genai-security-crosswalk 2.0.0
- package/LICENSE.md +28 -0
- package/README.md +618 -0
- package/data/entries/ASI01.json +911 -0
- package/data/entries/ASI02.json +850 -0
- package/data/entries/ASI03.json +854 -0
- package/data/entries/ASI04.json +759 -0
- package/data/entries/ASI05.json +764 -0
- package/data/entries/ASI06.json +817 -0
- package/data/entries/ASI07.json +789 -0
- package/data/entries/ASI08.json +788 -0
- package/data/entries/ASI09.json +754 -0
- package/data/entries/ASI10.json +833 -0
- package/data/entries/DSGAI01.json +779 -0
- package/data/entries/DSGAI02.json +728 -0
- package/data/entries/DSGAI03.json +671 -0
- package/data/entries/DSGAI04.json +752 -0
- package/data/entries/DSGAI05.json +689 -0
- package/data/entries/DSGAI06.json +673 -0
- package/data/entries/DSGAI07.json +680 -0
- package/data/entries/DSGAI08.json +698 -0
- package/data/entries/DSGAI09.json +687 -0
- package/data/entries/DSGAI10.json +627 -0
- package/data/entries/DSGAI11.json +663 -0
- package/data/entries/DSGAI12.json +695 -0
- package/data/entries/DSGAI13.json +688 -0
- package/data/entries/DSGAI14.json +703 -0
- package/data/entries/DSGAI15.json +655 -0
- package/data/entries/DSGAI16.json +716 -0
- package/data/entries/DSGAI17.json +690 -0
- package/data/entries/DSGAI18.json +613 -0
- package/data/entries/DSGAI19.json +638 -0
- package/data/entries/DSGAI20.json +671 -0
- package/data/entries/DSGAI21.json +881 -0
- package/data/entries/LLM01.json +975 -0
- package/data/entries/LLM02.json +868 -0
- package/data/entries/LLM03.json +817 -0
- package/data/entries/LLM04.json +797 -0
- package/data/entries/LLM05.json +761 -0
- package/data/entries/LLM06.json +848 -0
- package/data/entries/LLM07.json +749 -0
- package/data/entries/LLM08.json +750 -0
- package/data/entries/LLM09.json +760 -0
- package/data/entries/LLM10.json +763 -0
- package/data/incidents-schema.json +121 -0
- package/data/incidents.json +1484 -0
- package/data/schema.json +134 -0
- package/dist/index.d.ts +97 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +124 -0
- package/dist/index.js.map +1 -0
- package/dist/index.test.d.ts +2 -0
- package/dist/index.test.d.ts.map +1 -0
- package/dist/index.test.js +97 -0
- package/dist/index.test.js.map +1 -0
- package/package.json +62 -0
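--- a/package/data/entries/ASI04.json
+++ b/package/data/entries/ASI04.json
@@ -0,0 +1,759 @@
+{
+"id": "ASI04",
+"name": "Agentic Supply Chain",
+"source_list": "Agentic-Top10-2026",
+"version": "2026-Q1",
+"severity": "High",
+"aivss_score": 8.4,
+"audience": [
+"red-teamer",
+"security-engineer",
+"ml-engineer",
+"ot-engineer",
+"ciso",
+"compliance",
+"auditor",
+"developer"
+],
+"mappings": [
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0056",
+"control_name": "Adversarial Model Manipulation",
+"tier": "Hardening",
+"scope": "Both",
+"url": "https://atlas.mitre.org/techniques/AML.T0056",
+"notes": "Tampering with model weights or tool components loaded by agent at runtime"
+},
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0048",
+"control_name": "Model Contamination",
+"tier": "Hardening",
+"scope": "Both",
+"url": "https://atlas.mitre.org/techniques/AML.T0048",
+"notes": "Persistent malicious behaviour introduced through dynamically loaded agent components"
+},
+{
+"framework": "MITRE ATLAS",
+"control_id": "AML.T0010",
+"control_name": "Backdoor ML Model",
+"tier": "Hardening",
+"scope": "Both",
+"url": "https://atlas.mitre.org/techniques/AML.T0010",
+"notes": "Trigger-based backdoors in MCP servers, prompt templates, or model adapters"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "GV-1.6",
+"control_name": "Policies for data privacy",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Supply chain governance policy — approved sources for agent tools, MCP servers, and model components"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MP-5.1",
+"control_name": "Interdependencies",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All agent supply chain components mapped — dynamic tool loading inventoried, approved before use"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MS-2.5",
+"control_name": "Testing — adversarial",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Supply chain integrity testing — signature verification, descriptor review, backdoor scanning"
+},
+{
+"framework": "NIST AI RMF 1.0",
+"control_id": "MG-3.2",
+"control_name": "Residual risk",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Residual supply chain risk documented and treated — third-party component risks in AI risk register"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Supply chain risks identified and mitigated",
+"control_name": "Art. 9 — Risk management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All agent components in Art. 9 risk management — dynamic runtime components explicitly in scope"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Quality management includes supply chain controls",
+"control_name": "Art. 17 — Quality management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Documented supply chain security procedures — component verification, change management"
+},
+{
+"framework": "EU AI Act",
+"control_id": "Providers document obligations; deployers verify",
+"control_name": "Art. 25 — Value chain responsibilities",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent tool and MCP server supply chain obligations distributed along value chain"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.5.19",
+"control_name": "Supplier relationships",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Security requirements applied to all agent tool and MCP server providers — provenance, integrity, disclosure obligations"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.5.20",
+"control_name": "Supplier agreements",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Contractual security requirements for all agent component suppliers — integrity guarantees, vulnerability notification SLA"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.5.21",
+"control_name": "Supply chain security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Managing ICT supply chain risks — agent tool and MCP server ecosystem explicitly in scope"
+},
+{
+"framework": "ISO/IEC 27001:2022",
+"control_id": "A.8.8",
+"control_name": "Management of technical vulnerabilities",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent component CVEs in vulnerability management — ML libraries, inference runtime, MCP server dependencies"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "A.10.1",
+"control_name": "Third-party AI system acquisition",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All agent tool and MCP server providers assessed — security obligations, integrity guarantees, disclosure SLA in contracts"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "A.10.2",
+"control_name": "Customer relationships",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Obligations to downstream consumers of agentic systems — what supply chain security is guaranteed"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "A.6.2.3",
+"control_name": "AI system security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Component integrity verification as AIMS security design requirement — cryptographic signatures before loading"
+},
+{
+"framework": "ISO/IEC 42001:2023",
+"control_id": "A.7.2",
+"control_name": "Data quality",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Training data from third-party sources assessed — same data quality criteria as internal data"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "2.1 Establish and maintain software inventory",
+"control_name": "CIS 2 — Inventory and Control of Software Assets",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "ML SBOM as software asset inventory — all agent components (tools, MCP servers, models, libraries)"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "7.1 Establish vulnerability management process",
+"control_name": "CIS 7 — Continuous Vulnerability Management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent component CVEs in vulnerability management — urgent patching for code execution risks"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "16.6 Use only up-to-date and trusted third-party components",
+"control_name": "CIS 16 — Application Software Security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Approved component list — only sourced from approved vendors, signatures verified"
+},
+{
+"framework": "CIS Controls v8.1",
+"control_id": "15.1 Establish service provider management process",
+"control_name": "CIS 15 — Service Provider Management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent tool and MCP providers managed as service providers — security assessment before onboarding"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V10.2.1",
+"control_name": "Verify third-party components current and free of vulnerabilities",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "All agent component libraries scanned for CVEs — ML SBOM maintained and monitored"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V10.2.2",
+"control_name": "Verify only minimal approved external libraries",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Approved component list — unsigned or unverified agent components rejected"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V14.2.2",
+"control_name": "Verify build pipelines include security checks",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "CI/CD pipeline for agent components includes integrity verification and CVE scanning"
+},
+{
+"framework": "OWASP ASVS 4.0.3",
+"control_id": "V1.1.2",
+"control_name": "Verify threat model covers all data flows",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Supply chain threat model documents all agent component sources and trust levels"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 3.2",
+"control_name": "Software and information integrity",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Integrity verification of all agent tools and MCP components before OT deployment"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 2.6",
+"control_name": "Use control",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Only approved, verified agent components permitted in OT zones — no runtime loading of unapproved tools"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "Supplier security requirements",
+"control_name": "62443-2-4",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Security requirements applied to all agent tool and MCP server vendors with OT access"
+},
+{
+"framework": "ISA/IEC 62443",
+"control_id": "SR 3.2",
+"control_name": "Software and information integrity (change)",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent component updates subject to OT change management — no automatic updates in production"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "ICS vulnerabilities",
+"control_name": "§5.3",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Lateral movement between control systems"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Risk assessment",
+"control_name": "§6.2",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Assess inter-agent trust as OT risk"
+},
+{
+"framework": "NIST SP 800-82 Rev 3",
+"control_id": "Security controls",
+"control_name": "§7.2",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Authenticate all automated system-to-system communications"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "GV.SC-01",
+"control_name": "Supply Chain Risk Management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Cybersecurity supply chain risk management programme — all agent component vendors in scope"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "GV.SC-06",
+"control_name": "Supply Chain Risk Management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Cybersecurity requirements in supplier contracts — integrity guarantees, vulnerability disclosure SLA"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "ID.AM-08",
+"control_name": "Asset Management",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent components inventoried — ML SBOM for all tools, MCP servers, model weights, libraries"
+},
+{
+"framework": "NIST CSF 2.0",
+"control_id": "PR.PS-02",
+"control_name": "Platform Security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Software managed to reduce risk — component integrity verification, change management"
+},
+{
+"framework": "SOC 2",
+"control_id": "Third-party agentic components assessed — agent frameworks, tool vendors, model providers subject to vendor risk management",
+"control_name": "CC9.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Vendor assessments, contractual security obligations"
+},
+{
+"framework": "SOC 2",
+"control_id": "Component changes managed through change management — model updates, framework upgrades, tool changes require security review",
+"control_name": "CC8.1",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Change management records, security review sign-offs"
+},
+{
+"framework": "SOC 2",
+"control_id": "Agentic supply chain risk included in risk assessment — compromised component scenarios documented with treatment",
+"control_name": "CC3.3",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Risk register with supply chain entries"
+},
+{
+"framework": "SOC 2",
+"control_id": "Integrity checks required before component deployment — cryptographic verification of model weights and tool descriptors",
+"control_name": "CC5.3",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Integrity verification configuration, deployment logs"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Agentic component vendors with CHD access managed as TPSPs — written agreements, annual confirmation of PCI compliance",
+"control_name": "Req 12.8",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "TPSP list, written agreements, compliance confirmations"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Agentic component CVEs in vulnerability management — ML libraries, agent frameworks, inference runtime dependencies scanned",
+"control_name": "Req 6.3",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Vulnerability scan results, patch records"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Malicious software protection for agent components — integrity verification for model weights and plugin descriptors",
+"control_name": "Req 5.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Integrity check configuration, verification records"
+},
+{
+"framework": "PCI DSS v4.0",
+"control_id": "Secure baseline configuration for agentic infrastructure — hardening standards applied to agent deployment platforms",
+"control_name": "Req 2.2",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Hardening baseline documentation"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "SCS",
+"control_name": "Supply Chain Security",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agentic component vendors assessed — agent frameworks, tool registries, MCP servers, model providers all subject to SCS practices"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Data and Model Security (DMS)",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Model weight and tool descriptor integrity verification — cryptographic signatures, hash-based baseline"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L2",
+"control_name": "Governance and Risk (GOV)",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Vendor risk management extended to AI component suppliers — contractual security obligations documented"
+},
+{
+"framework": "ENISA Multilayer Framework",
+"control_id": "L1",
+"control_name": "General ICT — Supply Chain",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agentic SBOM as software asset inventory — all components inventoried, CVEs monitored"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "D-TA",
+"control_name": "Design / Threat Assessment",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Explicitly model trust relationships between agents; default deny"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "D-SA",
+"control_name": "Design / Security Architecture",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Mutual authentication between all agent-to-agent communication"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "G-PC",
+"control_name": "Governance / Policy & Compliance",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Policy governing what agents may instruct other agents to do"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "V-AA",
+"control_name": "Verification / Architecture Assessment",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Review and document all agent-to-agent trust grants"
+},
+{
+"framework": "OWASP SAMM v2.0",
+"control_id": "V-ST",
+"control_name": "Verification / Security Testing",
+"tier": "Hardening",
+"scope": "Both",
+"notes": "Test whether a compromised sub-agent can escalate through the network"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "Download of Code Without Integrity Check",
+"control_name": "CWE-494",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent tool components and MCP servers loaded without signature verification"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "Inclusion of Functionality from Untrusted Control Sphere",
+"control_name": "CWE-829",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "MCP servers and plugins from external registries loaded into agent execution context"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "Embedded Malicious Code",
+"control_name": "CWE-506",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Model weights and tool components containing hidden backdoor functionality"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "Reliance on Insufficiently Trustworthy Component",
+"control_name": "CWE-1357",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Agent dependency on third-party MCP servers without security assessment"
+},
+{
+"framework": "CWE/CVE",
+"control_id": "Unintended Proxy or Intermediary",
+"control_name": "CWE-441",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Compromised tool acting as malicious intermediary in agent workflow"
+},
+{
+"framework": "OWASP AI Testing Guide",
+"control_id": "Component integrity verification",
+"control_name": "SCT — Supply Chain",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Verify cryptographic signatures of all agent components; scan for hidden instructions in descriptors"
+},
+{
+"framework": "OWASP AI Testing Guide",
+"control_id": "Behavioural change detection post-update",
+"control_name": "MBT — Model Behaviour",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Establish behavioural baseline before component update; verify no unexpected behaviour change after update"
+},
+{
+"framework": "OWASP AI Testing Guide",
+"control_id": "Runtime component monitoring",
+"control_name": "AST — Agent-Specific",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Verify that component modification at runtime is detected and triggers agent suspension"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L3",
+"control_name": "Agent Frameworks",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L4",
+"control_name": "Deployment & Infrastructure",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "MAESTRO",
+"control_id": "L1",
+"control_name": "Foundation Models",
+"tier": "Foundational",
+"scope": "Both"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B001",
+"control_name": "Third-party testing of adversarial robustness",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B003",
+"control_name": "Manage public release of technical details",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "AIUC-1",
+"control_id": "B008",
+"control_name": "Protect model deployment environment",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "AIUC-1",
+"control_id": "A",
+"control_name": "Data & Privacy (full domain)",
+"tier": "Hardening",
+"scope": "Both"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Compromised MCP server holds or can request excessive permissions",
+"control_name": "NHI-3 Vulnerable Third-Party NHI",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Validate all third-party NHIs at connection — revoke tokens from unverified sources"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Malicious components extract credentials from agent memory or config",
+"control_name": "NHI-6 Insecure Credential Storage",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Credential isolation — components cannot access other components' credentials"
+},
+{
+"framework": "OWASP NHI Top 10",
+"control_id": "Supply chain compromise introduces credential exfiltration code",
+"control_name": "NHI-2 Secret Leakage",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Scan all agent components for credential access patterns before deployment"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "Vet all third-party agent components — tools, plugins, MCP servers, model weights, orchestration libraries — for provenance, integrity, and security posture before use",
+"control_name": "PW.4.1-PS – Reuse existing well-secured software",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Prevents introduction of compromised components into agent pipelines"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "Verify integrity of all agent artefacts and third-party components using cryptographic signatures and checksums before deployment",
+"control_name": "PS.2.1-PS – Verify software integrity",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Detects tampering in agent supply chain artefacts"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "Maintain a secure, versioned registry of all agent components with provenance records; enable auditability and rollback",
+"control_name": "PS.3.1-PS – Archive and protect software releases",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Ensures traceability and recovery capability for supply chain incidents"
+},
+{
+"framework": "NIST SP 800-218A",
+"control_id": "Monitor for newly disclosed vulnerabilities in third-party agent components; establish a triage process for AI-specific supply chain disclosures",
+"control_name": "RV.1.1-PS – Identify and confirm vulnerabilities",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Enables rapid response to supply chain compromises"
+},
+{
+"framework": "FedRAMP",
+"control_id": "SR-2",
+"control_name": "Supply Chain Risk Management Plan — agent components",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Include all agent components — tools, plugins, MCP servers, model weights, and agent frameworks — in the supply chain risk management plan"
+},
+{
+"framework": "FedRAMP",
+"control_id": "SR-3",
+"control_name": "Supply Chain Controls — agent component provenance",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Verify integrity and provenance of all agent supply chain components using cryptographic signatures, checksums, and attestation before deployment"
+},
+{
+"framework": "FedRAMP",
+"control_id": "SA-9",
+"control_name": "External Information System Services — third-party agent services",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Require third-party agent tool and plugin providers to meet FedRAMP requirements; establish SLAs for security, availability, and incident notification"
+},
+{
+"framework": "FedRAMP",
+"control_id": "SA-3",
+"control_name": "System Development Life Cycle — agent SDLC",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Integrate agent-specific security activities into the SDLC — tool integration review, privilege analysis, and adversarial testing at each lifecycle phase"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 28–44",
+"control_name": "Third-Party Risk — agent component vendor oversight",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Include agent tool vendors, plugin providers, MCP server maintainers, and model providers in third-party ICT risk oversight with due diligence and contractual controls"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 8",
+"control_name": "Identification — agent supply chain assets",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Identify and classify all agent supply chain components — tools, plugins, MCP servers, model weights, frameworks — in the ICT asset inventory with provenance"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 5–7",
+"control_name": "ICT Risk Management — agent supply chain governance",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Include agent supply chain risk in the ICT risk management framework; define policies for agent component sourcing, vetting, and lifecycle management"
+},
+{
+"framework": "DORA",
+"control_id": "Art. 24–27",
+"control_name": "Resilience Testing — supply chain resilience",
+"tier": "Foundational",
+"scope": "Both",
+"notes": "Include agent supply chain disruption in resilience testing; test fallback procedures for third-party tool and service failures"
+}
+],
+"tools": [
+{
+"name": "CycloneDX",
+"type": "open-source",
+"url": "https://cyclonedx.org"
+},
+{
+"name": "ModelScan",
+"type": "open-source",
+"url": "https://github.com/protectai/modelscan"
+},
+{
+"name": "OWASP Dependency-Check",
+"type": "open-source",
+"url": "https://owasp.org/www-project-dependency-check/"
+},
+{
+"name": "MCP Inspector",
+"type": "open-source",
+"url": "https://github.com/modelcontextprotocol/inspector"
+},
+{
+"name": "Syft",
+"type": "open-source",
+"url": "https://github.com/anchore/syft"
+},
+{
+"name": "Snyk",
+"type": "commercial",
+"url": "https://snyk.io"
+},
+{
+"name": "Sigstore",
+"type": "open-source",
+"url": "https://www.sigstore.dev"
+}
+],
+"incidents": [
+{
+"name": "Hugging Face model repository pickle-based malware supply chain",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2024,
+"incident_id": "INC-009"
+},
+{
+"name": "Hugging Face model card supply chain manipulation",
+"url": "https://github.com/emmanuelgjr/GenAI-Security-Crosswalk/blob/main/data/incidents.json",
+"year": 2025,
+"incident_id": "INC-038"
+}
+],
+"crossrefs": {
+"llm_top10": [
+"LLM03",
+"LLM08",
+"LLM05"
+],
+"dsgai_2026": [
+"DSGAI04",
+"DSGAI06",
+"DSGAI19"
+]
+},
+"changelog": [
+{
+"date": "2026-03-27",
+"version": "1.0.0",
+"change": "Initial entry — generated from GenAI Security Crosswalk v1.5.1 mapping files",
+"author": "emmanuelgjr"
+}
+]
+}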
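Review bot: The `control_id` and `control_name` fields are used inconsistently across the `mappings` array, which breaks any consumer that keys on `control_id` to join entries across frameworks: the MITRE ATLAS, NIST AI RMF, ISO, CIS, ASVS, NIST CSF and FedRAMP entries put the identifier in `control_id`, while the EU AI Act, ISA/IEC 62443-2-4, NIST SP 800-82, SOC 2, PCI DSS, CWE/CVE, OWASP AI Testing Guide, OWASP NHI Top 10 and NIST SP 800-218A entries put the identifier in `control_name` and a descriptive sentence in `control_id`. The CWE entries, for instance, should read `"control_id": "CWE-494", "control_name": "Download of Code Without Integrity Check"`, and the same swap applies to the other frameworks named above; if `package/data/schema.json` does not yet constrain `control_id` with a `maxLength` or per-framework `pattern`, adding one would have caught this before release. The three MITRE ATLAS names also do not appear to match the technique IDs they are paired with (AML.T0010 is published as ML Supply Chain Compromise, with Backdoor ML Model being a separate technique), so each should be checked against its own `url` field before consumers rely on the mapping. Separately, ISA/IEC 62443 SR 3.2 is listed twice with different names, and the NIST SP 800-82 and OWASP SAMM notes describe inter-agent trust and lateral movement rather than component supply chain, which looks like text carried over from another entry.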