Security & GRC framework corpus
This is the directory of security & GRC frameworks worth crosswalking — scoped to Crosswalker’s launch problem domains: cybersecurity, information security, GRC, risk management, internal audit, and regulatory compliance. Each entry links to a durable home/landing page (not a download URL — those rot), notes its license, and whether usable source data is in hand.
The landscape — frameworks worth crosswalking
Status = whether usable source data is in hand: ✅ acquired · ⚠️ partial (a crosswalk or subset) · 📥 still to source. (Whether a framework has been ingested and tested through Crosswalker is a separate status that comes online as we run the ingestion → mapping pipeline — see “Using these in practice” above.) License: 🟢 public / free · 🟡 registration / restrictive-CC · 🔴 purchase / copyrighted. Source links go to durable landing pages, not download URLs.
Threat-informed & adversary frameworks (MITRE family + friends)
| Framework | What it is | Lic | Status | Source |
|---|---|---|---|---|
| MITRE ATT&CK (Enterprise/Mobile/ICS) | Adversary tactics & techniques | 🟢 | ✅ | attack.mitre.org |
| MITRE D3FEND | Defensive countermeasures ontology | 🟢 | ✅ | d3fend.mitre.org |
| MITRE Engage | Adversary engagement / cyber deception & denial (ex-Shield) | 🟢 | ✅ | engage.mitre.org |
| MITRE CAPEC | Common Attack Pattern Enumeration | 🟢 | ✅ | capec.mitre.org |
| MITRE CWE | Common Weakness Enumeration | 🟢 | ✅ | cwe.mitre.org |
| CVE / NVD + CISA KEV | Known + exploited vulnerabilities | 🟢 | ⚠️ ATT&CK↔CVE + KEV↔ATT&CK | nvd.nist.gov |
| MITRE ATLAS | Adversarial AI/ML threat matrix | 🟢 | ✅ | atlas.mitre.org |
| MITRE CAR | Cyber Analytics Repository (detections) | 🟢 | ✅ | car.mitre.org |
| MITRE VERIS | Incident classification taxonomy | 🟢 | ✅ | verisframework.org |
| CTID resource packs | ATT&CK mappings + threat-informed-defense projects (Sightings, Summiting the Pyramid, M3TID, …) | 🟢 | ✅ | ctid.mitre.org |
| Lockheed Cyber Kill Chain | 7-stage intrusion model | 🟡 | ✅ | lockheedmartin.com |
| Diamond Model | Intrusion analysis model | 🟢 | ✅ | activeresponse.org |
Security control frameworks (the core)
| Framework | What it is | Lic | Status | Source |
|---|---|---|---|---|
| NIST CSF 2.0 | Functions / categories / subcategories | 🟢 | ✅ | nist.gov/cyberframework |
| NIST 800-53 r5 | Control catalog + assessment | 🟢 | ✅ | csrc.nist.gov |
| NIST 800-171 | CUI protection (→ CMMC) | 🟢 | ✅ | csrc.nist.gov |
| NIST SSDF (800-218) | Secure software development | 🟢 | ✅ | csrc.nist.gov/projects/ssdf |
| NIST 800-207 | Zero Trust Architecture | 🟢 | ✅ | csrc.nist.gov |
| NIST Privacy Framework | Privacy risk (CSF-shaped) | 🟢 | 📥 | nist.gov/privacy-framework |
| CIS Controls v8.1 | 18 controls / 153 safeguards | 🟡 | ✅ | cisecurity.org/controls |
| CIS Benchmarks (~20) | Per-technology hardening (AWS, Azure, GCP, K8s, M365, SQL Server, …) | 🟡 | ✅ | cisecurity.org |
| ISO/IEC 27001 + 27002 | ISMS requirements + Annex A control catalog | 🔴 | ✅ 27001:2022 (+Amd 1:2024) + 27002:2022 | iso.org |
| ISO 27701 / 27017 / 27018 | Privacy (PIMS) / cloud / PII ISMS extensions | 🔴 | ⚠️ have 27701:2025; 27017/27018 missing | iso.org |
| Secure Controls Framework | 175+ framework hub via STRM (+ maturity & risk models) | 🟡 | ✅ | securecontrolsframework.com |
| CSA Cloud Controls Matrix | Cloud control framework | 🟡 | ✅ CCM 4.1 (via CTID pack) | cloudsecurityalliance.org |
| AICPA SOC 2 / TSC | Trust Services Criteria | 🔴 | ✅ | aicpa-cima.com |
Sector, cloud & assurance programs
| Framework | What it is | Lic | Status | Source |
|---|---|---|---|---|
| CRI Profile (v2.0–2.2) | Financial-sector spine + mappings catalog + DORA / 800-53 / ATT&CK crosswalks + FS-AI-RMF | 🔴 | ✅ | cyberriskinstitute.org |
| FFIEC IT Handbook | US FI examination booklets | 🟢 | ✅ | ithandbook.ffiec.gov |
| FedRAMP | US gov cloud authorization | 🟢 | ✅ | fedramp.gov |
| PCI DSS v4.0.1 | Payment card security | 🔴 | ✅ | pcisecuritystandards.org |
| HIPAA Security Rule | US healthcare PHI | 🟢 | ✅ | hhs.gov/hipaa |
| CMMC | US DoD contractor maturity | 🟢 | ✅ | dodcio.defense.gov/CMMC |
| CISA CPG | Cross-sector performance goals | 🟢 | ✅ | cisa.gov |
| HITRUST CSF v11.8 | Healthcare-centric certifiable framework | 🔴 | ✅ | hitrustalliance.net |
| NERC CIP | Energy / grid critical infrastructure | 🟢 | 📥 | nerc.com |
| SWIFT CSP | Financial messaging security | 🔴 | 📥 | swift.com |
Regulatory & legal obligations (obligation-centric)
| Regulation | Jurisdiction | Lic | Status | Source |
|---|---|---|---|---|
| DORA | EU financial digital resilience | 🟢 | ✅ | EUR-Lex (ELI 2022/2554) |
| NIS2 | EU critical-entity security | 🟢 | 📥 | EUR-Lex (ELI 2022/2555) |
| GDPR | EU data protection | 🟢 | ⚠️ TSC→GDPR crosswalk | EUR-Lex (ELI 2016/679) |
| NYDFS Part 500 | US (NY) financial cyber | 🟢 | 📥 | dfs.ny.gov |
| SEC cyber disclosure (33-11216) | US public-company disclosure (8-K Item 1.05 + Reg S-K Item 106) | 🟢 | ✅ | Federal Register (2023-16194) |
Risk management & quantification
| Framework | What it is | Lic | Status | Source |
|---|---|---|---|---|
| NIST 800-30 / 800-39 | Risk assessment + risk-mgmt process | 🟢 | 📥 | csrc.nist.gov |
| ISO 31000 / 27005 | Risk mgmt principles / infosec risk | 🔴 | ⚠️ have 31000:2018; 27005 missing | iso.org |
| FAIR / Open FAIR | Quantitative cyber-risk taxonomy | 🟡 | 📥 | fairinstitute.org |
| NIST AI RMF | AI risk management (AI 100-1) | 🟢 | ✅ | nist.gov |
| CRI FS-AI-RMF | Financial-services AI risk & control matrix (stages 1–3 + tier 4) | 🔴 | ✅ | cyberriskinstitute.org |
| ISO 42001 | AI management system | 🔴 | 📥 | iso.org |
Application, product & supply-chain security
| Framework | What it is | Lic | Status | Source |
|---|---|---|---|---|
| OWASP Top 10 | Web app risk list (Top 10 ↔ CWE via OSIB YAML export) | 🟢 | ✅ | owasp.org · GitHub |
| OWASP ASVS v5.0 | App security verification standard | 🟢 | ✅ | owasp.org |
| OWASP SAMM v2 | Software assurance maturity | 🟢 | ✅ | owaspsamm.org |
| OWASP MASVS | Mobile app security | 🟢 | ✅ | mas.owasp.org |
| SLSA | Supply-chain integrity levels | 🟢 | ✅ | slsa.dev |
| BSIMM | Software security maturity (descriptive) | 🟡 | 📥 | bsimm.com |
Internal audit & governance models
| Framework | What it is | Lic | Status | Source |
|---|---|---|---|---|
| IIA Global Internal Audit Standards (2024) | Internal-audit profession standards — 5 domains / 15 principles / 52 standards (PDF only, no structured file) | 🔴 | ✅ | theiia.org/standards |
| IIA Topical Requirements | Mandatory audit requirement sets — Cybersecurity, Third-Party, Org Resilience (crosswalk to NIST/CRI/DORA) | 🔴 | ✅ | theiia.org |
| COSO Internal Control + ERM | Governance / internal-control / ERM | 🔴 | 📥 | coso.org |
| COBIT 2019 | IT governance & management (objectives/practices/activities XLSX in the toolkit) | 🔴 | ✅ | isaca.org/cobit |
| IIA Three Lines Model | Risk governance roles | 🟢 | ✅ | theiia.org |
Licensing & copyright — what Crosswalker can share
Raw framework sources split three ways for handling:
| Tier | Frameworks | Handling |
|---|---|---|
| 🟢 Public domain / free | NIST, MITRE, FedRAMP, FFIEC, HIPAA, CMMC, CISA, DORA + EU law | commit-safe |
| 🟡 Registration / restrictive CC | CIS (Controls + Benchmarks), Secure Controls Framework | local only |
| 🔴 Copyrighted | CRI, ISO, AICPA / SOC 2, PCI, HITRUST, COBIT, COSO, IIA | local only |
The raw corpus lives at repo-root Frameworks/ — local-by-default (fail-closed gitignore); copyrighted source files go in Frameworks/_licensed/ and are never committed.
The part that matters for using them: Crosswalker stores the transform logic (the import recipes + crosswalk mappings) and your derived output (paraphrased concept notes + crosswalk junction notes) — not the raw copyrighted text. So the mapping logic stays shareable even when the source standard isn’t, which is how copyrighted inputs (CRI, ISO, PCI) can feed a crosswalk graph you can still publish. That’s the schema-as-primitive idea.
Related
- ETL & import pipeline — how sources get cleaned, ingested, and mapped (schema-as-primitive)
- Unified risk model — the CRI-centered shared model this corpus feeds
- Using in practice — per-domain implementations (internal audit, GRC/ISRM, regulatory compliance)
- Control-centric vs obligation-centric compliance — why control frameworks and regulations sit differently
- Registry — each framework’s home page + canonical facts
- Framework data sources — sheets, columns, ID formats, transforms per framework