shipstuff · jeftekhari · Apr 20, 2026 · Apr 20, 2026
diff --git a/README.md b/README.md
@@ -15,7 +15,7 @@ On every push or PR, the scanner produces:
 | `incident-response-plan.md` | `docs/policies/` | NIST SP 800-61 based IRP |
 | `security.txt` | `.well-known/` | RFC 9116 security contact file |
 | `risk-assessment.md` | `.grc/` | Likelihood x impact matrix with framework mappings |
-| `nist-csf-report.md` | `.grc/` | 18 NIST CSF controls with SOC 2 + ISO 27001 cross-mapping |
+| `nist-csf-report.md` | `.grc/` | 18 NIST CSF 2.0 subcategories (across all six functions — Govern, Identify, Protect, Detect, Respond, Recover) with SOC 2 TSC 2017 (rev. 2022) + ISO/IEC 27001:2022 cross-mapping |
 | `security-headers-report.md` | `.grc/` | Header status + starter-snippet fixes (CSP typically needs manual review) |
 | `access-controls-report.md` | `.grc/` | Branch protection and auth findings |
 
@@ -156,7 +156,7 @@ Policies live at `docs/policies/` and `.well-known/security.txt` - those DO get
 
 The dashboard shows compliance posture across all your repos:
 
-- Org-wide stats (compliance %, NIST CSF %, vulnerabilities, secrets)
+- Org-wide stats (score vs. mapped controls, NIST CSF coverage, vulnerabilities, secrets)
 - Per-repo detail with data collection, headers, TLS, deps, access controls, artifacts
 - NIST CSF tab with per-function scores and SOC 2 / ISO 27001 cross-references
 - **AI tab** with detected AI systems (provider, SDK, category), risk tier, and data flows
@@ -271,7 +271,7 @@ GRC-Observability-Dashboard/
     index.ts                 # Scanner entry point
     rules/                   # Detection rules
     generators/              # Report generators
-    frameworks/              # NIST CSF + SOC 2 + ISO 27001 cross-mappings
+    frameworks/              # NIST CSF 2.0 + EU AI Act + cross-mappings to SOC 2 TSC / ISO 27001:2022 / ISO/IEC 42001:2023 / NIST AI RMF
     templates/               # Handlebars policy templates
     ai/                      # Optional AI enhancement layer
   examples/

diff --git a/dashboard/views/render.ts b/dashboard/views/render.ts
@@ -1311,7 +1311,7 @@ export function renderInventoryView(rows: InventoryRow[], orgName: string = ""):
       tableHtml += `</tr>`;
     }
     tableHtml += `</table>`;
-    tableHtml += `<p class="note"><strong>Inventory scope.</strong> This view aggregates AI systems across every repo currently scanned by the dashboard. Rows marked with \u2605 have their risk tier set by an explicit override in <code>.grc/config.yml</code>; other rows are heuristic classifications. <strong>Use.</strong> This list is intended as the source document for EU AI Act Article 60 registration of high-risk systems and for auditor evidence packages. Export as CSV via the button above.</p>`;
+    tableHtml += `<p class="note"><strong>Inventory scope.</strong> This view aggregates AI systems across every repo currently scanned by the dashboard. Rows marked with \u2605 have their risk tier set by an explicit override in <code>.grc/config.yml</code>; other rows are heuristic classifications. <strong>Use.</strong> This list is intended as an internal AI systems inventory feeding the EU AI Act Article 49 / Article 26(8) registration flow (EU database established by Article 71) and for auditor evidence packages. Export as CSV via the button above.</p>`;
     tableHtml += `</div>`;
   }
 

diff --git a/dashboard/worker.ts b/dashboard/worker.ts
@@ -237,7 +237,7 @@ function calcNistScore(results: ReturnType<typeof evaluateFramework>): number {
 }
 
 export function getNistFunctionScores(results: ReturnType<typeof evaluateFramework>): FunctionScore[] {
-  return ["Identify", "Protect", "Detect", "Respond", "Recover"].map(fn => {
+  return ["Govern", "Identify", "Protect", "Detect", "Respond", "Recover"].map(fn => {
     const controls = results.filter(r => r.control.function === fn);
     const applicable = controls.filter(r => r.status !== "not-applicable");
     const passed = applicable.filter(r => r.status === "pass").length;

diff --git a/docs/grc-fundamentals.md b/docs/grc-fundamentals.md
@@ -10,30 +10,35 @@ Quick reference for core GRC concepts as they relate to this project.
 
 ## Key Frameworks
 
-### NIST Cybersecurity Framework (CSF)
-Five core functions:
-1. **Identify** — Know your assets, data, and risks
-2. **Protect** — Implement safeguards (access controls, encryption, training)
-3. **Detect** — Monitor for anomalies and incidents
-4. **Respond** — Have a plan for when incidents occur
-5. **Recover** — Restore capabilities after an incident
+### NIST Cybersecurity Framework (CSF) 2.0
+Published February 2024 (NIST.CSWP.29). **Six** core functions — the previous five functions, plus `Govern` newly promoted to the organizational core:
+1. **Govern (GV)** — Establish and monitor cybersecurity risk management strategy, expectations, and policy (NEW in 2.0)
+2. **Identify (ID)** — Know your assets, data, dependencies, and risks
+3. **Protect (PR)** — Implement safeguards (identity, access, data security, platform security, training)
+4. **Detect (DE)** — Monitor for adverse events
+5. **Respond (RS)** — Manage and communicate during incidents
+6. **Recover (RC)** — Restore assets and operations after an incident
+
+Subcategory IDs in CSF 2.0 are zero-padded (e.g. `ID.AM-01`, `PR.AA-01`); older `ID.AM-1`-style IDs are CSF 1.1.
 
 ### SOC 2
-Five Trust Service Criteria:
-1. **Security** — Protection against unauthorized access
+The AICPA's Trust Services Criteria, 2017 edition (revised 2022). Five Trust Services Categories:
+1. **Security** — Protection against unauthorized access (mandatory baseline)
 2. **Availability** — System is available for operation and use
 3. **Processing Integrity** — System processing is complete, valid, accurate
 4. **Confidentiality** — Information designated as confidential is protected
 5. **Privacy** — Personal information is collected, used, retained properly
 
-Type I = controls exist at a point in time. Type II = controls work over a period (usually 6-12 months).
+Type I = a point-in-time attestation that controls exist and are designed appropriately. Type II = a period-of-time attestation (usually 3-12 months) that controls operated effectively.
+
+### ISO/IEC 27001:2022
+International standard for Information Security Management Systems (ISMS), 2022 revision. Annex A lists 93 controls organised into four themes:
+- `A.5` Organizational (37 controls)
+- `A.6` People (8 controls)
+- `A.7` Physical (14 controls)
+- `A.8` Technological (34 controls)
 
-### ISO 27001
-International standard for Information Security Management Systems (ISMS). Has ~93 controls across:
-- Organizational controls
-- People controls
-- Physical controls
-- Technological controls
+Codes use two components (e.g. `A.5.23`, `A.8.9`). The 2013 four-component form (`A.8.1.1`, `A.12.6.1`) is obsolete — the transition ended October 2025.
 
 ### GDPR (General Data Protection Regulation)
 EU regulation. Key requirements:

diff --git a/docs/implementation-checklist.md b/docs/implementation-checklist.md
@@ -104,15 +104,15 @@ The single source of truth for the GRC Observability Dashboard roadmap. Each ite
 - **GRC concept:** Risk treatment options (accept, mitigate, transfer, avoid)
 
 ### Item 11: Framework Mapping — DONE
-- [x] NIST CSF 2.0 as primary framework (18 controls mapped)
-- [x] Each scan check maps to NIST CSF subcategories with pass/partial/fail/N/A evaluation
-- [x] Per-function compliance percentages (Identify, Protect, Detect, Respond, Recover)
-- [x] Cross-mapped to SOC 2 Trust Service Criteria (12 controls)
-- [x] Cross-mapped to ISO 27001 Annex A (22 controls)
+- [x] NIST CSF 2.0 as primary framework — 18 subcategories mapped (NIST.CSWP.29, February 2024)
+- [x] Each scan check maps to CSF 2.0 subcategory IDs (`GV.PO-01`, `ID.AM-01`, `PR.AA-01`, etc.) with pass/partial/fail/N/A evaluation
+- [x] Per-function scores across all six CSF 2.0 functions: **Govern, Identify, Protect, Detect, Respond, Recover**
+- [x] Cross-mapped to SOC 2 Trust Services Criteria, 2017 edition (revised 2022)
+- [x] Cross-mapped to ISO/IEC 27001:2022 Annex A (two-component IDs matching the current standard; 2013's four-component codes are obsolete)
 - [x] Evidence strings for every control assessment
 - [x] Gaps section highlighting failures with specific evidence
 - **GRC concept:** Control frameworks, control objectives, evidence collection
-- **Known limitation:** 18 of NIST CSF 2.0's ~100 subcategories. "75% NIST CSF compliant" is 75% of our 18 controls, not the full framework.
+- **Known limitation:** 18 of NIST CSF 2.0's ~106 subcategories are evaluated. The overall score reports % of mapped controls passing — it is **not** a claim of full framework compliance. Report titles use "Coverage Report" / "Assessment Report" rather than "Compliance Report" for this reason.
 
 ## Phase 4: AI Enhancement Layer — VALIDATED
 
@@ -262,7 +262,7 @@ Optional module — scanner works fully without AI. If an API key is provided, A
 
 ## Phase 8: AI Compliance Layer — DONE
 
-**Why this direction:** The EU AI Act becomes enforceable August 2026 with fines up to €35M or 7% of global turnover. The scanner already detects AI SDK usage via dependency scanning but does nothing AI-compliance-specific with those findings. This phase turns "security compliance scanner" into "security + AI compliance scanner."
+**Why this direction:** The EU AI Act (Regulation (EU) 2024/1689) applies in staggered phases under Article 113 — prohibitions from 2 Feb 2025, governance and GPAI from 2 Aug 2025, most high-risk provisions from 2 Aug 2026, and Article 6(1) products embedded in harmonized legislation from 2 Aug 2027. Article 99 sets tiered fines: up to €35M or 7% of worldwide annual turnover for Article 5 prohibited practices; €15M or 3% for most other obligations; €7.5M or 1% for supplying incorrect information. The scanner already detects AI SDK usage via dependency scanning but did nothing AI-compliance-specific with those findings. This phase turns "security compliance scanner" into "security + AI compliance scanner."
 
 **Our own meta-obligation:** The scanner uses Anthropic/OpenAI in its AI layer. That makes the dashboard itself an "AI system" under the EU AI Act. When we ship this, the scanner should scan itself and produce its own AI compliance documentation.
 
@@ -306,12 +306,12 @@ Optional module — scanner works fully without AI. If an API key is provided, A
 
 ### Sub-phase C: EU AI Act Framework Mapping — DONE
 - [x] New framework file `scanner/frameworks/eu-ai-act.ts` with 13 articles as `AIFrameworkControl` entries and per-article `check(manifest)` / `evidence(manifest)` functions
-- [x] Covers Articles 4 (AI literacy), 5 (prohibited), 9 (risk management), 10 (data governance), 11 (technical docs), 12 (record keeping), 13 (transparency), 14 (human oversight), 15 (accuracy/robustness), 27 (FRIA), 50 (transparency to users), 60 (registration), 73 (incident notification)
+- [x] Covers Articles 4 (AI literacy), 5 (prohibited practices), 9 (risk management), 10 (data governance), 11 (technical documentation), 12 (record-keeping), 13 (transparency to deployers), 14 (human oversight), 15 (accuracy / robustness / cybersecurity), 27 (FRIA), 50 (transparency to users), **71 (EU database for Annex III high-risk AI)** — registration obligations live in Articles 49 (providers) and 26(8) (public-sector deployers) — and 73 (serious incident reporting)
 - [x] Articles grouped by NIST AI RMF phase (Govern/Map/Measure/Manage) to parallel NIST CSF's 5-function structure
 - [x] Extended `scanner/frameworks/cross-map.ts` with `AICrossMapping` + `AI_CROSS_MAPPINGS` — each article cross-referenced to NIST AI RMF subcategories and ISO/IEC 42001 Annex A controls
 - [x] New report generator `scanner/generators/ai-compliance-report.ts` written to `.grc/ai-compliance-report.md` on every scan (mirrors NIST CSF report layout)
 - [x] `evaluateEUAIAct(manifest)`, `calcAIComplianceScore(results)`, and `getAIPhaseScores(results)` exported for dashboard consumption
-- [x] Risk-tier-based applicability: high-risk-only articles (9/11/12/13/14/15/27/60/73) show `not-applicable` unless a `high`/`prohibited` system is detected. Article 5 always applies. Article 50 applies at `limited` and above. Articles 27 and 60 additionally require `eu_market: true`.
+- [x] Risk-tier-based applicability: high-risk-only articles (9/11/12/13/14/15/27/71/73) show `not-applicable` unless a `high`/`prohibited` system is detected. Article 5 always applies. Article 50 applies at `limited` and above. Articles 27 (FRIA) and 71 (EU database) additionally require `eu_market: true`; Article 27 further requires a specific deployer type (public authority, private provider of public services, or Annex III 5(b)/(c) credit/insurance deployer).
 - [x] `euMarket` field added to `AISystem`; propagated at classifier time from the `ai_systems:` override or defaulted from `jurisdiction` (GDPR → EU market by default)
 - **GRC concept:** Framework pluralism — same findings, multiple framework views
 - **Known limitation:** Many articles resolve to `partial` with instructional evidence because they are program-level obligations the scanner cannot auto-verify (AI literacy training, runtime logging, registration status). The tool surfaces the obligation; closing it is off-scanner.