope": "Both",
|
|
525
|
+
"notes": "Verify plugin descriptors and tool registries have not been tampered with; test that integrity checks reject modified components"
|
|
526
|
+
},
|
|
527
|
+
{
|
|
528
|
+
"framework": "MAESTRO",
|
|
529
|
+
"control_id": "L3",
|
|
530
|
+
"control_name": "Agent Frameworks",
|
|
531
|
+
"tier": "Foundational",
|
|
532
|
+
"scope": "Both"
|
|
533
|
+
},
|
|
534
|
+
{
|
|
535
|
+
"framework": "MAESTRO",
|
|
536
|
+
"control_id": "L4",
|
|
537
|
+
"control_name": "Deployment & Infrastructure",
|
|
538
|
+
"tier": "Foundational",
|
|
539
|
+
"scope": "Both"
|
|
540
|
+
},
|
|
541
|
+
{
|
|
542
|
+
"framework": "MAESTRO",
|
|
543
|
+
"control_id": "L2",
|
|
544
|
+
"control_name": "Data Operations",
|
|
545
|
+
"tier": "Foundational",
|
|
546
|
+
"scope": "Both"
|
|
547
|
+
},
|
|
548
|
+
{
|
|
549
|
+
"framework": "AIUC-1",
|
|
550
|
+
"control_id": "B001",
|
|
551
|
+
"control_name": "Third-party adversarial robustness testing",
|
|
552
|
+
"tier": "Foundational",
|
|
553
|
+
"scope": "Both",
|
|
554
|
+
"notes": "Foundational"
|
|
555
|
+
},
|
|
556
|
+
{
|
|
557
|
+
"framework": "AIUC-1",
|
|
558
|
+
"control_id": "B003",
|
|
559
|
+
"control_name": "Third-party security assessment",
|
|
560
|
+
"tier": "Foundational",
|
|
561
|
+
"scope": "Both",
|
|
562
|
+
"notes": "Hardening"
|
|
563
|
+
},
|
|
564
|
+
{
|
|
565
|
+
"framework": "AIUC-1",
|
|
566
|
+
"control_id": "B008",
|
|
567
|
+
"control_name": "Third-party NHI controls",
|
|
568
|
+
"tier": "Foundational",
|
|
569
|
+
"scope": "Both",
|
|
570
|
+
"notes": "Hardening"
|
|
571
|
+
},
|
|
572
|
+
{
|
|
573
|
+
"framework": "AIUC-1",
|
|
574
|
+
"control_id": "A",
|
|
575
|
+
"control_name": "Data & Privacy supply chain controls",
|
|
576
|
+
"tier": "Foundational",
|
|
577
|
+
"scope": "Both",
|
|
578
|
+
"notes": "Foundational"
|
|
579
|
+
},
|
|
580
|
+
{
|
|
581
|
+
"framework": "OWASP NHI Top 10",
|
|
582
|
+
"control_id": "Third-party plugin tokens with excessive permissions",
|
|
583
|
+
"control_name": "NHI-3 Vulnerable Third-Party NHI",
|
|
584
|
+
"tier": "Foundational",
|
|
585
|
+
"scope": "Both",
|
|
586
|
+
"notes": "Review all third-party credentials; apply minimum scope"
|
|
587
|
+
},
|
|
588
|
+
{
|
|
589
|
+
"framework": "OWASP NHI Top 10",
|
|
590
|
+
"control_id": "Third-party dev/staging credentials used in production",
|
|
591
|
+
"control_name": "NHI-8 Environment Isolation Failure",
|
|
592
|
+
"tier": "Foundational",
|
|
593
|
+
"scope": "Both",
|
|
594
|
+
"notes": "Enforce environment isolation for all third-party integrations"
|
|
595
|
+
},
|
|
596
|
+
{
|
|
597
|
+
"framework": "OWASP NHI Top 10",
|
|
598
|
+
"control_id": "Third-party component credentials exposed in shared config",
|
|
599
|
+
"control_name": "NHI-2 Secret Leakage",
|
|
600
|
+
"tier": "Foundational",
|
|
601
|
+
"scope": "Both",
|
|
602
|
+
"notes": "Separate credential stores per third-party component"
|
|
603
|
+
},
|
|
604
|
+
{
|
|
605
|
+
"framework": "NIST SP 800-218A",
|
|
606
|
+
"control_id": "PS.1.1-PS",
|
|
607
|
+
"control_name": "Protect all code from unauthorised access — training data and pipelines",
|
|
608
|
+
"tier": "Foundational",
|
|
609
|
+
"scope": "Both",
|
|
610
|
+
"notes": "Protect training data repositories, fine-tuning datasets, and ML pipeline code from unauthorised read, write, and modification"
|
|
611
|
+
},
|
|
612
|
+
{
|
|
613
|
+
"framework": "NIST SP 800-218A",
|
|
614
|
+
"control_id": "PS.3.1-PS",
|
|
615
|
+
"control_name": "Archive and protect software releases — model versioning",
|
|
616
|
+
"tier": "Foundational",
|
|
617
|
+
"scope": "Both",
|
|
618
|
+
"notes": "Maintain versioned, integrity-verified training data snapshots and model checkpoints in a secure model registry; enable rollback"
|
|
619
|
+
},
|
|
620
|
+
{
|
|
621
|
+
"framework": "NIST SP 800-218A",
|
|
622
|
+
"control_id": "PW.4.1-PS",
|
|
623
|
+
"control_name": "Reuse existing well-secured software — dataset vetting",
|
|
624
|
+
"tier": "Foundational",
|
|
625
|
+
"scope": "Both",
|
|
626
|
+
"notes": "Vet all third-party and external training datasets for provenance, integrity, and potential poisoning before use in any training run"
|
|
627
|
+
},
|
|
628
|
+
{
|
|
629
|
+
"framework": "NIST SP 800-218A",
|
|
630
|
+
"control_id": "RV.3.1-PS",
|
|
631
|
+
"control_name": "Analyse root causes — training data forensics",
|
|
632
|
+
"tier": "Foundational",
|
|
633
|
+
"scope": "Both",
|
|
634
|
+
"notes": "When poisoning is detected, conduct training data analysis to identify the poisoned records, their source, and the blast radius"
|
|
635
|
+
},
|
|
636
|
+
{
|
|
637
|
+
"framework": "FedRAMP",
|
|
638
|
+
"control_id": "SR-2",
|
|
639
|
+
"control_name": "Supply Chain Risk Management Plan — AI data sources",
|
|
640
|
+
"tier": "Foundational",
|
|
641
|
+
"scope": "Both",
|
|
642
|
+
"notes": "Include AI training data sources, fine-tuning datasets, and pre-trained model weights in the supply chain risk management plan; document provenance and risk assessment for each"
|
|
643
|
+
},
|
|
644
|
+
{
|
|
645
|
+
"framework": "FedRAMP",
|
|
646
|
+
"control_id": "SR-3",
|
|
647
|
+
"control_name": "Supply Chain Controls and Processes — model provenance",
|
|
648
|
+
"tier": "Foundational",
|
|
649
|
+
"scope": "Both",
|
|
650
|
+
"notes": "Implement supply chain controls for AI model components — verify integrity, provenance, and authenticity of all training data and model weights before use"
|
|
651
|
+
},
|
|
652
|
+
{
|
|
653
|
+
"framework": "FedRAMP",
|
|
654
|
+
"control_id": "SI-3",
|
|
655
|
+
"control_name": "Malicious Code Protection — training pipeline integrity",
|
|
656
|
+
"tier": "Foundational",
|
|
657
|
+
"scope": "Both",
|
|
658
|
+
"notes": "Extend malicious code protection to training data pipelines; detect and block poisoned data, anomalous labels, and backdoor triggers"
|
|
659
|
+
},
|
|
660
|
+
{
|
|
661
|
+
"framework": "FedRAMP",
|
|
662
|
+
"control_id": "CM-3",
|
|
663
|
+
"control_name": "Configuration Change Control — model update governance",
|
|
664
|
+
"tier": "Foundational",
|
|
665
|
+
"scope": "Both",
|
|
666
|
+
"notes": "Require formal change control for all model updates, fine-tuning runs, and training data changes; maintain audit trail of all modifications"
|
|
667
|
+
},
|
|
668
|
+
{
|
|
669
|
+
"framework": "DORA",
|
|
670
|
+
"control_id": "Art. 28–44",
|
|
671
|
+
"control_name": "Third-Party Risk — AI data and model provider oversight",
|
|
672
|
+
"tier": "Foundational",
|
|
673
|
+
"scope": "Both",
|
|
674
|
+
"notes": "Include AI model providers and training data vendors in third-party ICT risk oversight; assess data provenance, integrity, and poisoning risk"
|
|
675
|
+
},
|
|
676
|
+
{
|
|
677
|
+
"framework": "DORA",
|
|
678
|
+
"control_id": "Art. 9",
|
|
679
|
+
"control_name": "Protection and Prevention — training pipeline integrity",
|
|
680
|
+
"tier": "Foundational",
|
|
681
|
+
"scope": "Both",
|
|
682
|
+
"notes": "Implement security controls protecting training data pipelines from unauthorised modification, poisoned data injection, and backdoor embedding"
|
|
683
|
+
},
|
|
684
|
+
{
|
|
685
|
+
"framework": "DORA",
|
|
686
|
+
"control_id": "Art. 8",
|
|
687
|
+
"control_name": "Identification — AI training data assets",
|
|
688
|
+
"tier": "Foundational",
|
|
689
|
+
"scope": "Both",
|
|
690
|
+
"notes": "Identify and classify all AI training datasets, fine-tuning data, and model weights as ICT assets in the asset inventory"
|
|
691
|
+
},
|
|
692
|
+
{
|
|
693
|
+
"framework": "DORA",
|
|
694
|
+
"control_id": "Art. 13",
|
|
695
|
+
"control_name": "Learning and Evolving — poisoning post-mortem",
|
|
696
|
+
"tier": "Foundational",
|
|
697
|
+
"scope": "Both",
|
|
698
|
+
"notes": "Conduct post-incident analysis for data poisoning events; identify root cause, trace poisoned records, and update protection controls"
|
|
699
|
+
}
|
|
700
|
+
],
|
|
701
|
+
"tools": [
|
|
702
|
+
{
|
|
703
|
+
"name": "CycloneDX",
|
|
704
|
+
"type": "open-source",
|
|
705
|
+
"url": "https://cyclonedx.org"
|
|
706
|
+
},
|
|
707
|
+
{
|
|
708
|
+
"name": "OWASP Dependency-Check",
|
|
709
|
+
"type": "open-source",
|
|
710
|
+
"url": "https://owasp.org/www-project-dependency-check/"
|
|
711
|
+
},
|
|
712
|
+
{
|
|
713
|
+
"name": "ModelScan",
|
|
714
|
+
"type": "open-source",
|
|
715
|
+
"url": "https://github.com/protectai/modelscan"
|
|
716
|
+
},
|
|
717
|
+
{
|
|
718
|
+
"name": "Snyk",
|
|
719
|
+
"type": "commercial",
|
|
720
|
+
"url": "https://snyk.io"
|
|
721
|
+
},
|
|
722
|
+
{
|
|
723
|
+
"name": "Grype",
|
|
724
|
+
"type": "open-source",
|
|
725
|
+
"url": "https://github.com/anchore/grype"
|
|
726
|
+
},
|
|
727
|
+
{
|
|
728
|
+
"name": "Syft",
|
|
729
|
+
"type": "open-source",
|
|
730
|
+
"url": "https://github.com/anchore/syft"
|
|
731
|
+
},
|
|
732
|
+
{
|
|
733
|
+
"name": "Garak",
|
|
734
|
+
"type": "open-source",
|
|
735
|
+
"url": "https://github.com/leondz/garak"
|
|
736
|
+
},
|
|
737
|
+
{
|
|
738
|
+
"name": "IBM Adversarial Robustness Toolbox",
|
|
739
|
+
"type": "open-source",
|
|
740
|
+
"url": "https://github.com/Trusted-AI/adversarial-robustness-toolbox"
|
|
741
|
+
},
|
|
742
|
+
{
|
|
743
|
+
"name": "CleanLab",
|
|
744
|
+
"type": "open-source",
|
|
745
|
+
"url": "https://github.com/cleanlab/cleanlab"
|
|
746
|
+
},
|
|
747
|
+
{
|
|
748
|
+
"name": "Great Expectations",
|
|
749
|
+
"type": "open-source",
|
|
750
|
+
"url": "https://greatexpectations.io"
|
|
751
|
+
},
|
|
752
|
+
{
|
|
753
|
+
"name": "Sigstore",
|
|
754
|
+
"type": "open-source",
|
|
755
|
+
"url": "https://www.sigstore.dev"
|
|
756
|
+
},
|
|
757
|
+
{
|
|
758
|
+
"name": "Counterfit",
|
|
759
|
+
"url": "https://github.com/Azure/counterfit",
|
|
760
|
+
"type": "open-source"
|
|
761
|
+
},
|
|
762
|
+
{
|
|
763
|
+
"name": "WhyLogs",
|
|
764
|
+
"url": "https://github.com/whylabs/whylogs",
|
|
765
|
+
"type": "open-source"
|
|
766
|
+
}
|
|
767
|
+
],
|
|
768
|
+
"incidents": [
|
|
769
|
+
{
|
|
770
|
+
"name": "Hugging Face model repository pickle-based malware supply chain",
|
|
771
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
772
|
+
"year": 2024,
|
|
773
|
+
"incident_id": "INC-009"
|
|
774
|
+
},
|
|
775
|
+
{
|
|
776
|
+
"name": "Hugging Face model card supply chain manipulation",
|
|
777
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
778
|
+
"year": 2025,
|
|
779
|
+
"incident_id": "INC-038"
|
|
780
|
+
},
|
|
781
|
+
{
|
|
782
|
+
"name": "Scale AI / Sama contractor data exposure — third-party AI labeling workforce privacy violations",
|
|
783
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
784
|
+
"year": 2024,
|
|
785
|
+
"incident_id": "INC-044"
|
|
786
|
+
},
|
|
787
|
+
{
|
|
788
|
+
"name": "Stability AI synthetic CSAM generation — training data and output safety failures",
|
|
789
|
+
"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
|
|
790
|
+
"year": 2024,
|
|
791
|
+
"incident_id": "INC-049"
|
|
792
|
+
}
|
|
793
|
+
],
|
|
794
|
+
"crossrefs": {
|
|
795
|
+
"agentic_top10": [
|
|
796
|
+
"ASI04",
|
|
797
|
+
"ASI07",
|
|
798
|
+
"ASI06"
|
|
799
|
+
],
|
|
800
|
+
"dsgai_2026": [
|
|
801
|
+
"DSGAI04",
|
|
802
|
+
"DSGAI03",
|
|
803
|
+
"DSGAI06",
|
|
804
|
+
"DSGAI16",
|
|
805
|
+
"DSGAI17",
|
|
806
|
+
"DSGAI05"
|
|
807
|
+
]
|
|
808
|
+
},
|
|
809
|
+
"changelog": [
|
|
810
|
+
{
|
|
811
|
+
"date": "2026-03-27",
|
|
812
|
+
"version": "1.0.0",
|
|
813
|
+
"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
|
|
814
|
+
"author": "emmanuelgjr"
|
|
815
|
+
}
|
|
816
|
+
]
|
|
817
|
+
}
|