Gap
data/frameworks/nist-csf.json declares the 6 functions (scoring.functions: GV / ID / PR / DE / RS / RC) — the coarsest CSF axis. The middle (category, ~23) and leaf (subcategory, ~106) axes are not declared. CSF controlIds carry all three: PR.AA-03 → function PR, category PR.AA, subcategory PR.AA-03.
Axes to declare
Function (already declared)
6 functions: GV, ID, PR, DE, RS, RC. Keep as the top axis.
Category (~23, currently undeclared)
Each function has 4–6 categories, expressed as {function}.{2-letter-code}. Examples:
GV.OC — Organizational Context
GV.RM — Risk Management Strategy
GV.RR — Roles, Responsibilities, and Authorities
GV.PO — Policy
GV.OV — Oversight
GV.SC — Cybersecurity Supply Chain Risk Management
ID.AM — Asset Management
ID.RA — Risk Assessment
ID.IM — Improvement
PR.AA — Identity Management, Authentication, and Access Control
PR.AT — Awareness and Training
PR.DS — Data Security
PR.PS — Platform Security
PR.IR — Technology Infrastructure Resilience
DE.CM — Continuous Monitoring
DE.AE — Adverse Event Analysis
RS.MA — Incident Management
RS.AN — Incident Analysis
RS.CO — Incident Response Reporting and Communication
RS.MI — Incident Mitigation
RC.RP — Incident Recovery Plan Execution
RC.CO — Incident Recovery Communication
(Authoritative count to be confirmed against CSF 2.0 Core during implementation.)
Subcategory (~106, currently undeclared)
The leaves: PR.AA-03, DE.CM-09, etc. May be declared as a values map on a third axis, or treated as the natural finding-level granularity (no values map needed if there are too many to maintain). Spike #317 to decide.
Extraction
- Function: dot-prefix — letters before the first dot (already in M365-Assess GROUP_EXTRACTORS).
- Category: function-and-category — letters before the first hyphen (e.g. PR.AA-03 → PR.AA).
- Subcategory: identity — the controlId itself.
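Worked example of the three extractors above together with the registry-side check from the acceptance criteria, using the category list given earlier on this page. This is illustration added here, not M365-Assess code: the function names, the GROUP_EXTRACTORS table, the plain dict used for the category axis and the controlId regex are all assumptions; the sample registry entries are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Top axis, as already declared in scoring.functions of data/frameworks/nist-csf.json.
CSF_FUNCTIONS = {"GV", "ID", "PR", "DE", "RS", "RC"}

# Category axis, transcribed from the list on this page. Keying a plain dict by
# category id is an assumption for this example, not the agreed JSON shape.
CSF_CATEGORIES: Dict[str, str] = {
    "GV.OC": "Organizational Context",
    "GV.RM": "Risk Management Strategy",
    "GV.RR": "Roles, Responsibilities, and Authorities",
    "GV.PO": "Policy",
    "GV.OV": "Oversight",
    "GV.SC": "Cybersecurity Supply Chain Risk Management",
    "ID.AM": "Asset Management",
    "ID.RA": "Risk Assessment",
    "ID.IM": "Improvement",
    "PR.AA": "Identity Management, Authentication, and Access Control",
    "PR.AT": "Awareness and Training",
    "PR.DS": "Data Security",
    "PR.PS": "Platform Security",
    "PR.IR": "Technology Infrastructure Resilience",
    "DE.CM": "Continuous Monitoring",
    "DE.AE": "Adverse Event Analysis",
    "RS.MA": "Incident Management",
    "RS.AN": "Incident Analysis",
    "RS.CO": "Incident Response Reporting and Communication",
    "RS.MI": "Incident Mitigation",
    "RC.RP": "Incident Recovery Plan Execution",
    "RC.CO": "Incident Recovery Communication",
}

# Assumed shape of a subcategory id: FN.CC-NN (two uppercase letters, dot,
# two uppercase letters, hyphen, two digits), e.g. PR.AA-03.
CONTROL_ID = re.compile(r"^[A-Z]{2}\.[A-Z]{2}-\d{2}$")


class CsfAxes(NamedTuple):
    function: str      # e.g. PR
    category: str      # e.g. PR.AA
    subcategory: str   # e.g. PR.AA-03


def dot_prefix(control_id: str) -> str:
    """Function: letters before the first dot."""
    return control_id.split(".", 1)[0]


def function_and_category(control_id: str) -> str:
    """Category: everything before the first hyphen."""
    return control_id.split("-", 1)[0]


def identity(control_id: str) -> str:
    """Subcategory: the controlId itself."""
    return control_id


# Hypothetical extractor table; only the name is borrowed from the issue text.
GROUP_EXTRACTORS = {
    "function": dot_prefix,
    "category": function_and_category,
    "subcategory": identity,
}


def extract_axes(control_id: str) -> CsfAxes:
    """Split a well-formed controlId into its three axes; reject anything else."""
    if not CONTROL_ID.match(control_id):
        raise ValueError(f"malformed controlId {control_id}")
    return CsfAxes(
        GROUP_EXTRACTORS["function"](control_id),
        GROUP_EXTRACTORS["category"](control_id),
        GROUP_EXTRACTORS["subcategory"](control_id),
    )


def check_control(control_id: str) -> Optional[str]:
    """None if the id resolves to declared function and category axes, else the reason."""
    try:
        axes = extract_axes(control_id)
    except ValueError as exc:
        return str(exc)
    if axes.function not in CSF_FUNCTIONS:
        return f"undeclared function {axes.function}"
    if axes.category not in CSF_CATEGORIES:
        return f"undeclared category {axes.category}"
    return None


def unresolved_controls(control_ids: List[str]) -> List[Tuple[str, str]]:
    """Registry-side acceptance check: list every controlId that does not resolve."""
    return [(cid, check_control(cid)) for cid in control_ids if check_control(cid) is not None]


def categories_by_function() -> Dict[str, List[str]]:
    """Group declared categories by function, for comparison against the CSF 2.0 Core count."""
    grouped: Dict[str, List[str]] = {fn: [] for fn in sorted(CSF_FUNCTIONS)}
    for category in CSF_CATEGORIES:
        grouped[dot_prefix(category)].append(category)
    return grouped


if __name__ == "__main__":
    # Constructed sample registry: three valid ids, one undeclared category, one malformed id.
    sample_registry = ["PR.AA-03", "DE.CM-09", "GV.SC-01", "PR.XX-01", "pr.aa-03"]
    print(extract_axes("PR.AA-03"))
    print(unresolved_controls(sample_registry))
    print({fn: len(cats) for fn, cats in categories_by_function().items()})
```

The regex is deliberately strict (uppercase, two-digit suffix) so that a lowercase or truncated id is reported as malformed rather than silently producing an axis value that never matches the declared map; the per-function grouping is there so the counts can be compared with the authoritative Core list before the category axis is committed.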
Acceptance criteria
- data/frameworks/nist-csf.json declares function + category axes per agreed shape
- data/registry.json resolves to a declared category
Blocked by
Spike #317.
Source
NIST Cybersecurity Framework 2.0 Core (Feb 2024). Authoritative category list at https://www.nist.gov/cyberframework/csf-20.