Skip to content

Add NIST CSF AI ZTA SLSA evidence overlays#1472

Open
jddark62 wants to merge 1 commit into
UnitOneAI:mainfrom
jddark62:improve/nist-csf-ai-zta-slsa-1464
Open

Add NIST CSF AI ZTA SLSA evidence overlays#1472
jddark62 wants to merge 1 commit into
UnitOneAI:mainfrom
jddark62:improve/nist-csf-ai-zta-slsa-1464

Conversation

@jddark62

@jddark62 jddark62 commented Jun 6, 2026

Copy link
Copy Markdown

Summary

Closes #1464.

This updates nist-csf-assessment with supplemental evidence overlays for AI governance, Zero Trust maturity, software supply-chain integrity, platform-managed encryption context, and policy-as-code maturity while preserving official NIST CSF 2.0 subcategory IDs.

What Changed

  • Add CSF-SUPP-01 through CSF-SUPP-07 checks for missing AI RMF evidence, AI transparency/provenance/monitoring gaps, unsupported Zero Trust maturity claims, Tier 4 claims without continuous verification or policy-as-code evidence, missing SLSA/software integrity evidence, CMEK false positives for lower-risk platform-managed encryption, and missing Not Evaluable evidence states.
  • Add supplemental mapping for AI RMF, CISA ZTMM, SLSA/software integrity, and policy-as-code to existing CSF 2.0 categories.
  • Clarify that AI RMF, ZTMM, SLSA, and policy-as-code are informative evidence overlays, not invented CSF subcategories.
  • Add PR.DS-01 guidance so platform-managed encryption can satisfy Tier 2 / Risk Informed cases when documented and aligned to risk appetite, while reserving CMEK/HSM/BYOK expectations for higher-risk Tier 3/4 targets.
  • Add Tier 4 / Adaptive scoring guidance requiring operational signals such as policy-as-code drift detection, control tests, ZT telemetry, provenance checks, and AI model monitoring.
  • Extend the assessment output with a supplemental evidence overlay table.
  • Add six YAML fixtures covering missing AI RMF governance, Zero Trust tool-only claims, supplier contracts without SLSA evidence, Tier 2 platform encryption false positive, Adaptive claims without policy-as-code, and a complete overlay package.

Validation

  • git diff --check
  • Parsed all 6 YAML fixtures successfully
  • Markdown fence balance check
  • Marker/content scan for CSF-SUPP, AI RMF, Zero Trust, SLSA, policy-as-code, platform-managed encryption, CMEK, Not Evaluable, and 1.0.1
  • Live official reference checks returned HTTP 200 for NIST AI RMF, CISA Zero Trust Maturity Model, SLSA, Open Policy Agent, and NIST Cybersecurity Framework
  • Privacy scan for local paths, personal email, and workspace identifiers

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms.
  • Preferred payment method can be coordinated privately after maintainer acceptance.

/claim #1464

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[REVIEW] nist-csf-assessment: add AI-specific GOVERN metrics and NIST AI RMF 1.0 mapping

1 participant

@jddark62