enhancement: declare NIST 800-53 r5 control-family axis (20 families) #319

Description

@Daren9m

Gap

data/frameworks/nist-800-53-r5.json declares only scoring.profiles (Low / Moderate / High baselines). The 20 control families that every 800-53 controlId starts with (AC-1, AU-2, IA-5, …) are not declared in CheckID. Downstream consumers (M365-Assess #843) regex the family code out of controlId strings via the family-letter-prefix strategy.

Families to declare

The NIST 800-53 r5 control catalog defines 20 families:

| Code | Name |
|------|------|
| AC | Access Control |
| AT | Awareness and Training |
| AU | Audit and Accountability |
| CA | Assessment, Authorization, and Monitoring |
| CM | Configuration Management |
| CP | Contingency Planning |
| IA | Identification and Authentication |
| IR | Incident Response |
| MA | Maintenance |
| MP | Media Protection |
| PE | Physical and Environmental Protection |
| PL | Planning |
| PM | Program Management |
| PS | Personnel Security |
| PT | Personally Identifiable Information Processing and Transparency |
| RA | Risk Assessment |
| SA | System and Services Acquisition |
| SC | System and Communications Protection |
| SI | System and Information Integrity |
| SR | Supply Chain Risk Management |

Extraction

Every 800-53 controlId starts with the 2-letter family code followed by - (e.g. AC-1, IA-5(7)). Strategy: letter-prefix-before-dash.

Acceptance criteria

  • Spike #317 (spike: multi-axis taxonomy schema for frameworks) resolved
  • data/frameworks/nist-800-53-r5.json declares the family axis per agreed shape
  • All 20 family codes in the values map (registry may not reference all today, but the catalog is bounded)
  • Pester validation confirms every 800-53 controlId in data/registry.json resolves to a declared family
  • Existing scoring.profiles (Low/Mod/High) coexist with the new family axis (or are migrated to a baseline axis — TBD by spike)
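The letter-prefix-before-dash extraction and the registry validation from the acceptance criteria, as an added example rather than code from this repository. The JSON path `taxonomy.family.values`, the `checkId` property and the registry entries are constructed assumptions; the real axis shape is still TBD by spike #317.

```powershell
# Added example, not project code. Assumed axis shape (pending spike #317):
# taxonomy.family.values maps the 2-letter code to the family name.
$frameworkJson = @'
{
  "taxonomy": {
    "family": {
      "strategy": "letter-prefix-before-dash",
      "values": {
        "AC": "Access Control",
        "AU": "Audit and Accountability",
        "IA": "Identification and Authentication",
        "SR": "Supply Chain Risk Management"
      }
    }
  }
}
'@
$framework = $frameworkJson | ConvertFrom-Json

# Constructed registry entries standing in for data/registry.json.
# The last two are deliberately bad so the check has something to report.
$registry = @(
  [pscustomobject]@{ checkId = 'C-001'; controlId = 'AC-1' },
  [pscustomobject]@{ checkId = 'C-002'; controlId = 'IA-5(7)' },  # enhancement: still family IA
  [pscustomobject]@{ checkId = 'C-003'; controlId = 'SR-3' },
  [pscustomobject]@{ checkId = 'C-004'; controlId = 'SC-7' },     # family not declared in this fragment
  [pscustomobject]@{ checkId = 'C-005'; controlId = 'AC1' }       # malformed: no dash after the prefix
)

function Get-ControlFamily {
    # Letter-prefix-before-dash: exactly two capital letters, then '-', then the control number.
    # Case-sensitive match; returns $null when the id does not fit the pattern.
    param([Parameter(Mandatory)][string]$ControlId)
    if ($ControlId -cmatch '^([A-Z]{2})-\d') { return $Matches[1] }
    return $null
}

# Every family code declared in the axis (property names of the values map).
$declared = @($framework.taxonomy.family.values.PSObject.Properties.Name)

# Collect one message per controlId that does not resolve to a declared family.
$failures = foreach ($entry in $registry) {
    $family = Get-ControlFamily -ControlId $entry.controlId
    if (-not $family)                 { "$($entry.checkId): '$($entry.controlId)' has no <FAMILY>- prefix" }
    elseif ($family -notin $declared) { "$($entry.checkId): family '$family' is not declared in the framework" }
}

$failures | ForEach-Object { Write-Warning $_ }
'{0}/{1} registry controlIds resolve to a declared family' -f ($registry.Count - @($failures).Count), $registry.Count
```

In the Pester test this becomes a single assertion, `$failures | Should -BeNullOrEmpty`, so the failure messages name the offending checkIds when the test goes red.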

Blocked by

Spike #317.

Related

The FedRAMP r5 family axis (filed as a sibling issue) uses the same 20 families and could share the values map.
