{
  "generated_utc": "2026-04-29T19:20:32Z",
  "rollups": {
    "tier-1": {
      "common_clause_count": 239,
      "coverage_pct": 100.0,
      "covered_count": 239,
      "priority_weight_covered": 219.7,
      "priority_weight_pct": 100.0,
      "priority_weight_total": 219.7
    },
    "tier-2": {
      "common_clause_count": 148,
      "coverage_pct": 100.0,
      "covered_count": 148,
      "priority_weight_covered": 142.6,
      "priority_weight_pct": 100.0,
      "priority_weight_total": 142.6
    },
    "tier-3": {
      "common_clause_count": 2,
      "coverage_pct": 100.0,
      "covered_count": 2,
      "priority_weight_covered": 1.7,
      "priority_weight_pct": 100.0,
      "priority_weight_total": 1.7
    }
  },
  "schema_version": "1.0.0",
  "tiers": {
    "tier-1": {
      "cmmc": {
        "name": "Cybersecurity Maturity Model Certification",
        "short_name": "CMMC",
        "tier": 1,
        "versions": {
          "2.0": {
            "authoritative_url": "https://dodcio.defense.gov/CMMC/",
            "clauses": [
              {
                "clause": "AC.L2-3.1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Authorized access to systems",
                "uc_count": 2,
                "uc_ids": [
                  "22.20.1",
                  "22.32.17"
                ]
              },
              {
                "clause": "AC.L2-3.1.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Least privilege",
                "uc_count": 2,
                "uc_ids": [
                  "22.20.14",
                  "22.20.2"
                ]
              },
              {
                "clause": "AU.L2-3.3.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Create audit records",
                "uc_count": 2,
                "uc_ids": [
                  "10.12.40",
                  "22.20.3"
                ]
              },
              {
                "clause": "AU.L2-3.3.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Ensure unique user traceability",
                "uc_count": 1,
                "uc_ids": [
                  "22.20.4"
                ]
              },
              {
                "clause": "AU.L2-3.3.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit reporting and correlation",
                "uc_count": 6,
                "uc_ids": [
                  "22.20.16",
                  "22.20.18",
                  "22.20.20",
                  "22.20.5",
                  "22.32.18",
                  "22.32.19"
                ]
              },
              {
                "clause": "CM.L2-3.4.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Baseline configurations",
                "uc_count": 3,
                "uc_ids": [
                  "22.20.10",
                  "22.20.17",
                  "22.20.6"
                ]
              },
              {
                "clause": "IR.L2-3.6.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Incident handling capability",
                "uc_count": 3,
                "uc_ids": [
                  "22.20.19",
                  "22.20.7",
                  "22.32.20"
                ]
              },
              {
                "clause": "SC.L2-3.13.8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Cryptographic mechanisms for CUI in transit",
                "uc_count": 1,
                "uc_ids": [
                  "22.20.8"
                ]
              },
              {
                "clause": "SI.L2-3.14.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Monitor for attacks",
                "uc_count": 6,
                "uc_ids": [
                  "22.20.11",
                  "22.20.12",
                  "22.20.13",
                  "22.20.15",
                  "22.20.9",
                  "22.32.21"
                ]
              }
            ],
            "common_clause_count": 9,
            "coverage_pct": 100.0,
            "covered_count": 9,
            "priority_weight_covered": 9.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 9.0
          }
        }
      },
      "dora": {
        "name": "EU Digital Operational Resilience Act",
        "short_name": "DORA",
        "tier": 1,
        "versions": {
          "Regulation (EU) 2022/2554": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/reg/2022/2554/oj",
            "clauses": [
              {
                "clause": "Art.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "ICT risk-management governance",
                "uc_count": 14,
                "uc_ids": [
                  "22.3.1",
                  "22.3.19",
                  "22.3.21",
                  "22.3.22",
                  "22.3.24",
                  "22.3.26",
                  "22.3.29",
                  "22.3.30"
                ]
              },
              {
                "clause": "Art.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "ICT risk-management framework",
                "uc_count": 4,
                "uc_ids": [
                  "22.11.106",
                  "22.3.1",
                  "22.3.41",
                  "22.6.46"
                ]
              },
              {
                "clause": "Art.7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "ICT systems, protocols and tools",
                "uc_count": 3,
                "uc_ids": [
                  "22.3.1",
                  "22.3.42",
                  "22.8.32"
                ]
              },
              {
                "clause": "Art.8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Identification",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.103",
                  "22.3.1",
                  "22.3.43"
                ]
              },
              {
                "clause": "Art.9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Protection and prevention",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.97",
                  "22.3.1",
                  "22.41.3"
                ]
              },
              {
                "clause": "Art.10",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Detection",
                "uc_count": 3,
                "uc_ids": [
                  "22.3.1",
                  "22.3.7",
                  "22.8.33"
                ]
              },
              {
                "clause": "Art.11",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Response and recovery",
                "uc_count": 3,
                "uc_ids": [
                  "22.3.1",
                  "22.3.5",
                  "22.3.8"
                ]
              },
              {
                "clause": "Art.12",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.45.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Backup policies and recovery methods",
                "uc_count": 6,
                "uc_ids": [
                  "22.3.1",
                  "22.3.5",
                  "22.3.9",
                  "22.35.3",
                  "22.45.1",
                  "22.45.3"
                ]
              },
              {
                "clause": "Art.17",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "ICT-related incident management process",
                "uc_count": 8,
                "uc_ids": [
                  "22.3.2",
                  "22.3.23",
                  "22.3.31",
                  "22.3.44",
                  "22.6.51",
                  "22.6.52",
                  "22.8.34",
                  "22.8.35"
                ]
              },
              {
                "clause": "Art.18",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Classification of ICT-related incidents",
                "uc_count": 2,
                "uc_ids": [
                  "22.3.11",
                  "22.3.2"
                ]
              },
              {
                "clause": "Art.19",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.39.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Reporting of major ICT-related incidents",
                "uc_count": 4,
                "uc_ids": [
                  "22.3.12",
                  "22.3.2",
                  "22.3.38",
                  "22.39.1"
                ]
              },
              {
                "clause": "Art.24",
                "covered": true,
                "draft_uc_count": 2,
                "draft_uc_ids": [
                  "22.45.5",
                  "22.46.4"
                ],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Digital operational-resilience testing",
                "uc_count": 7,
                "uc_ids": [
                  "22.11.105",
                  "22.3.25",
                  "22.3.27",
                  "22.3.28",
                  "22.3.3",
                  "22.3.39",
                  "22.3.45"
                ]
              },
              {
                "clause": "Art.26",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Threat-led penetration testing",
                "uc_count": 2,
                "uc_ids": [
                  "22.3.17",
                  "22.3.3"
                ]
              },
              {
                "clause": "Art.28",
                "covered": true,
                "draft_uc_count": 2,
                "draft_uc_ids": [
                  "22.38.5",
                  "22.44.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "ICT third-party risk",
                "uc_count": 7,
                "uc_ids": [
                  "22.3.4",
                  "22.3.40",
                  "22.38.3",
                  "22.44.1",
                  "22.44.2",
                  "22.44.3",
                  "22.8.37"
                ]
              }
            ],
            "common_clause_count": 14,
            "coverage_pct": 100.0,
            "covered_count": 14,
            "priority_weight_covered": 13.4,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 13.4
          }
        }
      },
      "gdpr": {
        "name": "General Data Protection Regulation",
        "short_name": "GDPR",
        "tier": 1,
        "versions": {
          "2016/679": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
            "clauses": [
              {
                "clause": "Art.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Principles of processing",
                "uc_count": 3,
                "uc_ids": [
                  "22.1.1",
                  "22.49.1",
                  "22.49.2"
                ]
              },
              {
                "clause": "Art.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Lawful basis",
                "uc_count": 6,
                "uc_ids": [
                  "10.4.75",
                  "10.4.79",
                  "10.7.154",
                  "11.3.11",
                  "22.1.1",
                  "22.37.1"
                ]
              },
              {
                "clause": "Art.7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Conditions for consent",
                "uc_count": 16,
                "uc_ids": [
                  "10.4.111",
                  "10.4.114",
                  "10.4.115",
                  "10.4.24",
                  "10.4.39",
                  "10.4.45",
                  "10.7.137",
                  "10.7.166"
                ]
              },
              {
                "clause": "Art.15",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Right of access",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.2",
                  "22.36.1"
                ]
              },
              {
                "clause": "Art.16",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Right to rectification",
                "uc_count": 1,
                "uc_ids": [
                  "22.1.2"
                ]
              },
              {
                "clause": "Art.17",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.49.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Right to erasure",
                "uc_count": 3,
                "uc_ids": [
                  "22.1.11",
                  "22.1.2",
                  "22.36.2"
                ]
              },
              {
                "clause": "Art.18",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Right to restrict processing",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.16",
                  "22.1.2"
                ]
              },
              {
                "clause": "Art.20",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Right to data portability",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.2",
                  "22.36.3"
                ]
              },
              {
                "clause": "Art.21",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Right to object",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.2",
                  "22.1.46"
                ]
              },
              {
                "clause": "Art.22",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Automated decision making",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.18",
                  "22.1.2"
                ]
              },
              {
                "clause": "Art.25",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Data protection by design and by default",
                "uc_count": 1,
                "uc_ids": [
                  "22.1.9"
                ]
              },
              {
                "clause": "Art.28",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Processor obligations",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.15",
                  "22.44.2"
                ]
              },
              {
                "clause": "Art.30",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Records of processing",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.43",
                  "22.1.8"
                ]
              },
              {
                "clause": "Art.32",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Security of processing",
                "uc_count": 8,
                "uc_ids": [
                  "10.11.62",
                  "10.3.89",
                  "22.1.10",
                  "22.1.41",
                  "22.1.7",
                  "22.35.2",
                  "22.35.3",
                  "22.41.1"
                ]
              },
              {
                "clause": "Art.33",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Breach notification to supervisory authority",
                "uc_count": 5,
                "uc_ids": [
                  "22.1.29",
                  "22.1.3",
                  "22.39.1",
                  "22.39.2",
                  "22.9.4"
                ]
              },
              {
                "clause": "Art.34",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Breach communication to data subjects",
                "uc_count": 2,
                "uc_ids": [
                  "22.1.13",
                  "22.39.3"
                ]
              },
              {
                "clause": "Art.35",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Data protection impact assessment (DPIA)",
                "uc_count": 1,
                "uc_ids": [
                  "22.1.14"
                ]
              },
              {
                "clause": "Art.44",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.38.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "International transfers — general principle",
                "uc_count": 6,
                "uc_ids": [
                  "22.1.36",
                  "22.1.38",
                  "22.1.44",
                  "22.1.6",
                  "22.38.1",
                  "22.38.3"
                ]
              },
              {
                "clause": "Art.45",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.38.5"
                ],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Transfers via adequacy decision",
                "uc_count": 6,
                "uc_ids": [
                  "22.1.36",
                  "22.1.38",
                  "22.1.39",
                  "22.1.44",
                  "22.1.6",
                  "22.38.2"
                ]
              },
              {
                "clause": "Art.46",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.38.4"
                ],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Transfers subject to safeguards",
                "uc_count": 6,
                "uc_ids": [
                  "22.1.36",
                  "22.1.38",
                  "22.1.44",
                  "22.1.6",
                  "22.38.1",
                  "22.38.2"
                ]
              }
            ],
            "common_clause_count": 20,
            "coverage_pct": 100.0,
            "covered_count": 20,
            "priority_weight_covered": 17.3,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 17.3
          }
        }
      },
      "hipaa-security": {
        "name": "HIPAA Security Rule",
        "short_name": "HIPAA Security",
        "tier": 1,
        "versions": {
          "2013-final": {
            "authoritative_url": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C",
            "clauses": [
              {
                "clause": "§164.308(a)(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security management process",
                "uc_count": 4,
                "uc_ids": [
                  "22.10.1",
                  "22.10.2",
                  "22.10.22",
                  "22.10.55"
                ]
              },
              {
                "clause": "§164.308(a)(3)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Workforce security",
                "uc_count": 1,
                "uc_ids": [
                  "22.10.4"
                ]
              },
              {
                "clause": "§164.308(a)(4)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Information access management",
                "uc_count": 1,
                "uc_ids": [
                  "22.10.21"
                ]
              },
              {
                "clause": "§164.308(a)(5)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.46.5"
                ],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Security awareness and training",
                "uc_count": 3,
                "uc_ids": [
                  "22.10.6",
                  "22.46.1",
                  "22.6.53"
                ]
              },
              {
                "clause": "§164.308(a)(6)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security incident procedures",
                "uc_count": 3,
                "uc_ids": [
                  "22.10.56",
                  "22.10.7",
                  "22.39.1"
                ]
              },
              {
                "clause": "§164.308(a)(7)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Contingency plan",
                "uc_count": 2,
                "uc_ids": [
                  "22.10.8",
                  "22.45.2"
                ]
              },
              {
                "clause": "§164.308(a)(8)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Evaluation",
                "uc_count": 1,
                "uc_ids": [
                  "22.10.9"
                ]
              },
              {
                "clause": "§164.310(a)(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Facility access controls",
                "uc_count": 1,
                "uc_ids": [
                  "22.10.31"
                ]
              },
              {
                "clause": "§164.310(d)(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Device and media controls",
                "uc_count": 3,
                "uc_ids": [
                  "22.10.29",
                  "22.49.1",
                  "22.49.2"
                ]
              },
              {
                "clause": "§164.312(a)(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Access control",
                "uc_count": 3,
                "uc_ids": [
                  "22.10.21",
                  "22.10.24",
                  "22.10.25"
                ]
              },
              {
                "clause": "§164.312(a)(2)(iv)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Encryption and decryption",
                "uc_count": 2,
                "uc_ids": [
                  "22.10.16",
                  "22.41.1"
                ]
              },
              {
                "clause": "§164.312(b)",
                "covered": true,
                "draft_uc_count": 2,
                "draft_uc_ids": [
                  "22.35.1",
                  "22.35.5"
                ],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Audit controls",
                "uc_count": 3,
                "uc_ids": [
                  "10.12.16",
                  "22.10.17",
                  "22.10.36"
                ]
              },
              {
                "clause": "§164.312(c)(1)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.35.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Integrity",
                "uc_count": 3,
                "uc_ids": [
                  "22.10.18",
                  "22.10.27",
                  "22.35.2"
                ]
              },
              {
                "clause": "§164.312(d)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Person or entity authentication",
                "uc_count": 3,
                "uc_ids": [
                  "22.10.19",
                  "22.10.23",
                  "22.10.42"
                ]
              },
              {
                "clause": "§164.312(e)(1)",
                "covered": true,
                "draft_uc_count": 2,
                "draft_uc_ids": [
                  "22.41.4",
                  "22.45.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Transmission security",
                "uc_count": 6,
                "uc_ids": [
                  "22.10.20",
                  "22.10.22",
                  "22.10.26",
                  "22.41.2",
                  "22.8.31",
                  "22.8.38"
                ]
              }
            ],
            "common_clause_count": 15,
            "coverage_pct": 100.0,
            "covered_count": 15,
            "priority_weight_covered": 13.8,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 13.8
          }
        }
      },
      "iso-27001": {
        "name": "ISO/IEC 27001 — ISMS",
        "short_name": "ISO 27001",
        "tier": 1,
        "versions": {
          "2013": {
            "authoritative_url": "https://www.iso.org/standard/54534.html",
            "clauses": [
              {
                "clause": "A.9.2.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Review of user access rights (2013)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.3"
                ]
              },
              {
                "clause": "A.12.4.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Event logging (2013)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.2"
                ]
              },
              {
                "clause": "A.12.4.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Protection of log information (2013)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.38"
                ]
              },
              {
                "clause": "A.12.4.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Administrator and operator logs (2013)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.26"
                ]
              },
              {
                "clause": "A.16.1.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Reporting information security events (2013)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.39"
                ]
              }
            ],
            "common_clause_count": 5,
            "coverage_pct": 100.0,
            "covered_count": 5,
            "priority_weight_covered": 4.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 4.7
          },
          "2022": {
            "authoritative_url": "https://www.iso.org/standard/27001",
            "clauses": [
              {
                "clause": "6.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Risk assessment",
                "uc_count": 2,
                "uc_ids": [
                  "22.6.46",
                  "22.6.48"
                ]
              },
              {
                "clause": "6.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Information-security objectives",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.47"
                ]
              },
              {
                "clause": "7.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Competence",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.53"
                ]
              },
              {
                "clause": "7.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Documented information",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.54"
                ]
              },
              {
                "clause": "8.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Operational planning",
                "uc_count": 2,
                "uc_ids": [
                  "22.6.55",
                  "22.8.33"
                ]
              },
              {
                "clause": "8.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Information-security risk assessment",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.106",
                  "22.6.48",
                  "22.9.7"
                ]
              },
              {
                "clause": "9.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Monitoring, measurement, analysis and evaluation",
                "uc_count": 6,
                "uc_ids": [
                  "22.6.47",
                  "22.6.49",
                  "22.9.10",
                  "22.9.6",
                  "22.9.7",
                  "22.9.9"
                ]
              },
              {
                "clause": "9.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Internal audit",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.50"
                ]
              },
              {
                "clause": "A.5.7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Threat intelligence (2022 new)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.11"
                ]
              },
              {
                "clause": "A.5.15",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Access control",
                "uc_count": 1,
                "uc_ids": [
                  "22.40.2"
                ]
              },
              {
                "clause": "A.5.18",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Access rights review",
                "uc_count": 3,
                "uc_ids": [
                  "22.12.36",
                  "22.12.37",
                  "22.40.3"
                ]
              },
              {
                "clause": "A.5.23",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Information security in cloud services (2022 new)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.13"
                ]
              },
              {
                "clause": "A.5.24",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Incident management planning",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.105",
                  "22.3.44",
                  "22.6.51"
                ]
              },
              {
                "clause": "A.5.25",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Assessment and decision on events",
                "uc_count": 2,
                "uc_ids": [
                  "22.6.52",
                  "22.8.34"
                ]
              },
              {
                "clause": "A.8.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Privileged access rights",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.26"
                ]
              },
              {
                "clause": "A.8.9",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.42.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Configuration management (2022 new)",
                "uc_count": 2,
                "uc_ids": [
                  "22.11.92",
                  "22.6.32"
                ]
              },
              {
                "clause": "A.8.12",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Data leakage prevention",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.93",
                  "22.6.35",
                  "22.8.38"
                ]
              },
              {
                "clause": "A.8.15",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Logging",
                "uc_count": 2,
                "uc_ids": [
                  "22.11.99",
                  "22.6.38"
                ]
              },
              {
                "clause": "A.8.16",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Monitoring activities",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.104",
                  "22.6.1",
                  "22.6.39"
                ]
              },
              {
                "clause": "A.8.17",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Clock synchronisation",
                "uc_count": 2,
                "uc_ids": [
                  "22.11.100",
                  "22.6.40"
                ]
              },
              {
                "clause": "A.8.23",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Web filtering (2022 new)",
                "uc_count": 2,
                "uc_ids": [
                  "22.6.42",
                  "22.8.32"
                ]
              },
              {
                "clause": "A.8.25",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Secure development life cycle",
                "uc_count": 2,
                "uc_ids": [
                  "22.11.95",
                  "22.6.45"
                ]
              },
              {
                "clause": "A.8.28",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Secure coding (2022 new)",
                "uc_count": 1,
                "uc_ids": [
                  "22.6.45"
                ]
              }
            ],
            "common_clause_count": 23,
            "coverage_pct": 100.0,
            "covered_count": 23,
            "priority_weight_covered": 20.9,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 20.9
          }
        }
      },
      "nis2": {
        "name": "EU NIS2 Directive",
        "short_name": "NIS2",
        "tier": 1,
        "versions": {
          "Directive (EU) 2022/2555": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
            "clauses": [
              {
                "clause": "Art.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.2",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.47"
                ]
              },
              {
                "clause": "Art.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.3",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.47"
                ]
              },
              {
                "clause": "Art.12",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.12",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.51"
                ]
              },
              {
                "clause": "Art.20",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Governance",
                "uc_count": 4,
                "uc_ids": [
                  "22.2.20",
                  "22.2.41",
                  "22.2.42",
                  "22.2.48"
                ]
              },
              {
                "clause": "Art.20(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.20(1)",
                "uc_count": 2,
                "uc_ids": [
                  "22.2.48",
                  "22.2.57"
                ]
              },
              {
                "clause": "Art.20(2)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.20(2)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.48"
                ]
              },
              {
                "clause": "Art.21(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.21(1)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.48"
                ]
              },
              {
                "clause": "Art.21(2)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Legacy NIS2 mapping already present in the catalogue",
                "uc_count": 3,
                "uc_ids": [
                  "22.2.21",
                  "22.2.22",
                  "22.2.32"
                ]
              },
              {
                "clause": "Art.21(2)(a)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk analysis and information-system security policies",
                "uc_count": 6,
                "uc_ids": [
                  "22.2.18",
                  "22.2.26",
                  "22.2.36",
                  "22.2.37",
                  "22.2.56",
                  "22.2.6"
                ]
              },
              {
                "clause": "Art.21(2)(b)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.46.4"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident handling",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.23"
                ]
              },
              {
                "clause": "Art.21(2)(c)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.45.5"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Business continuity and crisis management",
                "uc_count": 5,
                "uc_ids": [
                  "22.2.17",
                  "22.2.24",
                  "22.2.4",
                  "22.2.40",
                  "22.2.53"
                ]
              },
              {
                "clause": "Art.21(2)(d)",
                "covered": true,
                "draft_uc_count": 3,
                "draft_uc_ids": [
                  "22.43.5",
                  "22.44.4",
                  "22.44.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Supply-chain security",
                "uc_count": 6,
                "uc_ids": [
                  "22.2.16",
                  "22.2.2",
                  "22.2.25",
                  "22.2.50",
                  "22.3.42",
                  "22.44.1"
                ]
              },
              {
                "clause": "Art.21(2)(e)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.43.3"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security in acquisition, development and maintenance",
                "uc_count": 6,
                "uc_ids": [
                  "22.2.15",
                  "22.2.27",
                  "22.2.3",
                  "22.2.38",
                  "22.2.51",
                  "22.43.1"
                ]
              },
              {
                "clause": "Art.21(2)(f)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Policies and procedures effectiveness",
                "uc_count": 5,
                "uc_ids": [
                  "22.2.39",
                  "22.2.43",
                  "22.2.51",
                  "22.2.57",
                  "22.2.9"
                ]
              },
              {
                "clause": "Art.21(2)(g)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Cyber-hygiene and training",
                "uc_count": 4,
                "uc_ids": [
                  "22.2.10",
                  "22.2.28",
                  "22.46.1",
                  "22.46.2"
                ]
              },
              {
                "clause": "Art.21(2)(h)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Cryptography and encryption",
                "uc_count": 3,
                "uc_ids": [
                  "22.2.11",
                  "22.2.29",
                  "22.41.2"
                ]
              },
              {
                "clause": "Art.21(2)(i)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Human resources and access control",
                "uc_count": 5,
                "uc_ids": [
                  "22.2.13",
                  "22.2.14",
                  "22.2.30",
                  "22.2.5",
                  "22.2.52"
                ]
              },
              {
                "clause": "Art.21(2)(j)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "MFA and secure communications",
                "uc_count": 3,
                "uc_ids": [
                  "22.2.12",
                  "22.2.46",
                  "22.2.52"
                ]
              },
              {
                "clause": "Art.21(3)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.21(3)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.50"
                ]
              },
              {
                "clause": "Art.21(4)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.21(4)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.48"
                ]
              },
              {
                "clause": "Art.21(5)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.21(5)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.56"
                ]
              },
              {
                "clause": "Art.22",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.22",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.50"
                ]
              },
              {
                "clause": "Art.23",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Reporting obligations",
                "uc_count": 8,
                "uc_ids": [
                  "22.2.1",
                  "22.2.33",
                  "22.2.45",
                  "22.2.49",
                  "22.3.44",
                  "22.39.1",
                  "22.39.2",
                  "22.9.4"
                ]
              },
              {
                "clause": "Art.23(1)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.39.5"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Legacy NIS2 mapping already present in the catalogue",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(2)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Legacy NIS2 mapping already present in the catalogue",
                "uc_count": 2,
                "uc_ids": [
                  "22.2.49",
                  "22.2.7"
                ]
              },
              {
                "clause": "Art.23(3)(a)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(3)(a)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(3)(b)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(3)(b)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(4)",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.39.4"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "NIS2 clause already mapped by a catalogue UC; retained for source traceability and no-gap validation.",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.8"
                ]
              },
              {
                "clause": "Art.23(4)(a)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(4)(a)",
                "uc_count": 2,
                "uc_ids": [
                  "22.2.1",
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(4)(b)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(4)(b)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(4)(c)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(4)(c)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(4)(d)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(4)(d)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(4)(e)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Art.23(4)(e)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(5)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Art.23(5)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(6)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Art.23(6)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(7)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Art.23(7)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(10)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Art.23(10)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.23(11)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Art.23(11)",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.49"
                ]
              },
              {
                "clause": "Art.24",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.24",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.56"
                ]
              },
              {
                "clause": "Art.25",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.25",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.56"
                ]
              },
              {
                "clause": "Art.26",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.26",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.47"
                ]
              },
              {
                "clause": "Art.27",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.27",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.47"
                ]
              },
              {
                "clause": "Art.28",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.28",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.55"
                ]
              },
              {
                "clause": "Art.29",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.29",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.55"
                ]
              },
              {
                "clause": "Art.30",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.6,
                "topic": "Art.30",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.55"
                ]
              },
              {
                "clause": "Art.31",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.6,
                "topic": "Art.31",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.54"
                ]
              },
              {
                "clause": "Art.32",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.6,
                "topic": "Legacy NIS2 mapping already present in the catalogue",
                "uc_count": 2,
                "uc_ids": [
                  "22.2.35",
                  "22.2.54"
                ]
              },
              {
                "clause": "Art.33",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.6,
                "topic": "Legacy NIS2 mapping already present in the catalogue",
                "uc_count": 2,
                "uc_ids": [
                  "22.2.35",
                  "22.2.54"
                ]
              },
              {
                "clause": "Art.34",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.6,
                "topic": "Art.34",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.54"
                ]
              },
              {
                "clause": "Art.35",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.6,
                "topic": "Art.35",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.54"
                ]
              },
              {
                "clause": "Annex I",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Annex I",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.47"
                ]
              },
              {
                "clause": "Annex II",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Annex II",
                "uc_count": 1,
                "uc_ids": [
                  "22.2.47"
                ]
              }
            ],
            "common_clause_count": 52,
            "coverage_pct": 100.0,
            "covered_count": 52,
            "priority_weight_covered": 45.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 45.0
          }
        }
      },
      "nist-800-53": {
        "name": "NIST SP 800-53 Rev. 5",
        "short_name": "NIST 800-53",
        "tier": 1,
        "versions": {
          "Rev. 5": {
            "authoritative_url": "https://csrc.nist.gov/pubs/sp/800/53/r5/final",
            "clauses": [
              {
                "clause": "AC-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Account management",
                "uc_count": 3,
                "uc_ids": [
                  "22.14.16",
                  "22.40.3",
                  "5.13.49"
                ]
              },
              {
                "clause": "AC-3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Access enforcement",
                "uc_count": 1,
                "uc_ids": [
                  "22.14.17"
                ]
              },
              {
                "clause": "AC-6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Least privilege",
                "uc_count": 4,
                "uc_ids": [
                  "22.14.19",
                  "22.40.1",
                  "22.40.2",
                  "5.13.47"
                ]
              },
              {
                "clause": "AU-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Event logging",
                "uc_count": 3,
                "uc_ids": [
                  "22.14.1",
                  "5.13.45",
                  "5.13.47"
                ]
              },
              {
                "clause": "AU-3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Content of audit records",
                "uc_count": 2,
                "uc_ids": [
                  "22.14.2",
                  "5.13.50"
                ]
              },
              {
                "clause": "AU-6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit review, analysis, and reporting",
                "uc_count": 2,
                "uc_ids": [
                  "22.14.5",
                  "5.13.50"
                ]
              },
              {
                "clause": "AU-8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Time stamps",
                "uc_count": 2,
                "uc_ids": [
                  "22.11.100",
                  "22.14.7"
                ]
              },
              {
                "clause": "AU-9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Protection of audit information",
                "uc_count": 2,
                "uc_ids": [
                  "22.14.8",
                  "22.35.3"
                ]
              },
              {
                "clause": "AU-12",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Audit record generation",
                "uc_count": 1,
                "uc_ids": [
                  "22.14.11"
                ]
              },
              {
                "clause": "CM-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Baseline configuration",
                "uc_count": 4,
                "uc_ids": [
                  "22.14.52",
                  "22.42.2",
                  "5.13.56",
                  "5.13.57"
                ]
              },
              {
                "clause": "CM-6",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.42.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Configuration settings",
                "uc_count": 8,
                "uc_ids": [
                  "22.11.92",
                  "22.14.56",
                  "22.42.2",
                  "5.13.28",
                  "5.13.29",
                  "5.13.30",
                  "5.13.31",
                  "5.13.33"
                ]
              },
              {
                "clause": "CP-9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "System backup",
                "uc_count": 4,
                "uc_ids": [
                  "22.14.79",
                  "22.45.1",
                  "22.45.2",
                  "22.45.3"
                ]
              },
              {
                "clause": "IA-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Identification and authentication (users)",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.96",
                  "22.11.98",
                  "22.14.26"
                ]
              },
              {
                "clause": "IA-5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Authenticator management",
                "uc_count": 1,
                "uc_ids": [
                  "22.14.29"
                ]
              },
              {
                "clause": "IR-4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident handling",
                "uc_count": 4,
                "uc_ids": [
                  "22.14.45",
                  "22.6.51",
                  "22.6.52",
                  "5.13.58"
                ]
              },
              {
                "clause": "PM-1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Information security program plan",
                "uc_count": 1,
                "uc_ids": [
                  "22.47.1"
                ]
              },
              {
                "clause": "PS-4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Personnel termination",
                "uc_count": 1,
                "uc_ids": [
                  "22.10.5"
                ]
              },
              {
                "clause": "RA-5",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.43.3"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Vulnerability scanning",
                "uc_count": 11,
                "uc_ids": [
                  "22.11.103",
                  "22.14.75",
                  "22.3.43",
                  "22.43.1",
                  "22.43.2",
                  "5.13.34",
                  "5.13.35",
                  "5.13.36"
                ]
              },
              {
                "clause": "SC-7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 1.0,
                "topic": "Boundary protection",
                "uc_count": 1,
                "uc_ids": [
                  "22.14.67"
                ]
              },
              {
                "clause": "SC-8",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.41.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Transmission confidentiality and integrity",
                "uc_count": 2,
                "uc_ids": [
                  "22.14.68",
                  "22.41.2"
                ]
              },
              {
                "clause": "SC-13",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Cryptographic protection",
                "uc_count": 3,
                "uc_ids": [
                  "22.14.71",
                  "22.41.1",
                  "22.41.3"
                ]
              },
              {
                "clause": "SI-4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "System monitoring",
                "uc_count": 2,
                "uc_ids": [
                  "22.14.36",
                  "22.8.33"
                ]
              },
              {
                "clause": "SR-3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Supply chain controls and processes",
                "uc_count": 1,
                "uc_ids": [
                  "22.44.1"
                ]
              },
              {
                "clause": "PT-3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Personally identifiable information processing purposes",
                "uc_count": 1,
                "uc_ids": [
                  "22.1.48"
                ]
              }
            ],
            "common_clause_count": 24,
            "coverage_pct": 100.0,
            "covered_count": 24,
            "priority_weight_covered": 23.1,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 23.1
          }
        }
      },
      "nist-csf": {
        "name": "NIST Cybersecurity Framework",
        "short_name": "NIST CSF",
        "tier": 1,
        "versions": {
          "1.1": {
            "authoritative_url": "https://www.nist.gov/cyberframework/framework",
            "clauses": [
              {
                "clause": "ID.AM-1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Physical devices inventory",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.3"
                ]
              },
              {
                "clause": "PR.AC-1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Identities and credentials managed",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.4"
                ]
              },
              {
                "clause": "DE.AE-3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Event data collection and correlation",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.2"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          },
          "2.0": {
            "authoritative_url": "https://www.nist.gov/cyberframework",
            "clauses": [
              {
                "clause": "GV.OC-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Organisational context",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.8"
                ]
              },
              {
                "clause": "GV.RM-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk management strategy",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.10"
                ]
              },
              {
                "clause": "GV.RR-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Organisational leadership",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.11"
                ]
              },
              {
                "clause": "ID.AM-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Asset inventory",
                "uc_count": 2,
                "uc_ids": [
                  "22.7.1",
                  "22.7.16"
                ]
              },
              {
                "clause": "ID.RA-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk assessment",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.19"
                ]
              },
              {
                "clause": "PR.AA-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Authentication",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.23"
                ]
              },
              {
                "clause": "PR.AA-05",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Access permissions",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.4"
                ]
              },
              {
                "clause": "PR.DS-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Data-at-rest protection",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.26"
                ]
              },
              {
                "clause": "PR.DS-02",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Data-in-transit protection",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.27"
                ]
              },
              {
                "clause": "PR.PS-04",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Log generation",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.32"
                ]
              },
              {
                "clause": "DE.AE-02",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Anomalies and events analysis",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.37"
                ]
              },
              {
                "clause": "DE.CM-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Network monitoring",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.31"
                ]
              },
              {
                "clause": "DE.CM-03",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Personnel activity monitoring",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.33"
                ]
              },
              {
                "clause": "DE.CM-09",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Environment monitoring",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.5"
                ]
              },
              {
                "clause": "RS.MA-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident management",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.39"
                ]
              },
              {
                "clause": "RS.AN-03",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Incident analysis",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.6"
                ]
              },
              {
                "clause": "RC.RP-01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Recovery plan execution",
                "uc_count": 1,
                "uc_ids": [
                  "22.7.46"
                ]
              }
            ],
            "common_clause_count": 17,
            "coverage_pct": 100.0,
            "covered_count": 17,
            "priority_weight_covered": 16.1,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 16.1
          }
        }
      },
      "pci-dss": {
        "name": "Payment Card Industry Data Security Standard",
        "short_name": "PCI DSS",
        "tier": 1,
        "versions": {
          "v3.2.1": {
            "authoritative_url": "https://www.pcisecuritystandards.org/document_library/",
            "clauses": [
              {
                "clause": "3.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Rendering PAN unreadable",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.18"
                ]
              },
              {
                "clause": "8.2.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Strong password parameters",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.48"
                ]
              },
              {
                "clause": "10.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Audit trail linking access to user",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.67"
                ]
              },
              {
                "clause": "10.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Audit events required to be logged",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.61"
                ]
              },
              {
                "clause": "10.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Log integrity",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.65"
                ]
              },
              {
                "clause": "10.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Log review",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.63"
                ]
              },
              {
                "clause": "11.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Intrusion detection",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.77"
                ]
              }
            ],
            "common_clause_count": 7,
            "coverage_pct": 100.0,
            "covered_count": 7,
            "priority_weight_covered": 6.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 6.7
          },
          "v4.0": {
            "authoritative_url": "https://www.pcisecuritystandards.org/document_library/",
            "clauses": [
              {
                "clause": "1.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Network security controls configuration",
                "uc_count": 1,
                "uc_ids": [
                  "22.42.2"
                ]
              },
              {
                "clause": "1.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "CDE network boundary",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.91"
                ]
              },
              {
                "clause": "2.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Secure system component configuration",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.92"
                ]
              },
              {
                "clause": "3.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Sensitive authentication data not stored",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.93"
                ]
              },
              {
                "clause": "3.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "PAN protection",
                "uc_count": 1,
                "uc_ids": [
                  "22.41.1"
                ]
              },
              {
                "clause": "4.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Strong cryptography for CHD in transit",
                "uc_count": 1,
                "uc_ids": [
                  "22.41.2"
                ]
              },
              {
                "clause": "5.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Anti-malware mechanisms",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.94"
                ]
              },
              {
                "clause": "6.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Bespoke software developed securely",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.95"
                ]
              },
              {
                "clause": "6.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Vulnerabilities identified and addressed",
                "uc_count": 2,
                "uc_ids": [
                  "22.43.1",
                  "22.43.2"
                ]
              },
              {
                "clause": "7.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Access granted on least privilege",
                "uc_count": 1,
                "uc_ids": [
                  "22.48.1"
                ]
              },
              {
                "clause": "8.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Strong authentication",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.96"
                ]
              },
              {
                "clause": "8.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "MFA",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.97"
                ]
              },
              {
                "clause": "8.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Application and system accounts",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.98"
                ]
              },
              {
                "clause": "10.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit logs captured for all system components",
                "uc_count": 1,
                "uc_ids": [
                  "22.40.1"
                ]
              },
              {
                "clause": "10.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Audit logs protected from modification",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.99"
                ]
              },
              {
                "clause": "10.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Time synchronised",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.100"
                ]
              },
              {
                "clause": "10.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Logs reviewed",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.101"
                ]
              },
              {
                "clause": "10.7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Log retention",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.102"
                ]
              },
              {
                "clause": "11.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "External and internal vulnerabilities identified",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.103"
                ]
              },
              {
                "clause": "11.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Intrusion detection / prevention",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.104"
                ]
              },
              {
                "clause": "12.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Targeted risk analysis",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.106"
                ]
              },
              {
                "clause": "12.10",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Security incident response",
                "uc_count": 1,
                "uc_ids": [
                  "22.11.105"
                ]
              }
            ],
            "common_clause_count": 22,
            "coverage_pct": 100.0,
            "covered_count": 22,
            "priority_weight_covered": 21.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 21.7
          }
        }
      },
      "soc-2": {
        "name": "SOC 2 Trust Services Criteria",
        "short_name": "SOC 2",
        "tier": 1,
        "versions": {
          "2017 TSC": {
            "authoritative_url": "https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services",
            "clauses": [
              {
                "clause": "CC1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Integrity and ethical values",
                "uc_count": 2,
                "uc_ids": [
                  "22.8.36",
                  "22.8.9"
                ]
              },
              {
                "clause": "CC2.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "Internal communication",
                "uc_count": 4,
                "uc_ids": [
                  "22.8.10",
                  "22.8.11",
                  "22.8.4",
                  "22.9.10"
                ]
              },
              {
                "clause": "CC3.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk assessment",
                "uc_count": 5,
                "uc_ids": [
                  "22.47.2",
                  "22.8.12",
                  "22.8.19",
                  "22.8.23",
                  "22.9.9"
                ]
              },
              {
                "clause": "CC5.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Control activities",
                "uc_count": 3,
                "uc_ids": [
                  "22.47.1",
                  "22.8.15",
                  "22.9.8"
                ]
              },
              {
                "clause": "CC6.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Logical access controls",
                "uc_count": 4,
                "uc_ids": [
                  "22.11.96",
                  "22.40.1",
                  "22.8.1",
                  "22.8.16"
                ]
              },
              {
                "clause": "CC6.6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Encryption in transit",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.91",
                  "22.8.18",
                  "22.8.31"
                ]
              },
              {
                "clause": "CC6.7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "System boundaries and data transmission",
                "uc_count": 1,
                "uc_ids": [
                  "22.8.32"
                ]
              },
              {
                "clause": "CC7.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "System operations monitoring",
                "uc_count": 6,
                "uc_ids": [
                  "22.11.101",
                  "22.11.104",
                  "22.12.40",
                  "22.6.49",
                  "22.8.1",
                  "22.8.33"
                ]
              },
              {
                "clause": "CC7.2",
                "covered": true,
                "draft_uc_count": 2,
                "draft_uc_ids": [
                  "22.35.1",
                  "22.35.5"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "System monitoring for anomalies",
                "uc_count": 10,
                "uc_ids": [
                  "22.11.99",
                  "22.35.2",
                  "22.8.13",
                  "22.8.14",
                  "22.8.17",
                  "22.8.20",
                  "22.8.24",
                  "22.8.25"
                ]
              },
              {
                "clause": "CC7.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Evaluated events and incidents",
                "uc_count": 2,
                "uc_ids": [
                  "22.6.52",
                  "22.8.34"
                ]
              },
              {
                "clause": "CC7.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Incident response",
                "uc_count": 2,
                "uc_ids": [
                  "22.11.105",
                  "22.8.35"
                ]
              },
              {
                "clause": "CC8.1",
                "covered": true,
                "draft_uc_count": 3,
                "draft_uc_ids": [
                  "22.42.3",
                  "22.42.4",
                  "22.42.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Change management",
                "uc_count": 9,
                "uc_ids": [
                  "22.11.92",
                  "22.11.95",
                  "22.12.38",
                  "22.12.39",
                  "22.42.1",
                  "22.6.55",
                  "22.8.1",
                  "22.8.21"
                ]
              },
              {
                "clause": "CC9.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Risk mitigation activities",
                "uc_count": 1,
                "uc_ids": [
                  "22.8.37"
                ]
              },
              {
                "clause": "A1.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Availability commitments",
                "uc_count": 5,
                "uc_ids": [
                  "22.35.3",
                  "22.45.1",
                  "22.8.22",
                  "22.8.27",
                  "22.8.28"
                ]
              },
              {
                "clause": "C1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Confidentiality",
                "uc_count": 3,
                "uc_ids": [
                  "22.11.93",
                  "22.8.29",
                  "22.8.38"
                ]
              },
              {
                "clause": "P1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.4,
                "topic": "Privacy notice",
                "uc_count": 1,
                "uc_ids": [
                  "22.8.39"
                ]
              }
            ],
            "common_clause_count": 16,
            "coverage_pct": 100.0,
            "covered_count": 16,
            "priority_weight_covered": 13.9,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 13.9
          }
        }
      },
      "sox-itgc": {
        "name": "SOX — PCAOB AS 2201 ITGCs",
        "short_name": "SOX ITGC",
        "tier": 1,
        "versions": {
          "PCAOB AS 2201": {
            "authoritative_url": "https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201",
            "clauses": [
              {
                "clause": "ITGC.AccessMgmt.Provisioning",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "User provisioning",
                "uc_count": 3,
                "uc_ids": [
                  "22.12.1",
                  "22.12.36",
                  "9.5.15"
                ]
              },
              {
                "clause": "ITGC.AccessMgmt.Termination",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Timely deprovisioning",
                "uc_count": 2,
                "uc_ids": [
                  "22.12.37",
                  "22.12.5"
                ]
              },
              {
                "clause": "ITGC.AccessMgmt.Privileged",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.40.4"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Privileged access",
                "uc_count": 5,
                "uc_ids": [
                  "22.12.2",
                  "22.12.28",
                  "22.40.1",
                  "22.40.2",
                  "7.1.21"
                ]
              },
              {
                "clause": "ITGC.AccessMgmt.SOD",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Segregation of duties",
                "uc_count": 3,
                "uc_ids": [
                  "22.12.3",
                  "22.48.1",
                  "22.48.2"
                ]
              },
              {
                "clause": "ITGC.AccessMgmt.Review",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Periodic access review",
                "uc_count": 2,
                "uc_ids": [
                  "22.12.26",
                  "22.40.3"
                ]
              },
              {
                "clause": "ITGC.ChangeMgmt.Authorization",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Change authorised",
                "uc_count": 3,
                "uc_ids": [
                  "16.4.1",
                  "22.42.1",
                  "7.1.13"
                ]
              },
              {
                "clause": "ITGC.ChangeMgmt.Testing",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Change tested",
                "uc_count": 29,
                "uc_ids": [
                  "22.11.95",
                  "22.12.12",
                  "22.12.13",
                  "22.12.14",
                  "22.12.15",
                  "22.12.16",
                  "22.12.17",
                  "22.12.18"
                ]
              },
              {
                "clause": "ITGC.ChangeMgmt.Approval",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Change approved",
                "uc_count": 6,
                "uc_ids": [
                  "12.2.17",
                  "22.12.10",
                  "22.12.11",
                  "22.12.39",
                  "22.6.55",
                  "5.13.46"
                ]
              },
              {
                "clause": "ITGC.Operations.JobSchedule",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 0.7,
                "topic": "Batch scheduling and monitoring",
                "uc_count": 1,
                "uc_ids": [
                  "22.12.40"
                ]
              },
              {
                "clause": "ITGC.Operations.Backup",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Backup and restore",
                "uc_count": 1,
                "uc_ids": [
                  "22.45.3"
                ]
              },
              {
                "clause": "ITGC.Logging.Continuity",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.35.1"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit trail completeness",
                "uc_count": 3,
                "uc_ids": [
                  "22.35.2",
                  "22.9.8",
                  "7.1.40"
                ]
              },
              {
                "clause": "ITGC.Logging.Review",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Log review",
                "uc_count": 3,
                "uc_ids": [
                  "22.47.2",
                  "22.49.3",
                  "5.13.45"
                ]
              }
            ],
            "common_clause_count": 12,
            "coverage_pct": 100.0,
            "covered_count": 12,
            "priority_weight_covered": 11.1,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 11.1
          }
        }
      }
    },
    "tier-2": {
      "api-rp-1164": {
        "name": "API Recommended Practice 1164 — Pipeline Control Systems Cybersecurity",
        "short_name": "API RP 1164",
        "tier": 2,
        "versions": {
          "3rd edition": {
            "authoritative_url": "https://www.api.org/products-and-services/standards/important-standards-announcements/standard-1164",
            "clauses": [
              {
                "clause": "5.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Access control",
                "uc_count": 19,
                "uc_ids": [
                  "14.2.14",
                  "14.9.14",
                  "15.3.1",
                  "15.3.37",
                  "22.18.1",
                  "22.18.10",
                  "22.18.11",
                  "22.18.12"
                ]
              },
              {
                "clause": "6.2.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Logging and monitoring",
                "uc_count": 24,
                "uc_ids": [
                  "14.2.4",
                  "14.2.9",
                  "14.6.6",
                  "22.18.15",
                  "22.18.16",
                  "22.18.17",
                  "22.18.18",
                  "22.18.19"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "appi": {
        "name": "Japan Act on the Protection of Personal Information",
        "short_name": "APPI",
        "tier": 2,
        "versions": {
          "2022 amendments": {
            "authoritative_url": "https://www.ppc.go.jp/en/legal/",
            "clauses": [
              {
                "clause": "Art.23",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security control action",
                "uc_count": 9,
                "uc_ids": [
                  "22.29.19",
                  "22.29.20",
                  "22.29.21",
                  "22.29.22",
                  "22.29.23",
                  "22.29.24",
                  "22.35.2",
                  "22.35.3"
                ]
              },
              {
                "clause": "Art.26",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Leakage reporting",
                "uc_count": 7,
                "uc_ids": [
                  "22.29.10",
                  "22.29.11",
                  "22.29.7",
                  "22.29.8",
                  "22.39.1",
                  "22.39.2",
                  "22.39.3"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "apra-cps-234": {
        "name": "APRA CPS 234 Information Security",
        "short_name": "APRA CPS 234",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.apra.gov.au/information-security",
            "clauses": [
              {
                "clause": "15",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Policy framework",
                "uc_count": 3,
                "uc_ids": [
                  "1.2.9",
                  "1.3.4",
                  "22.30.21"
                ]
              },
              {
                "clause": "23",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident management",
                "uc_count": 12,
                "uc_ids": [
                  "16.1.20",
                  "16.3.6",
                  "22.30.19",
                  "22.30.20",
                  "22.30.23",
                  "22.30.24",
                  "22.30.25",
                  "22.31.14"
                ]
              },
              {
                "clause": "36",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Notification of incidents",
                "uc_count": 4,
                "uc_ids": [
                  "16.1.20",
                  "16.3.6",
                  "22.30.22",
                  "22.31.16"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 2.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.7
          }
        }
      },
      "asd-e8": {
        "name": "ASD Essential Eight Maturity Model",
        "short_name": "ASD E8",
        "tier": 2,
        "versions": {
          "Nov 2023": {
            "authoritative_url": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model",
            "clauses": [
              {
                "clause": "E8.01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Application control",
                "uc_count": 3,
                "uc_ids": [
                  "1.2.91",
                  "12.3.10",
                  "22.31.6"
                ]
              },
              {
                "clause": "E8.03",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Configure MS Office macro settings",
                "uc_count": 2,
                "uc_ids": [
                  "22.31.13",
                  "22.31.7"
                ]
              },
              {
                "clause": "E8.05",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Restrict administrative privileges",
                "uc_count": 4,
                "uc_ids": [
                  "1.1.76",
                  "22.31.9",
                  "9.1.3",
                  "9.4.1"
                ]
              },
              {
                "clause": "E8.06",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Patch operating systems",
                "uc_count": 4,
                "uc_ids": [
                  "1.2.9",
                  "1.3.4",
                  "12.3.2",
                  "22.31.10"
                ]
              },
              {
                "clause": "E8.08",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Regular backups",
                "uc_count": 5,
                "uc_ids": [
                  "22.31.12",
                  "5.1.24",
                  "6.3.1",
                  "6.3.13",
                  "6.3.23"
                ]
              }
            ],
            "common_clause_count": 5,
            "coverage_pct": 100.0,
            "covered_count": 5,
            "priority_weight_covered": 5.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 5.0
          }
        }
      },
      "au-privacy-act": {
        "name": "Australian Privacy Act 1988 and Notifiable Data Breaches scheme",
        "short_name": "AU Privacy Act",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.legislation.gov.au/C2004A03712/latest/text",
            "clauses": [
              {
                "clause": "APP 1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Open and transparent management of personal information",
                "uc_count": 3,
                "uc_ids": [
                  "22.31.3",
                  "22.31.4",
                  "22.31.5"
                ]
              },
              {
                "clause": "APP 11",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security of personal information",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.1"
                ]
              },
              {
                "clause": "§26WK",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "NDB — notifiable data breach",
                "uc_count": 11,
                "uc_ids": [
                  "22.29.10",
                  "22.29.11",
                  "22.29.12",
                  "22.29.7",
                  "22.29.8",
                  "22.29.9",
                  "22.31.1",
                  "22.31.2"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "bait-kait": {
        "name": "BaFin Banking/Insurance Supervisory Requirements for IT (BAIT/KAIT)",
        "short_name": "BAIT/KAIT",
        "tier": 2,
        "versions": {
          "Aug 2021": {
            "authoritative_url": "https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Rundschreiben/2021/rs_1021_BAIT_en.html",
            "clauses": [
              {
                "clause": "§5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Identity & access management",
                "uc_count": 9,
                "uc_ids": [
                  "13.1.39",
                  "22.28.16",
                  "22.28.18",
                  "22.28.19",
                  "22.28.20",
                  "4.1.4",
                  "9.1.3",
                  "9.4.1"
                ]
              },
              {
                "clause": "§9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "ICT operations management",
                "uc_count": 4,
                "uc_ids": [
                  "12.2.17",
                  "16.4.1",
                  "22.28.17",
                  "5.1.24"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "basel-iii": {
        "name": "Basel III — BCBS Operational Risk and Resilience",
        "short_name": "Basel III",
        "tier": 2,
        "versions": {
          "BCBS 2021": {
            "authoritative_url": "https://www.bis.org/bcbs/publ/d516.htm",
            "clauses": [
              {
                "clause": "OPR25.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Operational risk management",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.24"
                ]
              },
              {
                "clause": "OPR25.8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Business continuity and resilience",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.25"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "bsi-kritisv": {
        "name": "BSI KRITIS-Verordnung",
        "short_name": "BSI-KritisV",
        "tier": 2,
        "versions": {
          "2021 (as amended)": {
            "authoritative_url": "https://www.gesetze-im-internet.de/bsi-kritisv/",
            "clauses": [
              {
                "clause": "§8a",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security in IT systems",
                "uc_count": 5,
                "uc_ids": [
                  "22.28.10",
                  "22.28.6",
                  "22.28.7",
                  "22.28.8",
                  "22.28.9"
                ]
              }
            ],
            "common_clause_count": 1,
            "coverage_pct": 100.0,
            "covered_count": 1,
            "priority_weight_covered": 1.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.0
          }
        }
      },
      "ccpa": {
        "name": "California Consumer Privacy Act / CPRA",
        "short_name": "CCPA/CPRA",
        "tier": 2,
        "versions": {
          "CPRA (as amended)": {
            "authoritative_url": "https://cppa.ca.gov/regulations/",
            "clauses": [
              {
                "clause": "§1798.100",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Consumer right to know",
                "uc_count": 5,
                "uc_ids": [
                  "10.11.62",
                  "22.36.1",
                  "22.37.2",
                  "22.4.1",
                  "22.49.1"
                ]
              },
              {
                "clause": "§1798.105",
                "covered": true,
                "draft_uc_count": 1,
                "draft_uc_ids": [
                  "22.49.5"
                ],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Consumer right to delete",
                "uc_count": 4,
                "uc_ids": [
                  "22.36.2",
                  "22.4.1",
                  "22.4.24",
                  "22.4.25"
                ]
              },
              {
                "clause": "§1798.150",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Private right of action for data breaches",
                "uc_count": 1,
                "uc_ids": [
                  "22.39.3"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 2.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.7
          }
        }
      },
      "cjis": {
        "name": "FBI CJIS Security Policy",
        "short_name": "CJIS",
        "tier": 2,
        "versions": {
          "v5.9.4": {
            "authoritative_url": "https://le.fbi.gov/cjis-division/cjis-security-policy-resource-center",
            "clauses": [
              {
                "clause": "5.5.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Access control - identification",
                "uc_count": 9,
                "uc_ids": [
                  "1.1.108",
                  "22.32.22",
                  "22.32.23",
                  "22.32.24",
                  "22.32.25",
                  "4.1.4",
                  "5.1.14",
                  "7.1.21"
                ]
              },
              {
                "clause": "5.13.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident response",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.2"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "cobit": {
        "name": "COBIT — Control Objectives for Information and Related Technologies",
        "short_name": "COBIT",
        "tier": 2,
        "versions": {
          "2019": {
            "authoritative_url": "https://www.isaca.org/resources/cobit",
            "clauses": [
              {
                "clause": "APO13.01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Manage security — establish and maintain an ISMS",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.26"
                ]
              },
              {
                "clause": "DSS05.03",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Manage security services — manage endpoint security",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.27"
                ]
              },
              {
                "clause": "MEA02.01",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Monitor internal controls",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.28"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 2.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.7
          }
        }
      },
      "coppa": {
        "name": "Children's Online Privacy Protection Act",
        "short_name": "COPPA",
        "tier": 2,
        "versions": {
          "16 CFR 312": {
            "authoritative_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-312",
            "clauses": [
              {
                "clause": "§312.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Verifiable parental consent obligations",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.29"
                ]
              },
              {
                "clause": "§312.8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Data security and confidentiality",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.30"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "coso": {
        "name": "Committee of Sponsoring Organizations — Internal Control / ERM Framework",
        "short_name": "COSO",
        "tier": 2,
        "versions": {
          "2013 ICFR": {
            "authoritative_url": "https://www.coso.org/guidance-on-ic",
            "clauses": [
              {
                "clause": "Principle1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Commitment to integrity and ethical values",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.31"
                ]
              },
              {
                "clause": "Principle5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Enforces accountability",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.32"
                ]
              },
              {
                "clause": "Principle11",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Selects and develops general controls over technology",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.33"
                ]
              },
              {
                "clause": "Principle16",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Ongoing and/or separate evaluations",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.34"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "eidas": {
        "name": "EU eIDAS Regulation",
        "short_name": "eIDAS",
        "tier": 2,
        "versions": {
          "Regulation (EU) 2024/1183": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/reg/2024/1183/oj",
            "clauses": [
              {
                "clause": "Art.24",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Requirements for qualified trust service providers",
                "uc_count": 15,
                "uc_ids": [
                  "22.24.1",
                  "22.24.10",
                  "22.24.11",
                  "22.24.12",
                  "22.24.13",
                  "22.24.14",
                  "22.24.15",
                  "22.24.2"
                ]
              }
            ],
            "common_clause_count": 1,
            "coverage_pct": 100.0,
            "covered_count": 1,
            "priority_weight_covered": 1.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.0
          }
        }
      },
      "eu-ai-act": {
        "name": "EU AI Act",
        "short_name": "EU AI Act",
        "tier": 2,
        "versions": {
          "Regulation (EU) 2024/1689": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",
            "clauses": [
              {
                "clause": "Art.12",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Record-keeping (logging)",
                "uc_count": 1,
                "uc_ids": [
                  "1.1.65"
                ]
              },
              {
                "clause": "Art.13",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Transparency and information",
                "uc_count": 18,
                "uc_ids": [
                  "22.21.10",
                  "22.21.13",
                  "22.21.14",
                  "22.21.16",
                  "22.21.17",
                  "22.21.18",
                  "22.21.19",
                  "22.21.20"
                ]
              },
              {
                "clause": "Art.14",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Human oversight",
                "uc_count": 3,
                "uc_ids": [
                  "22.21.11",
                  "22.21.12",
                  "22.21.15"
                ]
              },
              {
                "clause": "Art.15",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Accuracy, robustness, cybersecurity",
                "uc_count": 1,
                "uc_ids": [
                  "22.21.4"
                ]
              },
              {
                "clause": "Art.19",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Automatically generated logs",
                "uc_count": 3,
                "uc_ids": [
                  "1.2.51",
                  "22.21.2",
                  "22.21.3"
                ]
              },
              {
                "clause": "Art.26",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "High-risk AI obligations for deployers",
                "uc_count": 1,
                "uc_ids": [
                  "22.21.1"
                ]
              }
            ],
            "common_clause_count": 6,
            "coverage_pct": 100.0,
            "covered_count": 6,
            "priority_weight_covered": 5.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 5.7
          }
        }
      },
      "eu-aml": {
        "name": "EU Anti-Money-Laundering Framework",
        "short_name": "EU AML",
        "tier": 2,
        "versions": {
          "6AMLD / AMLR 2024": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/reg/2024/1624/oj",
            "clauses": [
              {
                "clause": "Art.9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Internal policies and controls",
                "uc_count": 25,
                "uc_ids": [
                  "22.25.1",
                  "22.25.10",
                  "22.25.11",
                  "22.25.12",
                  "22.25.18",
                  "22.25.19",
                  "22.25.2",
                  "22.25.20"
                ]
              },
              {
                "clause": "Art.18",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Customer due diligence",
                "uc_count": 10,
                "uc_ids": [
                  "22.25.13",
                  "22.25.14",
                  "22.25.15",
                  "22.25.16",
                  "22.25.17",
                  "22.25.24",
                  "22.25.25",
                  "22.25.26"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "eu-cra": {
        "name": "EU Cyber Resilience Act",
        "short_name": "EU CRA",
        "tier": 2,
        "versions": {
          "Regulation (EU) 2024/2847": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/reg/2024/2847/oj",
            "clauses": [
              {
                "clause": "Art.13",
                "covered": true,
                "draft_uc_count": 2,
                "draft_uc_ids": [
                  "22.43.5",
                  "22.44.5"
                ],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Obligations of manufacturers",
                "uc_count": 3,
                "uc_ids": [
                  "12.1.4",
                  "12.3.10",
                  "12.3.2"
                ]
              },
              {
                "clause": "Art.14",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Reporting of actively exploited vulnerabilities",
                "uc_count": 21,
                "uc_ids": [
                  "12.3.2",
                  "22.23.1",
                  "22.23.10",
                  "22.23.11",
                  "22.23.12",
                  "22.23.13",
                  "22.23.14",
                  "22.23.15"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "fca-smcr": {
        "name": "FCA Senior Managers and Certification Regime",
        "short_name": "FCA SM&CR",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.fca.org.uk/firms/senior-managers-certification-regime",
            "clauses": [
              {
                "clause": "SMR 1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Senior Management Functions, Statements of Responsibilities",
                "uc_count": 3,
                "uc_ids": [
                  "22.27.24",
                  "22.27.25",
                  "22.27.27"
                ]
              },
              {
                "clause": "SYSC 3.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Internal controls, systems and audit arrangements",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.3"
                ]
              },
              {
                "clause": "COCON 2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Individual Conduct Rules (including acting with integrity/due care)",
                "uc_count": 1,
                "uc_ids": [
                  "22.27.26"
                ]
              },
              {
                "clause": "SYSC 4.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "General organisational requirements",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.15"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "fca-ss1-21": {
        "name": "FCA SS1/21 Operational Resilience",
        "short_name": "FCA SS1/21",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "https://www.fca.org.uk/publication/policy/ps21-3.pdf",
            "clauses": [
              {
                "clause": "§1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Identify important business services",
                "uc_count": 6,
                "uc_ids": [
                  "22.27.11",
                  "22.27.13",
                  "22.27.15",
                  "22.27.16",
                  "22.27.17",
                  "22.27.18"
                ]
              },
              {
                "clause": "§2.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Set impact tolerances",
                "uc_count": 2,
                "uc_ids": [
                  "22.27.12",
                  "6.3.13"
                ]
              },
              {
                "clause": "§3.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Scenario testing",
                "uc_count": 2,
                "uc_ids": [
                  "22.27.14",
                  "6.3.13"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "fda-part-11": {
        "name": "FDA 21 CFR Part 11",
        "short_name": "FDA Part 11",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.ecfr.gov/current/title-21/chapter-I/subchapter-A/part-11",
            "clauses": [
              {
                "clause": "§11.10(e)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Audit trails",
                "uc_count": 25,
                "uc_ids": [
                  "1.1.65",
                  "1.2.33",
                  "1.2.51",
                  "22.17.1",
                  "22.17.11",
                  "22.17.12",
                  "22.17.13",
                  "22.17.14"
                ]
              },
              {
                "clause": "§11.10(d)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "System access limited to authorized individuals",
                "uc_count": 1,
                "uc_ids": [
                  "7.1.21"
                ]
              },
              {
                "clause": "§11.200",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Electronic signatures",
                "uc_count": 5,
                "uc_ids": [
                  "22.17.10",
                  "22.17.6",
                  "22.17.7",
                  "22.17.8",
                  "22.17.9"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "fedramp": {
        "name": "Federal Risk and Authorization Management Program",
        "short_name": "FedRAMP",
        "tier": 2,
        "versions": {
          "Rev.5 Baselines": {
            "authoritative_url": "https://www.fedramp.gov/baselines/",
            "clauses": [
              {
                "clause": "AC-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Account management",
                "uc_count": 8,
                "uc_ids": [
                  "13.1.39",
                  "17.1.8",
                  "4.1.4",
                  "5.2.2",
                  "7.1.21",
                  "9.1.3",
                  "9.4.1",
                  "9.5.15"
                ]
              },
              {
                "clause": "AU-6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit review, analysis, reporting",
                "uc_count": 3,
                "uc_ids": [
                  "13.1.35",
                  "13.1.37",
                  "4.1.1"
                ]
              },
              {
                "clause": "SI-4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "System monitoring",
                "uc_count": 4,
                "uc_ids": [
                  "1.1.65",
                  "1.1.76",
                  "1.2.51",
                  "4.1.1"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "ferpa": {
        "name": "Family Educational Rights and Privacy Act",
        "short_name": "FERPA",
        "tier": 2,
        "versions": {
          "20 USC §1232g": {
            "authoritative_url": "https://www.ecfr.gov/current/title-34/subtitle-A/part-99",
            "clauses": [
              {
                "clause": "§99.31",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Conditions for disclosure without consent",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.35"
                ]
              },
              {
                "clause": "§99.33",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Redisclosure and record-keeping",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.36"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 1.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.7
          }
        }
      },
      "fisma": {
        "name": "Federal Information Security Modernization Act",
        "short_name": "FISMA",
        "tier": 2,
        "versions": {
          "2014": {
            "authoritative_url": "https://www.congress.gov/bill/113th-congress/senate-bill/2521",
            "clauses": [
              {
                "clause": "§3554(b)(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Information security program",
                "uc_count": 14,
                "uc_ids": [
                  "22.19.10",
                  "22.19.11",
                  "22.19.12",
                  "22.19.13",
                  "22.19.14",
                  "22.19.15",
                  "22.19.6",
                  "22.19.7"
                ]
              },
              {
                "clause": "§3554(b)(5)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security controls and monitoring",
                "uc_count": 19,
                "uc_ids": [
                  "22.19.1",
                  "22.19.16",
                  "22.19.17",
                  "22.19.18",
                  "22.19.19",
                  "22.19.2",
                  "22.19.20",
                  "22.19.21"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "glba": {
        "name": "Gramm-Leach-Bliley Act — Safeguards Rule",
        "short_name": "GLBA",
        "tier": 2,
        "versions": {
          "16 CFR 314 (2023 amendments)": {
            "authoritative_url": "https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314",
            "clauses": [
              {
                "clause": "§314.4(b)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk assessment",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.37"
                ]
              },
              {
                "clause": "§314.4(c)(1)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Access controls",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.38"
                ]
              },
              {
                "clause": "§314.4(d)(2)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Continuous monitoring",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.39"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "hipaa-privacy": {
        "name": "HIPAA Privacy Rule",
        "short_name": "HIPAA Privacy",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E",
            "clauses": [
              {
                "clause": "§164.502(a)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Uses and disclosures of PHI — general rules",
                "uc_count": 4,
                "uc_ids": [
                  "11.1.5",
                  "11.1.6",
                  "15.3.37",
                  "7.1.21"
                ]
              },
              {
                "clause": "§164.504(e)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Business Associate contracts",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.4"
                ]
              },
              {
                "clause": "§164.514(a)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "contributing",
                "priority_weight": 0.7,
                "topic": "De-identification of PHI",
                "uc_count": 1,
                "uc_ids": [
                  "11.1.5"
                ]
              },
              {
                "clause": "§164.528",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Accounting of disclosures",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.16"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.4,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.4
          }
        }
      },
      "hitrust": {
        "name": "HITRUST CSF",
        "short_name": "HITRUST",
        "tier": 2,
        "versions": {
          "v11": {
            "authoritative_url": "https://hitrustalliance.net/csf-overview/",
            "clauses": [
              {
                "clause": "09.aa",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit logging",
                "uc_count": 8,
                "uc_ids": [
                  "1.1.65",
                  "1.2.33",
                  "1.2.51",
                  "12.1.4",
                  "13.1.35",
                  "13.1.36",
                  "13.1.37",
                  "7.1.40"
                ]
              },
              {
                "clause": "01.b",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "User access management",
                "uc_count": 9,
                "uc_ids": [
                  "1.1.108",
                  "13.1.39",
                  "4.1.4",
                  "7.1.21",
                  "9.1.1",
                  "9.1.3",
                  "9.3.1",
                  "9.4.1"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "hkma-tm-g-2": {
        "name": "HKMA TM-G-2 General Principles for Technology Risk Management",
        "short_name": "HKMA TM-G-2",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.hkma.gov.hk/eng/regulatory-resources/regulatory-guides/supervisory-policy-manual/",
            "clauses": [
              {
                "clause": "§3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Governance of technology risk",
                "uc_count": 5,
                "uc_ids": [
                  "22.30.10",
                  "22.30.11",
                  "22.30.12",
                  "22.30.8",
                  "22.30.9"
                ]
              }
            ],
            "common_clause_count": 1,
            "coverage_pct": 100.0,
            "covered_count": 1,
            "priority_weight_covered": 1.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.0
          }
        }
      },
      "iec-62443": {
        "name": "IEC 62443 Industrial Automation and Control Systems Security",
        "short_name": "IEC 62443",
        "tier": 2,
        "versions": {
          "2013-ongoing": {
            "authoritative_url": "https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards",
            "clauses": [
              {
                "clause": "SR 1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Human user identification and authentication",
                "uc_count": 4,
                "uc_ids": [
                  "22.15.11",
                  "22.15.51",
                  "22.15.53",
                  "22.15.55"
                ]
              },
              {
                "clause": "SR 2.8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Auditable events",
                "uc_count": 2,
                "uc_ids": [
                  "22.15.22",
                  "22.15.52"
                ]
              },
              {
                "clause": "SR 2.9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Audit storage capacity",
                "uc_count": 1,
                "uc_ids": [
                  "22.15.23"
                ]
              },
              {
                "clause": "FR 6.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Continuous monitoring",
                "uc_count": 9,
                "uc_ids": [
                  "14.2.4",
                  "14.2.9",
                  "14.6.6",
                  "14.9.14",
                  "14.9.22",
                  "17.1.8",
                  "17.3.3",
                  "22.15.48"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "it-grundschutz": {
        "name": "BSI IT-Grundschutz Compendium",
        "short_name": "IT-Grundschutz",
        "tier": 2,
        "versions": {
          "2023 Edition": {
            "authoritative_url": "https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node.html",
            "clauses": [
              {
                "clause": "OPS.1.1.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Ordered ICT operation",
                "uc_count": 11,
                "uc_ids": [
                  "1.2.91",
                  "12.2.17",
                  "13.1.36",
                  "16.4.1",
                  "22.28.11",
                  "22.28.12",
                  "22.28.13",
                  "22.28.14"
                ]
              },
              {
                "clause": "ORP.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Identity & access",
                "uc_count": 2,
                "uc_ids": [
                  "9.1.3",
                  "9.5.15"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "it-sig-2": {
        "name": "German IT-Sicherheitsgesetz 2.0",
        "short_name": "IT-SiG 2.0",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "https://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&start=//*[@attr_id=%27bgbl121s1122.pdf%27]",
            "clauses": [
              {
                "clause": "§8a",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security measures for KRITIS operators",
                "uc_count": 3,
                "uc_ids": [
                  "22.28.2",
                  "22.28.3",
                  "22.28.5"
                ]
              },
              {
                "clause": "§8b",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "National IT situation centre notification",
                "uc_count": 2,
                "uc_ids": [
                  "22.28.1",
                  "22.28.4"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "lgpd": {
        "name": "Lei Geral de Proteção de Dados Pessoais",
        "short_name": "LGPD",
        "tier": 2,
        "versions": {
          "Lei nº 13.709/2018": {
            "authoritative_url": "http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm",
            "clauses": [
              {
                "clause": "Art.46",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security measures",
                "uc_count": 10,
                "uc_ids": [
                  "22.32.1",
                  "22.32.2",
                  "22.32.4",
                  "22.32.5",
                  "22.32.6",
                  "22.32.7",
                  "22.32.8",
                  "22.35.2"
                ]
              },
              {
                "clause": "Art.48",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Breach notification",
                "uc_count": 4,
                "uc_ids": [
                  "22.32.3",
                  "22.39.1",
                  "22.39.2",
                  "22.39.3"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "mas-trm": {
        "name": "MAS Technology Risk Management Guidelines",
        "short_name": "MAS TRM",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulatory-and-supervisory-framework/risk-management/trm-guidelines-18-january-2021.pdf",
            "clauses": [
              {
                "clause": "§4.1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Technology risk governance",
                "uc_count": 9,
                "uc_ids": [
                  "12.2.17",
                  "16.4.1",
                  "22.30.1",
                  "22.30.2",
                  "22.30.3",
                  "22.30.4",
                  "22.30.5",
                  "22.30.7"
                ]
              },
              {
                "clause": "§8.1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "IT operations — incident mgmt",
                "uc_count": 2,
                "uc_ids": [
                  "16.1.20",
                  "22.30.6"
                ]
              },
              {
                "clause": "§11.1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "System resilience",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.5"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "mifid-ii": {
        "name": "Markets in Financial Instruments Directive II",
        "short_name": "MiFID II",
        "tier": 2,
        "versions": {
          "Directive 2014/65/EU": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/dir/2014/65/oj",
            "clauses": [
              {
                "clause": "Art.16(7)",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Record keeping of communications",
                "uc_count": 1,
                "uc_ids": [
                  "22.5.2"
                ]
              },
              {
                "clause": "Art.17",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Algorithmic trading controls",
                "uc_count": 10,
                "uc_ids": [
                  "22.5.10",
                  "22.5.11",
                  "22.5.15",
                  "22.5.16",
                  "22.5.17",
                  "22.5.18",
                  "22.5.19",
                  "22.5.20"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "nerc-cip": {
        "name": "NERC Critical Infrastructure Protection",
        "short_name": "NERC CIP",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx",
            "clauses": [
              {
                "clause": "CIP-002-5.1a R1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "BES cyber system identification",
                "uc_count": 1,
                "uc_ids": [
                  "14.2.11"
                ]
              },
              {
                "clause": "CIP-005-7 R1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Electronic security perimeter",
                "uc_count": 6,
                "uc_ids": [
                  "10.14.16",
                  "14.2.14",
                  "14.2.4",
                  "14.9.22",
                  "15.3.1",
                  "17.3.3"
                ]
              },
              {
                "clause": "CIP-007-6 R4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security event monitoring",
                "uc_count": 3,
                "uc_ids": [
                  "14.2.11",
                  "14.2.14",
                  "14.9.14"
                ]
              },
              {
                "clause": "CIP-008-6 R1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident response",
                "uc_count": 2,
                "uc_ids": [
                  "10.14.19",
                  "22.50.6"
                ]
              },
              {
                "clause": "CIP-010-4 R1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "full",
                "priority_weight": 1.0,
                "topic": "Configuration change management",
                "uc_count": 8,
                "uc_ids": [
                  "1.2.9",
                  "13.1.36",
                  "14.2.9",
                  "14.6.6",
                  "16.4.1",
                  "5.1.24",
                  "5.1.7",
                  "7.1.13"
                ]
              }
            ],
            "common_clause_count": 5,
            "coverage_pct": 100.0,
            "covered_count": 5,
            "priority_weight_covered": 5.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 5.0
          }
        }
      },
      "nesa-uae-ias": {
        "name": "UAE NESA Information Assurance Standards",
        "short_name": "NESA IAS",
        "tier": 2,
        "versions": {
          "v2 (2020)": {
            "authoritative_url": "https://www.nesa.gov.ae/",
            "clauses": [
              {
                "clause": "T3.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Access control management",
                "uc_count": 2,
                "uc_ids": [
                  "22.33.2",
                  "22.33.4"
                ]
              },
              {
                "clause": "T4.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Audit trails, logging and information-system monitoring",
                "uc_count": 2,
                "uc_ids": [
                  "22.33.1",
                  "22.33.5"
                ]
              },
              {
                "clause": "T6.3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Information security incident management",
                "uc_count": 1,
                "uc_ids": [
                  "22.33.3"
                ]
              },
              {
                "clause": "T3.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Cryptographic controls and key management",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.17"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "no-kbf-nve": {
        "name": "Norwegian Kraftberedskapsforskriften (NVE Power-sector emergency preparedness regulation)",
        "short_name": "NO KBF",
        "tier": 2,
        "versions": {
          "2012 as amended": {
            "authoritative_url": "https://lovdata.no/dokument/SF/forskrift/2012-12-07-1157",
            "clauses": [
              {
                "clause": "§6-1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Informasjonssikkerhet",
                "uc_count": 5,
                "uc_ids": [
                  "22.26.10",
                  "22.26.6",
                  "22.26.7",
                  "22.26.8",
                  "22.26.9"
                ]
              }
            ],
            "common_clause_count": 1,
            "coverage_pct": 100.0,
            "covered_count": 1,
            "priority_weight_covered": 1.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.0
          }
        }
      },
      "no-personopplysningsloven": {
        "name": "Norwegian Personopplysningsloven (Personal Data Act)",
        "short_name": "NO Personopplysningsloven",
        "tier": 2,
        "versions": {
          "2018": {
            "authoritative_url": "https://lovdata.no/dokument/NL/lov/2018-06-15-38",
            "clauses": [
              {
                "clause": "§8",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Processing of special categories of personal data",
                "uc_count": 5,
                "uc_ids": [
                  "22.26.16",
                  "22.26.17",
                  "22.26.18",
                  "22.26.19",
                  "22.26.20"
                ]
              },
              {
                "clause": "§2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Territorial and material scope",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.19"
                ]
              },
              {
                "clause": "§14",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Automated individual decision-making restrictions",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.18"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 2.4,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.4
          }
        }
      },
      "no-petroleumsforskriften": {
        "name": "Norwegian Petroleumsforskriften (Petroleum Safety regulation)",
        "short_name": "NO Petroleumsforskriften",
        "tier": 2,
        "versions": {
          "1997 as amended": {
            "authoritative_url": "https://lovdata.no/dokument/SF/forskrift/1997-06-27-653",
            "clauses": [
              {
                "clause": "§15",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Health, safety and environmental (HSE) management requirements",
                "uc_count": 5,
                "uc_ids": [
                  "22.26.11",
                  "22.26.12",
                  "22.26.13",
                  "22.26.14",
                  "22.26.15"
                ]
              },
              {
                "clause": "§11",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Emergency preparedness and response",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.7"
                ]
              },
              {
                "clause": "§3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "General operator obligations for safety and security",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.20"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 2.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.7
          }
        }
      },
      "no-sikkerhetsloven": {
        "name": "Norwegian Sikkerhetsloven (National Security Act)",
        "short_name": "NO Sikkerhetsloven",
        "tier": 2,
        "versions": {
          "2018": {
            "authoritative_url": "https://lovdata.no/dokument/NL/lov/2018-06-01-24",
            "clauses": [
              {
                "clause": "§5-3",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk assessment and documentation of security level",
                "uc_count": 4,
                "uc_ids": [
                  "22.26.1",
                  "22.26.2",
                  "22.26.3",
                  "22.26.4"
                ]
              },
              {
                "clause": "§6-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Protection of classified / security-graded information",
                "uc_count": 1,
                "uc_ids": [
                  "22.26.5"
                ]
              },
              {
                "clause": "§6-1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "General preventive security measures",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.8"
                ]
              },
              {
                "clause": "§5-2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Internal control and annual security review",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.21"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "nzism": {
        "name": "New Zealand Information Security Manual",
        "short_name": "NZISM",
        "tier": 2,
        "versions": {
          "3.7": {
            "authoritative_url": "https://www.nzism.gcsb.govt.nz/",
            "clauses": [
              {
                "clause": "§16.6.9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Event logging requirements",
                "uc_count": 2,
                "uc_ids": [
                  "22.31.18",
                  "22.31.20"
                ]
              },
              {
                "clause": "§16.1.32",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "User identification, authentication and access management",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.9"
                ]
              },
              {
                "clause": "§17.2.17",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Information security incident management and response",
                "uc_count": 1,
                "uc_ids": [
                  "22.31.19"
                ]
              },
              {
                "clause": "§12.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Information security documentation and policy",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.22"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "pipl": {
        "name": "China Personal Information Protection Law",
        "short_name": "PIPL",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "http://www.npc.gov.cn/npc/c2/c30834/202108/t20210820_313088.html",
            "clauses": [
              {
                "clause": "Art.38",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cross-border transfer conditions",
                "uc_count": 6,
                "uc_ids": [
                  "22.29.1",
                  "22.29.2",
                  "22.29.3",
                  "22.29.4",
                  "22.29.5",
                  "22.29.6"
                ]
              },
              {
                "clause": "Art.51",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Information security measures",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.10"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "pra-ss2-21": {
        "name": "PRA SS2/21 Outsourcing and third-party risk management",
        "short_name": "PRA SS2/21",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "https://www.bankofengland.co.uk/prudential-regulation/publication/2021/march/outsourcing-and-third-party-risk-management-ss",
            "clauses": [
              {
                "clause": "§3.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Proportionality",
                "uc_count": 4,
                "uc_ids": [
                  "22.27.19",
                  "22.27.20",
                  "22.27.22",
                  "22.27.23"
                ]
              },
              {
                "clause": "§9",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Business continuity & exit plans",
                "uc_count": 3,
                "uc_ids": [
                  "22.27.21",
                  "6.3.13",
                  "6.3.23"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "psd2": {
        "name": "Revised Payment Services Directive",
        "short_name": "PSD2",
        "tier": 2,
        "versions": {
          "Directive (EU) 2015/2366": {
            "authoritative_url": "https://eur-lex.europa.eu/eli/dir/2015/2366/oj",
            "clauses": [
              {
                "clause": "Art.95",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Management of operational and security risks",
                "uc_count": 12,
                "uc_ids": [
                  "12.3.2",
                  "22.22.13",
                  "22.22.14",
                  "22.22.15",
                  "22.22.16",
                  "22.22.17",
                  "22.22.19",
                  "22.22.20"
                ]
              },
              {
                "clause": "Art.96",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident reporting",
                "uc_count": 7,
                "uc_ids": [
                  "16.3.6",
                  "22.22.25",
                  "22.22.26",
                  "22.22.27",
                  "22.22.28",
                  "22.22.29",
                  "22.22.30"
                ]
              },
              {
                "clause": "Art.97",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Strong customer authentication",
                "uc_count": 17,
                "uc_ids": [
                  "17.2.2",
                  "22.22.1",
                  "22.22.10",
                  "22.22.11",
                  "22.22.12",
                  "22.22.18",
                  "22.22.2",
                  "22.22.3"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "qcb-cyber": {
        "name": "Qatar Central Bank Cybersecurity Framework",
        "short_name": "QCB Cyber",
        "tier": 2,
        "versions": {
          "2018": {
            "authoritative_url": "https://www.qcb.gov.qa/",
            "clauses": [
              {
                "clause": "§3.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cybersecurity governance and strategy",
                "uc_count": 4,
                "uc_ids": [
                  "22.33.16",
                  "22.33.18",
                  "22.33.19",
                  "22.33.20"
                ]
              },
              {
                "clause": "§4.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cyber risk identification and management",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.11"
                ]
              },
              {
                "clause": "§6.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cyber incident management and response",
                "uc_count": 1,
                "uc_ids": [
                  "22.33.17"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "rbi-cyber": {
        "name": "RBI Cyber Security Framework for Banks",
        "short_name": "RBI Cyber",
        "tier": 2,
        "versions": {
          "2016 (as amended)": {
            "authoritative_url": "https://rbi.org.in/Scripts/NotificationUser.aspx?Id=10435",
            "clauses": [
              {
                "clause": "Annex-A",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Baseline cyber-security controls",
                "uc_count": 6,
                "uc_ids": [
                  "1.1.76",
                  "22.30.13",
                  "22.30.14",
                  "22.30.15",
                  "22.30.16",
                  "22.30.18"
                ]
              },
              {
                "clause": "Annex-B",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cyber-crisis management plan",
                "uc_count": 1,
                "uc_ids": [
                  "22.30.17"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "sa-pdpl": {
        "name": "Saudi Personal Data Protection Law",
        "short_name": "SA PDPL",
        "tier": 2,
        "versions": {
          "current": {
            "authoritative_url": "https://sdaia.gov.sa/en/SDAIA/about/Files/PersonalDataEnglish.pdf",
            "clauses": [
              {
                "clause": "Art. 19",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Data security and protection obligations",
                "uc_count": 4,
                "uc_ids": [
                  "22.33.11",
                  "22.33.12",
                  "22.33.13",
                  "22.33.15"
                ]
              },
              {
                "clause": "Art. 20",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Personal data breach notification",
                "uc_count": 1,
                "uc_ids": [
                  "22.33.14"
                ]
              },
              {
                "clause": "Art. 6",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Lawful grounds and consent for processing",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.12"
                ]
              },
              {
                "clause": "Art. 29",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Cross-border personal data transfers",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.23"
                ]
              }
            ],
            "common_clause_count": 4,
            "coverage_pct": 100.0,
            "covered_count": 4,
            "priority_weight_covered": 3.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.7
          }
        }
      },
      "sama-csf": {
        "name": "SAMA Cyber Security Framework",
        "short_name": "SAMA CSF",
        "tier": 2,
        "versions": {
          "v1.0 (2017)": {
            "authoritative_url": "https://www.sama.gov.sa/en-US/Laws/BankingRules/SAMA%20Cyber%20Security%20Framework.pdf",
            "clauses": [
              {
                "clause": "3.1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cyber security governance",
                "uc_count": 4,
                "uc_ids": [
                  "22.33.10",
                  "22.33.6",
                  "22.33.8",
                  "22.33.9"
                ]
              },
              {
                "clause": "3.3.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security monitoring",
                "uc_count": 6,
                "uc_ids": [
                  "1.1.76",
                  "12.1.4",
                  "17.2.2",
                  "22.33.7",
                  "4.1.1",
                  "9.4.1"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "sg-pdpa": {
        "name": "Singapore Personal Data Protection Act",
        "short_name": "SG PDPA",
        "tier": 2,
        "versions": {
          "2020 amended": {
            "authoritative_url": "https://sso.agc.gov.sg/Act/PDPA2012",
            "clauses": [
              {
                "clause": "§24",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Protection of personal data obligation",
                "uc_count": 8,
                "uc_ids": [
                  "11.1.5",
                  "11.1.6",
                  "22.29.13",
                  "22.29.14",
                  "22.29.15",
                  "22.29.16",
                  "22.29.17",
                  "22.29.18"
                ]
              },
              {
                "clause": "§26A",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Data breach notification",
                "uc_count": 6,
                "uc_ids": [
                  "11.1.6",
                  "16.3.6",
                  "22.29.10",
                  "22.29.7",
                  "22.29.8",
                  "22.29.9"
                ]
              },
              {
                "clause": "§26B",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Criteria for notifiability",
                "uc_count": 1,
                "uc_ids": [
                  "11.1.6"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "swift-csp": {
        "name": "SWIFT Customer Security Programme",
        "short_name": "SWIFT CSP",
        "tier": 2,
        "versions": {
          "CSCF v2025": {
            "authoritative_url": "https://www.swift.com/myswift/customer-security-programme-csp/security-controls",
            "clauses": [
              {
                "clause": "1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "SWIFT environment protection",
                "uc_count": 7,
                "uc_ids": [
                  "22.34.10",
                  "22.34.2",
                  "22.34.5",
                  "22.34.6",
                  "22.34.9",
                  "5.1.7",
                  "5.2.2"
                ]
              },
              {
                "clause": "6.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Malware protection",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.13"
                ]
              },
              {
                "clause": "6.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Logging and monitoring",
                "uc_count": 13,
                "uc_ids": [
                  "1.1.65",
                  "1.2.33",
                  "13.1.35",
                  "13.1.36",
                  "15.3.2",
                  "22.34.1",
                  "22.34.11",
                  "22.34.12"
                ]
              }
            ],
            "common_clause_count": 3,
            "coverage_pct": 100.0,
            "covered_count": 3,
            "priority_weight_covered": 3.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 3.0
          }
        }
      },
      "swiss-nfadp": {
        "name": "Swiss Federal Act on Data Protection (nFADP)",
        "short_name": "Swiss nFADP",
        "tier": 2,
        "versions": {
          "2020 revision": {
            "authoritative_url": "https://www.fedlex.admin.ch/eli/cc/2022/491/en",
            "clauses": [
              {
                "clause": "Art.7",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Privacy by design",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.14"
                ]
              },
              {
                "clause": "Art.24",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Data breach notification",
                "uc_count": 2,
                "uc_ids": [
                  "22.39.1",
                  "22.39.2"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "tsa-sd": {
        "name": "TSA Pipeline Security Directive",
        "short_name": "TSA SD",
        "tier": 2,
        "versions": {
          "SD02C": {
            "authoritative_url": "https://www.tsa.gov/sd02c",
            "clauses": [
              {
                "clause": "III.A",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cybersecurity plan",
                "uc_count": 35,
                "uc_ids": [
                  "14.2.11",
                  "14.2.4",
                  "15.3.1",
                  "15.3.2",
                  "15.3.37",
                  "22.16.1",
                  "22.16.10",
                  "22.16.11"
                ]
              },
              {
                "clause": "III.D",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Cybersecurity assessment",
                "uc_count": 2,
                "uc_ids": [
                  "14.2.11",
                  "14.9.22"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "uk-cyber-essentials": {
        "name": "UK NCSC Cyber Essentials",
        "short_name": "Cyber Essentials",
        "tier": 2,
        "versions": {
          "Montpellier (2025)": {
            "authoritative_url": "https://www.ncsc.gov.uk/cyberessentials/overview",
            "clauses": [
              {
                "clause": "CE.BF.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Boundary firewalls",
                "uc_count": 4,
                "uc_ids": [
                  "17.1.8",
                  "17.3.3",
                  "22.27.28",
                  "5.2.2"
                ]
              },
              {
                "clause": "CE.SAU.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Secure authentication & access",
                "uc_count": 7,
                "uc_ids": [
                  "1.1.108",
                  "17.2.2",
                  "22.27.29",
                  "22.27.30",
                  "4.1.5",
                  "9.1.1",
                  "9.3.1"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "uk-gdpr": {
        "name": "UK General Data Protection Regulation",
        "short_name": "UK GDPR",
        "tier": 2,
        "versions": {
          "post-Brexit": {
            "authoritative_url": "https://www.legislation.gov.uk/eur/2016/679/contents",
            "clauses": [
              {
                "clause": "Art.32",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Security of processing",
                "uc_count": 3,
                "uc_ids": [
                  "22.35.2",
                  "22.35.3",
                  "22.41.1"
                ]
              }
            ],
            "common_clause_count": 1,
            "coverage_pct": 100.0,
            "covered_count": 1,
            "priority_weight_covered": 1.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.0
          }
        }
      },
      "uk-nis": {
        "name": "UK Network and Information Systems Regulations 2018",
        "short_name": "UK NIS",
        "tier": 2,
        "versions": {
          "2018": {
            "authoritative_url": "https://www.legislation.gov.uk/uksi/2018/506/contents",
            "clauses": [
              {
                "clause": "Reg.10",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "OES security duties",
                "uc_count": 9,
                "uc_ids": [
                  "22.27.1",
                  "22.27.10",
                  "22.27.2",
                  "22.27.3",
                  "22.27.5",
                  "22.27.6",
                  "22.27.7",
                  "22.27.8"
                ]
              },
              {
                "clause": "Reg.11",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Incident reporting",
                "uc_count": 3,
                "uc_ids": [
                  "16.1.20",
                  "16.3.6",
                  "22.27.4"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "unece-r155": {
        "name": "UN Regulation No. 155 — Cyber Security Management Systems (CSMS)",
        "short_name": "UN R155",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security",
            "clauses": [
              {
                "clause": "7.2.2.2",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Risk assessment and mitigation for vehicle cybersecurity",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.40"
                ]
              },
              {
                "clause": "7.2.2.5",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Monitoring, detecting, and responding to cyber attacks",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.41"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 2.0,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 2.0
          }
        }
      },
      "unece-r156": {
        "name": "UN Regulation No. 156 — Software Update Management Systems (SUMS)",
        "short_name": "UN R156",
        "tier": 2,
        "versions": {
          "2021": {
            "authoritative_url": "https://unece.org/transport/documents/2021/03/standards/un-regulation-no-156-software-update-and-software-update",
            "clauses": [
              {
                "clause": "7.1.1",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Software update management system processes",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.42"
                ]
              },
              {
                "clause": "7.1.4",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Recording and reporting of software updates",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.43"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 1.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.7
          }
        }
      }
    },
    "tier-3": {
      "ferc-cip": {
        "name": "FERC Critical Infrastructure Protection (beyond NERC CIP)",
        "short_name": "FERC CIP",
        "tier": 3,
        "versions": {
          "current": {
            "authoritative_url": "https://www.ferc.gov/industries-data/electric/industry-activities/critical-infrastructure-protection",
            "clauses": [
              {
                "clause": "Order887",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 1.0,
                "topic": "Internal network security monitoring for bulk electric systems",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.44"
                ]
              },
              {
                "clause": "Order893",
                "covered": true,
                "draft_uc_count": 0,
                "draft_uc_ids": [],
                "max_assurance": "partial",
                "priority_weight": 0.7,
                "topic": "Supply chain risk management for BES systems",
                "uc_count": 1,
                "uc_ids": [
                  "22.50.45"
                ]
              }
            ],
            "common_clause_count": 2,
            "coverage_pct": 100.0,
            "covered_count": 2,
            "priority_weight_covered": 1.7,
            "priority_weight_pct": 100.0,
            "priority_weight_total": 1.7
          }
        }
      },
      "meta-multi": {
        "name": "Placeholder: multi-regulation or jurisdiction-generic",
        "short_name": "Multiple",
        "tier": 3,
        "versions": {
          "n/a": {
            "authoritative_url": null,
            "clauses": [],
            "common_clause_count": 0,
            "coverage_pct": 0.0,
            "covered_count": 0,
            "priority_weight_covered": 0,
            "priority_weight_pct": 0.0,
            "priority_weight_total": 0
          }
        }
      }
    }
  }
}
