{
  "$schema": "https://kyeprotocol.com/schemas/kye.nist_800_53_hub.v1.json",
  "schema_version": "1.0.0",
  "registry_id": "kye:registry:nist-800-53-hub",
  "adopted_at": "2026-05-25",
  "description": "Canonical NIST 800-53 Rev 5 control-family hub. The KYE Protocol™ compliance-coverage model uses NIST 800-53 as the universal taxonomy: every other framework (EU AI Act, DORA, GDPR, SOC 2, ISO 27001/42001, HAARF, SR 11-7, BCBS 239, MHRA SaMD, etc) crosswalks INTO this hub. Procurement question 'do you map to X?' answered by following the crosswalk — one hop, never N×M.",
  "constitution_ref": "constitution/00-INDEX.md",
  "source": "NIST SP 800-53 Rev 5 (Sept 2020) + Rev 5.1 patch (Dec 2023). Public-domain US-government publication.",
  "publication_rule": { "policy": "public", "rationale": "NIST 800-53 is public-domain; KYE's mapping is the value-add (which artefact binds which control)." },
  "control_families": [
    { "id": "AC", "name": "Access Control",                           "controls_count": 25, "kye_engines": ["purpose-scope", "decision", "authority"] },
    { "id": "AT", "name": "Awareness and Training",                   "controls_count": 6,  "kye_engines": ["state"] },
    { "id": "AU", "name": "Audit and Accountability",                 "controls_count": 16, "kye_engines": ["evidence", "replay"] },
    { "id": "CA", "name": "Assessment, Authorization, and Monitoring","controls_count": 9,  "kye_engines": ["decision", "evidence"] },
    { "id": "CM", "name": "Configuration Management",                 "controls_count": 14, "kye_engines": ["rules", "state"] },
    { "id": "CP", "name": "Contingency Planning",                     "controls_count": 13, "kye_engines": ["state"] },
    { "id": "IA", "name": "Identification and Authentication",        "controls_count": 12, "kye_engines": ["entity", "authority"] },
    { "id": "IR", "name": "Incident Response",                        "controls_count": 10, "kye_engines": ["evidence", "ecosystem"] },
    { "id": "MA", "name": "Maintenance",                              "controls_count": 7,  "kye_engines": ["state"] },
    { "id": "MP", "name": "Media Protection",                         "controls_count": 8,  "kye_engines": ["evidence"] },
    { "id": "PE", "name": "Physical and Environmental Protection",    "controls_count": 23, "kye_engines": [] },
    { "id": "PL", "name": "Planning",                                 "controls_count": 11, "kye_engines": ["rules"] },
    { "id": "PM", "name": "Program Management",                       "controls_count": 32, "kye_engines": ["rules", "state"] },
    { "id": "PS", "name": "Personnel Security",                       "controls_count": 9,  "kye_engines": ["entity"] },
    { "id": "PT", "name": "PII Processing and Transparency",          "controls_count": 8,  "kye_engines": ["purpose-scope", "evidence"] },
    { "id": "RA", "name": "Risk Assessment",                          "controls_count": 10, "kye_engines": ["decision", "rules"] },
    { "id": "SA", "name": "System and Services Acquisition",          "controls_count": 23, "kye_engines": ["ecosystem"] },
    { "id": "SC", "name": "System and Communications Protection",     "controls_count": 51, "kye_engines": ["evidence", "replay"] },
    { "id": "SI", "name": "System and Information Integrity",         "controls_count": 23, "kye_engines": ["evidence", "rules"] },
    { "id": "SR", "name": "Supply Chain Risk Management",             "controls_count": 12, "kye_engines": ["ecosystem", "entity"] }
  ],
  "headline_controls": [
    { "id": "AC-2",  "name": "Account management",                 "kye_artefact": "Entity Engine + Authority Engine: per-tenant entity records with signed grant chain." },
    { "id": "AC-3",  "name": "Access enforcement",                 "kye_artefact": "PDP per-call admissibility; deny-by-default." },
    { "id": "AC-4",  "name": "Information flow enforcement",       "kye_artefact": "data_flow_graph.v1 + signed cross-border envelope." },
    { "id": "AC-6",  "name": "Least privilege",                    "kye_artefact": "Scoped delegation; Purpose Permission™ admissibility." },
    { "id": "AU-2",  "name": "Event logging",                      "kye_artefact": "Audit-chain append-only triggers; per-event signed Evidence Pack™." },
    { "id": "AU-9",  "name": "Protection of audit information",    "kye_artefact": "WORM triggers; object-store immutability; per-tenant signing-kid registry." },
    { "id": "AU-10", "name": "Non-repudiation",                    "kye_artefact": "Ed25519-signed Decision Map™; public-key offline verification." },
    { "id": "AU-12", "name": "Audit record generation",            "kye_artefact": "Every privileged action emits the §0.3 governance event family." },
    { "id": "CA-7",  "name": "Continuous monitoring",              "kye_artefact": "kye-liveness-engine 6h heartbeat + readiness probes." },
    { "id": "CM-2",  "name": "Baseline configuration",             "kye_artefact": "Compiled control bundle with integrity seal." },
    { "id": "IA-2",  "name": "Identification & authentication",    "kye_artefact": "Per-tenant API key SHA-256 hashed; service-binding mTLS." },
    { "id": "IA-5",  "name": "Authenticator management",           "kye_artefact": "secrets_registry quarterly rotation; HSM-backed signing kids." },
    { "id": "IR-4",  "name": "Incident handling",                  "kye_artefact": "kye-event-correlator-agent + signed incident_evidence_pack." },
    { "id": "IR-5",  "name": "Incident monitoring",                "kye_artefact": "audit-chain queryable by event class; kye-incident-detector." },
    { "id": "PT-2",  "name": "Authority to process PII",           "kye_artefact": "Purpose Permission™ admissibility; signed lawful-basis envelope." },
    { "id": "PT-3",  "name": "PII processing purposes",            "kye_artefact": "data_use_manifest.v1 with bounded-purpose declaration." },
    { "id": "RA-3",  "name": "Risk assessment",                    "kye_artefact": "Risk Engine 5-tier + per-framework floor map." },
    { "id": "RA-5",  "name": "Vulnerability monitoring",           "kye_artefact": "kye-drift-detector + Reality Coupling™." },
    { "id": "SA-15", "name": "Development process",                "kye_artefact": "Constitution Kit + reference gates; CI-enforced." },
    { "id": "SC-7",  "name": "Boundary protection",                "kye_artefact": "Gateway worker withSecurity + Bearer auth on /v1/*." },
    { "id": "SC-8",  "name": "Transmission confidentiality",       "kye_artefact": "TLS 1.3 floor; HSTS preload; per-tenant region binding." },
    { "id": "SC-12", "name": "Cryptographic key establishment",    "kye_artefact": "Per-tenant signing-kid registry; quarterly rotation." },
    { "id": "SI-4",  "name": "System monitoring",                  "kye_artefact": "kye-event-classifier + audit-chain emission coverage." },
    { "id": "SI-12", "name": "Information management & retention", "kye_artefact": "WORM audit + object-store immutability with framework-justified retention years." },
    { "id": "SR-3",  "name": "Supply chain controls",              "kye_artefact": "subprocessors/manifest.json + signed sub-processor register." }
  ],
  "framework_crosswalk": {
    "eu_ai_act": {
      "Art 6 (high-risk classification)":     ["RA-3", "PM-9"],
      "Art 9 (risk management)":              ["RA-3", "CA-7", "PM-9"],
      "Art 12 (record-keeping)":              ["AU-2", "AU-9", "AU-12", "SI-12"],
      "Art 13 (transparency to deployer)":    ["PT-3", "AU-10"],
      "Art 50 (interaction disclosure)":      ["PT-2", "PT-3", "AC-22"]
    },
    "dora": {
      "Art 6 (ICT risk framework)":           ["RA-3", "PM-9", "CA-7"],
      "Art 28 (critical third party)":        ["SR-3", "SA-4", "SA-15"]
    },
    "gdpr": {
      "Art 5(1)(b) (purpose limitation)":     ["PT-2", "PT-3"],
      "Art 30 (RoPA)":                        ["PT-3", "AU-2", "PM-5"],
      "Art 32 (security of processing)":      ["AU-9", "SC-8", "SC-12", "IA-5"],
      "Art 35 (DPIA)":                        ["RA-3", "PT-2"],
      "Art 44-49 (cross-border)":             ["AC-4", "PT-2"]
    },
    "soc_2": {
      "CC1 (control environment)":            ["PM-1", "PM-2", "PS-1"],
      "CC6 (logical access)":                 ["AC-2", "AC-3", "AC-6", "IA-2", "IA-5"],
      "CC7 (system operations)":              ["CA-7", "SI-4", "IR-4"],
      "CC8 (change management)":              ["CM-2", "CM-3", "SA-15"],
      "A1 (availability)":                    ["CP-2", "CP-9", "SC-5"]
    },
    "iso_27001": {
      "Annex A.5 (information security)":     ["PM-1"],
      "Annex A.8 (asset management)":         ["CM-8", "MP-2"],
      "Annex A.9 (access control)":           ["AC-2", "AC-3", "AC-6", "IA-2"],
      "Annex A.12 (operations)":              ["AU-2", "CM-2", "SI-3"],
      "Annex A.18 (compliance)":              ["CA-7", "PM-1"]
    },
    "iso_42001": {
      "Annex A.4 (lifecycle)":                ["SA-15", "CM-3", "PM-9"],
      "Annex A.6 (documented system)":        ["PL-2", "SA-11"]
    },
    "nist_ai_rmf": {
      "GOVERN-1.2 (traceability)":            ["AU-10", "AU-12", "PT-3"],
      "MAP-2.1 (system characterisation)":    ["PL-2", "SA-11"]
    },
    "aicm": {
      "IAM (authority at action)":            ["AC-3", "AC-6", "IA-2"],
      "AAC (agentic authority & accountability)": ["AC-3", "AC-6", "AU-10", "AU-12"],
      "GRC (oversight & attestation)":        ["PM-1", "PM-9", "CA-7"],
      "LOG (evidence + decision map)":        ["AU-2", "AU-9", "AU-12", "AU-10"],
      "MRM (replay resolution)":              ["AU-10", "AU-12"],
      "STA (supply-chain provenance)":        ["SR-3", "AU-12"]
    },
    "nist_800_207": {
      "Tenet 1 (every request authenticated)": ["AC-3", "IA-2"],
      "Tenet 2 (policy-evaluated)":           ["AC-3", "AC-4", "AC-6"]
    },
    "fca_opres": {
      "IBS designation":                      ["CP-2", "CA-7", "PM-9"]
    },
    "sr_11_7": {
      "§V (model risk management)":           ["RA-3", "AU-10", "PM-9"],
      "§VI (model inventory)":                ["CM-8", "PL-2"]
    },
    "bcbs_239": {
      "§6 (maker-checker)":                   ["AC-3", "AC-5", "AC-6"]
    },
    "pci_dss_4": {
      "6.4.1 (segregated envs)":              ["SC-7", "SC-32"]
    },
    "psd2_psd3": {
      "SCA":                                  ["IA-2", "AC-3"]
    },
    "hipaa": {
      "§164.312 (technical safeguards)":      ["AC-2", "AC-3", "AU-2", "SC-8", "SC-12"]
    },
    "haarf": {
      "§4.2 (verifiable-by-3rd-party)":       ["AU-10", "AU-9"],
      "Risk-Reduction-per-Effort":            ["RA-3", "RA-7"]
    },
    "mhra_samd": {
      "SaMD AI Change Program":             ["CM-3", "CA-7"]
    },
    "fedramp_mod": {
      "Baseline":                             ["AC-2", "AC-3", "AU-2", "AU-9", "AU-12", "SC-7", "SC-8", "SC-12", "SI-4"]
    },
    "sec_17a4_finra_4511": {
      "Records preservation":                 ["AU-9", "SI-12"]
    },
    "uk_ncsc_caf": {
      "Principle B6 (training)":              ["AT-2", "AT-3"]
    },
    "nist_csf_2_0": {
      "GOVERN":                               ["PM-1", "PM-9"],
      "IDENTIFY":                             ["RA-3", "CM-8"],
      "PROTECT":                              ["AC-3", "IA-2", "SC-8"],
      "DETECT":                               ["AU-2", "SI-4"],
      "RESPOND":                              ["IR-4", "IR-5"],
      "RECOVER":                              ["CP-2"]
    }
  },
  "counts": {
    "control_families": 20,
    "headline_controls": 25,
    "frameworks_crosswalked": 21
  }
}
