
Checkpoint — framework corpus + GRC tooling landscape (set up camp)


After v0.1.6’s query substrate landed (8 Layer A primitives, streaming variants, join/set-op/diff, benchmark + bundled-fixture commands), the next practical step is realistic crosswalking in practice — feeding actual framework data through the import → query → crosswalk pipeline instead of toy fixtures. This checkpoint sets up the corpus + the legal handling for that.

The driving use case (from 2026-05 financial-institution stack research): a Unified Risk Ontology that lets Internal Audit, GRC/ISRM, and Compliance operate on the same shared entities — risks, controls, frameworks, assets, vendors, processes, findings, evidence, incidents — with CRI Profile as the authority-of-record for the GRC/InfoSec team and every other framework crosswalked to it (via OLIR / STRM). The load-bearing joints are the control and the crosswalk: one control hangs off multiple framework requirements → assess once, comply many.

Crosswalker’s role in that model: the control-centric control + crosswalk spine (see control-centric vs obligation-centric compliance), kept as plain-text notes you own. The shared model itself is the unified risk model.

1. Framework corpus — what to get + copyright handling

Full get-these list + per-framework licensing + clickable download links lives in the corpus manifest: test-vault/Frameworks/PROVENANCE.md (committed). Summary:

Status | Frameworks | Handling
--- | --- | ---
🟢 Public domain — commit freely | NIST CSF 2.0, 800-53 r5, 800-171, FFIEC, HIPAA, CMMC, NYDFS 500, DORA, MITRE ATT&CK (attribute), NIST OSCAL catalogs | Frameworks/public/
🔴 Copyrighted — local only | CRI Profile (the spine), ISO 27001:2022, SOC 2 / AICPA TSC, PCI DSS | Frameworks/_licensed/ (gitignored)
🟡 Restrictive CC — gitignore to be safe | CIS Controls v8.1, Secure Controls Framework | Frameworks/_licensed/ (subset OK)

Landing/download pages are linked from PROVENANCE.md; verify version + registration/purchase terms at download time. On-disk layout:

test-vault/Frameworks/
├── public/      ← committed (public-domain + laws/regs + your generated notes)
└── _licensed/   ← GITIGNORED (raw copyrighted vendor files — never committed)

.gitignore carries test-vault/Frameworks/_licensed/. Drop copyrighted source files there; they stay local. Crosswalker’s generated output (your own paraphrased concept notes + crosswalk junction notes) is derived work — it can live in public/ and be committed. The raw vendor text (CRI/ISO/SOC2/PCI diagnostic statements) stays in _licensed/ only.

Rule of thumb: US-government frameworks + actual laws/regs are public domain → commit. Proprietary vendor frameworks → _licensed/. You can still test with them; just don’t commit their raw text.
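A guard for the public/ vs _licensed/ split, written as an added example (not Crosswalker's own code): it takes the committed file list (what `git ls-files` prints; here a constructed sample) and flags two failure modes the gitignore alone does not catch: a file tracked under _licensed/ anyway (force-added, or added before the ignore rule existed) and a raw vendor file copied into public/ under a copyrighted framework's name. The name stems in RAW_LICENSED_STEMS and the sample paths are constructed stand-ins for the per-file table in PROVENANCE.md; .md files are treated as derived notes and allowed.

```python
"""Repo-hygiene guard for the Frameworks/public vs Frameworks/_licensed rule.

Added example, not Crosswalker's code. Inputs are constructed samples.
"""
from pathlib import PurePosixPath

PUBLIC_DIR = "test-vault/Frameworks/public/"
LICENSED_DIR = "test-vault/Frameworks/_licensed/"

# Constructed stand-in for PROVENANCE.md: file-name stems of copyrighted / restrictive-CC sources.
RAW_LICENSED_STEMS = ("cri-profile", "iso27001", "soc2", "pci-dss", "cis-controls", "scf")
# Files with these extensions are raw source material, not derived notes.
RAW_EXTENSIONS = {".pdf", ".xlsx", ".xls", ".csv", ".json", ".txt", ".yaml", ".yml"}

# Constructed `git ls-files` output for a repo where two mistakes slipped in.
SAMPLE_TRACKED = """\
.gitignore
test-vault/Frameworks/PROVENANCE.md
test-vault/Frameworks/public/nist-csf-2.0.json
test-vault/Frameworks/public/cri-profile-concepts.md
test-vault/Frameworks/public/iso27001-2022-controls.xlsx
test-vault/Frameworks/_licensed/pci-dss-v4.pdf
""".splitlines()

SAMPLE_GITIGNORE = "node_modules/\ntest-vault/Frameworks/_licensed/\n"


def gitignore_has_licensed_rule(gitignore_text):
    """True when .gitignore carries the exact _licensed/ line the checkpoint describes."""
    return any(line.strip() == LICENSED_DIR for line in gitignore_text.splitlines())


def is_raw_licensed(path):
    """Raw (non-note) file whose name stem starts with a copyrighted framework's stem."""
    p = PurePosixPath(path)
    return p.suffix.lower() in RAW_EXTENSIONS and p.stem.lower().startswith(RAW_LICENSED_STEMS)


def find_violations(tracked_paths):
    """(path, reason) for every tracked file that breaks the public/_licensed rule."""
    found = []
    for path in tracked_paths:
        if path.startswith(LICENSED_DIR):
            # Tracked despite the ignore rule: typically `git add -f` or a rule added late.
            found.append((path, "tracked under _licensed/"))
        elif path.startswith(PUBLIC_DIR) and is_raw_licensed(path):
            found.append((path, "raw copyrighted source under public/"))
    return found


if __name__ == "__main__":
    if not gitignore_has_licensed_rule(SAMPLE_GITIGNORE):
        print("missing ignore rule:", LICENSED_DIR)
    for path, reason in find_violations(SAMPLE_TRACKED):
        print(f"VIOLATION {reason}: {path}")
```

In a real checkout, feed `git ls-files` output to find_violations (read from stdin) from a pre-commit hook and fail the commit on any hit; the stem list should be generated from the PROVENANCE table rather than kept by hand so the two cannot drift apart.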

Small subsets already live at tools/fixtures/realistic/ (synthetic-shape-correct, safe to commit): NIST CSF 2.0 (Govern+Identify), 800-53 AC family, ISO 27001:2022 subset, SOC 2 subset, CIS Controls v8 subset, MITRE ATT&CK Persistence subset, + 3 crosswalks (CSF→800-53, ISO→SOC2 SSSOM, CSF→ATT&CK SSSOM). These power the Phase 6.1 integration tests and the Crosswalker: Import bundled test fixture (dev) command. For real crosswalking, replace/augment with full files per the table above.

2. Related tooling + unified risk model — now in the KB

Two concept pages capture the FI stack research:

Related tooling (GRC, audit, compliance, risk) — the adjacent platforms across these problem domains + where Crosswalker fits among them (NOT Crosswalker’s own ecosystem):

  • Control-centric vs obligation-centric compliance — obligation-centric (regulatory/CMS, atomic unit = obligation) vs control-centric (control/framework ops, atomic unit = control). Crosswalker is control-centric. (Informal framing — not the IIA Three Lines Model.)
  • Tooling tiers — FI-specialized / enterprise GRC / open-source, with TCO + run-burden tradeoffs.
  • Standards-based-crosswalking differentiator — the durable company Crosswalker keeps: CISO Assistant (OLIR), RegScale (OSCAL), SCF (STRM).
  • Named roster — control-centric spines, FI-specialized, enterprise GRC/IRM, internal-audit engines, crosswalk metaframeworks.

Unified risk model — the shared data model IA / GRC / compliance operate on together around any of these tools, with CRI Profile at the center: the shared-entity table (control, requirement, framework, asset, vendor, process, finding, evidence, incident) with per-team ownership roles, and the “assess once, comply many” backbone.

The full multivariate analysis (coverage matrix, TCO table, role-fit) lives in the user’s private research session; the KB captures the load-bearing framing + positioning.

  1. Obtain framework files per PROVENANCE.md — public ones into Frameworks/public/, proprietary into Frameworks/_licensed/. Log each in the PROVENANCE per-file table.
  2. Import concepts: Crosswalker: Import structured data (CSV/XLSX/JSON) → Tier 1 concept notes.
  3. Import crosswalks: Crosswalker: Import SSSOM mapping file (or the bundled-fixture dev command) → junction notes in _crosswalker/mappings/.
  4. Query/crosswalk: Crosswalker: Insert query into note → pick a recipe → pivot/coverage views render over the junction data.
  5. Benchmark/observe: Crosswalker: Run primitives benchmark (perf) for scale; cat crosswalker-debug.log | jq 'select(.category=="view" or .category=="perf")' to trace.
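Steps 2 to 5 of that procedure, run end to end on constructed fixtures, as an added example that is not Crosswalker's own code: concept rows standing in for the CSV import, an SSSOM TSV standing in for the mapping import (its `#` header lines are SSSOM's embedded metadata block), a two-control spine, a coverage/pivot view that shows "assess once, comply many" (one control reaching requirements in two frameworks, one requirement no control reaches), and a JSONL debug log filtered the way the jq one-liner does. The requirement IDs are real CSF 2.0 and SP 800-53 identifiers, but the mappings, controls and log events are illustrative, not the official OLIR references or the plugin's log format.

```python
"""Import -> crosswalk -> coverage view on constructed fixtures (added example)."""
import csv
import io
import json
from collections import defaultdict

# Step 2: concept import (constructed CSV, two frameworks).
CONCEPTS_CSV = """\
framework,id,title
CSF2,PR.AA-01,Identities and credentials are managed
CSF2,PR.AA-05,Access permissions and authorizations are managed
CSF2,DE.CM-01,Networks and network services are monitored
SP800-53,AC-2,Account Management
SP800-53,AC-6,Least Privilege
SP800-53,IA-5,Authenticator Management
"""

# Step 3: SSSOM mapping file (constructed; the '#' block is SSSOM metadata).
SSSOM_TSV = """\
#mapping_set_id: https://example.org/crosswalk/csf2-to-sp800-53
#curie_map:
#  CSF2: https://example.org/csf2/
#  SP800-53: https://example.org/sp800-53/
subject_id\tpredicate_id\tobject_id\tmapping_justification
CSF2:PR.AA-01\tskos:closeMatch\tSP800-53:AC-2\tsemapv:ManualMappingCuration
CSF2:PR.AA-01\tskos:closeMatch\tSP800-53:IA-5\tsemapv:ManualMappingCuration
CSF2:PR.AA-05\tskos:closeMatch\tSP800-53:AC-6\tsemapv:ManualMappingCuration
"""

# Control spine (constructed): internal control -> requirement it is assessed against.
CONTROLS = [
    ("CTL-001", "Joiner/mover/leaver account lifecycle", "CSF2:PR.AA-01"),
    ("CTL-002", "Quarterly privileged-access review", "CSF2:PR.AA-05"),
]


def import_concepts(text):
    """Tier 1 concept notes keyed by CURIE, e.g. 'CSF2:PR.AA-01'."""
    return {f"{r['framework']}:{r['id']}": r for r in csv.DictReader(io.StringIO(text))}


def import_sssom(text):
    """Junction records from an SSSOM TSV; rejects files missing the required columns."""
    body = "\n".join(line for line in text.splitlines() if not line.startswith("#"))
    reader = csv.DictReader(io.StringIO(body), delimiter="\t")
    required = {"subject_id", "predicate_id", "object_id", "mapping_justification"}
    missing = required - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"SSSOM file lacks required columns: {sorted(missing)}")
    return list(reader)


def pivot(junctions):
    """Requirement -> requirements it is crosswalked to (navigable in both directions)."""
    links = defaultdict(set)
    for j in junctions:
        links[j["subject_id"]].add(j["object_id"])
        links[j["object_id"]].add(j["subject_id"])
    return links


def control_reach(controls, junctions):
    """Each control -> every requirement it satisfies: its own, plus one crosswalk hop."""
    links = pivot(junctions)
    return {ctl: sorted({req, *links.get(req, set())}) for ctl, _title, req in controls}


def coverage(concepts, controls, junctions):
    """Per framework: requirements some control reaches, and requirements none does."""
    reached = {r for reqs in control_reach(controls, junctions).values() for r in reqs}
    by_fw = defaultdict(lambda: {"covered": [], "uncovered": []})
    for curie, row in concepts.items():
        by_fw[row["framework"]]["covered" if curie in reached else "uncovered"].append(curie)
    return {fw: {k: sorted(v) for k, v in d.items()} for fw, d in by_fw.items()}


# Step 5: constructed JSONL debug events and the jq-style category filter.
def emit_log(concepts, junctions, view):
    events = [
        {"category": "import", "msg": "concepts", "count": len(concepts)},
        {"category": "import", "msg": "sssom", "count": len(junctions)},
        {"category": "view", "msg": "coverage", "frameworks": sorted(view)},
        {"category": "perf", "msg": "coverage", "ms": 3},  # constructed timing
    ]
    return [json.dumps(e) for e in events]


def select_categories(log_lines, wanted=("view", "perf")):
    """Equivalent of: jq 'select(.category=="view" or .category=="perf")'."""
    return [e for e in map(json.loads, log_lines) if e["category"] in wanted]


if __name__ == "__main__":
    concepts = import_concepts(CONCEPTS_CSV)
    junctions = import_sssom(SSSOM_TSV)
    print(json.dumps(control_reach(CONTROLS, junctions), indent=2))
    view = coverage(concepts, CONTROLS, junctions)
    print(json.dumps(view, indent=2))
    for event in select_categories(emit_log(concepts, junctions, view)):
        print(event)
```

The reach is deliberately a single crosswalk hop: chaining skos:closeMatch through a third framework (CSF → 800-53 → ISO) is a breadth-first walk over the same `links` table, but each hop weakens the claim, so a multi-hop view should carry the hop count and the weakest predicate along the path rather than report the far end as covered outright. The uncovered list is the audit-relevant output: DE.CM-01 surfaces because no control in the spine is assessed against it.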