Framework accuracy: CSF 2.0 six functions, ISO 27001:2022, EU AI Act Art. 60→71 (#33)
Merged
Correctness audit surfaced several claims a GRC practitioner
would immediately spot. This PR lands all Tier 1 + Tier 2
findings so the repo reflects current standards.
## Tier 1
### NIST CSF 2.0 — 6 functions, 2.0-format IDs
The framework claimed "NIST CSF 2.0" but used CSF 1.1's
5-function structure. CSF 2.0 (NIST.CSWP.29, Feb 2024) adds
GOVERN as the sixth function and repositions it as the
organizational core. Subcategory IDs are also zero-padded in
2.0, and several categories were restructured (PR.AC → PR.AA,
PR.IP dissolved, supply-chain got its own GV.SC category,
DE.CM-4 / DE.CM-8 consolidated into DE.CM-09).
- Widened the `function` union to include "Govern" first.
- Added two Govern controls: GV.PO-01 (policy) and GV.SC-01
(supply-chain risk management, backed by dependency scan +
third-party inventory).
- Renumbered every existing control to the 2.0 subcategory ID
(ID.AM-01, ID.RA-01, PR.AA-01, PR.AA-05, PR.DS-01, PR.DS-02,
PR.DS-10, PR.PS-01, DE.CM-09, RS.MA-01, RS.CO-02, RC.RP-01).
- Moved the "vulnerability disclosure processes" concept to
ID.RA-08 (a new 2.0 subcategory) and combined continuous
monitoring into DE.CM-09.
- `getNistFunctionScores()` + the phase-grid loop now iterate
all 6 functions.
### ISO 27001:2022 Annex A
All cross-references used 2013's four-component codes
(`A.8.1.1`, `A.12.6.1`, `A.16.1.1`). The :2022 revision
restructured Annex A into 93 controls across 4 themes with
two-component IDs. The transition from :2013 ended October
2025 so certifiers are on :2022 today.
Remapped every code:
- `A.8.1.1` → `A.5.9` (Inventory of information and other associated assets)
- `A.9.2.1` → `A.5.16` (Identity management)
- `A.9.4.3` → `A.5.17` (Authentication information)
- `A.10.1.1` → `A.8.24` (Use of cryptography)
- `A.12.6.1` → `A.8.8` (Management of technical vulnerabilities)
- `A.13.1.1` → `A.8.20` (Networks security)
- `A.16.1.1` → `A.5.24` (Incident management planning)
- `A.16.1.2` → `A.6.8` (Reporting of information security events)
- `A.17.1.1` → `A.5.29` (Information security during disruption)
- …plus others
### EU AI Act Article 60 misattribution
Our ART-60 was titled "EU database registration" — but
Article 60 in Regulation (EU) 2024/1689 is "Testing of
high-risk AI systems in real world conditions outside AI
regulatory sandboxes." The EU database is actually
established by **Article 71**; the registration obligations
themselves live in **Article 49** (providers) and
**Article 26(8)** (public-sector deployers).
Renamed ART-60 → ART-71 with the corrected description
pointing to Articles 49 and 26(8) for the underlying
registration duty. Updated every downstream reference in
the checklist, ai-compliance report methodology, inventory
view footer, and cross-map.
### "Compliant" framing
Log line + report titles used "Compliance Report" / "X%
compliant" despite our own CONTRIBUTING.md warning against
this phrasing. Changed to "Coverage Report" (NIST CSF) and
"Assessment Report" (EU AI Act), with an explicit scope
disclaimer in the summary text ("This score reflects X of
NIST CSF 2.0's ~106 subcategories — it is not a claim of
full framework compliance").
## Tier 2
### Article 5 prohibited practices — full 8-item list
The old description listed 4 of the 8 prohibitions. Rewrote
to enumerate all eight from Article 5(1)(a)–(h): subliminal
techniques, exploitation of vulnerabilities, social scoring,
predictive policing by profiling, untargeted facial image
scraping, emotion inference in work/education, biometric
categorization inferring sensitive attributes, and real-time
remote biometric identification in public by law enforcement.
### Article 27 FRIA scope — narrowed
FRIA previously fired on every high-risk EU-market system.
Article 27(1) narrows to three deployer types: public
authorities, private entities providing public services, and
deployers of Annex III point 5(b)/(c) credit/insurance
systems. The scanner can't tell from a manifest which
deployer type applies, so we now report "partial" with
instructional evidence asking the deployer to verify scope
rather than flagging every high-risk EU system as fail.
### Article 12 record-keeping — dropped unsourced claim
Removed the "six-month minimum retention recommended by
guidance" line — it was unsourced. Replaced with the actual
regulatory citations: Article 12(3) sets retention
"appropriate to intended purpose"; Article 19 sets the 10-year
documentation retention for providers.
### Article 73 serious incident timelines
Evidence string now quotes the full Article 73(4) tiered
deadlines: 15 days default, 10 days when an incident led to
a person's death, 2 days for widespread infringement or
irreversible critical-infrastructure disruption.
### NIST SP 800-61 lifecycle
IRP template claimed "Prepare → Detect → Contain → Eradicate
→ Recover → Lessons Learned" — that six-phase flow isn't in
SP 800-61. Rev. 2 uses four phases: Preparation → Detection
& Analysis → Containment, Eradication & Recovery →
Post-Incident Activity. Updated the template + cited the
revision explicitly.
### EU AI Act timeline + fines claim
Checklist said "enforceable August 2026 with fines up to
€35M or 7%". Both oversimplified. Added the full staggered
Article 113 schedule (Feb 2025 / Aug 2025 / Aug 2026 / Aug
2027) and the tiered Article 99 fines (€35M/7% for Art. 5
prohibited, €15M/3% for most obligations, €7.5M/1% for
false information).
### CCPA/CPRA framing
CCPA citation updated to "CCPA §1798.100 (as amended by
CPRA)" to reflect the 2023 substantive amendments.
### Framework version disclosure
Report headers now cite versions explicitly: NIST CSF 2.0
(NIST.CSWP.29, Feb 2024); SOC 2 TSC 2017 (revised 2022);
ISO/IEC 27001:2022 Annex A; NIST AI RMF (AI 100-1, v1.0,
Jan 2023); ISO/IEC 42001:2023 Annex A; EU AI Act (OJ L,
12 July 2024).
## Documentation
- README: framework table now names all 6 CSF 2.0 functions
+ cites TSC 2017 (rev. 2022) + ISO/IEC 27001:2022.
- grc-fundamentals.md: rewrote the NIST CSF, SOC 2, and ISO
27001 sections with accurate structure and version info.
- implementation-checklist.md: framework mapping item now
enumerates all six functions, names the 2.0-format IDs,
and explicitly flags "not a claim of full framework
compliance". Phase 8C intro carries the staggered
timeline + tiered fines.
## Testing
71/71 tests passing. Risk classifier and exports tests
updated to use 2.0-format IDs. Framework report output
rendered end-to-end on this repo: 16 controls mapped, six
functions each scoring individually, CSF 2.0 + ISO
27001:2022 citations in the report header.
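One way to implement the six-function scoring and the zero-padded 2.0-ID check described in this PR, as an added TypeScript example that is not the project's own code; the `Control` shape, the status values, the half-credit weighting for "partial", and the sample controls are assumptions:

```typescript
// Added example (not the project's own code): per-function CSF 2.0 coverage
// scoring. Control IDs, statuses and SAMPLE_CONTROLS are constructed for illustration.
type CsfFunction = "Govern" | "Identify" | "Protect" | "Detect" | "Respond" | "Recover";
type Status = "pass" | "partial" | "fail";
interface Control { id: string; status: Status; }
interface FunctionScore { fn: CsfFunction; mapped: number; score: number | null; }

// Govern first, matching the PR's widened `function` union.
const CSF_FUNCTIONS: readonly CsfFunction[] =
  ["Govern", "Identify", "Protect", "Detect", "Respond", "Recover"];
const PREFIX_TO_FUNCTION: Record<string, CsfFunction> =
  { GV: "Govern", ID: "Identify", PR: "Protect", DE: "Detect", RS: "Respond", RC: "Recover" };

// CSF 2.0 subcategory IDs are zero-padded (GV.SC-01, PR.AA-05, DE.CM-09);
// a 1.1-style ID such as PR.AC-1 or DE.CM-4 is rejected rather than mis-scored.
const CSF2_ID = /^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$/;

function functionOf(id: string): CsfFunction {
  if (!CSF2_ID.test(id)) throw new Error(`not a CSF 2.0 subcategory ID: ${id}`);
  return PREFIX_TO_FUNCTION[id.slice(0, 2)];
}

// Iterates all six functions; a function with nothing mapped scores null so a
// missing Govern mapping cannot silently read as 0% or 100%.
// "partial" counts as half credit (an assumption, not the project's weighting).
function getNistFunctionScores(controls: Control[]): FunctionScore[] {
  return CSF_FUNCTIONS.map((fn) => {
    const inFn = controls.filter((c) => functionOf(c.id) === fn);
    const credit = inFn.reduce((acc, c) =>
      acc + (c.status === "pass" ? 1 : c.status === "partial" ? 0.5 : 0), 0);
    const score = inFn.length === 0 ? null : Math.round((100 * credit) / inFn.length);
    return { fn, mapped: inFn.length, score };
  });
}

// Scope wording from the PR: coverage of mapped subcategories, not a compliance claim.
const CSF2_SUBCATEGORY_COUNT = 106; // approximate count as quoted in the PR
function coverageSummary(controls: Control[]): string {
  return `This score reflects ${controls.length} of NIST CSF 2.0's ~${CSF2_SUBCATEGORY_COUNT}` +
    " subcategories; it is not a claim of full framework compliance.";
}

// Constructed sample: no Recover control mapped, so RC reports null.
const SAMPLE_CONTROLS: Control[] = [
  { id: "GV.PO-01", status: "pass" }, { id: "GV.SC-01", status: "partial" },
  { id: "ID.AM-01", status: "pass" }, { id: "ID.RA-08", status: "fail" },
  { id: "PR.AA-05", status: "pass" }, { id: "DE.CM-09", status: "pass" },
  { id: "RS.MA-01", status: "fail" },
];
```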
Thorough correctness pass after a systematic audit. Every claim that a seasoned GRC professional would recognize as stale or wrong is now fixed. The repo is ready for a GRC-audience LinkedIn post after this merges.
Tier 1 — the headline fixes
NIST CSF 2.0 structural correctness
Framework declared "CSF 2.0" but used CSF 1.1's five-function structure. CSF 2.0 (NIST.CSWP.29, Feb 2024) adds GOVERN as the sixth function — the headline change of the 2.0 release. Now:
- Every control renumbered to the 2.0 subcategory ID (GV.PO-01, ID.AM-01, PR.AA-01, PR.AA-05, PR.DS-01, PR.DS-02, PR.DS-10, PR.PS-01, DE.CM-09, RS.MA-01, RS.CO-02, RC.RP-01, + new GV.SC-01 supply chain + ID.RA-08 vulnerability disclosure)
- `getNistFunctionScores` + phase-grid loops iterate all 6 functions
ISO 27001:2022 Annex A
All cross-references used :2013 four-component codes. The :2013 → :2022 transition ended October 2025 — any certifier is on :2022. Remapped every code to :2022 two-component form (A.8.1.1→A.5.9; A.9.4.3→A.5.17; A.12.6.1→A.8.8; A.13.1.1→A.8.20; A.16.1.1→A.5.24; etc.).
EU AI Act Article 60 misattribution (factual error)
Our ART-60 was "EU database registration". Article 60 in Regulation (EU) 2024/1689 is actually about "testing of high-risk AI systems in real-world conditions outside AI regulatory sandboxes." The EU database is established by Article 71; the registration duties themselves live in Article 49 (providers) and Article 26(8) (public-sector deployers). Renamed ART-60 → ART-71 and corrected every downstream reference.
"Compliance" → "Coverage/Assessment"
Report titles, log lines, and summary labels said "Compliance" despite our own CONTRIBUTING.md warning against it. Titled reports as "Coverage Report" (CSF) / "Assessment Report" (EU AI Act) and added an explicit scope caveat: "This score reflects 18 of NIST CSF 2.0's ~106 subcategories — it is not a claim of full framework compliance."
Tier 2 — correctness on the details
Documentation updated
Test plan
- `npm run lint` clean (42 files)
- `npm test` — 71/71 passing (risk classifier + exports tests updated to new IDs; FRIA test updated for new scope-aware check)
- `npm run smoke:dashboard` green
- `npm run scan -- .` produces `.grc/nist-csf-report.md` with all six functions scored and the correct scope disclaimer
What remains (Tier 3 — pedantic specialist items, deferred)