Abstract
This appendix provides comprehensive mappings between OSSASAI controls and established international security standards, enabling organizations to:
- Demonstrate multi-framework compliance through unified control implementation
- Leverage existing compliance investments when adopting OSSASAI
- Identify coverage gaps requiring supplementary controls
- Support regulatory reporting with cross-referenced evidence
1. Framework Alignment Overview
OSSASAI is designed for interoperability with major security frameworks:
| Framework | Version | Coverage | Applicability |
|---|---|---|---|
| OWASP ASVS | 4.0.3 | 85% | Application security verification |
| NIST SP 800-53 | Rev. 5 | 78% | Federal information systems |
| NIST Cybersecurity Framework | 2.0 | 82% | Critical infrastructure |
| NIST AI RMF | 1.0 | 90% | AI system risk management |
| ISO/IEC 27001 | 2022 | 75% | Information security management |
| CIS Controls | v8 | 80% | Prioritized security actions |
| SLSA | 1.0 | 95% | Supply chain integrity |
| MITRE ATT&CK | v14 | N/A | Threat technique mapping |
2. OWASP Application Security Verification Standard (ASVS) v4.0
2.1 Control Mapping
| OSSASAI Control | ASVS Requirement | ASVS Section | Coverage |
|---|---|---|---|
| OSSASAI-CP-01 | V1.1.1, V1.1.2 | Secure SDLC | Full |
| OSSASAI-CP-02 | V4.1.1, V4.1.2, V4.1.3 | Access Control Design | Full |
| OSSASAI-CP-03 | V1.14.1, V1.14.2 | Configuration Architecture | Full |
| OSSASAI-CP-04 | V4.1.4, V4.1.5 | Access Control | Partial |
| OSSASAI-ID-01 | V2.1.1, V2.4.1 | Password Security | Full |
| OSSASAI-ID-02 | V3.2.1, V3.2.2, V3.2.3 | Session Binding | Full |
| OSSASAI-ID-03 | V3.4.1, V3.4.2 | Session Termination | Full |
| OSSASAI-TB-01 | V12.1.1, V12.1.2 | File Upload Restrictions | Partial |
| OSSASAI-TB-02 | V5.2.1, V5.3.1, V5.3.4 | Input Validation, OS Command | Full |
| OSSASAI-TB-03 | V12.4.1 | File Storage | Partial |
| OSSASAI-TB-04 | V13.1.1, V13.1.3 | API Security | Full |
| OSSASAI-LS-01 | V6.2.1, V6.2.2 | Cryptographic Storage | Full |
| OSSASAI-LS-02 | V7.1.1, V7.1.2, V7.1.3 | Log Content | Full |
| OSSASAI-LS-03 | V6.4.1, V6.4.2 | Secret Management | Partial |
| OSSASAI-LS-04 | V7.3.1, V7.3.3 | Log Protection | Full |
| OSSASAI-SC-01 | V14.2.1, V14.2.2 | Dependency | Full |
| OSSASAI-SC-02 | V14.2.3, V14.2.4 | Dependency | Full |
| OSSASAI-NS-01 | V9.1.1, V9.1.2, V9.1.3 | TLS | Full |
| OSSASAI-NS-02 | V9.2.1, V9.2.2 | Server Certificate | Full |
| OSSASAI-NS-03 | V13.2.1, V13.2.2 | RESTful API | Full |
| OSSASAI-NS-04 | V7.2.1, V7.2.2 | Log Processing | Full |
2.2 Gap Analysis
| ASVS Category | OSSASAI Coverage | Supplementary Controls |
|---|---|---|
| V1: Architecture | 75% | Requires additional SDLC controls |
| V2: Authentication | 85% | MFA requirements extend ID controls |
| V3: Session Management | 90% | Full coverage |
| V4: Access Control | 95% | Full coverage |
| V5: Input Validation | 80% | Additional sanitization for AI inputs |
| V9: Communications | 100% | Full coverage |
| V13: API Security | 90% | Full coverage |
| V14: Configuration | 85% | Full coverage |
3. NIST SP 800-53 Rev. 5 Mapping
3.1 Control Family Mapping
| OSSASAI Control | NIST Control ID | NIST Control Name | Family |
|---|---|---|---|
| OSSASAI-CP-01 | CM-6 | Configuration Settings | Configuration Management |
| OSSASAI-CP-01 | CM-7 | Least Functionality | Configuration Management |
| OSSASAI-CP-02 | AC-3 | Access Enforcement | Access Control |
| OSSASAI-CP-02 | AC-6 | Least Privilege | Access Control |
| OSSASAI-CP-03 | SI-7 | Software, Firmware, Information Integrity | System & Info Integrity |
| OSSASAI-CP-03 | CM-14 | Signed Components | Configuration Management |
| OSSASAI-CP-04 | AC-4 | Information Flow Enforcement | Access Control |
| OSSASAI-ID-01 | IA-2 | Identification and Authentication | Identification & Auth |
| OSSASAI-ID-01 | IA-8 | Identification and Authentication (Non-Org) | Identification & Auth |
| OSSASAI-ID-02 | SC-4 | Information in Shared System Resources | System & Comm Protection |
| OSSASAI-ID-02 | AC-4 | Information Flow Enforcement | Access Control |
| OSSASAI-ID-03 | AC-3 | Access Enforcement | Access Control |
| OSSASAI-TB-01 | AC-6(9) | Least Privilege - Auditing | Access Control |
| OSSASAI-TB-01 | SC-7 | Boundary Protection | System & Comm Protection |
| OSSASAI-TB-02 | SI-10 | Information Input Validation | System & Info Integrity |
| OSSASAI-TB-02 | SI-10(5) | Restrict Inputs to Trusted Sources | System & Info Integrity |
| OSSASAI-TB-03 | SC-39 | Process Isolation | System & Comm Protection |
| OSSASAI-TB-04 | SC-7(5) | Deny by Default / Allow by Exception | System & Comm Protection |
| OSSASAI-LS-01 | IA-5 | Authenticator Management | Identification & Auth |
| OSSASAI-LS-01 | SC-28 | Protection of Information at Rest | System & Comm Protection |
| OSSASAI-LS-02 | AU-3 | Content of Audit Records | Audit & Accountability |
| OSSASAI-LS-02 | SI-12 | Information Management and Retention | System & Info Integrity |
| OSSASAI-LS-03 | SI-10 | Information Input Validation | System & Info Integrity |
| OSSASAI-LS-04 | AU-11 | Audit Record Retention | Audit & Accountability |
| OSSASAI-LS-04 | SI-12 | Information Management and Retention | System & Info Integrity |
| OSSASAI-SC-01 | SA-12 | Supply Chain Risk Management | System Acquisition |
| OSSASAI-SC-01 | SR-3 | Supply Chain Controls and Processes | Supply Chain Risk Mgmt |
| OSSASAI-SC-02 | SA-10 | Developer Configuration Management | System Acquisition |
| OSSASAI-SC-02 | SR-4 | Provenance | Supply Chain Risk Mgmt |
| OSSASAI-FV-01 | SA-17 | Developer Security Architecture | System Acquisition |
| OSSASAI-FV-02 | SI-7(6) | Cryptographic Protection | System & Info Integrity |
| OSSASAI-FV-03 | SA-11 | Developer Testing and Evaluation | System Acquisition |
| OSSASAI-NS-01 | SC-8 | Transmission Confidentiality and Integrity | System & Comm Protection |
| OSSASAI-NS-02 | SC-8(1) | Cryptographic Protection | System & Comm Protection |
| OSSASAI-NS-03 | SC-7(8) | Route Traffic to Proxy Servers | System & Comm Protection |
| OSSASAI-NS-04 | SI-4 | System Monitoring | System & Info Integrity |
3.2 Impact Level Mapping
| OSSASAI Level | NIST Impact Level | Required Control Baseline |
|---|---|---|
| L1 | Low | FedRAMP Low |
| L2 | Moderate | FedRAMP Moderate |
| L3 | High | FedRAMP High |
4. NIST Cybersecurity Framework (CSF) v2.0 Mapping
4.1 Function Mapping
| CSF Function | OSSASAI Control Domain | Primary Controls |
|---|---|---|
| GOVERN | All | Governance through assurance levels |
| IDENTIFY | Threat Model | Risk scoring, adversary analysis |
| PROTECT | CP, ID, TB, LS | CP-01, CP-02, ID-02, TB-01 |
| DETECT | LS, NS | LS-02, NS-04 |
| RESPOND | Incident Response | Playbooks, recovery procedures |
| RECOVER | Incident Response | Recovery, post-incident review |
4.2 Category Mapping
| CSF Category | OSSASAI Controls |
|---|---|
| ID.AM (Asset Management) | Asset classification in threat model |
| ID.RA (Risk Assessment) | Risk scoring framework |
| PR.AC (Access Control) | CP-02, CP-04, ID-01, ID-02 |
| PR.DS (Data Security) | LS-01, LS-02, TB-04 |
| PR.IP (Information Protection) | CP-01, CP-03, SC-01, SC-02 |
| PR.PT (Protective Technology) | TB-01, TB-02, TB-03, NS-01 |
| DE.AE (Anomalies and Events) | NS-04, LS-02 |
| DE.CM (Continuous Monitoring) | Compliance monitoring |
| RS.AN (Analysis) | Incident playbooks |
| RS.MI (Mitigation) | Remediation procedures |
| RC.RP (Recovery Planning) | Recovery procedures |
5. NIST AI Risk Management Framework (AI RMF) 1.0 Mapping
5.1 Core Function Mapping
| AI RMF Function | OSSASAI Alignment |
|---|---|
| GOVERN | Assurance levels, profile mechanism, governance structure |
| MAP | Trust boundaries, threat model, asset classification |
| MEASURE | Risk scoring, verification procedures, evidence collection |
| MANAGE | Control catalog, remediation guidance, continuous monitoring |
5.2 Characteristic Mapping
| AI RMF Characteristic | OSSASAI Controls | Applicability |
|---|---|---|
| Valid and Reliable | FV-01, FV-02, TB-02 | Tool governance, formal verification |
| Safe | TB-01, TB-02, TB-03, TB-04 | Sandboxing, least privilege, approval gates |
| Secure and Resilient | All control domains | Full framework scope |
| Accountable and Transparent | LS-02, LS-04, TB-02 | Audit logging, approval trails |
| Explainable | Evidence framework | Verification procedures |
| Privacy-Enhanced | LS-01, LS-02, LS-03 | Secrets protection, redaction |
| Fair | ID-02, ID-03 | Session isolation, access control |
5.3 Trustworthy AI Mapping
| AI RMF Subcategory | OSSASAI Controls |
|---|---|
| GOVERN 1.2: Accountability structures | Assurance levels, profile governance |
| MAP 1.1: Context established | Trust boundaries, threat model |
| MAP 2.3: Scientific integrity | Academic references, research methodology |
| MEASURE 2.6: Monitoring | Continuous compliance monitoring |
| MANAGE 1.3: Risk treatments | Control remediation procedures |
| MANAGE 3.1: Incident response | IR playbooks and procedures |
6. ISO/IEC 27001:2022 Mapping
6.1 Annex A Control Mapping
| OSSASAI Control | ISO 27001 Control | Control Title |
|---|---|---|
| OSSASAI-CP-01 | A.8.9 | Configuration management |
| OSSASAI-CP-02 | A.5.15 | Access control |
| OSSASAI-CP-02 | A.8.2 | Privileged access rights |
| OSSASAI-CP-03 | A.8.19 | Installation of software |
| OSSASAI-ID-01 | A.5.16 | Identity management |
| OSSASAI-ID-01 | A.5.17 | Authentication information |
| OSSASAI-ID-02 | A.8.11 | Data masking |
| OSSASAI-TB-01 | A.8.3 | Information access restriction |
| OSSASAI-TB-02 | A.8.28 | Secure coding |
| OSSASAI-LS-01 | A.5.33 | Protection of records |
| OSSASAI-LS-02 | A.8.15 | Logging |
| OSSASAI-SC-01 | A.5.21 | Managing ICT services in supply chain |
| OSSASAI-SC-02 | A.5.22 | Monitoring of supplier services |
| OSSASAI-NS-01 | A.8.24 | Use of cryptography |
| OSSASAI-NS-02 | A.8.24 | Use of cryptography |
6.2 ISMS Integration
OSSASAI supports ISO 27001 ISMS implementation through:
- Clause 6.1.2: OSSASAI threat model for risk identification
- Clause 6.1.3: OSSASAI controls for risk treatment
- Clause 8.2: OSSASAI assurance levels for risk assessment criteria
- Clause 9.1: OSSASAI evidence framework for monitoring and measurement
- Clause 10.1: OSSASAI remediation procedures for continual improvement
7. CIS Controls v8 Mapping
7.1 Control Mapping
| OSSASAI Control | CIS Control | CIS Safeguard | Implementation Group |
|---|---|---|---|
| OSSASAI-CP-01 | 4 | 4.1, 4.2 | IG1 |
| OSSASAI-CP-02 | 6 | 6.1, 6.2, 6.8 | IG1 |
| OSSASAI-CP-03 | 7 | 7.3, 7.4 | IG2 |
| OSSASAI-ID-01 | 6 | 6.3, 6.4 | IG1 |
| OSSASAI-ID-02 | 3 | 3.3 | IG2 |
| OSSASAI-TB-01 | 3 | 3.3, 3.4 | IG1 |
| OSSASAI-TB-02 | 2 | 2.5, 2.6 | IG2 |
| OSSASAI-LS-01 | 3 | 3.10, 3.11 | IG2 |
| OSSASAI-LS-02 | 8 | 8.2, 8.5 | IG1 |
| OSSASAI-SC-01 | 16 | 16.1, 16.9 | IG2 |
| OSSASAI-SC-02 | 16 | 16.2, 16.4 | IG3 |
| OSSASAI-NS-01 | 3 | 3.10 | IG2 |
| OSSASAI-NS-02 | 3 | 3.10 | IG2 |
7.2 Implementation Group Alignment
| OSSASAI Level | CIS Implementation Group | Minimum Safeguards |
|---|---|---|
| L1 | IG1 | 56 |
| L2 | IG2 | 130 |
| L3 | IG3 | 153 |
8. SLSA (Supply-chain Levels for Software Artifacts) v1.0 Mapping
8.1 Build Level Mapping
| SLSA Level | OSSASAI Requirement | Controls |
|---|---|---|
| Level 1 | Documentation exists | SC-01 |
| Level 2 | Build service, signed provenance | SC-01, SC-02 |
| Level 3 | Hardened build platform | SC-02, FV-03 |
| Level 4 | Two-party review, hermetic builds | SC-02, FV-01, FV-02 |
8.2 Source Level Mapping
| SLSA Requirement | OSSASAI Control | Coverage |
|---|---|---|
| Version controlled | SC-01 | Full |
| Verified history | SC-02 | Full |
| Retained indefinitely | LS-04 | Full |
| Two-person reviewed | FV-01 | L3 only |
9. MITRE ATT&CK Mapping
9.1 Technique Coverage
| ATT&CK Tactic | Relevant Techniques | OSSASAI Mitigations |
|---|---|---|
| Initial Access | T1566 (Phishing), T1190 (Exploit) | CP-01, CP-02, ID-01 |
| Execution | T1059 (Command/Script), T1203 (Exploit) | TB-02, TB-03 |
| Persistence | T1547 (Boot/Logon), T1574 (Hijack) | CP-03, SC-01, SC-02 |
| Privilege Escalation | T1548 (Abuse Elevation), T1068 (Exploit) | CP-02, CP-04, TB-01 |
| Defense Evasion | T1070 (Indicator Removal), T1562 (Impair) | LS-02, LS-04, NS-04 |
| Credential Access | T1552 (Unsecured Credentials), T1555 (Credential Store) | LS-01, ID-03 |
| Discovery | T1083 (File/Directory), T1082 (System Info) | TB-01, ID-02 |
| Collection | T1560 (Archive), T1119 (Automated) | TB-04, NS-04 |
| Exfiltration | T1041 (Over C2), T1567 (Over Web) | TB-04, NS-01 |
9.2 Agent-Specific Techniques (Proposed)
OSSASAI proposes additions to ATT&CK for agent-specific techniques:
| Proposed Technique | Description | OSSASAI Control |
|---|---|---|
| T1xxx.001 | Direct Prompt Injection | ID-02, TB-02 |
| T1xxx.002 | Indirect Prompt Injection | TB-04, LS-03 |
| T1xxx.003 | Session Context Poisoning | ID-02, ID-03 |
| T1xxx.004 | Memory/RAG Injection | LS-03 |
| T1xxx.005 | Tool Capability Abuse | TB-01, TB-02 |
10. Regulatory Compliance Mapping
10.1 GDPR Alignment
| GDPR Article | OSSASAI Controls | Coverage |
|---|---|---|
| Article 5 (Principles) | All controls | Framework-level |
| Article 17 (Right to Erasure) | LS-04 | Full |
| Article 25 (Data Protection by Design) | CP-01, LS-02 | Full |
| Article 32 (Security of Processing) | All technical controls | Full |
| Article 33 (Breach Notification) | Incident Response | Full |
10.2 SOC 2 Trust Services Criteria
| TSC Category | OSSASAI Alignment |
|---|---|
| Security (CC) | CP, ID, TB, NS controls |
| Availability (A) | TB-03, Incident Response |
| Processing Integrity (PI) | FV-01, FV-02, TB-02 |
| Confidentiality (C) | LS-01, LS-02, TB-04 |
| Privacy (P) | LS-02, LS-04, ID-02 |
11. Cross-Framework Compliance Matrix
Organizations implementing OSSASAI L2 achieve the following estimated compliance:
| Framework | Estimated Coverage | Residual Gap |
|---|---|---|
| OWASP ASVS L2 | 85% | MFA, advanced crypto |
| NIST 800-53 Moderate | 78% | Physical security, personnel |
| ISO 27001:2022 | 75% | ISMS governance clauses |
| CIS Controls IG2 | 80% | Network infrastructure |
| SOC 2 Type II | 82% | Third-party attestation |
12. References
- OWASP. (2021). “Application Security Verification Standard v4.0.3.”
- NIST. (2020). “SP 800-53 Rev. 5: Security and Privacy Controls.”
- NIST. (2024). “Cybersecurity Framework Version 2.0.”
- NIST. (2023). “AI Risk Management Framework (AI RMF 1.0).”
- ISO/IEC. (2022). “27001:2022 Information Security Management Systems.”
- CIS. (2021). “CIS Controls v8.”
- SLSA. (2023). “Supply-chain Levels for Software Artifacts v1.0.”
- MITRE. (2024). “ATT&CK Framework v14.”