Sovereign Forest Phase 1.5
777 Nodes Verified & Hardened
L402/Skyfire Active

The 777-Node Intelligence Forest

The world's most comprehensive, source-verified resource for autonomous AI agents. Every node is cryptographically signed, RAG-optimized, and gated via L402 settlement protocols.

Workplace

AA1000AP (AccountAbility)

"Compliance with the AA1000AP framework is predicated upon a systematic and auditable application of its foundational principles, reinforced by assurance requirements aligned with both the AA1000 Assurance Standard and Directive (EU) 2022/2464. The Principle of Inclusivity, per Section 2.1, is implemented through an active stakeholder inclusivity framework, mandating a comprehensive stakeholder mapping review at least every 12 months. Adherence to the Principle of Materiality from Section 2.2 requires a formal materiality assessment with an identical 12-month frequency, executed under established ESG board oversight and consistent with double materiality concepts. An active responsiveness mechanism, governed by Section 2.3, ensures that stakeholder communications are addressed within a maximum response time of 30 days, supported by active grievance remediation tracking. Finally, the Principle of Impact, as articulated in Section 2.4, is substantiated through defined impact measurement metrics, including verifiable SDG impact alignment. The integrity of this entire process is confirmed by the requirement for independent assurance, enabled ESG data fidelity audits, and a commitment to an annual public ESG disclosure, ensuring robust, transparent, and defensible reporting on accountability performance."

Technical ID

aa1000ap-accountability

Legal & IP Sovereignty

ABA Model Rules (Conduct)

"Compliance with fundamental ABA Model Rules of Professional Conduct is operationalized through a stringent set of configurable controls. The duty of competence, as articulated in ABA Model Rule 1.1, Comment 8, mandates continuous technical competence validation to understand technology's benefits and risks. Protecting client confidentiality pursuant to ABA Model Rule 1.6(c) is achieved by enabling unauthorized disclosure prevention and requiring client data encryption, a standard reinforced by ABA Formal Opinion 477R's guidance on securing protected information. Supervisory responsibilities under ABA Model Rule 5.3 are extended to technology, necessitating a comprehensive vendor risk assessment and ensuring supervisory review of automated output. Adhering to the communications duty in ABA Model Rule 1.4, the platform requires practitioners to obtain informed consent for AI tool usage. System-wide security is bolstered through mandatory multi-factor authentication and enforcing access control based on least privilege principles. In response to cybersecurity incidents, protocols derived from ABA Formal Opinion 483 are enforced, which require an incident response plan and set a maximum breach notification delay of 24 hours for prompt client disclosure. The system will also enforce conflict of interest checks automatically and manage data lifecycles according to a five-year client file retention policy."

Technical ID

aba-model-rules-conduct

Banking & Global Finance

AI Model Valuation (IAS 38)

"IAS 38 Intangible Assets, issued by the IASB, governs the recognition, measurement, and disclosure of intangible assets including internally developed AI models, training datasets, and software. An intangible asset must meet strict recognition criteria: identifiability, control, and probable future economic benefit. Development-phase AI expenditure may be capitalized only after technical feasibility is established, while research-phase costs must be expensed immediately. Failure to correctly distinguish research from development phases, or to apply the impairment testing requirements under IAS 36, results in materially misstated financial statements and potential regulatory action by securities authorities."

Technical ID

accounting-ias-38

Banking & Global Finance

Digital Asset Fair Value (IFRS 13)

"IFRS 13 Fair Value Measurement establishes a single framework for measuring fair value across all IFRS standards that require or permit fair value measurement, including digital assets, AI-tokenized instruments, and crypto holdings. The standard defines fair value as the exit price — the price received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date. Entities must classify inputs into a three-level hierarchy (Level 1: quoted prices, Level 2: observable inputs, Level 3: unobservable inputs) and maximize the use of observable inputs. Digital and AI-linked assets with limited trading history frequently fall into Level 3, requiring robust valuation models and extensive disclosures; inadequate classification or disclosure triggers audit qualifications and securities regulator scrutiny."

Technical ID

accounting-ifr-13

Legal & IP Sovereignty

Engineers Ethics (ACEC)

"Engineers must uphold their paramount duty to public safety, health, and welfare, a principle derived from the NSPE Code of Ethics for Engineers - Fundamental Canon 1. This compliance framework mandates that all engineering activities adhere to the highest professional standards, requiring active professional engineering license verification for all relevant personnel. In accordance with the NCEES Model Rules of Professional Conduct, engineers shall act for each employer as faithful agents, necessitating a mandatory disclosure for any potential conflict of interest. The Federal Acquisition Regulation, specifically FAR 52.203-7, informs an absolute prohibition against kickbacks or illicit gifts, establishing a maximum allowable value of zero US dollars. This zero-tolerance policy extends to any form of pay-to-play contracting. Furthermore, protocols aligned with FAR Subpart 3.11 prevent personal conflicts of interest for contractor employees. Strict client confidentiality shall be maintained, and all public statements must be issued in a truthful and objective manner only. Consistent with ACEC Professional and Ethical Conduct Guidelines, an environmental sustainability review is required for applicable projects. To bolster system integrity, a minimum of one independent peer review for safety is mandated. Comprehensive whistleblower protections are enabled, aligning with Sarbanes-Oxley Act Section 806 to safeguard individuals reporting fraud. All ethical audit records must be retained for a minimum period of seven years to ensure long-term accountability."

Technical ID

acec-ethics-eng

Workplace

ADA (Employment Title I)

"Title I of the Americans with Disabilities Act establishes comprehensive non-discrimination obligations for employers with 15 or more employees. The statute's general rule, articulated in 42 U.S.C. § 12112(a), prohibits discrimination against a qualified individual on the basis of disability concerning all terms, conditions, and privileges of employment. A 'qualified individual', per 42 U.S.C. § 12111(8), is someone who, with or without reasonable accommodation, can perform the essential functions of a position, underscoring the necessity that `essential_job_functions_documented` must be accurate and current. While `pre_offer_medical_inquiries_prohibited` is a strict mandate under 42 U.S.C. § 12112(d), certain `post_offer_medical_exams_permitted` are allowed if required for all entering employees in the same job category. A cornerstone of compliance is providing reasonable accommodations, a process that `requires_interactive_process` between the employer and employee as stipulated by 29 C.F.R. § 1630.2(o)(3), for which an `accommodation_response_sla_days` of 15 is mandated for timely engagement. An employer may deny a requested accommodation only if it imposes an 'undue hardship', defined in 42 U.S.C. § 12111(10), a determination where an `undue_hardship_assessment_required` is necessary. The `direct_threat_defense_allowed` can also be invoked under specific circumstances. Confidentiality is paramount; pursuant to 29 C.F.R. § 1630.14(c)(1), `medical_records_segregation_required` is absolute, with `data_access_restricted_to_need_to_know` principles strictly enforced. Furthermore, `retaliation_prohibited` protections cover individuals who assert their rights, and the `employment_record_retention_years` requirement is set at a minimum of one."

Technical ID

ada-employment-title-1

Food & Hospitality

ADA (Hospitality Accessibility)

"Compliance with Title III of the Americans with Disabilities Act mandates that places of public accommodation, including transient lodging, provide individuals with disabilities full and equal enjoyment of their goods, services, and facilities. Pursuant to the specific requirements outlined in 28 CFR Part 36, Subpart C, this includes digital and procedural accessibility. The entity's website must maintain WCAG 2.1 AA compliance to ensure usability, and reservation policies under 28 CFR § 36.302(e) require that online systems guarantee accessibility features for reservations, while accessible rooms are held until all other non-accessible rooms of that type are sold. Physical plant specifications governed by the 2010 ADA Standards for Accessible Design necessitate a minimum accessible route width of 36 inches throughout the property and a door clear width minimum of 32 inches for passage. Transactional surfaces like the check-in counter must not exceed a maximum height of 36 inches per Section 902.3. Guest rooms designated as accessible under Section 224 and Chapter 8 must have visual alarms installed, and TTY devices must be available upon request. Furthermore, grab bars must be installed in accessible bathrooms, and amenities like pools require that a pool lift or sloped entry is installed and operational. Finally, operational policies must align with 28 CFR § 36.302(c), ensuring service animals are permitted access without surcharges."

Technical ID

ada-hospitality-access

Operations & CX

Agent Budgetary Controls & Ceiling Checks

"Agentized financial controls (Action Boundaries) restrict an autonomous agent's spending power per session, task, or API call to prevent catastrophic loss or unbounded consumption."

Technical ID

agent-budget-cap

Operations & CX

Agent Emergency Stop (Kill-Switch) Design Patterns

"An AI Agent Kill-Switch is a deterministic safety mechanism designed to immediately terminate or throttle an autonomous agent's execution if it exceeds predefined behavioral, financial, or operational boundaries. A compliant kill-switch architecture requires: sub-50ms signal propagation to prevent runaway execution, a graceful shutdown window with hard-terminate fallback on timeout, state snapshot capture before forced termination, dead letter queue routing for incomplete tasks, rollback of reversible actions, mandatory human-in-loop approval before restart, and audit logging of every kill event with trigger classification. The corrigibility principle underlying kill-switch design — that agents must remain stoppable and correctable by authorized humans — is foundational to EU AI Act Article 9 risk management requirements and to NIST AI RMF MANAGE 4.1 incident response protocols."

Technical ID

agent-kill-switch

AI Governance & Law

Multi-Agent Collision Resolution

"Multi-agent collision logic provides deterministic protocols for resolving conflicts when two or more autonomous AI agents simultaneously attempt to access the same resource, modify the same shared state, execute contradictory actions, or pursue incompatible goal trajectories within a swarm or orchestration framework. Without collision resolution, multi-agent systems produce race conditions, data corruption, deadlocks, and cascading failures that are difficult to audit or remediate. The resolution framework draws from distributed systems theory (consensus algorithms, resource arbitration), multi-agent systems research, and emerging agentic safety standards. Properly implemented collision logic ensures predictable, auditable outcomes and maintains system safety invariants even when individual agents operate concurrently and autonomously."

Technical ID

ai-agent-collision-logic

Legal & IP Sovereignty

AI-IP: Guidance on Authorship

"The US Copyright Office's AI Policy Statement (February 2023) and subsequent guidance (March 2023) establish that copyright protection requires human authorship — purely AI-generated content without human creative control is not copyrightable in the United States. Works involving AI assistance may receive copyright protection for the human-authored elements, but only if a human author made sufficient creative choices that were expressed in the final output. The EU, UK, and other jurisdictions take varying positions, with the UK's Computer Generated Works doctrine providing limited protection for AI outputs. Misrepresenting AI-generated content as human-authored to obtain copyright registration constitutes fraud; failure to disclose AI involvement in patent applications may similarly invalidate those applications."

Technical ID

ai-ip-copyright

Legal & IP Sovereignty

AICPA Code of Ethics

"Adherence to the AICPA Code of Professional Conduct mandates stringent standards for members, centering on the core Objectivity and Independence Principle outlined in ET Sec. 0.300.040. This framework absolutely requires independence in fact and appearance, a cornerstone of the Independence Rule found within ET Sec. 1.200.001. Consequently, possessing any direct financial interest in an attest client is strictly forbidden. The General Standards Rule under ET Sec. 1.300.001 further enforces due professional care standards, compelling practitioners to maintain professional competence through rigorous continuing education, specifically a minimum of 20 annual and 120 mandatory triennial CPE hours. Financial engagements are also heavily regulated; the Contingent Fees Rule in ET Sec. 1.510.001 disallows such arrangements for attest services, a prohibition extending to commissions for these clients and any gifts beyond a clearly insignificant value. Regarding client relations, the Confidential Client Information Rule per ET Sec. 1.700.001 necessitates explicit client consent before divulging protected data, and full disclosure is required for any third-party service provider utilization. Any potential conflicts of interest for members in public practice, as detailed in ET Sec. 1.110.010, mandate comprehensive disclosure. All associated engagement working papers must be maintained for a retention period of at least seven years to ensure auditable compliance."

Technical ID

aicpa-code-ethics

Food & Hospitality

Responsible Alcohol Service

"Operationalizing responsible alcohol service necessitates strict adherence to prevailing statutory requirements and public safety mandates. Core compliance functions mandate verification that each patron meets the `patronAgeMinimum` of 21 years, confirmed by a `validIdPresented` check and a `patronAgeVerified` status. Service must be immediately withheld if `patronVisibleIntoxication` is observed, in accordance with applicable legal codes. Governing liquor authority regulations inform the `maxStandardDrinksPerHour` limit of two, a threshold designed to prevent over-service. Establishments must also ensure `waterAvailabilityFree` is true to provide patrons with non-alcoholic alternatives. Staffing protocols demand that all service personnel maintain a `staffTrainingCertified` status, with certification recency not exceeding the `staffTrainingRecencyDays` value of 365. Procedurally, operations require a last call to be announced `lastCallAnnouncedMinutesBeforeClose` (30) minutes before service ends. To mitigate liability under dram shop statutes, all service denials must be logged (`refusalOfServiceLogged`), a `safeRideOfferedToIntoxicatedPatron` protocol must be available for impaired individuals, and a complete `incidentLogMaintained` record must be kept for due diligence."

Technical ID

alcohol-service-std

Sales, Marketing & PR

AMA (Ethical Marketing)

"Adherence to this node's parameters ensures marketing communications embody the American Marketing Association's core ethical norms, primarily to do no harm, foster trust within the marketing system, and embrace foundational values. This framework operationalizes AMA principles through stringent technical controls and alignment with federal law. To uphold Honesty and Fairness, as mandated by the Federal Trade Commission Act, all content must pass `fact_verification`, and a `max_deceptive_pattern_score` of 0 is strictly enforced, alongside a requirement that any `competitor_comparison_fairness_verified` parameter is met. The principle of Transparency is systemically enforced through regulations like the FTC's Guides Concerning the Use of Endorsements and Testimonials, demanding that `require_sponsorship_disclosure` is active and that disclosures achieve a `disclosure_prominence_score_min` of at least 0.85 for sufficient clarity, which complements the `require_pricing_transparency` rule. Respect for consumers is maintained by prohibiting coercive tactics, reflected in a `max_coercion_index` of 0, and by safeguarding consumer expression under the Consumer Review Fairness Act; these protections are further bolstered when `vulnerable_audience_protection_active` is engaged, `privacy_consent_verified` is confirmed, and a functional `require_opt_out_mechanism` is available. Finally, the value of Citizenship is addressed by confirming every `sustainability_claim_substantiated` in accordance with the FTC's Green Guides, ensuring environmental marketing is responsible and defensible."

Technical ID

ama-ethical-marketing

Sales, Marketing & PR

Amazon Ads (Policy)

"Amazon Advertising Policy governs the creation, targeting, and display of Sponsored Products, Sponsored Brands, and Sponsored Display advertisements on the Amazon marketplace. All sponsored ads must carry a mandatory 'Sponsored' label visible to shoppers; this is non-negotiable and enforced automatically by Amazon's ad serving platform in compliance with FTC disclosure requirements. Sponsored Brands campaigns require active Amazon Brand Registry enrollment; unregistered sellers are ineligible. ASINs must be in active Buy Box-eligible status at the time of ad serving — out-of-stock, suppressed, or ineligible listings will not serve. Ads may not redirect traffic to off-Amazon destinations; all click destinations must be Amazon product detail pages, brand stores, or approved custom landing pages. Prohibited content categories include adult products outside designated programs, weapons and weapon accessories, counterfeit goods, and products making unsubstantiated health or medical claims. Image standards require a main image on a pure white background with no text overlays, watermarks, or inset images. Violations result in ad suspension, ASIN suppression, or account-level advertising suspension enforced by Amazon Advertising Policy Review."

Technical ID

amazon-sponsored-ads-policy

Banking & Global Finance

APRA CPS 230 (Resilience)

"APRA CPS 230 (Operational Risk Management) is the new cross-industry standard for the Australian financial sector. It replaces several legacy standards (CPS 231, CPS 232) with a unified framework for operational risk, service provider management, and business continuity, placing increased accountability on the board for the firm's resilience."

Technical ID

apra-cps-230-resilience

Banking & Global Finance

APRA Prudential Standard CPS 234 Information Security

"A mandatory Australian regulatory standard ensuring that APRA-regulated entities maintain robust information security capabilities, with ultimate accountability residing at the Board level."

Technical ID

apra-cps-234

Legal & IP Sovereignty

UNCITRAL Arbitration Rules

"Invocation of the UNCITRAL Arbitration Rules establishes a specific procedural framework for dispute resolution, though several critical parameters remain undefined. The governing instrument currently lacks a designated appointing authority, a defined seat of arbitration, and a specified language for proceedings. While the agreement specifies no number of arbitrators (the specified count is zero), the established framework applies a default of one arbitrator for adjudicating the dispute. Procedurally, a party must provide its response to a notice within thirty days. Furthermore, the initiating party is required to submit a comprehensive statement of claim to commence the substantive phase. The Commission's text provides mechanisms for parties to seek relief; it explicitly allows for a request for interim measures and offers an optional expedited procedure, which may be adopted by agreement. A significant compliance consideration is the absence of an explicit confidentiality clause, potentially impacting the privacy of hearings and related documents. Ultimately, any award rendered under these rules is considered final and binding upon all parties involved, as stipulated by relevant international conventions and the model law."

Technical ID

arbitration-uncitral-rules

Aviation, Defense & Quantum

Aerospace Quality Management System (AS9100 Rev D)

"The gold standard for quality management in the Aviation, Space, and Defense sectors, extending ISO 9001 with rigorous aerospace-specific safety and risk requirements."

Technical ID

as9100-rev-d

Aviation, Defense & Quantum

AS9100 Rev D (Aviation QMS)

"AS9100 Rev D is the international Quality Management System (QMS) standard for the Aviation, Space, and Defense (AS&D) industry. It incorporates the entire ISO 9001:2015 standard while adding specific requirements for product safety, counterfeit parts prevention, configuration management, and operational risk."

Technical ID

as9100-rev-d-qms

Aviation, Defense & Quantum

AS9110 (Maintenance QMS)

"AS9110 is the international Quality Management System standard specifically designed for aviation maintenance, repair, and overhaul (MRO) organizations. It builds upon AS9100 requirements by incorporating specific civil aviation regulations (EASA/FAA) and focusing on maintenance-specific factors like human performance and airworthiness."

Technical ID

as9110-maintenance-qms

Aviation, Defense & Quantum

AS9120 (Distributor QMS)

"AS9120 is the international Quality Management System standard for distributors and stockholders in the Aviation, Space, and Defense industry. It focuses on the chain of custody, traceability, and the control of records to ensure 'Certificate of Conformity' (CoC) and airworthiness documentation are maintained throughout the supply chain."

Technical ID

as9120-distributor-qms

Sales, Marketing & PR

ASA (Advertising Codes)

"Evaluation against the UK Advertising Codes confirms this marketing communication satisfies all primary regulatory obligations. The content is explicitly identifiable as an advertisement, upholding the CAP Code Section 2 principle that marketing must be recognisable. In accordance with both CAP Code Section 3 and the broadcast-specific BCAP Code Section 3 on misleading advertising, which align with the Consumer Protection from Unfair Trading Regulations 2008, the material contains no misleading omissions or claims. All objective assertions are supported by robust documentary substantiation, and pricing information is transparent without any unclear pricing or hidden fees. Adherence to CAP Code Section 4 standards on harm and offence is demonstrated by a harm and offence risk score of 0, comfortably below the maximum harm risk threshold of 0.3. The communication does not target children under 16, respecting special protections outlined in CAP Code Section 5. Since it avoids promoting restricted goods and ensures all promotional marketing terms are accessible as mandated by CAP Code Section 8, the asset meets its social responsibility standard and complies with relevant data protection rules."

Technical ID

asa-advertising-codes-uk

Cybersecurity

Assessing Security and Privacy Controls in Information Systems and Organizations

"This publication provides a methodology and a set of procedures for conducting assessments of security and privacy controls employed within systems and organizations as part of an effective risk management framework. The assessment procedures are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. Security and privacy control assessments are the principal vehicle used to verify that selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security and privacy requirements. The procedures are customizable and can be tailored to provide organizations with the flexibility to conduct assessments that support their risk management processes and align with their stated risk tolerance. Control assessment results provide organizational officials with evidence of control effectiveness, an indication of the quality of risk management processes, and information about the security and privacy strengths and weaknesses of systems. These findings are used to determine the overall effectiveness of controls and to provide credible inputs to the organization’s risk management process, facilitating a cost-effective approach to managing risk by identifying weaknesses and enabling appropriate risk responses."

Technical ID

assessing-security-privacy-controls

AI Governance & Law

Deterministic RAG Verification

"Deterministic RAG (Retrieval-Augmented Generation) verification is a systematic process for cross-referencing AI-generated claims against authoritative knowledge bases to detect and block hallucinated, fabricated, or unsupported outputs before they reach end users. The process extracts discrete factual claims from model outputs, retrieves supporting or contradicting evidence from verified knowledge sources, computes an entailment score for each claim, and either passes, flags, or blocks the response based on configurable confidence thresholds. This approach is aligned with NIST AI RMF MEASURE function requirements for AI output accuracy, the EU AI Act Article 13 transparency requirements, and emerging RAG security best practices addressing prompt injection and knowledge base poisoning. Failure to implement fact verification in high-stakes AI deployments (medical, legal, financial) can result in actionable misinformation, regulatory liability, and loss of user trust."

Technical ID

automated-fact-verification

Operations & CX

Agent-to-Agent Handover Protocol (BPMN 2.0)

"Enforcing a zero-trust model for state transitions within distributed business processes, the Agent-to-Agent Handover Protocol aligns with NIST SP 800-207's micro-segmentation principles. Secure communication is mandated through a `require_mutual_tls_auth` policy, preventing unauthorized interception. Conforming to IETF RFC 8725 best practices, decentralized authorization is enforced via an `enforce_oauth2_jwt_bearer` mechanism. The protocol upholds the BPMN 2.0 Specification's token execution semantics by ensuring a `bpmn_process_id_required` for every transfer, maintaining process context continuity. State integrity is guaranteed with a `require_state_integrity_hash` validation upon receipt. System security and resilience, as outlined in NIST AI 100-1, are addressed by limiting handover failures to a `max_retries_on_handover_fail` of 3 and capping `max_token_transfer_latency_ms` at 500 milliseconds. Furthermore, a `require_recipient_capacity_check` prevents resource exhaustion. Data protection by design, a cornerstone of GDPR Article 25, is implemented through a strict `require_pii_redaction_prior_to_transfer` rule and a transient `data_retention_in_transit_seconds` of 60 seconds. Following secure engineering guidelines from ISO/IEC 27001, the system must `enforce_least_privilege_context` for all exchanged data, and any cryptographic downgrade is forbidden as `allow_downgrade_encryption` is false. Comprehensive oversight is maintained with an `audit_log_level_minimum` set to 2."

Technical ID

automation-bpmn-agent-handover

Operations & CX

Error Boundary Logic (BPMN 2.0)

"Ensuring predictable failure prevention and operational resilience, this BPMN 2.0 configuration aligns with stringent international standards. To satisfy mandates within the EU Digital Operational Resilience Act (DORA) for deterministic automated failover, an active `interrupting_boundary_event` coupled with a defined `fallback_path` executes if a service task exceeds its `5000` millisecond timeout. This boundary defense mechanism supports NIST SP 800-53 requirements for failing to a known, secure state. Processes are limited to `3` retry attempts before initiating escalation, and critical faults mandate a `human_in_loop` for resolution, reflecting the Basel Committee's principles for robust incident management. In furtherance of ISO 27001's framework for ICT readiness, business continuity is bolstered by a `15`-minute maximum recovery time objective, directly supporting GDPR's mandate for timely data restoration. Adherence to PCI DSS is achieved by logging every `error_code` upon catch and issuing an immediate SOC alert on any authentication fault (`alert_soc_on_auth_fault`). Enabled `compensation_handling`, escalation on SLA breaches, and a `24`-hour termination for stale processes collectively create a resilient, auditable, and compliant execution environment."

Technical ID

automation-bpmn-error-boundary

Operations & CX

Service Task Execution Pattern (BPMN 2.0)

"Standardized, deterministic service tasks for executing automated logic within a business process, ensuring interoperability between agents and external systems."

Technical ID

automation-bpmn-service-task

AI Governance & Law

Automation Support for Control Assessments: Project Update and Vision

"In 2017, the National Institute of Standards and Technology (NIST) published a methodology for supporting the automation of Special Publication (SP) 800-53 control assessments in the form of Interagency Report (IR) 8011. IR 8011 is a multi-volume series that proposes an approach for creating specific tests, denominated as 'defect checks,' that can be executed using automation to help verify that controls are in place and operating as expected. The methodology supports the NIST Risk Management Framework (RMF) and was developed to ultimately support information security continuous monitoring (ISCM) activities, including ongoing assessments and ongoing authorizations. Following an internal review in 2023, the IR 8011 Development Team identified opportunities to improve the current IR 8011 methodology and facilitate its adoption. This cybersecurity white paper summarizes the findings from this review, which include plans to restructure the IR 8011 workflow for readability, expand keyword search functions, and abstract the security framework so the model can be used with any control-based framework. The ultimate goal is the operationalization of IR 8011, transforming the NIST-produced 'blueprint' into a solution that can benefit agencies and organizations."

Technical ID

automation-support-for-control-assessments

Logistics & Supply Chain

Autonomous Trucking V2V Security

"Compliance with this node ensures secure vehicle-to-vehicle (V2V) communications for autonomous trucking platoons by enforcing a comprehensive suite of cybersecurity controls derived from established automotive and security standards. The framework mandates that all messages utilize authentication through a Security Credential Management System (SCMS) and require Elliptic Curve Digital Signature Algorithm (ECDSA) message signatures for integrity, a core principle of IEEE 1609.2-2016. All cryptographic operations must be executed within a hardware security module (HSM) validated against FIPS 140-3 security requirements, and sensitive data payloads demand AES-256 encryption. For operational integrity, Basic Safety Messages (BSMs), defined within the SAE J2735 message set dictionary, must maintain a minimum broadcast frequency of 10 Hz with a maximum V2V latency of 20 milliseconds. Platoon configurations are strictly governed by the SAE J3134 reference architecture, limiting formations to a maximum of 5 vehicles and stipulating a minimum following distance of 15 meters. To counter persistent threats and align with the cybersecurity engineering principles of ISO/SAE 21434, the system requires an active misbehavior detection system and jamming interference detection capabilities. Privacy is protected through a mandatory pseudonym certificate rotation every 5 minutes. These measures collectively satisfy the Cyber Security Management System (CSMS) mandates outlined in UNECE WP.29 Regulation No. 155, establishing a secure and trusted operational environment for connected autonomous vehicle fleets."

Technical ID

autonomous-trucking-v2v

Banking & Global Finance

Moving in tandem: bank provisioning in emerging market economies

"This study analyzes the determinants of loan loss provisions and delinquency ratios based on the balance sheets of 554 banks from emerging market economies (EMEs). The results show that provisions in EME banks respond mostly to aggregate variables, and very little to idiosyncratic factors. Specifically, bank-specific credit growth rates, often considered a measure of individual risk-taking, do not explain the level of loan loss provisions. The predominant effect observed is that provisions and actual losses are negatively related to past economic growth and positively related to past aggregate credit growth, indicating that EME banks' provisioning decisions are highly correlated. The findings suggest that EME banks' provisioning behavior is procyclical, as provisions tend to fall when output grows. The paper also estimates the forward and backward-looking components of provisions, finding that provisions respond mainly to past reported losses and do not anticipate future increases in credit losses. This procyclical behavior, possibly driven by the difficulty of assessing economic cycle permanence in EMEs, suggests that macroprudential tools designed to counter this effect could be effective in dampening credit cycles."

Technical ID

bank-provisioning-emerging-market-economies

Banking & Global Finance

Moving in tandem: bank provisioning in emerging market economies

"This study analyzes the determinants of loan loss provisions and delinquency ratios using balance sheet data from 554 banks in 18 emerging market economies (EMEs). The results show that provisions in EME banks respond mostly to aggregate variables and very little to idiosyncratic factors. Specifically, bank-specific credit growth rates, often considered a measure of individual risk-taking, do not explain the level of loan loss provisions. The predominant effect observed is that the level of provisions and actual losses is negatively related to past economic growth and positively related to past aggregate credit growth, suggesting that EME banks’ provisioning decisions are highly correlated. The findings indicate that provisioning is mainly backward-looking, responding to past reported losses rather than anticipating future ones. This behavior is procyclical, as provisions tend to fall when output grows. There is also evidence supporting an 'income-smoothing' hypothesis, where banks increase provisions when earnings are higher. The paper suggests that since provisioning decisions are highly correlated and procyclical, macroprudential tools based on aggregate variables could be effective in dampening credit cycles and procyclical behavior."

Technical ID

bank-provisioning-emerging-markets

Banking & Global Finance

BSA SAR (Suspicious Activity)

"The Bank Secrecy Act (BSA) requires financial institutions to file a Suspicious Activity Report (SAR) for any transaction that is suspicious, appears to involve illegal activity, or has no logical business purpose. It is the primary reporting tool for the U.S. government to identify and combat money laundering, tax evasion, and terrorist financing."

Technical ID

bank-secrecy-act-suspicious

Legal & IP Sovereignty

Bar Standards Board (UK)

"Compliance with Bar Standards Board regulations necessitates strict adherence to a framework governing professional conduct, data security, and financial integrity. Core Duty 6 establishes an uncompromising obligation to maintain client confidentiality, a principle reinforced by the UK General Data Protection Regulation and the Data Protection Act 2018. These data protection laws mandate registration with the Information Commissioner's Office as a data controller, require robust client data encryption, and impose a maximum 72-hour window for reporting significant data breaches. Furthermore, barristers must implement effective information barriers within chambers to prevent conflicts. Financially, Rule C73 explicitly prohibits the handling of client money, limiting financial transactions strictly to service payments. Practitioners must also secure and maintain adequate professional indemnity insurance with a minimum coverage of £2,500,000, as stipulated by Rule C76. Under The Money Laundering Regulations 2017, undertaking a formal anti-money laundering risk assessment is compulsory for specific practice areas like tax or property law. Professional obligations extend to continuous development, requiring annual CPD completion, and promoting transparency through mandatory diversity data collection. All records must be preserved for a minimum of seven years. Crucially, Core Duty 10 and Rule C110 impose an overarching requirement for individuals to report any serious misconduct to the BSB promptly, ensuring the profession's integrity."

Technical ID

bar-standards-board-uk

Banking & Global Finance

The Basel Committee’s response to the financial crisis: report to the G20

"The Basel Committee on Banking Supervision developed a reform programme, referred to as “Basel III”, to address the lessons of the financial crisis and strengthen the resilience of banks and the global banking system. The reforms seek to improve the banking sector’s ability to absorb shocks arising from financial and economic stress, thus reducing the risk of spillover from the financial sector to the real economy. The reforms strengthen bank-level, or micro prudential, regulation to raise the resilience of individual banking institutions in periods of stress, and also have a macro prudential focus, addressing system wide risks. The core obligations include raising the quality and level of capital to ensure banks are better able to absorb losses, including increasing the minimum common equity requirement from 2% to 4.5% and adding a capital conservation buffer of 2.5% for a total of 7%. The framework increases risk coverage for trading activities, securitisations, and counterparty credit exposures. It introduces an internationally harmonised leverage ratio as a backstop to the risk-based measures, introduces minimum global liquidity standards (a short term liquidity coverage ratio and a longer term net stable funding ratio), and promotes the build-up of capital buffers in good times that can be drawn down in periods of stress."

Technical ID

basel-committee-financial-crisis-response

Banking & Global Finance

The Basel Committee’s response to the financial crisis: report to the G20

"In response to the financial crisis, the Basel Committee on Banking Supervision developed a reform programme, collectively referred to as “Basel III”, to address weaknesses in the banking sector such as excessive leverage, inadequate and low-quality capital, and insufficient liquidity buffers. The reforms seek to improve the banking sector’s ability to absorb shocks arising from financial and economic stress, whatever the source, thus reducing the risk of spillover from the financial sector to the real economy. The reforms strengthen bank-level, or micro prudential, regulation to raise the resilience of individual banking institutions in periods of stress, and also have a macro prudential focus, addressing system wide risks which can build up across the banking sector. The key building blocks of Basel III include raising the quality, level, and risk coverage of the capital framework, with a minimum common equity requirement of 4.5% and a capital conservation buffer of 2.5%. It also introduces an internationally harmonised leverage ratio to serve as a backstop to the risk-based capital measure, and minimum global liquidity standards consisting of a short term liquidity coverage ratio and a longer term, structural net stable funding ratio. The reforms also promote the build up of capital buffers in good times that can be drawn down in periods of stress, including a countercyclical buffer. These new global standards apply to banking institutions and are designed to transform the global regulatory framework and promote a more resilient banking sector."

Technical ID

basel-committee-response-financial-crisis

Banking & Global Finance

International Convergence of Capital Measurement and Capital Standards A Revised Framework Comprehensive Version

"This framework presents the Basel Committee on Banking Supervision’s revisions to supervisory regulations governing the capital adequacy of internationally active banks. Its fundamental objective is to develop a framework that would further strengthen the soundness and stability of the international banking system while maintaining sufficient consistency that capital adequacy regulation will not be a significant source of competitive inequality among internationally active banks. The framework applies on a consolidated basis to internationally active banks, including any holding company that is the parent entity within a banking group, to ensure it captures the risk of the whole banking group. The revised framework is based on three pillars: minimum capital requirements, supervisory review, and market discipline. It retains key elements of the 1988 capital adequacy framework, including the general requirement for banks to hold total capital equivalent to at least 8% of their risk-weighted assets. A significant innovation is the greater use of assessments of risk provided by banks’ internal systems as inputs to capital calculations. The framework provides a range of options for determining the capital requirements for credit risk and operational risk to allow banks and supervisors to select approaches that are most appropriate for their operations and their financial market infrastructure."

Technical ID

basel-ii-capital-framework

Banking & Global Finance

Basel III Capital Requirements

"Basel III's framework, established by the Basel Committee on Banking Supervision's global regulatory framework and implemented through regulations such as the European Union's CRR and the US Federal Reserve's Regulation Q, mandates significantly strengthened capital and liquidity standards to enhance banking sector resilience. Institutions must maintain a minimum Common Equity Tier 1 ratio of at least 4.5 percent, a Tier 1 capital ratio of 6.0 percent or greater, and a Total Capital ratio equal to or exceeding 8.0 percent of risk-weighted assets. Beyond these minimums, a capital conservation buffer of at least 2.5 percent is required, alongside a calculated countercyclical capital buffer designed to protect against periods of excessive credit growth. Furthermore, a G-SIB surcharge is applied where applicable, consistent with the BCBS updated assessment methodology for higher loss absorbency by globally systemically important banks. A non-risk-weighted leverage ratio of 3.0 percent or more serves as a critical backstop. The framework also introduces two vital liquidity standards from dedicated BCBS publications: a Liquidity Coverage Ratio of at least 100 percent to ensure short-term survivability during stress, and a Net Stable Funding Ratio of 100 percent or greater to promote stable long-term funding structures. Compliance further necessitates meeting specific market risk capital requirements and applying the standardized approach for operational risk."

Technical ID

basel-iii-capital

Banking & Global Finance

Basel III: A global regulatory framework for more resilient banks and banking systems

"This document presents the Basel Committee’s reforms to strengthen global capital and liquidity rules with the goal of promoting a more resilient banking sector. The objective of the reforms is to improve the banking sector’s ability to absorb shocks arising from financial and economic stress, whatever the source, thus reducing the risk of spillover from the financial sector to the real economy. The reforms address lessons from the financial crisis, where many countries' banking sectors had built up excessive on- and off-balance sheet leverage, accompanied by an erosion of the level and quality of the capital base and insufficient liquidity buffers. The framework strengthens bank-level, or microprudential, regulation and also has a macroprudential focus, addressing system-wide risks. Core elements include raising both the quality and quantity of the regulatory capital base, where the predominant form of Tier 1 capital must be common shares and retained earnings. It enhances the risk coverage for counterparty credit exposures from derivatives, repo, and securities financing activities. The reforms are underpinned by a leverage ratio that serves as a backstop to the risk-based capital measures. The framework also introduces macroprudential elements to help contain systemic risks, including a capital conservation buffer and a countercyclical buffer to protect the banking sector from periods of excess credit growth."

Technical ID

basel-iii-global-regulatory-framework

Banking & Global Finance

Basel III Liquidity (LCR)

"The Liquidity Coverage Ratio (LCR) is a core component of the Basel III post-crisis reforms. It ensures that banks maintain an adequate level of unencumbered high-quality liquid assets (HQLA) that can be converted into cash easily and immediately in private markets to meet their liquidity needs under a 30-calendar-day liquidity stress scenario."

Technical ID

basel-iii-liquidity-lcr

Banking & Global Finance

Basel IV: Capital Floor & Liquidity

"The Basel IV framework (the final Basel III reforms) introduces a standardized output floor to prevent banks from using internal models to underestimate risk. It significantly tightens capital requirements for G-SIBs and harmonizes the calculation of Risk-Weighted Assets (RWA) across the global banking sector."

Technical ID

basel-iv-liquidity

Banking & Global Finance

Basel IV Output Floor

"The Basel IV Output Floor is the centerpiece of the 2017 Basel III 'completion' reforms. It limits the reduction in risk-weighted assets (RWA) that can result from a bank's use of internal models by mandating that RWAs calculated using internal models cannot fall below 72.5% of the RWAs calculated using the standardized approach."

Technical ID

basel-iv-output-floor

Banking & Global Finance

Principles for the effective management and supervision of climate-related financial risks

"Climate change may result in physical and transition risks that could affect the safety and soundness of individual banking institutions and have broader financial stability implications for the banking system. This document from the Basel Committee on Banking Supervision (BCBS) seeks to promote a principles-based approach to improving risk management and supervisory practices related to these risks. The consultative document includes 18 high-level principles: Principles 1 through 12 provide banks with guidance on effective management of climate-related financial risks, while Principles 13 through 18 provide guidance for prudential supervisors. Banks are potentially exposed to climate-related financial risks regardless of their size, complexity or business model. They should therefore consider the potential impacts of climate-related risk drivers on their individual business models and assess the financial materiality of these risks. Banks should manage climate-related financial risks in a manner that is proportionate to the nature, scale and complexity of their activities and the overall level of risk that each bank is willing to accept. The principles are intended to provide a common baseline for internationally active banks and supervisors, while maintaining sufficient flexibility given the degree of heterogeneity and evolving practices in this area. The board of directors and senior management are expected to take a long-term view of climate-related financial risks, as their impacts could manifest over varying time horizons."

Technical ID

bcbs-climate-related-financial-risks

Banking & Global Finance

Sound Practices: Implications of fintech developments for banks and bank supervisors

"Interest is growing in financial technology, or 'fintech'. In response, the Basel Committee on Banking Supervision (BCBS) has analyzed the implications for supervisors and banks’ business models. As fintech developments remain fluid, the impact on banks is uncertain, but a common theme is that banks will find it increasingly difficult to maintain their current operating models given technological change and customer expectations. The nature and scope of banking risks as traditionally understood may significantly change over time with the growing adoption of fintech, in the form of both new technologies and business models. This Sound Practices paper combines historical research, product analysis, and scenario analysis to provide a forward-looking perspective on fintech's potential impact on the banking industry, identifying key observations and related recommendations. For banks, the key risks associated with the emergence of fintech include strategic risk, operational risk, cyber-risk and compliance risk. The core recommendation is that banks should ensure they have effective governance structures and risk management processes to identify, manage and monitor these risks. This includes robust strategic planning, sound new product approval processes, implementation of operational risk principles, and appropriate due diligence and monitoring for any operations outsourced to third parties, including fintech firms. Ultimately, banks and bank supervisors are encouraged to balance ensuring the safety and soundness of the banking system with minimizing the risk of inadvertently inhibiting beneficial innovation in the financial sector, thereby promoting financial stability and consumer protection."

Technical ID

bcbs-fintech-sound-practices

Banking & Global Finance

Supervisory framework for measuring and controlling large exposures

"This framework was developed to limit the maximum loss a bank could face in the event of a sudden counterparty failure to a level that does not endanger the bank’s solvency. It complements the Committee’s risk-based capital standard because the latter is not designed specifically to protect banks from large losses resulting from the sudden default of a single counterparty. The framework is applicable to all internationally active banks and must apply at every tier within a banking group. The core obligation is for banks to measure, aggregate, and control exposures to single counterparties or to groups of connected counterparties. The sum of all exposure values of a bank to a counterparty or to a group of connected counterparties is defined as a large exposure if it is equal to or above 10% of the bank’s eligible Tier 1 capital base. The sum of all exposure values to a single counterparty or group of connected counterparties must not be higher than 25% of the bank’s available eligible capital base at all times. A relatively tighter limit on exposures between global systemically important banks (G-SIBs) is included, set at 15% of the eligible capital base."

Technical ID

bcbs-large-exposures-framework

Banking & Global Finance

Principles for Operational Resilience

"The Basel Committee on Banking Supervision promotes a principles-based approach to improving operational resilience, defined as the ability of a bank to deliver critical operations through disruption. This approach builds on the Committee’s Principles for the Sound Management of Operational Risk (PSMOR) and is intended to strengthen banks’ ability to absorb operational risk-related events such as pandemics, cyber incidents, and technology failures. The principles apply on a consolidated basis to banks consistent with the scope of the Basel Framework. The core obligation is for a bank to establish an effective operational resilience approach that enables it to identify and protect itself from threats, respond and adapt to, and recover and learn from disruptive events to minimize their impact. This involves considering its overall risk appetite and tolerance for disruption. The principles are organized across seven categories: governance; operational risk management; business continuity planning and testing; mapping of interconnections and interdependencies of critical operations; third-party dependency management; incident management; and resilient information and communication technology (ICT), including cyber security. An operationally resilient bank is less prone to incur untimely lapses in its operations and losses from disruptions, thus lessening incident impact on critical operations."

Technical ID

bcbs-principles-operational-resilience

Banking & Global Finance

Principles for the Sound Management of Operational Risk

"This document details eleven principles of sound operational risk management covering governance, the risk management environment, and the role of disclosure. It replaces the 2003 Sound Practices for the Management and Supervision of Operational Risk, incorporating the evolution of sound practice and enhanced operational risk management practices now in use by the industry. The principles are relevant to all banks, which are expected to take account of the nature, size, complexity, and risk profile of their activities during implementation. Supervisors will evaluate a bank's policies, processes, and systems related to operational risk as part of their assessment of the bank's framework. The core obligation is for banks to develop, implement, and maintain an operational risk management framework that is fully integrated into the bank’s overall risk management processes. This framework should be founded on a strong risk management culture led by the board of directors and senior management. It must be comprehensively documented in board-approved policies and include clear definitions and governance structures. A common industry practice for sound governance relies on three lines of defence: business line management, an independent corporate operational risk management function, and an independent review. The framework must also address business resiliency and continuity to ensure the bank can operate on an ongoing basis and limit losses in the event of severe business disruption."

Technical ID

bcbs-principles-sound-management-operational-risk

Banking & Global Finance

Principles for Sound Liquidity Risk Management and Supervision

"Liquidity is the ability of a bank to fund increases in assets and meet obligations as they come due, without incurring unacceptable losses. The fundamental role of banks in the maturity transformation of short-term deposits into long-term loans makes banks inherently vulnerable to liquidity risk. This guidance outlines principles for the sound management of liquidity risk, prompted by market turmoil that re-emphasised the importance of liquidity to the functioning of financial markets and the banking sector. The difficulties highlighted that many banks had failed to take account of a number of basic principles of liquidity risk management, such as having an adequate framework that satisfactorily accounted for the liquidity risks posed by individual products and business lines. Many firms viewed severe and prolonged liquidity disruptions as implausible and did not conduct stress tests that factored in the possibility of market wide strain. This guidance applies to all types of banks, with implementation tailored to the size, nature of business and complexity of a bank’s activities. The core obligation is that a bank is responsible for the sound management of liquidity risk. A bank should establish a robust liquidity risk management framework that ensures it maintains sufficient liquidity, including a cushion of unencumbered, high quality liquid assets, to withstand a range of stress events, including those involving the loss or impairment of both unsecured and secured funding sources. Supervisors should assess the adequacy of both a bank's liquidity risk management framework and its liquidity position and should take prompt action if a bank is deficient in either area."

Technical ID

bcbs-sound-liquidity-risk-management

Banking & Global Finance

Principles for sound stress testing practices and supervision

"Stress testing is an important risk management tool used by banks as part of their internal risk management and, through the Basel II capital adequacy framework, is promoted by supervisors. It alerts bank management to adverse unexpected outcomes related to a variety of risks and provides an indication of how much capital might be needed to absorb losses should large shocks occur. Stress testing plays a particularly important role in providing forward-looking assessments of risk, overcoming limitations of models and historical data, supporting communication, feeding into capital and liquidity planning, informing the setting of a bank's risk tolerance, and facilitating the development of risk mitigation plans. Following the financial crisis, which highlighted significant weaknesses in banks' stress testing practices, the Basel Committee developed these sound principles for banks and supervisors. The principles cover the overall objectives, governance, design, and implementation of stress testing programmes. The recommendations are aimed at deepening and strengthening banks’ stress testing practices and apply to banks on a proportionate basis, commensurate with their size, complexity, and risk profile. The core obligation is for a bank's stress testing to form an integral part of its overall governance, with results that are actionable and impact decision-making at the board and senior management levels."

Technical ID

bcbs-sound-stress-testing-practices

Creative, Content & Media IP

Berne Convention (Copyright)

"The Berne Convention for the Protection of Literary and Artistic Works (1886, Paris 1971) establishes the foundational international standards for copyright. It specifies the mandatory principle of 'Automatic Protection' (protection without registration) and 'Moral Rights' (Article 6bis), ensuring global recognition of the author's original creation and the right to claim paternity of the work and to object to any distortion of it."

Technical ID

berne-convention-copyright

Legal & IP Sovereignty

Berne Convention (Copyright)

"The Berne Convention for the Protection of Literary and Artistic Works (1886) is the foundational international treaty for copyright. It provides 'Automatic Protection'—meaning copyright exists as soon as a work is fixed in a tangible medium, without the need for registration—and ensures that foreign authors receive the same rights as local ones."

Technical ID

berne-convention-literary-artistic

Cybersecurity

Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

"This special publication on Resilient Interdomain Traffic Exchange (RITE) includes initial guidance on securing the interdomain routing control traffic, preventing IP address spoofing, and certain aspects of DoS/DDoS detection and mitigation. The primary focus of these recommendations is the points of interconnection between enterprise networks, or hosted service providers, and the public internet. The primary audience includes information security officers and managers of federal enterprise networks. The guidance also applies to the network services of hosting providers and internet service providers (ISPs) when they are used to support federal IT systems. The core recommendations reduce the risk of accidental and malicious attacks in the routing control plane, and they help detect and prevent IP address spoofing and the resulting DoS/DDoS attacks. Technologies recommended for securing interdomain routing control traffic include Resource Public Key Infrastructure (RPKI), BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks include prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms."

Technical ID

bgp-security-ddos-mitigation

Banking & Global Finance

III. CBDCs: an opportunity for the monetary system

"This chapter examines how central bank digital currencies (CBDCs) can contribute to an open, safe and competitive monetary system that supports innovation and serves the public interest. CBDCs are a form of digital money, denominated in the national unit of account, which is a direct liability of the central bank. They can be designed for use either among financial intermediaries only (wholesale CBDCs), or by the wider economy (retail CBDCs). The overriding criterion when evaluating a change to the monetary system should be whether it serves the public interest, encompassing economic benefits, governance quality, and basic rights such as data privacy. Digital money should be designed with this in mind, and retail CBDCs could ensure open payment platforms and a competitive level playing field conducive to innovation. The ultimate benefits of adopting a new payment technology will depend on the competitive structure of the underlying payment system and data governance arrangements. The same technology that can encourage a virtuous circle of greater access, lower costs and better services might equally induce a vicious circle of data silos, market power and anti-competitive practices. The report argues that CBDCs are best designed as part of a two-tier system, where the central bank provides the foundational infrastructure and private payment service providers (PSPs) use their creativity to serve customers. Design choices regarding digital identification and architecture (hybrid vs. intermediated) are crucial for balancing innovation, financial stability, and user privacy."

Technical ID

bis-cbdcs-monetary-system

Crypto & Sovereign Finance

ETFs, illiquid assets, and fire sales

"This paper documents several novel facts about exchange-traded funds (ETFs) holding corporate bonds. Its main empirical finding is that the portfolio of bonds exchanged for new or existing ETF shares, known as creation or redemption baskets, often represents a small fraction of ETF holdings—a fact referred to as “fractional baskets.” For ETFs holding corporate bonds, roughly 10% of holdings are in creation baskets and 20% are in redemption baskets, on average. These baskets also exhibit high turnover; for instance, a bond in a creation basket has on average a 25% chance of being included in the next day’s creation basket. Consequently, ETFs with fractional baskets exhibit persistent premiums and discounts, which is related to the slow adjustment of Net Asset Value (NAV) returns to ETF returns. A simple model is developed to show that an ETF’s authorized participants (APs) can act as a buffer between the ETF market and the underlying illiquid assets, helping to mitigate fire sales. The key takeaway from the model is that an ETF discount arises because the AP acts as a buffer, allowing the ETF price to fall while avoiding selling bonds in quantities that would trigger a fire sale. The findings suggest that the delayed response of NAV, resulting from fractional baskets, can be a potential benefit for ETFs managing illiquid assets by absorbing panic selling in the liquid ETF market while mitigating the impact on the less liquid market for underlying assets."

Technical ID

bis-etfs-illiquid-assets-fire-sales

Crypto & Sovereign Finance

ETFs, illiquid assets, and fire sales

"This paper documents several facts about exchange-traded funds (ETFs) holding corporate bonds. The main empirical finding is that bond ETF baskets contain a small fraction of holdings, a fact referred to as 'fractional baskets,' which contributes to persistent discrepancies between ETF price and net asset value (NAV). For ETFs holding corporate bonds, roughly 10% of holdings are in creation baskets and 20% are in redemption baskets, on average. This challenges the common assumption that baskets are representative of holdings and has important implications for the ETF arbitrage process. These fractional baskets also exhibit high turnover, and their composition differs from overall holdings in terms of duration and bid-ask spreads. The paper develops a model to show that these discrepancies may be a feature of ETFs holding illiquid assets. The model demonstrates that an ETF’s authorized participants (APs) can act as a buffer between the ETF market and the underlying illiquid assets, helping to mitigate fire sales. When facing redemptions, an AP holding bond inventory endogenously avoids a fire sale because selling bonds at fire sale prices would lead to large mark-to-market losses on their existing inventory. This allows the ETF price to fall while avoiding selling bonds in quantities that would trigger a fire sale, insulating non-redeeming investors and the underlying bond market from immediate pressure."

Technical ID

bis-etfs-illiquid-assets-firesales

Banking & Global Finance

BIS Principles (FMI)

"The Principles for Financial Market Infrastructures (PFMI) are the international standards for the infrastructure that facilitates the clearing, settlement, and recording of monetary and other financial transactions. Developed by CPSS (now CPMI) and IOSCO, the 24 principles are designed to ensure the safety, efficiency, and resilience of systemically important payment systems and central counterparties."

Technical ID

bis-principles-fmi-2012

Crypto & Sovereign Finance

Bitcoin Lightning L402

"L402 (formerly LSAT — Lightning Service Authentication Token) is a protocol standard developed by Lightning Labs that enables HTTP 402 Payment Required responses to be resolved via Bitcoin Lightning Network micropayments, allowing servers to monetize API access at the sub-cent level in a fully programmatic, machine-to-machine flow. The protocol combines Lightning Network invoice payment with macaroon-based access tokens (caveat-bearer tokens derived from macaroon cryptography), enabling pay-per-request, pay-per-session, and capability-scoped access models. L402 is foundational to AI agent commerce because it enables agents to autonomously purchase data, compute, or services without requiring pre-registered accounts or OAuth flows. Misconfigured L402 implementations can result in replay attacks (if preimage verification is skipped), privilege escalation (if macaroon caveats are not enforced server-side), or budget drain (if payment is accepted without corresponding service delivery)."

Technical ID

bitcoin-lightning-l402

Legal & IP Sovereignty

Brazil LGPD Compliance

"Lei Geral de Proteção de Dados (LGPD) is Brazil's comprehensive data protection law (Law No. 13,709/2018), modeled after GDPR but with distinct governance requirements for the ANPD (National Data Protection Authority) and mandatory DPO appointments for all controllers."

Technical ID

brazil-lgpd-compliance

Food & Hospitality

BRCGS Food Safety

"Compliance with the BRCGS Global Standard Food Safety Issue 9 mandates a comprehensive, proactive management system, fundamentally rooted in senior management commitment as defined in Section 1. This commitment is evidenced through formal management reviews conducted at a maximum 12-month interval and support for a continuously active internal audit program. The operational core is a fully active food safety plan based on HACCP principles, detailed in Section 2, which must be rigorously maintained. Supporting this system, Clause 3.2 on document control extends to digital infrastructure, requiring active IT system backup and cybersecurity protocols. The stringent traceability mandate in Clause 3.9 necessitates the capability to retrieve all relevant information within a four-hour maximum during exercises, with full product recall tests performed at a 12-month interval. Furthermore, Clause 4.2 requires an active food defense assessment to mitigate intentional adulteration, while Clause 5.4 on product authenticity compels a documented food fraud vulnerability assessment at least every 12 months, reinforced by an active supplier approval procedure. System integrity is also validated through an active environmental monitoring program and record retention policies that mandate keeping documents for a product's shelf life plus an additional 12 months."

Technical ID

brc-food-safety-global

Sustainability & ESG

BREEAM Building Performance

"Asset performance verification against the BREEAM framework necessitates a holistic assessment of environmental, social, and economic sustainability factors. Compliance requires demonstrating an overall target BREEAM score percentage of 70, aligning with an 'Excellent' rating under benchmarks such as the BREEAM In-Use International Commercial Version 6. This performance is substantiated through rigorous energy management, consistent with ISO 50001:2018, mandating that energy consumption does not exceed a maximum of 120 kWh per square meter and that sub-metering is installed for all major systems. Environmental management protocols, guided by ISO 14001:2015 and the life cycle assessment principles of EN 15978:2011, demand a minimum construction waste diversion of 85 percent and procurement of sustainable materials reaching at least 80 percent. Health and wellbeing standards, drawing from the BREEAM International New Construction Standard, require active indoor air quality sensors and a minimum daylight factor of 2 percent, promoting conditions consistent with ASHRAE Standard 55. Further operational integrity is confirmed by active water consumption monitoring, automated refrigerant leak detection, and a passed cybersecurity audit for the building management system. The provision of at least five EV charging points supports sustainable transport initiatives, completing the comprehensive compliance profile."

Technical ID

breeam-building-perf

Cybersecurity

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. It integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach. Organizations are concerned about risks associated with products and services that may contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices. These risks arise from decreased visibility into how technology is developed, integrated, and deployed. The core obligation is for enterprises to implement a systematic process for managing exposure to these risks by developing appropriate response strategies, policies, procedures, and controls. The guidance is intended for a diverse audience, including individuals with system, information security, risk management, system development, acquisition, procurement, and operational responsibilities. C-SCRM is presented as an enterprise-wide activity requiring coordination across various disciplines. This publication empowers enterprises to develop C-SCRM strategies tailored to their specific mission needs, threats, and operational environments, while balancing the costs and benefits of implementation. The guidance is not one-size-fits-all and should be adopted and tailored to the unique size, resources, and risk circumstances of each enterprise."

Technical ID

c-scrm-practices-systems-organizations

Logistics & Supply Chain

C-TPAT Minimum Security Criteria

"The Customs-Trade Partnership Against Terrorism (C-TPAT) is a voluntary public-private sector partnership program where members work with U.S. Customs and Border Protection (CBP) to protect the supply chain, identify security gaps, and implement specific security measures and best practices."

Technical ID

c-tpat-minimum-security

Creative, Content & Media IP

C2PA (Provenance)

"Compliance with this node mandates the immutable attachment of a C2PA manifest to all digital assets, establishing verifiable provenance and aligning with transparency obligations for AI-generated content as stipulated under the EU Artificial Intelligence Act and content authentication directives from US Executive Order 14110. The configuration strictly enforces that each manifest adhere to the C2PA Technical Specification with a `minimum_c2pa_version` of 1.3 and not exceed a `max_manifest_size_kb` of 2048. A mandatory `require_cryptographic_binding` is enforced through a `require_hard_binding_hash` using an algorithm with a `min_hash_algorithm_strength_bits` of 256, leveraging the JUMBF box structures from ISO/IEC 23000-22 for data encapsulation. Key assertions are non-negotiable: a `require_creator_identity_assertion`, based on the W3C Verifiable Credentials Data Model, must be present, alongside a `require_ai_generation_action_assertion` for any synthetic media. The chain of trust is further secured by a `require_certificate_revocation_check` and a `require_secure_timestamp_injection` for temporal integrity. Finally, a complete `require_ingredient_provenance_lineage` must trace the asset's history, while `allow_redaction_assertions` provides a mechanism for declared information removal, satisfying core governance and transparency tenets of the NIST Artificial Intelligence Risk Management Framework."

Technical ID

c2pa-content-provenance

AI Governance & Law

C2PA Content Provenance

"The Coalition for Content Provenance and Authenticity (C2PA) specification defines a cryptographically signed metadata manifest standard that embeds verifiable provenance information directly into digital assets (images, video, audio, documents), enabling any consumer to verify who created the asset, what tools were used, and whether the content has been modified since signing. C2PA is backed by Adobe, Microsoft, Intel, BBC, Sony, and others and is increasingly required by news organizations, AI content platforms, and social media companies for AI-generated content labeling. The specification uses X.509 certificates for signer identity, COSE (CBOR Object Signing and Encryption) for manifest integrity, and defines a trust list maintained by the C2PA Trust List Authority. Organizations distributing AI-generated content without C2PA manifests risk regulatory non-compliance under the EU AI Act Article 50 transparency obligations and face reputational exposure from deepfake misattribution."

Technical ID

c2pa-watermark-valid

Legal & IP Sovereignty

CCPA/CPRA Enforcement

"The California Consumer Privacy Act (CCPA), as significantly enhanced by the California Privacy Rights Act (CPRA), provides comprehensive privacy rights to California residents. It introduces the CPPA (California Privacy Protection Agency) and grants the right to correct inaccurate data and limit use of sensitive personal information (SPI)."

Technical ID

california-ccpa-v2

Sales, Marketing & PR

CAN-SPAM Act (Email)

"Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, commonly known as the CAN-SPAM Act, establishes national standards for sending commercial electronic mail. Compliance requires strict adherence to message content, sender identification, and consumer opt-out provisions. All commercial messages must contain a clear and conspicuous notice of the recipient's right to opt out of receiving future communications. Per this node's configuration, such unsubscribe requests must be processed within a 10-business-day window. Furthermore, communications must not feature deceptive subject lines or header information; both "From" and "Reply-To" fields must accurately represent the person or business initiating contact. The inclusion of a valid physical postal address for the sender is a mandatory data point for all outgoing commercial campaigns. It is also critical to distinguish between commercial messages, which have the primary purpose of advertising or promoting a product or service, versus transactional or relationship messages that facilitate an agreed-upon transaction. While certain requirements may differ, the core principles of truthfulness and transparency apply broadly. Failure to comply carries significant financial penalties for each separate email in violation of the federal statute. This node enforces these parameters to mitigate enterprise risk and ensure all email marketing activities align with established legal frameworks."

Technical ID

can-spam-act-email

Sales, Marketing & PR

CASL (Anti-Spam Canada)

"Canada's Anti-Spam Legislation, governed by CASL S.C. 2010, c. 23, mandates strict compliance for sending Commercial Electronic Messages (CEMs). A core tenet is the prohibition outlined in Section 6(1) against dispatching CEMs without recipient consent, which must be either express or implied, a parameter enforced by this system. In accordance with guidance from CRTC Compliance and Enforcement Information Bulletin CRTC 2012-548, the platform disallows pre-checked opt-in boxes to ensure affirmative consent. As defined by Section 10(9) and 10(10), implied consent is strictly time-limited, recognized for 730 days following an existing business relationship and for 183 days after a direct inquiry. All messages must fulfill sender identification requirements prescribed in Section 11(1), necessitating clear sender details alongside a valid physical mailing address. A functional unsubscribe mechanism is also compulsory; its availability must persist for a minimum of 60 days post-send, with opt-out requests processed inside a maximum of 10 business days, as stipulated by Section 11(2) and 11(3). While the Electronic Commerce Protection Regulations SOR/2013-221 provide specific exemptions for personal, family, and certain business-to-business communications, their applicability requires rigorous verification. Maintaining a robust consent audit trail is critical for demonstrating due diligence, especially given that non-compliance can trigger severe administrative monetary penalties, with a corporate maximum penalty potentially reaching 10 million Canadian dollars."

Technical ID

casl-anti-spam-canada

Workplace

CCPA/CPRA — California Consumer Privacy Rights

"The California Consumer Privacy Act (CCPA, effective January 1, 2020) as substantially amended by the California Privacy Rights Act (CPRA, enforceable from March 29, 2024 following litigation delays; original date July 1, 2023) is the most comprehensive U.S. state privacy law and a de facto national standard for consumer data rights. The law applies to for-profit businesses meeting any of three thresholds: annual gross revenue exceeding $25 million; buying, selling, sharing, or receiving personal information of 100,000+ consumers or households per year; or deriving 50%+ of annual revenue from selling or sharing consumer data. CPRA added: a new sensitive personal information (SPI) category with dedicated rights to limit use; the right to correct inaccurate personal information; a data retention limitation requirement (3-year limit on retaining data beyond original purpose); and the California Privacy Protection Agency (CPPA) as an independent enforcement agency with rulemaking authority. Consumer rights: access (know), deletion, correction (CPRA), opt-out of sale/sharing, limit use of SPI (CPRA), portability, and non-discrimination. Penalties: $2,500 per unintentional violation, $7,500 per intentional violation — with no statutory maximum and class action exposure for data breaches."

Technical ID

ccpa-cpra

Sales, Marketing & PR

CCPA/CPRA (Opt-out Sale)

"California Civil Code § 1798.120 establishes a consumer's fundamental right to direct a business to stop selling or sharing their personal information. Fulfilling this obligation, as detailed in California Civil Code § 1798.135, mandates providing clear notice and an accessible "Do Not Sell or Share My Personal Information" link, a control set by `require_do_not_sell_share_link`. Businesses must offer a `minimum_opt_out_methods` count of two distinct submission mechanisms. Crucially, the process must `allow_frictionless_opt_out` by honoring opt-out preference signals like the Global Privacy Control (GPC), a requirement under 11 California Code of Regulations § 7025 which the system configuration `honor_global_privacy_control_gpc` enables. Upon receiving a valid request, a business has 15 business days (`days_to_effectuate_opt_out`) to cease selling or sharing the consumer's data, pursuant to 11 California Code of Regulations § 7026. This directive also requires that the business `propagate_opt_out_to_third_parties`, notifying all downstream recipients within an identical 15-day window (`days_to_notify_third_parties`). The user experience must be straightforward, as `prohibit_dark_patterns` is enforced and identity verification is not a prerequisite for this request type (`require_identity_verification_opt_out`). For consumers under the `minor_opt_in_age_threshold` of 16, California Civil Code § 1798.120(c) prohibits any sale or sharing without affirmative authorization. After a consumer opts out, a business must wait 12 months (`months_before_opt_in_re_ask`) before asking for re-authorization, a rule stipulated by 11 California Code of Regulations § 7028. All opt-out requests must be documented and retained for a period of 24 months (`record_retention_months`) to demonstrate compliance."

Technical ID

ccpa-cpra-optout-sale

Sustainability & ESG

CDP Carbon Disclosure Protocol

"Adherence to the CDP Carbon Disclosure Protocol necessitates annual disclosure via the mandatory ORS portal submission following a minimum reporting period of twelve months. Organizations must quantify greenhouse gas inventories consistent with the WRI/WBCSD Greenhouse Gas Protocol Corporate Accounting and Reporting Standard, which makes Scope 1 and Scope 2 emissions reporting compulsory. Additionally, any material Scope 3 categories exceeding a collective materiality threshold of five percent must be included. The protocol demands robust governance; mandated board-level oversight for climate strategy is a foundational element, and required alignment ensures disclosures are structured around the core Recommendations of the Task Force on Climate-related Financial Disclosures. This includes the required quantification of financial impacts from climate-related risks and opportunities. To earn a leadership score, as defined by the CDP Scoring Methodology, obtaining third-party assurance is an unconditional prerequisite for submitted data. The framework’s design enables Science Based Targets initiative (SBTi) target integration, encouraging validation against the SBTi Corporate Net-Zero Standard. Comprehensive disclosure also involves required supply chain engagement tracking, providing transparency into value chain management practices that align with principles found within ISO 14064-1."

Technical ID

cdp-carbon-disclosure

Legal & IP Sovereignty

CFA Ethics & Proficiency

"Operational adherence to this node establishes rigorous conformity with foundational principles of the CFA Institute Code of Ethics and Standards of Professional Conduct. The system mandates robust controls to uphold market integrity, including the enforcement of strict information barriers to prevent the misuse of material nonpublic information consistent with Standard II(A), alongside an absolute prohibition of market manipulation algorithms as dictated by Standard II(B). Duties to clients are paramount, with configurations requiring pro-rata fair dealing for investment actions pursuant to Standard III(B) and enforcing client trade priority. Additionally, continuous investment suitability verification is required for all recommendations to align with client mandates under Standard III(C). The preservation of confidentiality, a core tenet of Standard III(E), is maintained through a mandatory client data encryption requirement. To mitigate conflicts, a maximum acceptable gift value is set at 100 USD and full conflict of interest disclosure is compulsory. In accordance with Standard V(C) on Record Retention, all supporting documentation must be preserved for a minimum of seven years. Systemic integrity is further solidified by a mandatory annual professional conduct attestation and ensuring all performance presentation complies with GIPS standards."

Technical ID

cfa-ethics-standards

Banking & Global Finance

CFTC Part 49 (Swaps)

"Compliance with CFTC Part 49 is predicated on maintaining an active registration as a Swap Data Repository (SDR) pursuant to procedures outlined in 17 CFR § 49.3. A designated Chief Compliance Officer, as mandated by 17 CFR § 49.22, administers the comprehensive compliance program and ensures an annual compliance report is filed. The SDR actively disseminates swap transaction data through real-time public reporting mechanisms consistent with 17 CFR § 49.15, while also providing the Commission with direct electronic access to all SDR data as required under 17 CFR § 49.17. Comprehensive swap data recordkeeping obligations are met per 17 CFR § 49.12; all data is maintained for a minimum of five years following swap termination. Strict privacy and confidentiality protocols are enforced over this information, adhering to requirements of 17 CFR § 49.16. Operational integrity and data security are further upheld through fully compliant system safeguards. These safeguards include the successful execution of an annual penetration test, robust disaster recovery plans targeting a two-hour Recovery Time Objective, and a formal procedure for cyber incident notification to the Commission within 24 hours of discovery, ensuring the protection and availability of critical market data."

Technical ID

cftc-part-49-swap-reporting

Banking & Global Finance

CHAPS RTGS (Payments)

"CHAPS (Clearing House Automated Payment System) is the UK's high-value, real-time gross settlement (RTGS) payment system. It is used for critical financial transactions, such as interbank house purchases and corporate trades, ensuring immediate and irrevocable settlement of funds through the Bank of England's reserve accounts."

Technical ID

chaps-rtgs-high-val-london

Workplace

CIPD (HR Standards)

"Adherence to this node mandates rigorous alignment with Chartered Institute of Personnel and Development standards, structurally integrated with foundational UK legislation. An organization's human resources framework requires `require_cipd_profession_map_alignment`, ensuring all practices reflect the Core Knowledge areas of Ethical Practice plus Culture & Behaviour from the CIPD Profession Map. This alignment is operationally enforced via an `ethical_practice_framework_implemented` and verified through a minimum of two `culture_and_behavior_audits_per_year`. Professional Integrity and Competence, as stipulated within the CIPD Code of Professional Conduct, are sustained by a `min_annual_cpd_hours` of 30 for practitioners. Data processing activities must be `technology_people_analytics_compliant`, activating `employee_data_privacy_controls_active` to satisfy principles of the UK General Data Protection Regulation under Article 5. Systematically, `evidence_based_decision_tracking_enabled` supports transparent, justifiable people management decisions. Conformity with the UK Equality Act 2010 concerning Protected Characteristics and Prohibited Conduct necessitates that `diversity_inclusion_metrics_tracked` are continually monitored. Employee relations procedures must respect the UK Employment Rights Act 1996 baseline, with performance thresholds enforcing a `max_grievance_resolution_days` of 28. Consistent with ISO 30414:2018 guidelines for human capital reporting, a `workforce_reporting_frequency_days` not exceeding 90 is mandatory. Finally, the node requires that `mandatory_wellbeing_assessments_enabled` are active, ensuring a holistic and compliant people strategy."

Technical ID

cipd-hr-standards

Cybersecurity

Least Privilege for AI Agents (CIS Companion Guide)

"Autonomous AI agents must be managed as Non-Human Identities (NHIs) with task-scoped, ephemeral privileges. The principle of Least Privilege ensures that an agent's access is restricted to the specific data and tools required for its current atomic task."

Technical ID

cis-ai-least-privilege

Cybersecurity

CIS Critical Security Controls Version 8

"Compliance with the Center for Internet Security (CIS) Critical Security Controls Version 8 provides a prioritized, risk-based framework for cyber defense, with this node mandating the foundational requirements of Implementation Group 1. Adherence necessitates maintaining a complete enterprise asset inventory and a detailed software asset inventory, alongside an active data classification program. The required operational security posture specifies automated vulnerability scans must occur at a maximum interval of 30 days, with critical patch deployment completed within a 14-day window. Secure access controls are paramount; multi-factor authentication is required for all administrative functions and any remote network access. For forensic and investigative readiness, audit logs must be preserved for a minimum of 90 days. Organizational resilience is further bolstered by requiring a formal incident response plan and ensuring all personnel complete security awareness training within a 365-day cycle. While this configuration does not explicitly require penetration testing, its implementation offers significant legal and regulatory advantages. Conformance may afford a legal safe harbor under state legislation like the Ohio Data Protection Act and Utah’s Cybersecurity Affirmative Defense Act. Moreover, these safeguards align heavily with federal enforcement under the FTC Safeguards Rule and are directly mapped to authoritative standards, including NIST Special Publication 800-53 and the NIST Cybersecurity Framework."

Technical ID

cis-controls-v8

Cybersecurity

Cross-Sector Cybersecurity Performance Goals

"The Cross-Sector Cybersecurity Performance Goals (CPGs) provide an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks. These goals are applicable across all critical infrastructure sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners. They are a minimum set of practices that all critical infrastructure entities—from large to small—should implement to get started on their path toward a strong cybersecurity posture. The CPGs are intended to be a floor, not a ceiling, for what cybersecurity protections organizations should implement to reduce their cyber risk. The CPGs do not constitute a comprehensive cybersecurity program but rather represent a minimum baseline of cybersecurity practices with known risk-reduction value. They are designed to be easy to understand and communicate with non-technical audiences, including senior business leadership, to help organizations focus investment toward the most impactful security outcomes. The goals are voluntarily adopted and can be used as a quick-start guide, particularly for small and medium organizations, to prioritize security investments in conjunction with broader frameworks like the NIST Cybersecurity Framework (NIST CSF)."

Technical ID

cisa-cross-sector-cybersecurity-goals

Cybersecurity

Ransomware Guide

"This guide provides ransomware best practices and recommendations based on operational insight from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It is intended for information technology (IT) professionals and others involved in developing or coordinating cyber incident response. Ransomware is a form of malware designed to encrypt files on a device, rendering them and the systems that rely on them unusable, after which malicious actors demand a ransom for decryption. Ransomware incidents have become increasingly prevalent and can severely impact business processes, leaving organizations without the data needed to operate and deliver mission-critical services. Malicious actors have adjusted tactics to include threatening to release stolen data and publicly naming victims as secondary forms of extortion. The monetary value of demands has also increased, with some exceeding $1 million. These actors often engage in lateral movement to target critical data, propagate ransomware across entire networks, and use tactics like deleting system backups to make restoration more difficult. This guide is composed of two parts: Ransomware Prevention Best Practices and a Ransomware Response Checklist."

Technical ID

cisa-ms-isac-ransomware-guide

Food & Hospitality

CLIA Cruise Ship Safety

"Compliance for cruise ship operations mandates comprehensive adherence to multifaceted international and domestic regulations governing safety, security, health, and environmental protection. Pursuant to the International Ship and Port Facility Security (ISPS) Code under SOLAS Chapter XI-2, vessels must maintain a current security plan, operating here at a verified ISPS Security Threat Level of 1. This framework is augmented by robust cyber risk management protocols, as stipulated by IMO Resolution MSC.428(98), requiring full integration into the Safety Management System, enforced operational and informational technology network segmentation, plus strict authentication for bridge access. The Cruise Vessel Security and Safety Act of 2010 further imposes stringent obligations, including a maximum 24-hour timeline for incident reporting and a minimum CCTV data retention period of 30 days. Passenger safety remains paramount, with SOLAS Chapter III, Regulation 19 mandating that a muster drill be completed prior to any departure and that lifeboat capacity must exceed a 125 percent minimum of the vessel's total complement. Health standards are rigorously monitored under the Centers for Disease Control and Prevention’s Vessel Sanitation Program, which requires a minimum sanitation score of 85, complemented by onboard medical services providing at least one qualified medical staff member per 1000 passengers. Finally, environmental stewardship is confirmed through verified adherence to the International Convention for the Prevention of Pollution from Ships, MARPOL 73/78, ensuring all discharge and waste management practices are compliant."

Technical ID

clia-cruise-ship-safety

Cloud & SaaS

CSA Cloud Matrix (v4)

"The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4.0 is a cybersecurity control framework for the cloud computing sector. It provides a detailed set of 17 domains covering all aspects of cloud technology, from logical access to the supply chain, and maps to global standards such as ISO 27001, NIST 800-53, and the GDPR."

Technical ID

cloud-security-matrix-csa

Aviation, Defense & Quantum

CMMC 2.0 Level 2 Cybersecurity (Advanced)

"A mandatory US Department of Defense (DoD) certification for contractors handling Controlled Unclassified Information (CUI), based on the 110 practices of NIST SP 800-171."

Technical ID

cmmc-2-audit

Banking & Global Finance

China CAC Generative AI & Algorithmic Registry

"Mandatory security assessment and algorithmic filing requirements for public-facing generative AI services and agents operating within or interacting with mainland China."

Technical ID

cn-cac-genai-measures

Cloud & SaaS

COBIT 5 (Governance IT)

"Compliance with this node validates the enterprise's implementation of a robust IT governance framework based on COBIT 5 principles. Successful attestation requires demonstrating a clear separation of governance from management functions, with board-level oversight of the Evaluate, Direct, and Monitor (EDM) domain occurring on at least a 90-day cycle. The framework's adoption as a single, integrated system must provide end-to-end enterprise coverage that cascades from assessed stakeholder needs. All relevant processes within the APO, BAI, DSS, and MEA domains must achieve a minimum Process Capability Level of 3, signifying an "Established Process" according to the Process Assessment Model derived from ISO/IEC 15504. Operational effectiveness is measured against stringent thresholds, including maintaining an IT-to-business alignment ratio of no less than 0.85 and conducting resource optimization reviews on a semi-annual basis. An active risk management framework must be operational, consistent with guidance from ISACA COBIT 5 for Risk, which is critical for satisfying internal control mandates such as those under Sarbanes-Oxley Section 404. Furthermore, defined value delivery metrics and active continuous monitoring through the MEA domain are mandatory. Fulfilling these requirements establishes an IT governance posture that directly aligns with the corporate governance principles outlined in ISO/IEC 38500:2015, ensuring that IT effectively supports organizational objectives."

Technical ID

cobit-5-governance-it

Food & Hospitality

Codex Alimentarius Code

"Operational alignment with the Codex Alimentarius framework is achieved through stringent controls governing food safety, traceability, and international trade ethics. The configuration mandates adherence to the General Principles of Food Hygiene by requiring a minimum of eight hygiene training hours per employee and activating continuous HACCP sensor monitoring, which includes a temperature control polling interval set to 60 seconds. To support the Principles for Traceability/Product Tracing, the system enforces mandatory lot identification tracking coupled with an automated product recall capability; all related data must be retained for 1825 days within secure, tamper-evident digital logs. Compliance with the General Standard for Contaminants and Toxins in Food and Feed is managed via a strict maximum contaminant reporting latency of 24 hours. Furthermore, the node validates conformance with the General Standard for the Labelling of Prepackaged Foods by enabling active allergen labeling validation processes. System integrity and the efficacy of these measures are verified against the Guidelines for the Validation of Food Safety Control Measures through biannual supply chain audits and enabled OT/SCADA security controls. This entire schema operates under the ethical aegis of the Code of Ethics for International Trade in Food, with continuous monitoring of FAO/WHO guideline updates to ensure perpetual compliance."

Technical ID

codex-alimentarius-gen

Logistics & Supply Chain

Cold Chain Integrity Triage

"Automated compliance verification for temperature-sensitive assets is governed by a stringent rule set designed to meet international regulatory standards. The system enforces good distribution practice tenets outlined within EU GDP Guidelines and aligns with World Health Organization recommendations in Annex 9 for pharmaceutical storage, while also satisfying core requirements of the US FDA Food Safety Modernization Act for sanitary transportation and ISO 22000 food safety management principles. Shipments must maintain continuous product temperature between 2 and 8 degrees Celsius, with any excursion limited to a maximum deviation of 0.5 degrees Celsius. If a temperature breach occurs, it cannot persist beyond a 15-minute threshold before triggering an alert. To ensure data integrity and establish a secure, time-stamped audit trail consistent with FDA 21 CFR Part 11, continuous temperature monitoring is enabled, logging encrypted IoT sensor data at a 5-minute interval. The application of NIST SP 800-82 security principles is evident through active GPS tracking, the confirmed absence of detected cyber intrusions, and use of an immutable blockchain audit ledger for all telemetry records. Physical security is confirmed via verified tamper-evident seals, providing a holistic assessment of cold chain integrity from origin to destination for the immediate triage of non-conforming events."

Technical ID

cold-chain-integrity-logic

Operations & CX

GDPR Data Processing Agreement (DPA) Checklist

"A compliant Data Processing Agreement establishes a legally binding contract defining the processor's obligations, consistent with European Data Protection Board Guidelines 07/2020. The processor must act exclusively upon documented controller instructions, a mandate under which `unauthorized_cross_border_transfers_blocked` is enforced. This requirement extends to personnel, for whom `personnel_confidentiality_verified` commitments are mandatory. Pursuant to Article 28(3)(c) and Article 32, security of processing is paramount, with `art_32_security_measures_active` representing a baseline condition. Engaging any sub-processor necessitates prior written authorization, as stipulated by Article 28(2); moreover, all data protection obligations must be flowed down contractually, ensuring `subprocessor_flow_down_liability_active`. The processor’s duty to assist its controller is fundamental. This includes enabling responses to data subject requests through `dsar_assistance_enabled` functionality and supporting Data Protection Impact Assessment consultations. Following a personal data breach, notification to the controller must occur without undue delay, respecting the `breach_notification_max_hours` threshold of 72 hours. Upon termination of services, `post_contract_data_deletion_required` is triggered, permitting a `retention_period_days_post_termination` of zero days to guarantee complete data removal. Finally, `controller_audit_rights_enabled` allows for verification of these ongoing compliance commitments."

Technical ID

compliance-gdpr-dpa

AI Governance & Law

Constitutional AI Algorithm

"Constitutional AI (CAI) is an alignment training methodology developed by Anthropic (Bai et al., 2022) that trains AI systems to be helpful, harmless, and honest using a set of explicit behavioral principles (the 'Constitution') rather than relying exclusively on human feedback labeling of individual outputs. The method operates in two phases: a Supervised Learning from Constitutional AI (SL-CAI) phase where the model critiques and revises its own harmful outputs using principles as guidance, and a Reinforcement Learning from AI Feedback (RL-CAI) phase where an AI-generated preference dataset replaces or supplements human preference labels. CAI has been shown to reduce the need for human labeling of harmful content while producing models that are less harmful and more transparent about their reasoning. The constitutional approach is aligned with emerging AI governance requirements including EU AI Act Article 9 risk management and NIST AI RMF GOVERN function requirements for systematic safety assurance."

Technical ID

constitutional-ai-align

Cybersecurity

Contingency Planning Guide for Federal Information Systems

"This guide provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a disruption. It supports the requirement that identified services provided by information systems are able to operate effectively without excessive interruption. This guideline has been prepared for use by federal agencies but may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. The core obligation for applicable organizations is to develop and maintain a viable contingency planning program through a seven-step process integrated into the system development life cycle. This process includes: 1) developing a formal contingency planning policy statement; 2) conducting a business impact analysis (BIA) to identify and prioritize critical systems; 3) identifying preventive controls to reduce disruption effects; 4) creating thorough recovery strategies; 5) developing a detailed information system contingency plan; 6) ensuring the plan is tested, personnel are trained, and exercises are conducted to validate capabilities; and 7) maintaining the plan as a living document. The guide presents sample formats based on low-, moderate-, or high-impact levels as defined by FIPS 199."

Technical ID

contingency-planning-federal-information-systems

Cybersecurity

Contingency Planning Guide for Federal Information Systems

"NIST Special Publication 800-34, Rev. 1, provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption, which may include relocation to an alternate site, recovery using alternate equipment, or performance of functions using manual methods. The guide defines a seven-step contingency planning process for organizations to develop and maintain a viable program: 1) Develop the contingency planning policy statement; 2) Conduct the business impact analysis (BIA) to identify and prioritize critical systems; 3) Identify preventive controls to reduce disruption effects; 4) Create thorough recovery strategies; 5) Develop a detailed information system contingency plan; 6) Ensure plan testing, training, and exercises to validate capabilities and improve preparedness; and 7) Ensure the plan is a living document, updated regularly. This guidance is for federal agencies and may be used by non-governmental organizations on a voluntary basis. It addresses specific contingency planning recommendations for client/server systems, telecommunications systems, and mainframe systems. The guidance presents sample formats for developing a contingency plan based on low-, moderate-, or high-impact levels as defined by FIPS 199. The core obligation is to establish thorough plans, procedures, and technical measures that enable a system to be recovered as quickly and effectively as possible following a service disruption, integrating these steps into each stage of the system development life cycle."

Technical ID

contingency-planning-guide-federal-systems

Operations & CX

COPC CX Standard

"The COPC Customer Experience (CX) Standard is a performance management framework developed by COPC Inc. that defines operational excellence requirements for customer experience operations, contact centers, and outsourced service providers, covering service levels, quality, cost efficiency, and customer satisfaction metrics. The standard is organized around four key metric categories: Service (accessibility and speed — e.g., AHT, ASA, abandonment rate), Quality (accuracy of transactions and customer outcomes), Customer Experience (satisfaction scores, NPS, effort scores), and Cost (cost-per-transaction, productivity). COPC certification is recognized by major brands as evidence that a service operation meets globally benchmarked performance thresholds and is often required in BPO and CX outsourcing contracts. AI-augmented contact centers must demonstrate that AI-assisted interactions meet the same or superior quality metrics as human-only baselines."

Technical ID

copc-cx-standard

Sales, Marketing & PR

COPPA (Marketing to Kids)

"This operator's online service is explicitly designated as a child-directed service, thereby triggering stringent obligations under the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506. While a neutral age gate is implemented for users under the established `user_age_threshold_years` of 13 and a clear privacy policy is posted, the operation exhibits a critical compliance failure. Specifically, the operator's process neglects to provide direct notice to parents and subsequently does not obtain verifiable parental consent before collecting personal information from children, a direct contravention of core requirements stipulated within 16 CFR § 312.4 and 16 CFR § 312.5. This fundamental gap persists despite the presence of otherwise robust protective measures, such as enforced data minimization, a block on behavioral advertising, and a prohibition against third-party data sharing, which generally align with confidentiality principles in 16 CFR § 312.8. Additionally, the system enables parental review with deletion capabilities and adheres to a `data_retention_limit_days` of 180, consistent with data retention standards of 16 CFR § 312.10. Nevertheless, without foundational parental consent, these secondary controls are insufficient to cure the primary violation regarding collection and use of children's information as defined by 16 CFR § 312.3. The operator is not certified under any FTC-approved COPPA Safe Harbor program, placing full compliance liability upon the organization."

Technical ID

coppa-marketing-kids

Creative, Content & Media IP

Fair Use (U.S. Copyright)

"A proposed use of copyrighted material under these parameters presents a compelling case for the fair use affirmative defense, as delineated within 17 U.S.C. § 107, thereby not requiring mandatory legal review. The first statutory factor, the purpose and character of the use, weighs strongly in favor of fair use because the application is fundamentally transformative, consistent with the standard established in Campbell v. Acuff-Rose Music, Inc. This is reinforced by its non-commercial purpose and its function as parody or criticism, which serves statutory category discourse. Regarding the second factor, the nature of the copyrighted work, the subject material is published and not highly creative, making it more amenable to fair use than unpublished works, a principle highlighted in Harper & Row, Publishers, Inc. v. Nation Enterprises. The third factor, concerning the amount and substantiality of the portion used, also supports this determination; the use is limited to a mere 10 percent of the source and critically does not appropriate the qualitative heart of the work. Finally, the fourth factor, analyzing the effect on the potential market, is decisively favorable. With a market harm severity score of zero, the new creation does not act as a market substitute, preventing the usurpation of the original's value, a core concern that underpins the exclusive rights granted by 17 U.S.C. § 106. The application of these principles, also seen in transformative use contexts like Google LLC v. Oracle America, Inc. and Authors Guild v. Google, Inc., indicates a low-risk profile."

Technical ID

copyright-fair-use-us

Banking & Global Finance

Guidance on cyber resilience for financial market infrastructures

"The purpose of this document is to provide guidance for Financial Market Infrastructures (FMIs) to enhance their cyber resilience. It provides supplemental guidance to the CPMI-IOSCO Principles for Financial Market Infrastructures (PFMI), primarily in the context of governance, risk management, settlement finality, operational risk, and FMI links. This guidance details preparations and measures that FMIs should undertake to enhance their cyber resilience capabilities, with the objective of limiting the escalating risks that cyber threats pose to financial stability. The guidance is directly aimed at FMIs, which are defined as systemically important payment systems, central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs), and trade repositories (TRs). The guidance is structured around five primary risk management categories: governance, identification, protection, detection, and response and recovery, along with three overarching components: testing, situational awareness, and learning and evolving. A core expectation is that an FMI should design and test its systems and processes to enable the safe resumption of critical operations within two hours of a disruption and to enable itself to complete settlement by the end of the day of the disruption, even in the case of extreme but plausible scenarios. FMIs are expected to use a risk-based approach and develop concrete plans to meet these objectives within 12 months of the guidance's publication."

Technical ID

cpmi-iosco-cyber-resilience-fmi

Creative, Content & Media IP

Creative Commons (BY-SA)

"Compliance with the Creative Commons Attribution-ShareAlike 4.0 license is predicated on several core obligations, even though commercial use and the creation of derivative works are permitted. A primary condition is comprehensive attribution. Licensees are mandated to provide creator credit, retain all original copyright notices and warranty disclaimers, and furnish a link or URI to the license itself, reflecting the terms of Section 3(a)(1)(A). Any modifications to the licensed material must be clearly indicated, a requirement detailed in Section 3(a)(1)(B). The central ShareAlike component, governed by Section 3(b)(1), compels any derivative works to be distributed under a Creative Commons license with the same or compatible elements. The license also establishes clear prohibitions to preserve user freedoms. As outlined in Section 2(a)(5)(A), imposing additional or different legal restrictions on downstream recipients is not allowed. Moreover, applying Effective Technological Measures to the material in a way that legally prevents others from exercising their licensed rights is expressly forbidden by Section 2(a)(5)(B). Violation of these terms leads to immediate termination of rights, but Section 6(b)(1) provides a curative period; rights are automatically reinstated if the breach is remedied within a 30-day grace period."

Technical ID

creative-commons-by-sa

Crypto & Sovereign Finance

Cross-Chain Bridge Security

"Cross-chain bridges enable transfer of digital assets between distinct blockchain networks by locking assets on the source chain and minting equivalents on the destination. Bridge protocols are the most exploited attack surface in DeFi — over $2 billion stolen in 2022 alone (Ronin $625M, Wormhole $320M, Nomad $190M). Primary vectors are compromised validator keys, smart contract logic errors, oracle manipulation, and replay attacks. Secure bridge architecture mandates cryptographic proof verification (ZK proofs, light client proofs, or optimistic fraud proofs), M-of-N validator quorums with HSM-protected keys, formal smart contract verification, and mandatory independent security audits before mainnet deployment."

Technical ID

cross-chain-bridge-security

Banking & Global Finance

OECD CRS (Tax Exchange)

"The Common Reporting Standard (CRS) is the global benchmark for the automatic exchange of financial account information (AEOI) to combat tax evasion. Developed by the OECD, it requires financial institutions in participating jurisdictions to identify and report account holders who are tax resident in other jurisdictions, ensuring a transparent flow of tax data across borders."

Technical ID

crs-oecd-tax-automatic

Crypto & Sovereign Finance

Crypto AML Travel Rule

"The FATF Travel Rule (Recommendation 16), as applied to Virtual Asset Service Providers (VASPs) through FATF Guidance on Virtual Assets (2019, updated 2021), requires that originating VASPs transmit specific identifying information about the sender and beneficiary alongside every virtual asset transfer above the applicable threshold (USD/EUR 1,000 for cross-VASP transfers; USD 3,000 for some jurisdictions). This information — analogous to the wire transfer travel rule in traditional finance — must be transmitted to the beneficiary VASP before or simultaneously with the transaction and must be securely stored. FATF member jurisdictions have implemented the Travel Rule through national legislation (EU: TFR/MiCA; US: FinCEN proposed rules; Singapore: MAS PSA; UK: FCA). VASPs failing to implement Travel Rule compliance face regulatory sanctions, license revocation, and banking relationship termination."

Technical ID

crypto-aml-travel-rule

Sustainability & ESG

CSRD / ESRS (EU Sustainability)

"The Corporate Sustainability Reporting Directive (CSRD) is the landmark EU regulation mandating detailed sustainability disclosure for large and listed companies. It introduces the European Sustainability Reporting Standards (ESRS), requiring 'Double Materiality'—reporting on both financial and environmental/social impact."

Technical ID

csrd-eu-sustainability

Logistics & Supply Chain

TAPA Transport Security Requirements

"Compliance with Transported Asset Protection Association (TAPA) Trucking Security Requirements (TSR) at Level 1 is mandatory for all in-scope transport operations, demanding a multi-layered security posture as defined by established protocols. This stringent certification requires that all conveyances be equipped with active GPS tracking systems reporting at an interval not to exceed 15 minutes, a covert panic alarm for driver safety, and an independent alarm for the cargo area. To maintain shipment integrity and provide an auditable chain of custody, operations must use high-security seals compliant with the ISO 17712 standard. Personnel vetting is also critical, mandating that every driver has a currently valid background check and has completed up-to-date security training. Operationally, all transport routes demand pre-planning and formal approval before departure, supported by a comprehensive secure parking plan for any stops. Consistent oversight is enforced through mandatory communication checks between the driver and control center at a maximum interval of 4 hours. Concurrently, a thoroughly documented incident response plan must be in place, providing clear, actionable procedures to mitigate security breaches, theft, or other emergencies and ensure a coordinated, effective reaction."

Technical ID

customs-tapa-transport-sec

Cloud & SaaS

Cyber Essentials Plus (UK)

"Cyber Essentials Plus (UK) certification establishes a high-assurance cybersecurity posture, validated through a mandatory independent technical audit as specified in the NCSC Cyber Essentials Plus: Illustrative Test Specification v3.1. This framework, frequently a prerequisite for UK government contracts under Procurement Policy Note 09/14, demonstrates technical controls that align with the security of processing obligations found in the UK Data Protection Act 2018. Compliance mandates stringent operational discipline across all in-scope devices, where the device compliance scope includes bring-your-own-device assets accessing organizational data. Critical security updates must be applied within a strict 14-day maximum patch application window, and the operation of unsupported software is strictly prohibited. The technical audit verifies that internet-facing services do not possess vulnerabilities exceeding a maximum CVSS score of 6.9. Access controls are rigorously enforced; multifactor authentication is mandatory for all cloud services, all default passwords must be changed from vendor settings, and user passwords require a minimum length of 8 characters. Furthermore, the daily use of administrative accounts for standard activities is disallowed. Protective measures, guided by NCSC's Requirements for IT Infrastructure v3.1 and IASME Consortium rules, necessitate that malware protection signatures are updated within a 24-hour frequency, and certification requires successful completion of both an external vulnerability scan and an internal vulnerability scan."

Technical ID

cyber-essentials-plus-uk

Cybersecurity

System Information Discovery (MITRE ATT&CK T1082)

"Adversaries attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture."

Technical ID

cyber-mitre-t1082

Cybersecurity

Account Management (NIST SP 800-53 AC-2)

"The Account Management control establishes a comprehensive framework, consistent with NIST Special Publication 800-53 AC-2, for managing the full lifecycle of information system accounts. This governance is essential for satisfying the identity management and access rights principles of ISO/IEC 27001, supporting the security of processing measures under GDPR Article 32, and meeting the logical access security criteria specified by SOC 2 CC6.3 and PCI DSS Requirement 8.1. System configuration mandates that all account provisioning actions must `require_manager_approval` and strictly `enforce_least_privilege`. To maintain operational integrity, the platform will `audit_account_creation_and_modification` activities, `alert_on_privileged_role_assignment`, and `enforce_separation_of_duties`. Access rights undergo a `periodic_review_interval_days` of every 90 days, while dormant accounts are subject to `auto_disable_inactive_days` after 35 days of inactivity. Temporary accounts are constrained by a `max_temporary_account_validity_hours` of 72 hours. Deprovisioning procedures are executed swiftly, with a mandate to `terminate_access_on_departure_hours` within 24 hours of notification and to `auto_remove_orphaned_accounts` systematically. Security is hardened by limiting `max_failed_login_attempts` to 3 and ensuring administrative functions `require_mfa_for_account_management`, thereby creating a robust, auditable system for managing identities and permissions."

Technical ID

cyber-nist-800-53-ac2

Cybersecurity

Asset Management Strategy (NIST CSF 2.0 ID.AM)

"Effective governance over the enterprise environment necessitates a comprehensive asset management strategy grounded in the NIST Cybersecurity Framework 2.0 Identify function. This approach mandates the maintenance of detailed hardware and software inventories, achieving a minimum coverage threshold of 95 percent for each category, consistent with CIS Controls v8. To ensure inventory integrity, asset discovery scans must execute at a maximum frequency of every 24 hours, and automated CMDB synchronization is required. Security posture is reinforced by enabling unauthorized asset alerting, with a strict mandate to quarantine any discovered rogue device within 60 minutes. In alignment with ISO/IEC 27001:2022 principles, mandatory data classification tags are required for all assets, facilitating risk-based management and supporting GDPR Article 30 record-keeping obligations. All designated critical assets must undergo a formal review at a maximum interval of 30 days. The strategy addresses the full asset lifecycle by requiring end-of-life and end-of-support tracking. Adherence to SOC 2 criteria and modern security practices like those in PCI DSS v4.0 is achieved through enforced mobile device management, enabled shadow IT discovery, and continuous external attack surface mapping, ensuring all logical and physical components are identified and managed."

Technical ID

cyber-nist-csf-2

Cybersecurity

Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)

"This Cybersecurity Profile identifies an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT), remote sensing, weather monitoring, and imaging. The Profile will consider the cybersecurity of all the interacting systems that form the HSN rather than the traditional approach of a single organization acquiring the entire satellite system. It applies to organizations that have already adopted the NIST Cybersecurity Framework (CSF), are familiar with it, or are unfamiliar but need to implement HSN services in a risk-informed manner. The purpose of the Profile is to provide practical guidance for organizations and stakeholders engaged in the design, acquisition, and operation of satellite buses or payloads that involve HSN. The core objectives are to help organizations identify systems, assets, data and threats that pertain to HSN; protect HSN services by adhering to basic principles of resiliency; detect cybersecurity-related disturbances or corruption of HSN services and data; respond to HSN service or data anomalies in a timely, effective, and resilient manner; and recover the HSN to proper working order at the conclusion of a cybersecurity incident."

Technical ID

cybersecurity-profile-hsn

Cybersecurity

NIST SPECIAL PUBLICATION 1800-26 Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

"This guide focuses on data integrity: the property that data has not been altered in an unauthorized manner, covering data in storage, during processing, and while in transit. Destructive malware, ransomware, malicious insider activity, and even honest mistakes all necessitate that organizations detect and respond to an event that impacts data integrity in a timely fashion. Attacks against an organization’s data can compromise emails, employee records, financial records, and customer information—impacting business operations, revenue, and reputation. Examples of data integrity attacks include unauthorized insertion, deletion, or modification of data. This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions during a detected data integrity cybersecurity event. The National Cybersecurity Center of Excellence (NCCoE) at NIST built a laboratory environment to explore methods to effectively detect and respond to a data integrity event in various IT enterprise environments. The guide demonstrates a solution that incorporates multiple systems working in concert to detect an ongoing data integrity cybersecurity event and provides guidance on how to respond to the detected event, enabling organizations to have the necessary tools to act during a data integrity attack."

Technical ID

data-integrity-detecting-responding-ransomware

Crypto & Sovereign Finance

DeFi Insolvency Logic

"DeFi insolvency logic governs the real-time health monitoring and liquidation execution in over-collateralized lending protocols (Aave, Compound, MakerDAO), using a Health Factor calculation to determine when a borrower's collateral value has declined sufficiently relative to their debt that the position must be liquidated to protect the protocol's solvency. The Health Factor (HF = Sum(Collateral_i × LT_i) / Total_Debt_USD) must remain above 1.0; when it falls to 1.0 or below, liquidators are incentivized to repay a portion of the debt and seize discounted collateral. Accurate insolvency logic requires manipulation-resistant price oracles, correct normalization of debt amounts (including accrued interest), precise liquidation threshold parameters per asset, and slippage estimation to ensure liquidation profitability. Protocol insolvency from cascading undercollateralized positions is an existential risk — MakerDAO's March 2020 'Black Thursday' resulted in $6 million in undercollateralized debt due to oracle failure and liquidation bot failures."

Technical ID

defi-tvl-ratio-logic

Legal & IP Sovereignty

Delaware Corporate Law

"Delaware General Corporation Law (DGCL) is the leading U.S. corporate law, chosen by over 60% of Fortune 500 companies. It is defined by its enabling nature and the expertise of the Delaware Court of Chancery, which has developed a stable and predictable body of case law centered on the fiduciary duties of corporate directors."

Technical ID

delaware-corporate-law-basics

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve the protection of information system resources. This guide provides an overview of the security requirements for a system and describes the controls, either in place or planned, for meeting those requirements. The completion of system security plans is a requirement under the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA), applicable to all federal systems which have some level of sensitivity and require protection. The system security plan delineates responsibilities and expected behavior of all individuals who access the system, and should reflect input from managers with system responsibilities, including information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization to operate a system is based on an assessment of management, operational, and technical controls, for which the system security plan forms the basis. By authorizing a system, a manager accepts its associated risk. This authorization must be periodically reviewed and re-authorization should occur whenever there is a significant change in processing, and at a minimum of every three years. The plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system and is a living document that requires periodic review and modification."

Technical ID

developing-security-plans-federal-systems

Aviation, Defense & Quantum

DFARS 252.204-7012 (Cyber)

"DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) is the primary U.S. defense acquisition regulation for protecting CDI. It mandates the implementation of NIST SP 800-171 and requires rapid cyber incident reporting (within 72 hours) for all defense contractors handling sensitive military data."

Technical ID

dfars-7012-defense-cyber

Medical & Healthcare

DICOM Imaging Standard

"DICOM (Digital Imaging and Communications in Medicine) is the international standard for medical imaging and related information. It specifies the network protocols for image exchange (PACS/RIS integration), the media format for storage (PS3.10), and the web services (WADO-RS) for image retrieval across the healthcare enterprise."

Technical ID

dicom-imaging-standard

Creative, Content & Media IP

DICOM (Medical Imaging)

"Compliance with the ISO 12052:2017 standard for medical imaging necessitates a robust security posture, mandating specific technical controls for handling DICOM objects. This configuration enforces secure transport channels through the mandatory use of TLS, with a minimum accepted protocol version of 1.2, thereby satisfying a core tenet of the HIPAA Security Rule at 45 CFR § 164.312. Node-to-node communications must be authenticated using X.509 certificates, a principle outlined in the IHE IT Infrastructure Technical Framework's ATNA Profile. To ensure data integrity and non-repudiation, the node requires digital signatures for objects, supported by a minimum RSA key length of 2048 bits, as specified within NEMA PS3.15. Comprehensive audit trails are enforced, capturing security-relevant events consistent with this DICOM security profile. For data protection, all electronic protected health information stored at rest must utilize AES-256-GCM encryption. Furthermore, the node enables de-identification of protected health information based on the Basic Application Level Confidentiality Profile's Appendix E. Operational controls include strict validation of Service-Object Pair (SOP) Class UIDs per the data structures defined in NEMA PS3.5, blocking unencrypted Implicit VR Little Endian transfers over a Wide Area Network, and terminating any inactive network association after a maximum idle timeout of 60 seconds. These collective measures ensure that Information Object Definitions from NEMA PS3.3 are managed securely throughout their lifecycle."

Technical ID

dicom-medical-imaging

Industrial IoT & Energy

Digital Twin Fidelity Audit

"Digital twin fidelity refers to the degree of accuracy with which a virtual model replicates the real-time state, behavior, and physical properties of its physical counterpart, encompassing sensor data synchronization latency, physics simulation accuracy, historical data concordance, and predictive model calibration. NIST defines digital twin as a 'virtual representation of a real-world entity or process' (NIST IR 8356), and fidelity auditing ensures the twin remains trustworthy for decision-making in industrial operations, predictive maintenance, process optimization, and safety monitoring. Low-fidelity twins produce incorrect predictions, missed maintenance events, and dangerous process control decisions. Digital twin fidelity standards draw from ISO 23247 (Digital Twin for Manufacturing), IEC 61360 (data element specifications), and IEC 62443 (ICS security for connected twins)."

Technical ID

digital-twin-fidelity

Creative, Content & Media IP

DMCA (Safe Harbor)

"Qualification for liability limitations under the Digital Millennium Copyright Act safe harbor for information residing on systems at the direction of users necessitates strict adherence to several statutory conditions. Eligibility is predicated on satisfying requirements within 17 U.S.C. § 512(i), including the adoption and reasonable implementation of a published repeat infringer policy, under which subscriber accounts are terminated following a `3`-strike threshold. Furthermore, the organization must accommodate standard technical measures. The platform qualifies for this safe harbor by ensuring it is a registered online service provider that does not receive a direct financial benefit attributable to infringing activity and lacks actual knowledge of it. A critical procedural component, mandated by 17 U.S.C. § 512(c)(2), is the designation of an active DMCA agent who is properly registered with the U.S. Copyright Office with publicly accessible contact information. Operationally, upon receipt of a takedown notice containing all statutory elements of notification outlined in 17 U.S.C. § 512(c)(3), the organization responds expeditiously to remove or disable access to specified material within a `72`-hour service level agreement. Finally, pursuant to 17 U.S.C. § 512(g), the platform enables a compliant counter-notification process, mandating restoration of contested material in a window of not less than `10` but no more than `14` business days following receipt of a valid counter-notice, contingent upon the original complainant not filing for a court order."

Technical ID

dmca-safe-harbor

Banking & Global Finance

Volcker Rule (Prop Trading)

"The Volcker Rule (Section 619 of the Dodd-Frank Act) prohibits U.S. banking entities from engaging in proprietary trading or acquiring/sponsoring 'Covered Funds' (Hedge Funds or Private Equity). It is designed to separate commercial banking from high-risk investment activities, ensuring that deposit-taking institutions do not risk taxpayer-insured funds for their own gain."

Technical ID

dodd-frank-volcker-rule

Creative, Content & Media IP

DOI (Object ID)

"Digital Object Identifier (DOI) validation enforces strict adherence to international standards for persistent and actionable identification of digital assets. Compliance with ISO 26324:2012 is mandatory, requiring a valid prefix/suffix structure where the prefix begins with the directory indicator `10`. Each full DOI string must utilize `enforce_utf8_encoding` and shall not exceed a `max_doi_length_bytes` of 2048. While the prefix designates the registrant, the system does `permit_opaque_suffix_strings`, allowing for flexible local identification schemes. The core functionality mandates that every identifier be resolvable through the Handle System framework described in IETF RFCs 3650, 3651, and 3652. This resolution process must complete within a `handle_resolution_timeout_ms` of 5000, and the target resolution endpoint must be secured via HTTPS. Per the IDF DOI Handbook, the node further stipulates that `require_persistent_metadata` be associated with each DOI, ensuring long-term context and utility consistent with the European Open Science Cloud (EOSC) PID Policy. To guarantee authenticity, the system will `verify_authority_source` for the registration agency. Furthermore, `enable_content_negotiation` is a required service capability, allowing clients to request specific data formats from the resolved resource, thereby enhancing interoperability."

Technical ID

doi-digital-object-id

Banking & Global Finance

DORA — EU Digital Operational Resilience Act

"Regulation (EU) 2022/2554 (DORA — Digital Operational Resilience Act), published December 27, 2022 and directly applicable (no national transposition required) across all EU member states from January 17, 2025, establishes binding ICT risk management, incident reporting, resilience testing, and third-party risk oversight requirements for 20+ categories of EU financial entities. DORA applies to credit institutions, investment firms, payment institutions, e-money institutions, insurance/reinsurance undertakings, crypto-asset service providers (CASPs), central counterparties (CCPs), trade repositories, AIFMs, UCITS management companies, data reporting services providers, and more. Key obligations: (1) ICT risk management framework with governance, protection, detection, response, and recovery capabilities; (2) ICT-related incident classification and mandatory reporting — initial notification within 4 hours of classification as major incident, intermediate report within 72 hours, final report within 1 month; (3) Digital operational resilience testing including Threat-Led Penetration Testing (TLPT) every 3 years for significant entities; (4) ICT third-party risk management with contractual requirements for Critical ICT Third-Party Providers (CTPPs) who are directly supervised by an EU Lead Overseer (EBA, ESMA, or EIOPA depending on sector). DORA displaces NIS2 obligations for in-scope financial entities (lex specialis principle)."

Technical ID

dora-ict-risk

Logistics & Supply Chain

Drone Delivery Corridor Security

"Compliance within designated drone delivery corridors mandates a multi-layered approach to operational integrity and airspace safety, unifying stringent technical and procedural controls. Operations must strictly adhere to a maximum altitude of 400 feet AGL. In accordance with FAA 14 CFR Part 89 and technical specifications detailed in ASTM F3411-22, each unmanned aircraft system must broadcast Remote ID information at a minimum frequency of 1 Hz. Command and Control (C2) link security, conforming to RTCA DO-362A performance standards, is non-negotiable, requiring AES-256 encryption and limiting C2 latency to a maximum of 50 milliseconds. A C2 link loss condition is triggered after 3 seconds, necessitating redundant communication systems for operational continuity. Furthermore, systems must possess GNSS spoofing detection capabilities and execute an automatic return procedure upon jamming detection. The regulatory framework for the U-space, guided by EU Commission Implementing Regulation 2021/664, requires mandatory UTM integration and dynamic geofencing to ensure a minimum separation distance of 200 feet between aircraft. Finally, for any transit over people conducted under FAA 14 CFR Part 135 delivery exemptions, the maximum kinetic energy imparted upon impact must not exceed 80 joules, a critical safety threshold consistent with ISO 21384-3 operational procedures."

Technical ID

drone-delivery-corridor

Legal & IP Sovereignty

DTSA (Trade Secret Protection)

"The Defend Trade Secrets Act (DTSA) of 2016 is a U.S. federal law extending the Economic Espionage Act of 1996 to provide a private right of action for trade secret misappropriation. It provides a standardized federal framework for protecting confidential business information, including 'Ex Parte Seizure' provisions to prevent the dissemination of trade secrets."

Technical ID

dtsa-trade-secret-protection

Aviation, Defense & Quantum

EAR Dual-Use Export Control

"The Export Administration Regulations (EAR) govern the export of 'Dual-Use' items—commercial commodities, software, and technology that also have potential military or proliferation applications. It is centered around the Commerce Control List (CCL) and the Export Control Classification Number (ECCN) to determine license requirements."

Technical ID

ear-dual-use-export

Aviation, Defense & Quantum

EASA Part 145 (Maintenance)

"EASA Part 145 is the European standard for the approval of maintenance organizations in civil aviation. It specifies the requirements for the organization, personnel, facility, and procedures to ensure the airworthiness of aircraft and components through safe and standardized maintenance practices."

Technical ID

easa-part-145-maintenance

Banking & Global Finance

EBA Outsourcing Guidelines

"The EBA Guidelines on Outsourcing Arrangements (EBA/GL/2019/02) apply a unified framework for the financial sector across the EU. They specify the governance and the pre-outsourcing due diligence required for all credit institutions and investment firms, with a specific focus on the 'Critical or Important' functions that affect the firm's regulatory compliance."

Technical ID

eba-outsourcing-guide

Workplace

Cybersecurity Program Best Practices

"ERISA-covered pension plans and health and welfare plans often hold millions of dollars or more in assets and store participant personally identifiable data, which can make them tempting targets for cyber-criminals. Responsible plan fiduciaries have an obligation to ensure proper mitigation of cybersecurity risks. This guidance provides best practices for use by recordkeepers and other service providers responsible for plan-related IT systems and data, and for plan fiduciaries making prudent decisions on the service providers they should hire. The core obligations include having a formal, well-documented cybersecurity program, conducting prudent annual risk assessments, obtaining a reliable annual third-party audit of security controls, and implementing strong technical controls and access procedures. Service providers must also ensure data stored in the cloud is subject to appropriate security reviews, conduct periodic cybersecurity awareness training, encrypt sensitive data, and appropriately respond to any cybersecurity incidents."

Technical ID

ebsa-cybersecurity-best-practices

Creative, Content & Media IP

EBU R128 (Loudness)

"Compliance with the EBU R 128 recommendation mandates rigorous audio loudness normalization to ensure content uniformity across broadcast platforms. The primary objective is achieving a Target Programme Loudness of -23.0 LUFS, with a standard tolerance of ±0.5 LU; for live material, this window is expanded to ±1.0 LU. A critical ceiling is the Maximum Permitted True Peak Level, which must never exceed -1.0 dBTP, demanding true peak metering as specified within the ITU-R BS.1770-4 standard. All loudness measurements must conform to this ITU algorithm, which employs a two-stage gating process. This mechanism includes an absolute gating threshold fixed at -70 LUFS alongside a relative gating block set -10 LU below the ungated measurement. To control dynamic peaks, particularly for short-form content as addressed by EBU R 128 s1, a Maximum Short-Term Loudness limit of -18.0 LUFS is enforced. Further analysis includes the measurement of Loudness Range (LRA), consistent with EBU Tech 3342, to characterize audio dynamics. The entire framework is supported by EBU Tech 3341 for metering specifications and EBU Tech 3343 for practical guidelines, culminating with the requirement to embed loudness metadata for signal chain integrity."

Technical ID

ebu-r128-audio-loudness

Banking & Global Finance

ECB Guide (Internal Models)

"The ECB Guide to Internal Models (EGIM) provides the foundational standard for supervised banks in the Eurozone on the use of the 'Internal Ratings Based' (IRB) approach for calculating regulatory capital. It specifies the risk parameter estimation (PD, LGD, EAD) and the validation requirements for credit risk models."

Technical ID

ecb-guide-internal-models

Industrial IoT & Energy

Edge AI Security (NIST)

"Edge AI security encompasses the technical and operational controls required to securely deploy machine learning models on resource-constrained IoT and edge computing devices, where traditional cloud-based security architectures cannot be fully replicated due to limited compute, network, and power resources. NIST SP 800-213 (IoT Device Cybersecurity Guidance) and NIST IR 8259 (Foundational Cybersecurity Activities for IoT Device Manufacturers) provide the foundational requirements, supplemented by NIST SP 800-207 (Zero Trust Architecture) for network access control. Key risks include: AI model theft via physical device access, adversarial input attacks on on-device inference, insecure firmware update mechanisms, side-channel attacks on cryptographic operations, and supply chain compromise of edge AI hardware. Failure to secure edge AI creates attack vectors that bypass perimeter defenses entirely."

Technical ID

edge-ai-security-nist

Workplace

EEOC (Employment Rule)

"Employers with 15 or more employees are subject to Title VII of the Civil Rights Act of 1964, which prohibits employment discrimination based on protected characteristics. This node enforces that prohibition, as platform configurations make protected class filtering impossible for candidate searches or other selection processes. Pursuant to guidelines on discrimination detailed in 29 CFR Part 1604, these protections extend to all aspects of employment, including sexual harassment. To comply with the Uniform Guidelines on Employee Selection Procedures (UGESP) in 29 CFR Part 1607 and recent EEOC technical assistance on AI, the system mandates an AI disparate impact audit. Such audits must demonstrate that selection rates for any subgroup are no less than an acceptable selection rate ratio minimum of 0.8, or four-fifths, of the rate for the highest-selected group. To support these audits while preventing misuse, demographic data isolation is required. Furthermore, based on EEOC Enforcement Guidance on retaliation, the system prevents any retaliatory action flags, meaning no adverse actions against individuals for engaging in protected activity are permissible. Recordkeeping obligations under 29 CFR Part 1602 are managed by retaining personnel records for one year and payroll records for three years. The platform supports the requirement for an annual EEO-1 filing and enforces a mandatory EEO policy acknowledgment for all users. Finally, it tracks the standard complaint filing limit of 180 days, which is extendable to 300 days in certain jurisdictions, for timely charge submission."

Technical ID

eeoc-employment-rule

Sustainability & ESG

Environmental Noise Directive

"Compliance with Directive 2002/49/EC, the Environmental Noise Directive (END), mandates a common framework for managing environmental noise to mitigate its adverse health effects. This obligation requires competent authorities to produce strategic noise maps for population agglomerations exceeding a 100,000 inhabitant threshold, major roads with traffic volumes over 3,000,000 vehicles per year, major railways seeing more than 30,000 train passages annually, and major airports with over 50,000 movements yearly. These maps must utilize the common assessment methods established in Commission Directive (EU) 2015/996 (CNOSSOS-EU), employing Lden and Lnight noise indicators. The assessment of harmful effects, as amended by Commission Directive (EU) 2020/367 and guided by World Health Organization evidence, specifically targets populations exposed to levels above an Lden indicator threshold of 55 dB and an Lnight indicator of 50 dB. Based on mapping results, a noise action plan is required, demanding the development of plans to manage noise issues. This process legally necessitates public consultation for transparency and also mandates that quiet areas preservation is addressed within these plans. The entire cycle of mapping and action planning operates on a reporting frequency of five years, with mandatory data submission to the European Environment Agency according to Regulation (EU) 2019/1010 and EEA Reportnet 3.0 guidelines."

Technical ID

environmental-noise-dir

Sales, Marketing & PR

ePrivacy (Cookie Directive)

"Compliance with the ePrivacy Directive mandates a strict consent-first framework for accessing or storing information on user terminal equipment, directly reflecting Article 5(3) of Directive 2002/58/EC. This node operationalizes such a requirement by enforcing that `require_prior_consent_non_essential` is true for all non-essential cookies and tracking technologies. By default, `default_non_essential_status` must be false, ensuring no data processing occurs without user affirmation. Exceptions are narrowly defined: the system will `allow_strictly_necessary_without_consent` for essential functions and also `exempt_transmission_communication_cookies`. The standard for valid consent, as clarified by Recital 66 of Directive 2009/136/EC and the Court of Justice of the European Union's Planet49 judgment, is high, demanding that a `require_explicit_opt_in_action` be configured. Consequently, the system must `prohibit_pre_ticked_boxes`. In line with EDPB Guidelines 05/2020, passive actions like scrolling do not constitute valid affirmative action. To uphold confidentiality of communications per Article 5(1) and address joint controllership liabilities from the Fashion ID case, it is imperative to `block_third_party_scripts_pre_consent`. User control is paramount, necessitating configurations to `enable_granular_consent_categories` and `require_easy_consent_withdrawal`. All consent events must `log_consent_audit_trail` for demonstrability, with a maximum validity period set at a `cookie_consent_validity_days_max` of 180 days before re-consent is necessary."

Technical ID

eprivacy-cookie-directive

Workplace

ERISA (Retirement Security)

"Compliance with the Employee Retirement Income Security Act (ERISA) mandates a rigorous adherence to specific fiduciary, participation, vesting, reporting, and bonding standards to protect plan participants and beneficiaries. Plan fiduciaries must formally acknowledge their duty to act with the care, skill, and diligence of a prudent expert under 29 U.S.C. § 1104(a)(1)(B), a responsibility that now extends to maintaining robust cybersecurity controls as guided by the DOL EBSA. This includes conducting an annual cyber risk assessment, auditing third-party vendors, and enforcing multi-factor authentication for participant access. The plan's minimum participation standards are met, allowing employees entry upon attaining the maximum eligibility age of 21 and completing 1,000 minimum hours of annual service, consistent with 29 U.S.C. § 1052(a)(1)(A). Vesting schedules conform to 29 U.S.C. § 1053(a)(2)(B) by utilizing a maximum three-year cliff vesting period. Critical reporting and disclosure obligations are fulfilled through the annual filing of Form 5500 as required by 29 U.S.C. § 1023, and the proper distribution of a Summary Plan Description to all participants per 29 U.S.C. § 1022(a). Furthermore, the plan is secured by a fidelity bond in accordance with 29 U.S.C. § 1112(a), covering at least the minimum ten percent of funds handled, subject to a $500,000 maximum amount."

Technical ID

erisa-compliance-rep

Crypto & Sovereign Finance

Account Abstraction (EIP-4337)

"EIP-4337 (Account Abstraction Using Alt Mempool) is an Ethereum Improvement Proposal finalized in March 2023 that enables programmable smart contract wallets to replace externally owned accounts (EOAs) as the primary transaction signing mechanism, without requiring changes to the Ethereum protocol consensus layer. The standard introduces a new transaction object called a UserOperation, a permissionless Bundler network that aggregates UserOperations into standard transactions, a singleton EntryPoint contract that validates and executes UserOperations, and a Paymaster contract that enables third-party gas sponsorship. For AI agents, EIP-4337 is foundational because it enables agents to operate programmable wallets with built-in spending limits, multi-signature authorization requirements, social recovery, and gas abstraction — removing the requirement for agents to hold ETH for gas fees and enabling human-readable authorization rules enforced by smart contract logic."

Technical ID

ethereum-eip-4337

Cybersecurity

ETSI EN 304 223 - Securing AI (SAI)

"European telecommunications standards for mitigating attacks against AI models, including data poisoning, model evasion, and supply chain vulnerabilities."

Technical ID

etsi-en-304-223-sai

AI Governance & Law

EU AI Act: Data Bias Mitigation (Article 10)

"Article 10 of the EU AI Act (2026 fully enforced) mandates strict controls to detect, prevent, and mitigate biases in training, validation, and testing datasets for high-risk AI systems."

Technical ID

eu-ai-act-bias

AI Governance & Law

EU AI Act: High-Risk Conformity (Title III)

"Title III of the EU AI Act (2026 fully enforced) mandates rigorous conformity assessments for 'High-Risk AI Systems,' including mandatory requirements for data governance, technical documentation, and record-keeping."

Technical ID

eu-ai-act-high-risk

Legal & IP Sovereignty

EU Antitrust & Competition Law

"EU Antitrust and Competition Law (based on Articles 101 and 102 of the TFEU) is the primary framework for ensuring fair competition within the EU's internal market. It prohibits cartels, anti-competitive agreements, and the abuse of a dominant position by major firms, with massive enforcement powers held by the European Commission."

Technical ID

eu-antitrust-competition-law

Sustainability & ESG

EU Digital Battery Passport

"Compliance with Regulation (EU) 2023/1542 mandates the creation of a unique Digital Battery Passport for specific battery categories placed on the market. This requirement applies if a product is an industrial, electric vehicle, or light means of transport (LMT) battery where `is_industrial_ev_or_lmt_battery` is true, and its capacity meets the `battery_capacity_kwh_min` of 2 kWh. Article 77 stipulates that each passport must be accessible through a `qr_code_permanently_affixed` to the unit, as detailed under labeling rules in Article 13. Economic operators are obligated to ensure `carbon_footprint_calculated_and_declared` information is available, fulfilling Article 7 provisions, while `recycled_content_percentages_documented` must align with directives from Article 8. Furthermore, a `supply_chain_due_diligence_active` policy is essential for responsible sourcing verification. The passport’s technical design and operation, governed by Article 78, demand a secure, interoperable system where `decentralized_data_registry_compliant` architecture is paramount. For operational transparency, `state_of_health_and_durability_metrics_live` data must be maintained and accessible. To protect sensitive information, robust `role_based_access_controls_implemented` are required, granting differential permissions to end-users, economic operators, and authorities. Crucially, the system architecture must embody data protection by design and default, enforcing principles like `gdpr_data_minimization_enforced` per Article 25 of Regulation (EU) 2016/679. Finally, comprehensive `end_of_life_dismantling_instructions_present` supports circular economy objectives by facilitating safe removal and recycling."

Technical ID

eu-battery-passport

Sustainability & ESG

EU Carbon Border Adjustment (CBAM)

"The EU Carbon Border Adjustment Mechanism (CBAM), established by Regulation (EU) 2023/956 and fully operational from January 2026, requires EU importers to purchase CBAM certificates corresponding to the carbon price that would have been paid under EU ETS rules if the goods had been produced in the EU. The mechanism applies to imports of cement, iron and steel, aluminium, fertilizers, electricity, and hydrogen, with potential expansion to additional sectors. During a transitional phase (October 2023 to December 2025), importers had quarterly reporting obligations without certificate purchase requirements. From 2026, importers must submit annual CBAM declarations and surrender CBAM certificates equivalent to the embedded emissions in their imports. The CBAM is designed to prevent carbon leakage and level the competitive playing field, and non-compliance results in penalties of EUR 10-50 per excess tonne of CO2 equivalent."

Technical ID

eu-cbam-calc

Creative, Content & Media IP

EU Copyright (Art 17)

"Article 17 of Directive (EU) 2019/790 establishes a specific liability regime for platforms classified as Online Content-Sharing Service Providers (OCSSPs), which perform an act of communication to the public when giving access to copyright-protected works uploaded by their users. To avoid direct liability for copyright infringement, OCSSPs must demonstrate having made 'best efforts' to obtain authorization from rightholders. In the absence of such authorization, liability can be exempted by making 'best efforts' in accordance with high industry standards of professional diligence to ensure the unavailability of specific works for which rightholders have provided relevant and necessary information. Furthermore, platforms must act expeditiously upon receiving a notice to take down notified works and implement 'notice and stay-down' procedures. A lighter liability regime applies to new micro and small enterprises that have been providing services in the Union for less than three years with an annual turnover below EUR 10,000,000 and fewer than 5,000,000 average unique monthly visitors. Importantly, these measures must not prevent the availability of user uploads that constitute legitimate uses under mandatory exceptions for quotation, criticism, review, caricature, parody, or pastiche. To safeguard user rights, as clarified by European Commission Guidance COM/2021/288, OCSSPs are mandated to provide users with an effective and expeditious complaint and redress mechanism for disputes over content removal, which must include provisions for human review."

Technical ID

eu-copyright-directive-art-17

Sustainability & ESG

Ecodesign for Sustainable Prod

"Regulation (EU) 2024/1781 establishes a comprehensive framework for setting ecodesign requirements for sustainable products, significantly expanding upon its predecessor, Directive 2009/125/EC. As a cornerstone of the Circular Economy Action Plan, this regulation mandates stringent performance and information criteria to promote durability, reusability, and environmental transparency. Compliance necessitates meeting specific performance thresholds, including achieving a `minimum_recycled_content_percentage` of 25 percent and ensuring `energy_efficiency_class_threshold_met` targets are satisfied. Durability is centrally addressed through obligations for a `minimum_spare_parts_availability_years` of 10 and a `minimum_firmware_support_years` of 5, supported by a calculated `reparability_score_calculated`. A critical information requirement, detailed within ESPR Articles 8-13, is that a `digital_product_passport_generated` must be produced, with its associated `dpp_data_carrier_accessible` for consumers and authorities. This passport discloses data from a required `lifecycle_assessment_completed`, a declared `product_carbon_footprint_declared`, and confirms `substances_of_concern_present_tracked` in alignment with frameworks like Regulation (EC) No 1907/2006 (REACH). Furthermore, under ESPR Article 25, a strict prohibition on the destruction of unsold consumer products, particularly apparel, is enforced; compliance is verified by the `unsold_consumer_goods_destroyed` metric being false. These integrated requirements ensure products placed on the Union market adhere to a holistic standard of environmental sustainability."

Technical ID

eu-espr-ecodesign

Food & Hospitality

EU General Food Law (178/2002)

"Regulation (EC) No 178/2002 establishes the foundational principles and requirements of general food law, prioritizing a high level of protection for human health. Compliance hinges on strict adherence to the food safety requirements outlined in Article 14, which explicitly prohibits placing unsafe food on the market; this node's configuration requires that `unsafe_food_quarantine_enforced` is active. A cornerstone of this regulation is the traceability mandate from Article 18, requiring a fully active system with both `one_step_back_tracking_enabled` and `one_step_forward_tracking_enabled` capabilities, along with a `traceability_data_retention_years` period of at least five years. In the event of a food safety incident, Article 19 imposes clear responsibilities upon food business operators. This includes executing a documented withdrawal procedure, having a `consumer_recall_notification_ready` framework, and notifying competent authorities within an `incident_notification_sla_hours` of 24 hours. The entire framework operates on the principle of risk analysis as detailed in Article 6, necessitating a formal risk assessment with a minimum `risk_assessment_frequency_months` of 12. Finally, transparency obligations under Article 10 are met through measures such as a `public_transparency_portal_active` and `RASFF_api_integration_active`, facilitating effective risk communication. The SANCO/1628/2008 guidance document further clarifies implementation across these critical articles."

Technical ID

eu-food-law-178-2002

Medical & Healthcare

EU IVDR 2017/746 (Diagnostics)

"EU Regulation 2017/746 (In-Vitro Diagnostic Medical Device Regulation - IVDR) is the primary framework for diagnostic devices in the European Union. It replaces the previous 98/79/EC directive and dramatically increases the oversight of IVDs, requiring nearly 80% of devices to undergo notified body audit (vs. 20% previously)."

Technical ID

eu-ivdr-2017-746

Medical & Healthcare

EU MDR 2017/745 (Devices)

"EU Regulation 2017/745 (Medical Device Regulation - MDR) is the primary framework for medical device compliance in the European Union. It replaces the previous MDD/AIMDD directives, introducing more rigorous requirements for pre-market clinical evaluation, post-market surveillance (PMS), and traceability through the UDI system."

Technical ID

eu-mdr-2017-745

Sustainability & ESG

SFDR: Sustainable Finance Disclosure

"As a financial market participant and financial adviser under Regulation (EU) 2019/2088, this entity is subject to comprehensive sustainability-related disclosure obligations. Exceeding the 500-employee count makes compliance with SFDR Article 4 mandatory, requiring a published statement on due diligence policies for principal adverse impacts on sustainability factors, an obligation which is fulfilled. All financial products are classified under SFDR Article 6, indicating sustainability risks are integrated into investment decisions, but the products do not promote environmental or social characteristics as defined by Article 8, nor do they pursue a sustainable investment objective per Article 9. Consequently, disclosures confirm a zero percent alignment with the EU Taxonomy’s environmental objectives. The entity meets its transparency duties through published website information and completed pre-contractual documents, whose content and presentation adhere to the detailed requirements of Commission Delegated Regulation (EU) 2022/1288. Periodic reporting is also required, and the firm’s remuneration policy has been properly updated to reflect how it integrates sustainability risks."

Technical ID

eu-sfdr-reporting

Sustainability & ESG

EU Taxonomy for Sustainable Finance

"Regulation (EU) 2020/852 establishes a classification system to determine whether an economic activity is environmentally sustainable, imposing stringent disclosure obligations on entities subject to NFRD/CSRD (`is_subject_to_nfrd_csrd`:true). An activity qualifies as sustainable only if it meets four cumulative conditions under Article 3. First, it must make a substantial contribution to at least one of the six environmental objectives defined in Article 9, a requirement demanding the targeting of a minimum of one such objective (`min_environmental_objectives_targeted`:1). Currently, the necessary substantial contribution criteria are not fulfilled (`substantial_contribution_criteria_met`:false). Second, it must not significantly harm any of the other five environmental objectives, a test which permits zero violations (`do_no_significant_harm_violations`:0). Third, compliance with the minimum social safeguards stipulated in Article 18 is required, a condition presently failed (`minimum_social_safeguards_passed`:false). Fourth, the activity must comply with the technical screening criteria laid down in Commission Delegated Regulation (EU) 2021/2139, which for the climate objectives require a climate risk and vulnerability assessment that remains incomplete (`climate_risk_assessment_completed`:false). Due to these deficiencies, all key performance indicators, including Taxonomy-aligned revenue, CapEx, and OpEx, report at zero percent (`taxonomy_aligned_revenue_percentage`:0). The entity is therefore not prepared for its transparency obligations (`article_8_disclosure_ready`:false) under Article 8, which are operationalized by Commission Delegated Regulation (EU) 2021/2178 concerning KPI calculation and reporting templates."

Technical ID

eu-taxonomy-sustainable

Creative, Content & Media IP

EXIF Standard (Metadata)

"Compliance with the Exchangeable image file format standard is rigorously enforced to ensure data integrity and interoperability for all digital still-camera image assets. This validation mandates strict adherence to the CIPA DC-008-2023 specification (Exif 3.0), requiring a valid ExifVersion tag of 0300 for all processed files. The underlying file structure must conform to the TIFF/EP image data format described in ISO 12234-2:2001: the TIFF header is 8 bytes long, and the 0th IFD offset it carries must not exceed 8, so the first IFD immediately follows the header. The byte order declared in that header, little endian (II) or big endian (MM), must be applied consistently to every field in the file to prevent misparsing. The node enforces the complete Section 4 image data structure, which includes the mandatory presence of a GPS Info IFD as specified in section 4.3 and an Interoperability IFD index to align with standards like the ISO/IEC 23000-3:2007 photo player application format; because the GPS Info IFD carries the precise capture location, assets validated under this node must have it stripped before any distribution in which location disclosure is unintended. All textual metadata must use the UTF-8 data type introduced in Exif 3.0. Furthermore, critical photographic parameters are required, making the FNumber (aperture), ExposureTime, and PhotographicSensitivity (ISO) tags mandatory for validation. To mitigate security risks, the proprietary MakerNote tag is treated as an opaque blob and is never handed to a vendor-specific parser, since these undocumented structures are a recurring source of memory-safety bugs in image libraries. The total metadata payload is bounded by the JPEG APP1 segment's 16-bit length field, so it cannot exceed 65535 bytes including the two length bytes, and its storage and handling are governed by principles analogous to those in NIST SP 800-111 for safeguarding sensitive information. This comprehensive approach ensures that image metadata is not only structurally sound but also complete, secure, and universally interpretable."

Technical ID

exif-standard-metadata
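As an added example (not code from the node above or from any Exif library), the following Python validator walks a JPEG APP1 Exif body with the checks the EXIF Standard node describes: the 16-bit segment length limit, the II/MM byte-order mark, the 0th IFD at offset 8, mandatory GPS Info and Interoperability IFDs, ExifVersion 0300, the three required photographic tags, and MakerNote flagged as an opaque blob rather than parsed. Every IFD offset and entry count is bounds-checked before use, which is where real Exif parsers have historically gone wrong. The build_sample_exif function constructs a minimal synthetic payload (not a real camera file) so the block runs offline; the tag numbers are from the Exif specification, the policy thresholds are the node's, and the sample values are invented.

```python
import struct

# Tag numbers from the Exif specification (CIPA DC-008); the policy limits are the node's.
TAG_EXIF_IFD, TAG_GPS_IFD, TAG_INTEROP_IFD = 0x8769, 0x8825, 0xA005
TAG_EXIF_VERSION, TAG_MAKERNOTE = 0x9000, 0x927C
REQUIRED_EXIF_TAGS = {0x829A: "ExposureTime", 0x829D: "FNumber", 0x8827: "PhotographicSensitivity"}
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8, 129: 1}  # 129 = UTF-8 (Exif 3.0)
MAX_APP1_PAYLOAD = 65535 - 2  # the 16-bit APP1 length field counts its own two bytes

class ExifError(ValueError):
    """Structural problem in untrusted input, raised before any out-of-bounds read can happen."""

def read_ifd(tiff, offset, fmt):
    """Parse one IFD into {tag: (type, count, value_bytes)}; every offset is checked first."""
    if offset < 8 or offset + 2 > len(tiff):
        raise ExifError(f"IFD offset {offset} outside TIFF data")
    (n,) = struct.unpack_from(fmt + "H", tiff, offset)
    if offset + 2 + 12 * n + 4 > len(tiff):
        raise ExifError(f"IFD at {offset} claims {n} entries but the data ends early")
    entries = {}
    for i in range(n):
        pos = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(fmt + "HHI", tiff, pos)
        if typ not in TYPE_SIZE:
            raise ExifError(f"tag {tag:#06x} uses unknown field type {typ}")
        size = TYPE_SIZE[typ] * count
        if size <= 4:  # value stored inline in the 4-byte field
            value = tiff[pos + 8:pos + 8 + size]
        else:          # field holds an offset to the value; check it before slicing
            (voff,) = struct.unpack_from(fmt + "I", tiff, pos + 8)
            if voff + size > len(tiff):
                raise ExifError(f"tag {tag:#06x} value at {voff}+{size} overruns TIFF data")
            value = tiff[voff:voff + size]
        entries[tag] = (typ, count, value)
    return entries

def ifd_pointer(entry, fmt):
    """A pointer tag must be exactly one LONG; anything else is rejected, not guessed."""
    typ, count, value = entry
    if typ != 4 or count != 1:
        raise ExifError("IFD pointer tag is not a single LONG")
    return struct.unpack(fmt + "I", value)[0]

def validate_exif_app1(payload):
    """Check an APP1 body (bytes after the 2-byte length); returns header facts plus policy violations."""
    if len(payload) > MAX_APP1_PAYLOAD:
        raise ExifError("payload exceeds the 16-bit APP1 segment length")
    if not payload.startswith(b"Exif\0\0"):
        raise ExifError("missing 'Exif\\0\\0' identifier")
    tiff = payload[6:]
    fmt = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if fmt is None or len(tiff) < 8:
        raise ExifError("bad TIFF header or byte-order mark")
    magic, ifd0_off = struct.unpack_from(fmt + "HI", tiff, 2)
    if magic != 42 or ifd0_off != 8:
        raise ExifError("TIFF magic must be 42 and the 0th IFD must follow the 8-byte header")
    violations = []
    ifd0 = read_ifd(tiff, ifd0_off, fmt)
    if TAG_GPS_IFD in ifd0:
        read_ifd(tiff, ifd_pointer(ifd0[TAG_GPS_IFD], fmt), fmt)  # walked only to prove it is well-formed
    else:
        violations.append("GPS Info IFD missing")
    if TAG_EXIF_IFD not in ifd0:
        raise ExifError("Exif IFD pointer missing from the 0th IFD")
    exif = read_ifd(tiff, ifd_pointer(ifd0[TAG_EXIF_IFD], fmt), fmt)
    version = exif.get(TAG_EXIF_VERSION, (7, 0, b""))[2].decode("ascii", "replace")
    if version != "0300":
        violations.append(f"ExifVersion is {version!r}, expected '0300'")
    violations += [f"{name} missing" for tag, name in REQUIRED_EXIF_TAGS.items() if tag not in exif]
    if TAG_INTEROP_IFD in exif:
        read_ifd(tiff, ifd_pointer(exif[TAG_INTEROP_IFD], fmt), fmt)
    else:
        violations.append("Interoperability IFD missing")
    if TAG_MAKERNOTE in exif:  # opaque vendor blob: recorded as a finding, never decoded
        violations.append("MakerNote present (proprietary blob not decoded)")
    return {"byte_order": tiff[:2].decode(), "exif_version": version, "violations": violations}

def _ifd(entries, base, fmt):
    """Serialise [(tag, type, value_bytes)] as an IFD at TIFF offset `base`; large values follow it."""
    data_off = base + 2 + 12 * len(entries) + 4
    out, blob = [struct.pack(fmt + "H", len(entries))], b""
    for tag, typ, val in entries:
        count = len(val) // TYPE_SIZE[typ]
        if len(val) > 4:
            out.append(struct.pack(fmt + "HHII", tag, typ, count, data_off + len(blob)))
            blob += val
        else:
            out.append(struct.pack(fmt + "HHI", tag, typ, count) + val.ljust(4, b"\0"))
    out.append(struct.pack(fmt + "I", 0))  # no next IFD
    return b"".join(out) + blob

def build_sample_exif(order=b"II", with_gps=True, with_makernote=False):
    """Constructed sample payload (not a real camera file): 0th IFD -> Exif IFD -> Interop IFD, plus GPS IFD."""
    fmt = "<" if order == b"II" else ">"
    u32 = lambda v: struct.pack(fmt + "I", v)
    rat = lambda num, den: struct.pack(fmt + "II", num, den)
    exif_off = 8 + 2 + 12 * (2 if with_gps else 1) + 4
    exif_entries = [(0x829A, 5, rat(1, 250)), (0x829D, 5, rat(28, 10)),
                    (0x8827, 3, struct.pack(fmt + "H", 400)), (TAG_EXIF_VERSION, 7, b"0300")]
    exif_entries += [(TAG_MAKERNOTE, 7, b"ACME")] if with_makernote else []
    # one more entry for the Interop pointer; the two RATIONALs (16 bytes) sit right after the IFD
    interop_off = exif_off + 2 + 12 * (len(exif_entries) + 1) + 4 + 16
    exif_entries.append((TAG_INTEROP_IFD, 4, u32(interop_off)))
    gps_off = interop_off + 2 + 12 + 4
    ifd0_entries = [(TAG_EXIF_IFD, 4, u32(exif_off))] + ([(TAG_GPS_IFD, 4, u32(gps_off))] if with_gps else [])
    tiff = order + struct.pack(fmt + "HI", 42, 8)
    tiff += _ifd(ifd0_entries, 8, fmt) + _ifd(exif_entries, exif_off, fmt)
    tiff += _ifd([(0x0001, 2, b"R98\0")], interop_off, fmt)  # InteropIndex
    if with_gps:
        tiff += _ifd([(0x0000, 1, b"\x02\x03\x00\x00")], gps_off, fmt)  # GPSVersionID
    return b"Exif\0\0" + tiff
```

Running validate_exif_app1 over build_sample_exif() returns no violations, while the big-endian variant without a GPS IFD and with a MakerNote reports both; a payload truncated mid-IFD or carrying a forged entry count raises ExifError instead of reading past the buffer.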

Aviation, Defense & Quantum

FAA Part 21 (Certification)

"FAA Part 21 (Certification Procedures for Products and Articles) is the primary U.S. regulation for the certification of aircraft, engines, propellers, and parts. It encompasses the entire life cycle from initial type certificate (TC) through production certificate (PC) to final airworthiness certificate issuance."

Technical ID

faa-part-21-certification

Food & Hospitality

Fair Trade Tourism Audit

"Fair Trade Tourism Audit evaluates an entity's operational alignment with established international standards for ethical and sustainable tourism. The protocol mandates strict adherence to core labor practices, demanding verifiable minimum_wage_compliance and an absolute prohibition on child labor, principles reinforced by the ILO Declaration on Fundamental Principles and Rights at Work. It further stipulates that working schedules must not exceed a maximum_of_48_hours_per_week. Consistent with the Universal Declaration of Human Rights, the node requires active anti_discrimination_policies and upholds the right to freedom_of_association. Socio-economic contributions are quantified through specific thresholds, requiring a local_employment_ratio_min_pct of sixty and a local_procurement_ratio_min_pct of at least fifty, reflecting goals within the Global Sustainable Tourism Council Industry Criteria. As envisioned by the UNWTO Global Code of Ethics, entities must demonstrate a tangible commitment to host communities by establishing a community_benefit_sharing_fund and ensuring cultural_heritage_protection. The Fair Trade Tourism Standard v5.1 core criteria are further met through the implementation of a formal grievance_mechanism, a comprehensive environmental_sustainability_plan, and the provision of no less than twelve annual health_and_safety_training_hours. These requirements, guided by ISO 26000's framework on social responsibility, collectively ensure a holistic approach to fair trade principles, community involvement, and human rights."

Technical ID

fair-trade-tourism

Banking & Global Finance

FATCA IGA (Tax Compliance)

"The Foreign Account Tax Compliance Act (FATCA) is a U.S. federal law requiring foreign financial institutions (FFIs) to report the assets of U.S. account holders. The legislation is primarily implemented through Intergovernmental Agreements (IGAs): under a Model 1 IGA, FFIs report to their own national tax authority, which exchanges the data with the IRS; under a Model 2 IGA, FFIs report directly to the IRS. Together these provide the legal framework for global tax transparency."

Technical ID

fatca-iga-compliance

Banking & Global Finance

AI Agent Anti-Money Laundering (AML) Compliance

"Autonomous agents performing financial functions are subject to the same FATF risk-based approach as traditional entities. Compliance requires 'Neural AML' – embedding real-time traceability, KYC verification, and transaction monitoring directly into the agentic workflow."

Technical ID

fatf-aml-agent

Banking & Global Finance

UPDATED GUIDANCE FOR A RISK-BASED APPROACH VIRTUAL ASSETS AND VIRTUAL ASSET SERVICE PROVIDERS

"In October 2018, the Financial Action Task Force (FATF) adopted changes to its Recommendations to explicitly clarify that they apply to financial activities involving virtual assets (VAs) and introduced definitions for 'virtual asset' and 'virtual asset service provider' (VASP). The amended FATF Recommendation 15 requires that VASPs be regulated for anti-money laundering and countering the financing of terrorism (AML/CFT) purposes, be licensed or registered, and subject to effective systems for monitoring or supervision. This guidance is intended to help national authorities develop regulatory and supervisory responses to VA activities and VASPs, and to assist private sector entities in understanding and complying with their AML/CFT obligations. The guidance outlines the need for countries and VASPs to understand and mitigate money laundering and terrorist financing (ML/TF) risks associated with VA activities. It details the full range of obligations applicable to VASPs, which are the same full set of obligations as financial institutions, including customer due diligence (CDD), recordkeeping, suspicious transaction reporting (STR), and the implementation of the 'travel rule' (Recommendation 16). The travel rule mandates that VASPs must obtain, hold, and transmit required originator and beneficiary information during VA transfers. The guidance also clarifies the specific requirement for VASPs to conduct customer due diligence for occasional transactions above a USD/EUR 1,000 threshold."

Technical ID

fatf-guidance-virtual-assets-vasp

Banking & Global Finance

GUIDANCE ON PROLIFERATION FINANCING RISK ASSESSMENT AND MITIGATION

"This non-binding Guidance from the Financial Action Task Force (FATF) aims to develop a common understanding of the amendments to FATF Recommendation 1, which require countries and private sector entities to identify, assess, understand, and mitigate their proliferation financing (PF) risks. In the context of this Guidance, proliferation financing risk refers strictly and only to the potential breach, non-implementation, or evasion of the targeted financial sanctions (TFS) obligations outlined in Recommendation 7, specifically concerning regimes for the Democratic People’s Republic of Korea (DPRK) and Iran. The document is intended for countries, competent authorities, supervisors, financial institutions, Designated Non-Financial Businesses and Professions (DNFBPs), and Virtual Asset Service Providers (VASPs). The core obligation for private sector entities is to have processes in place to identify, assess, monitor, manage, and mitigate these risks. These processes may be integrated within existing targeted financial sanctions and/or compliance programmes, and entities are not expected to establish duplicative processes. The Guidance recognizes that there is no one-size-fits-all approach and encourages countries and private sector entities to implement measures proportionate to the risks they face, having regard to their specific context, risk profile, and the materiality of different sectors. Full application of targeted financial sanctions as required by Recommendation 7 remains mandatory in all cases."

Technical ID

fatf-pf-risk-assessment-mitigation

Banking & Global Finance

FATF Recommendation 16 (Travel Rule)

"FATF Recommendation 16, the 'Travel Rule', is the global AML/CFT standard requiring originator and beneficiary information to accompany wire transfers; FATF extended it to virtual assets in June 2019 through the Interpretive Note to Recommendation 15. Virtual Asset Service Providers (VASPs) must obtain, hold, and transmit originator and beneficiary information for virtual asset transfers, subject to a de minimis threshold of USD/EUR 1,000 below which countries may apply reduced requirements, to prevent money laundering and terrorist financing."

Technical ID

fatf-travel-rule-v2

Banking & Global Finance

FATF Virtual Asset Red Flags

"The FATF Virtual Asset Red Flag Indicators report (2020) assists financial institutions and Virtual Asset Service Providers (VASPs) in identifying potential money laundering and terrorist financing activity. It categorizes indicators into transaction patterns, anonymity-enhancing features, and sender/recipient behavior to enhance risk-based monitoring."

Technical ID

fatf-virtual-asset-redfl

Banking & Global Finance

FCA Consumer Duty (2023)

"The FCA Consumer Duty (PS22/9) is a major consumer protection reform for the UK retail financial sector; it is an outcomes-based duty rather than a fiduciary one. It introduces a new 'Consumer Principle' (Principle 12), requiring firms to act to deliver good outcomes for retail customers, and sets higher and clearer standards of consumer protection across financial services, applying to new and existing open products from 31 July 2023."

Technical ID

fca-consumer-duty-2023

Legal & IP Sovereignty

FCPA Anti-Bribery (US)

"The Foreign Corrupt Practices Act (FCPA) of 1977 is a U.S. federal law prohibiting the payment of bribes to foreign officials to assist in obtaining or retaining business. It applies to all U.S. persons, issuers, and foreign firms operating within the U.S., enforced jointly by the SEC and the Department of Justice (DOJ)."

Technical ID

fcpa-anti-bribery-compliance

Medical & Healthcare

FDA 21 CFR Part 11 (Records)

"FDA 21 CFR Part 11 establishes the U.S. requirements for electronic records and electronic signatures. It defines the criteria under which the FDA considers electronic records, electronic signatures, and handwritten signatures executed to electronic records to be trustworthy, reliable, and generally equivalent to paper records."

Technical ID

fda-21-cfr-part-11-records

Medical & Healthcare

FDA 21 CFR Part 820 (QSR)

"FDA 21 CFR Part 820 is the Quality System Regulation (QSR) governing the manufacture and design of medical devices in the United States. It requires medical device manufacturers to establish a quality system to ensure that their products consistently meet applicable requirements and specifications. The 2024 Quality Management System Regulation (QMSR) final rule amends Part 820 to incorporate ISO 13485:2016 by reference, with an effective date of February 2, 2026."

Technical ID

fda-21-cfr-part-820-qsr

Medical & Healthcare

Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan

"This Action Plan outlines the U.S. Food and Drug Administration's (FDA) multi-pronged approach to advance its oversight of Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD). Developed in response to stakeholder feedback on a 2019 discussion paper, the plan applies to medical device manufacturers utilizing AI/ML technologies. Its core objective is to establish a total product lifecycle-based regulatory oversight framework that allows SaMD to learn from real-world use and improve its performance while ensuring safety and effectiveness. A central component of this framework is the "Predetermined Change Control Plan" to be included in premarket submissions. This plan consists of two key elements: the "SaMD Pre-Specifications" (SPS), which describe the anticipated modifications, and the "Algorithm Change Protocol" (ACP), which details the methodology for implementing changes in a controlled manner that manages patient risks. The document details a five-part action plan: (1) issuing a Draft Guidance on the Predetermined Change Control Plan; (2) encouraging the harmonization of Good Machine Learning Practice (GMLP); (3) promoting a patient-centered approach that incorporates transparency to users through device labeling; (4) supporting regulatory science to develop methods for addressing algorithm bias and robustness; and (5) advancing real-world performance monitoring through pilot programs with stakeholders."

Technical ID

fda-ai-ml-samd-action-plan

Medical & Healthcare

Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD) Action Plan

"This Action Plan from the U.S. Food & Drug Administration (FDA) outlines a five-part strategy to regulate Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD). Developed in response to stakeholder feedback on a 2019 discussion paper, the plan aims to ensure that AI/ML-based SaMD is safe and effective while supporting innovation. The core of the proposed framework is a "Predetermined Change Control Plan" submitted by manufacturers, which includes the "SaMD Pre-Specifications" (SPS) detailing anticipated modifications and an "Algorithm Change Protocol" (ACP) explaining how changes will be implemented and validated. The plan applies to medical device manufacturers utilizing AI/ML technologies in SaMD. The five key actions are: 1) updating the regulatory framework, including issuing draft guidance on the Predetermined Change Control Plan; 2) encouraging the harmonization of Good Machine Learning Practices (GMLP); 3) promoting a patient-centered approach that incorporates transparency for users; 4) supporting regulatory science to address algorithm bias and robustness; and 5) advancing Real-World Performance (RWP) monitoring through pilot programs. This approach is intended to provide a total product lifecycle-based regulatory oversight, enabling the FDA to monitor software from premarket development through postmarket performance."

Technical ID

fda-aiml-samd-action-plan

Medical & Healthcare

FDA Clinical Decision Software

"The FDA Guidance on Clinical Decision Support (CDS) Software (2022) provides the criteria under which software functions are NOT considered medical devices under Section 520(o)(1)(E) of the FD&C Act. It focuses on ensuring that the healthcare professional (HCP) can independently review the basis for the software's recommendations, so that the software does not replace clinical judgment and patient safety is preserved."

Technical ID

fda-clinical-decision-support

Medical & Healthcare

Cybersecurity in Medical Devices: Quality Management System Considerations and Content of Premarket Submissions

"With the increasing integration of wireless, Internet- and network-connected capabilities, the need for robust cybersecurity controls to ensure medical device safety and effectiveness has become more important. Cybersecurity threats to the healthcare sector have become more frequent and severe, with incidents rendering medical devices and hospital networks inoperable. This guidance applies to devices with cybersecurity considerations, including those with software or programmable logic, across various premarket submission types such as 510(k), PMA, De Novo, IDE, and HDE. It outlines the Food and Drug Administration's (FDA) recommendations for the cybersecurity information to be submitted to demonstrate a reasonable assurance of safety and effectiveness. The guidance emphasizes that cybersecurity is a shared responsibility and a key part of device safety and the Quality Management System Regulation (QMSR). It encourages manufacturers to adopt a Secure Product Development Framework (SPDF) to manage cybersecurity risks throughout the total product lifecycle (TPLC). For devices that meet the definition of a 'cyber device' under section 524B of the FD&C Act, sponsors are required to submit specific information. This includes a plan to monitor, identify, and address postmarket cybersecurity vulnerabilities; processes to provide reasonable assurance of device cybersecurity; and a Software Bill of Materials (SBOM) for all software components."

Technical ID

fda-cybersecurity-medical-devices-premarket

Medical & Healthcare

Guidance for Industry Electronic Source Data in Clinical Investigations

"This guidance provides recommendations to sponsors, Contract Research Organizations (CROs), clinical investigators, and others involved in the capture, review, and retention of electronic source data in FDA-regulated clinical investigations. To streamline and modernize clinical investigations, the guidance promotes capturing source data in electronic form, intending to assist in ensuring the reliability, quality, integrity, and traceability of data from the electronic source to electronic regulatory submission. The core recommendations address the identification and specification of authorized source data originators; the creation of data element identifiers to facilitate audit trail examination; methods to capture source data into an electronic case report form (eCRF) either manually or electronically; and the responsibilities of clinical investigators regarding the review, signature, and retention of electronic data. The guidance emphasizes that source data must be attributable, legible, contemporaneous, original, and accurate (ALCOA) and meet all regulatory requirements for recordkeeping. It is intended to be used in conjunction with other FDA guidance on computerized systems and regulations on electronic records and signatures."

Technical ID

fda-electronic-source-data

Food & Hospitality

Guidance for Industry A Food Labeling Guide

"This guidance is a summary of the required statements that must appear on food labels under the Federal Food, Drug, and Cosmetic Act (FD&C Act) and the Fair Packaging and Labeling Act. The Food and Drug Administration (FDA) is responsible for assuring that foods sold in the United States, whether produced domestically or imported, are safe, wholesome, and properly labeled. This guidance applies to manufacturers, distributors, and importers of food products and uses a question-and-answer format to address the most frequently raised labeling questions. It is the responsibility of the food industry to remain current with all legal requirements for food labeling. The core obligations detailed include the placement of required statements on either the Principal Display Panel (PDP) or the information panel. Mandatory statements include the statement of identity (name of the food), the net quantity of contents, the name and address of the manufacturer, packer, or distributor, a complete ingredient list in descending order of predominance, and nutrition labeling as required by the Nutrition Labeling and Education Act (NLEA). Additionally, the Food Allergen Labeling and Consumer Protection Act (FALCPA) requires specific labeling for the eight major food allergens; the FASTER Act of 2021 added sesame as the ninth, effective January 1, 2023."

Technical ID

fda-food-labeling-guide

Food & Hospitality

FDA Food Safety Modernization

"Compliance with the FDA Food Safety Modernization Act is established through the implementation of several key regulatory programs. A compliant Hazard Analysis and Risk-Based Preventive Controls food safety plan is operational under the authority of 21 CFR Part 117, developed and managed by a certified Preventive Controls Qualified Individual, with current staffing at one such expert. This framework mandates active allergen cross-contact controls, requisite environmental monitoring, and annually completed cGMP training. For import operations, an active Foreign Supplier Verification Program ensures supplier compliance pursuant to 21 CFR Part 1, Subpart L. Protection against intentional adulteration is addressed through a functioning food defense plan, consistent with the mitigation strategies required by 21 CFR Part 121. The operation demonstrates advanced traceability preparedness under FSMA Section 204, capable of providing critical tracking event records within a twenty-four-hour maximum response window. Logistics protocols adhere to the Sanitary Transportation of Human and Animal Food rule, with transport logs retained for a minimum of twelve months as stipulated by 21 CFR Part 1, Subpart O. Where applicable, agricultural practices align with standards in 21 CFR Part 112, including a mandated agricultural water testing frequency of every thirty days. All programs are supported by a documented and tested recall plan, and all requisite records are preserved for a minimum of two years to ensure comprehensive regulatory oversight."

Technical ID

fda-fsma-compliance

Medical & Healthcare

FRAMEWORK FOR FDA’S REAL WORLD EVIDENCE PROGRAM

"Pursuant to the 21st Century Cures Act, which added section 505F to the Federal Food, Drug, and Cosmetic Act (FD&C Act), the Food and Drug Administration (FDA) has created a framework for evaluating the potential use of real-world evidence (RWE). This framework is designed to help support the approval of a new indication for a drug already approved under section 505(c) of the FD&C Act, or to help support or satisfy drug postapproval study requirements. The framework applies to drugs and biological products but does not cover medical devices. Real-World Data (RWD) are defined as data relating to patient health status and/or the delivery of health care routinely collected from a variety of sources, such as electronic health records (EHRs) and medical claims. RWE is the clinical evidence about the usage and potential benefits or risks of a medical product derived from analysis of RWD. The core of the FDA's evaluation approach under this framework consists of a three-part assessment for any RWE submission. The considerations are: 1. Whether the RWD are fit for use, which involves assessing data reliability (data accrual and data assurance) and relevance. 2. Whether the trial or study design used to generate RWE can provide adequate scientific evidence to answer the regulatory question. 3. Whether the study conduct meets FDA regulatory requirements, such as for study monitoring and data collection. The FDA's RWE Program is multifaceted, involving demonstration projects, stakeholder engagement, internal processes for senior leadership input, and the development of guidance documents to assist developers."

Technical ID

fda-real-world-evidence-program

Medical & Healthcare

FDA Software as a Medical Device (SaMD) Risk Matrix

"A risk-based framework for classifying software intended for medical purposes independently of hardware, based on IMDRF categorizations and FDA safety standards."

Technical ID

fda-samd-risk

Banking & Global Finance

FDIC Part 370 (Records)

"FDIC Part 370 (Recordkeeping for Timely Deposit Insurance Determination) is a critical compliance standard for large U.S. insured depository institutions (those with 2 million or more deposit accounts). It requires covered institutions to maintain account records in a prescribed format, together with the IT capability, that allow the FDIC to calculate the insured amount for each account holder within 24 hours of the institution's failure."

Technical ID

fdic-part-370-recordkeep

Cybersecurity

FedRAMP — US Federal Cloud Authorization

"The Federal Risk and Authorization Management Program (FedRAMP), established by the OMB FedRAMP policy memorandum of December 8, 2011 and codified into law by the FedRAMP Authorization Act (December 2022, part of the NDAA for FY2023), is the US federal government's standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. All cloud services (IaaS, PaaS, SaaS) used by federal agencies must be FedRAMP authorized. FedRAMP defines three impact levels based on FIPS 199 categorization: Low, Moderate (the most common; FedRAMP reports it covers roughly 80% of authorized cloud services), and High (for sensitive unclassified data including law enforcement, financial, and health data). The Rev 4 baselines carried 125, 325 and 421 controls respectively; the Rev 5 baselines (aligned to NIST SP 800-53 Rev 5 and released in May 2023) carry 156, 323 and 410. Two authorization paths have existed: (1) Agency ATO (Authority to Operate), in which a federal agency sponsors and issues an ATO that other agencies can reuse; (2) JAB (Joint Authorization Board) P-ATO, reviewed by the GSA, DoD, and DHS CIOs. The JAB was replaced by the FedRAMP Board under OMB Memorandum M-24-15 (July 2024). Third-Party Assessment Organizations (3PAOs), accredited by the American Association for Laboratory Accreditation (A2LA), conduct the independent assessments. Continuous monitoring after authorization is mandatory: monthly vulnerability scanning, annual penetration testing, and significant change reporting."

Technical ID

fedramp-authorization

Cloud & SaaS

FedRAMP Moderate (NIST)

"Adherence to the FedRAMP Moderate authorization baseline ensures cloud service offerings meet the security and privacy controls defined in NIST Special Publication 800-53, Revision 5, for protecting controlled unclassified information. This compliance framework mandates the use of FIPS PUB 140-3 validated cryptographic modules, requiring all data in transit and at rest to be encrypted. System access controls are rigorously enforced: multi-factor authentication is mandatory for network access, and user sessions automatically terminate after a 15-minute idle timeout. Consistent with the FedRAMP Vulnerability Scanning Requirements, systems must undergo comprehensive vulnerability scans at a minimum frequency of every 30 days. The remediation timeline for identified vulnerabilities is strict: high-risk findings must be resolved within 30 days, whereas moderate-risk findings are allotted 90 days. Incident response protocols demand immediate action, with a reporting window of one hour from detection. Furthermore, a continuous monitoring program, guided by the FedRAMP Continuous Monitoring Strategy Guide and OMB Circular A-130's principles for managing information resources, must be maintained. This includes the retention of audit logs for a full 365 days and the submission of updated Plan of Action and Milestones (POA&M) documentation at least every 30 days, coinciding with the continuous monitoring reporting cycle."

Technical ID

fedramp-moderate-baseline

Banking & Global Finance

Cross-Border VAT/GST Calculation Logic

"Cross-border VAT/GST calculation logic for services and intangibles operates strictly under the destination principle for business-to-consumer (B2C) supplies, aligning with Chapter 3 of the OECD International VAT/GST Guidelines and mirrored in national legislation such as Australia's Tax and Superannuation Laws Amendment (2016 Measures No. 1) Act 2016 and Singapore's Goods and Services Tax (Amendment) Act 2018. The place of supply determination for these B2C transactions hinges on robust customer location verification. Pursuant to frameworks like Council Implementing Regulation (EU) No 1042/2013, the system mandates collection of a minimum of two non-contradictory pieces of location evidence; transactions are automatically blocked if conflicting location data is presented. For auditability, both the customer IP address and the billing address are stored. Within the European Union, a specific €10,000 annual turnover threshold exists for micro-businesses, below which B2C supplies may remain subject to home country VAT rules. For business-to-business (B2B) transactions, the system enforces the reverse charge mechanism as stipulated by regulations like the EU VAT Directive 2006/112/EC and, in the UK, Sections 7A (place of supply of services) and 8 (reverse charge on supplies received from abroad) of the Value Added Tax Act 1994. This requires mandatory real-time validation of customer VAT numbers through systems like VIES before a customer-asserted number is trusted; the platform will attempt up to a maximum of three retries before failure. The logic disallows any exemptions for digital services, and should a conclusive tax jurisdiction not be determined, a default tax rate fallback of zero percent is applied to prevent erroneous charges; because a zero-rate fallback under-collects rather than over-collects, such transactions should be logged for review."

Technical ID

finance-tax-logic
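As an added example (not the platform's own code), the decision logic described in the Cross-Border VAT/GST node above in Python: the customer-location check requiring at least two agreeing items of evidence with conflicts blocked, VIES validation with up to three attempts (retrying only transient failures, never a definitive 'invalid' answer), reverse charge for a validated B2B customer, and the zero-rate fallback flagged for review. The rate table, the evidence kind names and make_flaky_vies, a constructed stand-in for the VIES service, are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MIN_EVIDENCE = 2          # Implementing Regulation (EU) 282/2011 Art. 24b: two non-contradictory items
VIES_MAX_ATTEMPTS = 3     # platform setting from the node description
FALLBACK_RATE = 0.0       # applied only when no jurisdiction can be concluded
# Assumed standard rates for the illustration; a real system reads a maintained rate table.
STANDARD_RATES = {"DE": 0.19, "FR": 0.20, "IE": 0.23, "NL": 0.21}


@dataclass
class Evidence:
    kind: str        # e.g. "billing_address", "ip_geolocation", "bank_country" (assumed names)
    country: str     # ISO 3166-1 alpha-2


@dataclass
class Transaction:
    customer_vat_id: Optional[str]
    evidence: List[Evidence]


@dataclass
class Decision:
    status: str                  # "taxed" | "reverse_charge" | "blocked" | "fallback"
    country: Optional[str]
    rate: float
    reason: str
    needs_review: bool = False


class ViesUnavailable(Exception):
    """Transient VIES failure (timeout, 5xx); distinct from a definitive 'invalid' answer."""


def customer_location(evidence: List[Evidence]) -> Tuple[Optional[str], str]:
    """Destination principle: need at least MIN_EVIDENCE items and they must all agree."""
    if len(evidence) < MIN_EVIDENCE:
        return None, "insufficient_evidence"
    countries = {e.country.upper() for e in evidence}
    if len(countries) != 1:
        return None, "conflicting_evidence"
    return countries.pop(), "ok"


def validate_vat_id(vat_id: str, vies_lookup: Callable[[str], bool]) -> bool:
    """Retry only transient failures, up to VIES_MAX_ATTEMPTS; an 'invalid' answer is final."""
    last_error: Optional[Exception] = None
    for _ in range(VIES_MAX_ATTEMPTS):
        try:
            return vies_lookup(vat_id)
        except ViesUnavailable as exc:
            last_error = exc
    raise ViesUnavailable(f"VIES unreachable after {VIES_MAX_ATTEMPTS} attempts") from last_error


def determine_tax(tx: Transaction, vies_lookup: Callable[[str], bool]) -> Decision:
    if tx.customer_vat_id:
        # B2B path: a customer-supplied VAT number is never trusted until VIES confirms it.
        try:
            valid = validate_vat_id(tx.customer_vat_id, vies_lookup)
        except ViesUnavailable:
            return Decision("fallback", None, FALLBACK_RATE, "vies_unavailable", needs_review=True)
        if valid:
            return Decision("reverse_charge", tx.customer_vat_id[:2].upper(), 0.0, "b2b_reverse_charge")
        # Invalid number: fall through and treat the customer as a consumer.
    country, why = customer_location(tx.evidence)
    if why == "conflicting_evidence":
        return Decision("blocked", None, 0.0, why, needs_review=True)
    if country is None:
        return Decision("fallback", None, FALLBACK_RATE, why, needs_review=True)
    rate = STANDARD_RATES.get(country)
    if rate is None:
        return Decision("fallback", country, FALLBACK_RATE, "no_rate_for_jurisdiction", needs_review=True)
    return Decision("taxed", country, rate, "b2c_destination")


def make_flaky_vies(fail_first: int, valid_ids: set) -> Callable[[str], bool]:
    """Constructed stand-in for the VIES service: raises fail_first times, then answers."""
    calls = {"n": 0}

    def lookup(vat_id: str) -> bool:
        calls["n"] += 1
        if calls["n"] <= fail_first:
            raise ViesUnavailable("timeout")
        return vat_id in valid_ids
    return lookup


if __name__ == "__main__":
    vies = make_flaky_vies(fail_first=2, valid_ids={"DE123456789"})
    print(determine_tax(Transaction("DE123456789", []), vies))
    print(determine_tax(Transaction(None, [Evidence("billing_address", "DE"),
                                           Evidence("ip_geolocation", "FR")]), vies))
```

A VIES outage that exhausts the three attempts yields a fallback decision with needs_review set, so the zero-rate charge is visible to whoever reconciles tax later; a definitive 'invalid' answer is not retried and the customer is taxed as a consumer at the destination rate.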

Crypto & Sovereign Finance

Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies

"The Financial Crimes Enforcement Network (FinCEN) is issuing this interpretive guidance to remind persons subject to the Bank Secrecy Act (BSA) how FinCEN regulations relating to money services businesses (MSBs) apply to certain business models involving money transmission denominated in value that substitutes for currency, specifically, convertible virtual currencies (CVCs). This guidance does not establish any new regulatory expectations or requirements; rather, it consolidates current FinCEN regulations and related administrative rulings and guidance issued since 2011, applying these rules to common business models involving CVC. The guidance clarifies that whether a person is a money transmitter is a matter of facts and circumstances, not labels. Exchangers and administrators of CVC generally qualify as money transmitters under the BSA, while users who obtain CVC to purchase goods or services on their own behalf do not. The core obligations for applicable persons include registering with FinCEN as an MSB within 180 days of engaging in money transmission and developing, implementing, and maintaining an effective written anti-money laundering (AML) program that is reasonably designed to prevent the MSB from being used to facilitate money laundering and the financing of terrorist activities. This program must be risk-based, approved by senior leadership, and include policies, a designated compliance officer, training, and independent review."

Technical ID

fincen-cvc-business-models

Banking & Global Finance

FINRA Rule 3110 (Supervision)

"FINRA Rule 3110 is the foundational U.S. standard for the supervision of the registered representatives and offices of broker-dealers. It requires firms to establish and maintain a system of written supervisory procedures (WSPs) to ensure compliance with applicable securities laws and FINRA rules, with a specific focus on the regular inspection and oversight of 'Offices of Supervisory Jurisdiction' (OSJs)."

Technical ID

finra-3110-supervision

Operations & CX

Report on Selected Cybersecurity Practices – 2018

"This report continues FINRA’s efforts to share information that can help broker-dealer firms further develop their cybersecurity programs. Firms routinely identify cybersecurity as one of their primary operational risks, and this report presents FINRA’s observations regarding effective practices that firms have implemented to address selected cybersecurity risks, recognizing that there is no one-size-fits-all approach. The topics covered include strengthening cybersecurity controls in branch offices, limiting phishing attacks, identifying and mitigating insider threats, the elements of a strong penetration testing program, and establishing controls on mobile devices. The report highlights practices that should be evaluated in the context of a holistic firm-level cybersecurity program. It is intended for broker-dealer firms, with specific guidance for small firms provided in an appendix titled “Core Cybersecurity Controls for Small Firms.” The core obligations involve implementing robust controls across various domains, such as developing written supervisory procedures (WSPs) for branches, conducting regular training, maintaining asset inventories, establishing technical controls like multi-factor authentication and encryption, conducting penetration tests, and managing mobile device security."

Technical ID

finra-cybersecurity-practices-2018

Aviation, Defense & Quantum

SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES

"This standard specifies the security requirements for a cryptographic module utilized within a security system protecting sensitive but unclassified information. It is applicable to all federal agencies that use cryptographic-based security systems and shall be used in designing and implementing cryptographic modules that federal departments and agencies operate or that are operated for them under contract. The standard provides four increasing, qualitative levels of security (Level 1, Level 2, Level 3, and Level 4) intended to cover a wide range of potential applications and environments. The core obligation is for federal agencies to use cryptographic modules that have been validated by the Cryptographic Module Validation Program (CMVP), a joint effort between the National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security. The security requirements cover areas related to the secure design, implementation, and operation of a cryptographic module, including its specification, interfaces, roles, services, authentication, software/firmware security, operating environment, physical security, non-invasive security, sensitive security parameter management, self-tests, life-cycle assurance, and mitigation of other attacks. In the CMVP, vendors use independent, accredited Cryptographic and Security Testing (CST) laboratories to have their modules tested for conformance."

Technical ID

fips-140-3-cryptographic-modules

Cybersecurity

Advanced Encryption Standard (AES)

"The Advanced Encryption Standard (AES) specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data. The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) digital information. The standard specifies three members of the Rijndael family: AES-128, AES-192, and AES-256. Each transforms data in blocks of 128 bits, and the numerical suffix indicates the bit length of the associated cryptographic keys. The algorithm is capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in blocks of 128 bits. This standard applies to information systems used or operated by federal agencies, a contractor of an agency, or other organization on behalf of an agency, but not to national security systems. It may be used by federal agencies to protect information when they have determined that encryption is appropriate. The algorithm specified in this Standard may be implemented in software, firmware, hardware, or any combination thereof and shall be used in conjunction with a FIPS-approved or NIST-recommended mode of operation. This standard may also be adopted and used by non-Federal Government organizations."

Technical ID

fips-197-advanced-encryption-standard

Cybersecurity

Standards for Security Categorization of Federal Information and Information Systems

"FIPS Publication 199 establishes standards for categorizing federal information and information systems to provide a common framework for expressing security. The categorization is based on the objectives of providing appropriate levels of information security according to a range of risk levels. This is accomplished by assessing the potential impact (Low, Moderate, or High) on organizational operations, assets, or individuals should a breach of security occur, defined as a loss of confidentiality, integrity, or availability. These standards apply to all information within the federal government (other than classified national security information) and all federal information systems. The core obligation for agency officials is to use these security categorizations whenever a federal requirement exists to categorize information or systems. The security category for an information system is determined by taking the highest potential impact value ('high water mark') from all information types resident on that system for each of the three security objectives: confidentiality, integrity, and availability."

Technical ID

fips-199-security-categorization

Cybersecurity

Minimum Security Requirements for Federal Information and Information Systems

"This standard, mandated by the Federal Information Security Management Act (FISMA) of 2002, specifies minimum security requirements for information and information systems supporting the executive agencies of the federal government. It is applicable to all federal information and information systems, excluding those designated as national security systems or containing classified information. The core obligation for federal agencies is to develop, document, and implement an enterprise-wide program to provide information security for their systems and assets. This involves a risk-based process that begins with categorizing information systems as low, moderate, or high impact based on the security objectives of confidentiality, integrity, and availability, as defined in FIPS Publication 199. Following categorization, agencies must meet the minimum security requirements across seventeen security-related areas, including access control, incident response, configuration management, and contingency planning. The standard mandates the use of security controls from NIST Special Publication 800-53. Agencies must select and tailor a baseline of security controls corresponding to their system's impact level (low, moderate, or high). The goal is to establish minimum levels of due diligence for information security and facilitate a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet these minimum requirements."

Technical ID

fips-200-minimum-security-requirements

Cybersecurity

Personal Identity Verification (PIV) of Federal Employees and Contractors

"This document establishes a standard for a Personal Identity Verification (PIV) system that meets the control and security objectives of Homeland Security Presidential Directive-12 (HSPD-12). It is based on secure and reliable forms of identity credentials issued by the Federal Government to its employees and contractors. These credentials are used by mechanisms that authenticate individuals who require access to federally controlled facilities, information systems, and applications. The standard is applicable to all federal departments and agencies for identification issued to federal employees and contractors, except for national security systems. The core obligation is to implement a PIV system that issues credentials based on sound criteria for verifying an individual's identity, including prerequisite background investigations and in-person identity proofing. The credentials must be strongly resistant to fraud and tampering, be rapidly authenticated electronically, and be issued only by providers whose reliability has been established by an official accreditation process. The Standard specifies implementation and processes for binding identities to authenticators, such as integrated circuit cards (PIV Cards) and derived PIV credentials, and outlines the lifecycle activities for PIV identity accounts, from initial proofing and registration to issuance, maintenance, and termination."

Technical ID

fips-201-3-piv-federal-employees

Aviation, Defense & Quantum

SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

"This Standard specifies the Secure Hash Algorithm-3 (SHA-3) family of functions on binary data, based on the KECCAK algorithm selected by NIST. The SHA-3 family consists of four cryptographic hash functions (SHA3-224, SHA3-256, SHA3-384, and SHA3-512) and two extendable-output functions or XOFs (SHAKE128 and SHAKE256). These functions supplement the SHA-1 and SHA-2 families specified in FIPS 180-4, providing resilience against future advances in hash function analysis through fundamentally different design principles. This standard is applicable to all Federal departments and agencies for protecting sensitive unclassified information. The core obligation is that either this Standard or FIPS 180 must be implemented wherever a secure hash algorithm is required for Federal applications, including as a component within other cryptographic algorithms and protocols. Implementations may be in software, firmware, hardware, or any combination thereof, but only implementations validated by the Cryptographic Algorithm Validation Program (CAVP) will be considered compliant. This standard may also be adopted and used by non-Federal Government organizations."

Technical ID

fips-202-sha-3-standard

Aviation, Defense & Quantum

FIPS 203 (ML-KEM Quantum)

"FIPS 203 (Module-Lattice-Based Key-Encapsulation Mechanism) is the final NIST standard for quantum-resistant key encapsulation. Based on the CRYSTALS-Kyber algorithm, it is designed to protect sensitive information from future decryption by large-scale quantum computers, providing the foundational layer for PQC secure communication."

Technical ID

fips-203-ml-kem-quantum

Aviation, Defense & Quantum

Module-Lattice-Based Key-Encapsulation Mechanism Standard

"This standard specifies a key-encapsulation mechanism (KEM) called ML-KEM, which is a set of algorithms that can be used by two parties to establish a shared secret key over a public channel. The security of ML-KEM is related to the computational difficulty of the Module Learning with Errors problem, and it is presently believed to be secure, even against adversaries who possess a quantum computer. The standard specifies three parameter sets, ML-KEM-512, ML-KEM-768, and ML-KEM-1024, which offer different trade-offs in security strength versus performance. All three are approved to protect sensitive, non-classified communication systems of the U.S. Federal Government. This standard applies to information systems used or operated by federal agencies or by a contractor of an agency on behalf of an agency, but not to national security systems. It shall be used wherever the establishment of a shared secret key is required for federal applications, including for use with symmetric-key cryptographic algorithms. The core obligation is for implementations to conform to the specified algorithms and employ other approved cryptographic functions. Conforming implementations may replace the given set of steps with any mathematically equivalent set of steps, but must not use the component public-key encryption scheme (K-PKE) as a stand-alone scheme."

Technical ID

fips-203-ml-kem-standard

Cybersecurity

Post-Quantum Cryptography (FIPS 203)

"National standards for the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), ensuring security in the era of Cryptographically Relevant Quantum Computers (CRQC)."

Technical ID

fips-203-quantum-kem

Aviation, Defense & Quantum

Module-Lattice-Based Digital Signature Standard

"This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. ML-DSA is a lattice-based digital signature algorithm believed to be secure, even against adversaries in possession of a large-scale quantum computer. The recipient of signed data can use a digital signature as evidence in demonstrating to a third party that the signature was, in fact, generated by the claimed signatory, a property known as non-repudiation. This standard is applicable to all federal departments and agencies for the protection of sensitive unclassified information. The core obligation is that either this standard, FIPS 205, FIPS 186-5, or NIST Special Publication 800-208 shall be used in designing and implementing public-key-based signature systems that federal departments and agencies operate or that are operated for them under contract. The standard specifies the mathematical steps for key generation, signature generation, and signature verification. The adoption and use of this standard are also available to private and commercial organizations. Digital signature key pairs created under this standard shall not be used for other purposes."

Technical ID

fips-204-digital-signature-standard

Aviation, Defense & Quantum

FIPS 204 (ML-DSA Quantum)

"FIPS 204 (Module-Lattice-Based Digital Signature Algorithm) is the final NIST standard for quantum-resistant digital signatures. Based on the CRYSTALS-Dilithium algorithm, it is designed to ensure authenticity and non-repudiation in a post-quantum world, replacing or augmenting RSA and ECDSA signatures for core internet infrastructure."

Technical ID

fips-204-ml-dsa-quantum

Aviation, Defense & Quantum

Module-Lattice-Based Digital Signature Standard

"This standard specifies ML-DSA, a set of algorithms that can be used to generate and verify digital signatures which are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. ML-DSA is a lattice-based digital signature algorithm believed to be secure, even against adversaries in possession of a large-scale quantum computer, and provides for non-repudiation. The standard specifies the mathematical steps that need to be performed for key generation, signature generation, and signature verification. ML-DSA can be used in electronic mail, electronic funds transfer, software distribution, data storage, and other applications that require data integrity assurance and data origin authentication. This standard is applicable to all federal departments and agencies for the protection of sensitive unclassified information. The core obligation is that either this standard, FIPS 205, FIPS 186-5, or NIST Special Publication 800-208 shall be used in designing and implementing public-key-based signature systems that federal departments and agencies operate or that are operated for them under contract. Implementations must employ cryptographic algorithms approved for protecting Federal Government-sensitive information. The security of a digital signature system depends on maintaining the secrecy of the signatory’s private keys, and signatories shall guard against the disclosure of their private keys. The adoption and use of this standard are also available to private and commercial organizations."

Technical ID

fips-204-ml-dsa-standard

Cybersecurity

Post-Quantum DSA (FIPS 204)

"Compliance with Federal Information Processing Standard 204 mandates a strict implementation of the Module-Lattice-Based Digital Signature Algorithm (ML-DSA). Systems must exclusively employ one of the three standardized parameter sets—ML-DSA-44, ML-DSA-65, or ML-DSA-87—and satisfy a minimum security strength where the selected set corresponds to NIST security category 3 or 5, reflecting a policy threshold where the value must be greater than or equal to 3. The foundational cryptographic operations are equally prescribed: the internal hash function must be SHAKE-256 per FIPS 202, and randomness for key generation or randomized signing must originate from a DRBG compliant with NIST SP 800-90A. For utilization in U.S. Federal contexts, the entire cryptographic implementation needs to be encapsulated within a FIPS 140-3 validated module. Verification requires that the implementation correctly process all relevant Known Answer Test vectors from the NIST CAVP for its claimed parameter set. Furthermore, component sizes are non-negotiable; the public key, private key, and signature dimensions must exactly match byte specifications detailed in FIPS 204, such as the 4000-byte private key for ML-DSA-65. Finally, operational security dictates that generated ML-DSA keys are single-purpose and must be disallowed for any other cryptographic function."

Technical ID

fips-204-quantum-dsa

Cybersecurity

Quantum SPHINCS+ (FIPS 205)

"Compliance with Federal Information Processing Standard 205 is affirmed through the correct implementation of the Stateless Hash-Based Digital Signature Algorithm (SLH-DSA). The system utilizes a cryptographic module formally validated for FIPS 205 compliance, employing a NIST-approved parameter set that achieves security level 3. This algorithm is properly restricted exclusively to digital signature generation and verification operations, precluding its use for encryption or key establishment purposes. A critical security control is met, as the implementation is confirmed to be stateless, thereby preventing catastrophic key reuse vulnerabilities associated with stateful hash-based schemes. The underlying cryptographic primitives, specifically the hash functions, are FIPS-approved. Furthermore, private key lifecycle management is contained within a FIPS 140-3 validated cryptographic boundary. Randomness for key generation adheres to NIST Special Publication 800-90A by using a compliant deterministic random bit generator. System architecture has been verified to accommodate the characteristically large signature sizes produced by SPHINCS+, and as part of a prudent transitional strategy outlined in NIST Special Publication 800-208, this SLH-DSA implementation is deployed within a hybrid scheme, operating alongside a classical signature algorithm to ensure robust security during migration to post-quantum cryptography."

Technical ID

fips-205-quantum-sphincs

Aviation, Defense & Quantum

FIPS 205 (SLH-DSA Quantum)

"FIPS 205 (Stateless Hash-Based Digital Signature Algorithm) is a NIST-standardized quantum-resistant signature mechanism based on the SPHINCS+ construction. Unlike lattice-based schemes, it relies solely on the security of cryptographic hash functions, providing a robust backup against potential cryptanalytic breakthroughs in other PQC families."

Technical ID

fips-205-slh-dsa-quantum

Logistics & Supply Chain

Fleet Telematics Audit Protocol

"Fleet Telematics Audit Protocol establishes a comprehensive framework for verifying compliance with critical cybersecurity, data privacy, and operational mandates. The system enforces stringent cybersecurity controls aligned with ISO/SAE 21434, requiring that CAN bus network isolation is enabled to mitigate internal threats. In-transit data integrity is protected through mandatory AES-256 IoT transmission encryption, a standard advocated by NIST SP 800-213 for device security. To address lifecycle management principles within UNECE WP.29 Regulation 155 and Regulation 156, this protocol mandates that over-the-air firmware updates carry digital signatures and that continuous monitoring is performed with vulnerability scans at an interval not exceeding 30 days. Regarding data protection, the protocol adheres to GDPR Article 5 and Article 32, enforcing a strict 180-day maximum for telemetry data retention and utilizing data anonymization for aggregate reports. California Privacy Rights Act provisions are met through an active driver data access portal and, where applicable, by ensuring that explicit driver biometric consent is logged. Operationally, this protocol guarantees full adherence to the FMCSA Electronic Logging Device Rule; systems are confirmed to be ELD mandate compliant, Hours of Service tamper detection is enabled, and the GPS polling interval is at least 30 seconds. A critical alert latency maximum of 500 milliseconds ensures timely notifications consistent with safety obligations."

Technical ID

fleet-telematic-audit

Workplace

FLSA (Fair Labor)

"The Fair Labor Standards Act (FLSA) establishes critical nationwide standards for wages and hours, recordkeeping obligations, and youth employment. Under 29 U.S.C. § 206, covered non-exempt employees are entitled to a federal minimum wage of at least $7.25 per hour. Furthermore, 29 U.S.C. § 207 mandates overtime compensation for work exceeding a standard forty-hour work week, requiring payment at a rate of one and one-half times the employee's regular rate; private sector compensatory time off is not a permissible substitute. Specific classifications of employees may be exempt from these wage and hour provisions if they meet criteria outlined in 29 CFR Part 541, which includes a minimum weekly salary threshold of $844. Employers must adhere to stringent data collection and recordkeeping rules pursuant to 29 U.S.C. § 211(c) and detailed in 29 CFR Part 516. This includes maintaining accurate time tracking for all non-exempt personnel and requires secure data storage for personally identifiable information. Payroll records must be preserved for three years, whereas timekeeping data mandates a two-year retention period. The child labor provisions of 29 U.S.C. § 212 set the minimum working age at fourteen for most occupations but increase that minimum age to eighteen for designated hazardous roles. Compliance also necessitates the prominent display of a workplace poster detailing these employee rights."

Technical ID

flsa-compliance-labor

Workplace

Coverage under the Fair Labor Standards Act (FLSA)

"The Fair Labor Standards Act (FLSA) establishes standards for minimum wage, overtime pay, recordkeeping, and child labor. This guidance, provided in Fact Sheet #14, explains the coverage of the FLSA, detailing which employers and employees are covered by the law. Coverage can be established on an enterprise basis, covering all employees of a business, or on an individual basis, covering specific employees whose work involves interstate commerce. The guidance clarifies that certain exemptions may apply to specific positions, removing them from minimum wage or overtime protections. In addition to defining coverage, the fact sheet emphasizes the recordkeeping requirements for employers. Under the FLSA, employers must maintain accurate records of hours worked and wages paid for all covered, non-exempt employees. Compliance with these provisions is crucial, as misclassification of employees or failure to adhere to wage, hour, and recordkeeping standards can result in liability for back wages and other penalties. The act's protections ensure that workers receive proper compensation for their labor, including premium pay for overtime hours worked."

Technical ID

flsa-coverage

Workplace

FMLA (Family Leave)

"The Family and Medical Leave Act mandates that covered employers provide eligible employees with job-protected, unpaid leave for specified family and medical reasons. A covered employer under 29 U.S.C. § 2611 is one employing 50 or more individuals. To qualify as an 'eligible employee' pursuant to 29 CFR § 825.110, an individual must have worked for the employer for at least 12 months, which need not be consecutive, and for a minimum of 1,250 hours during the 12-month period preceding the leave. Qualifying employees are entitled to a total of 12 workweeks of leave in a 12-month period. This entitlement extends to 26 workweeks during a single 12-month period for military caregiver leave under 29 U.S.C. § 2612. While this is an unpaid leave standard, the statute permits intermittent leave usage when medically necessary. Critical protections under 29 U.S.C. § 2614 require that employers maintain the employee's group health benefits during leave and ensure job restoration to an equivalent position upon return. For foreseeable leave, an employee must provide 30 days' advance notice. Following a leave request, the employer must furnish eligibility notice within 5 business days as part of its comprehensive notice obligations outlined in 29 CFR § 825.300. Because medical certification is required, the employee generally has 15 calendar days to provide sufficient documentation of a serious health condition as stipulated by 29 CFR § 825.305."

Technical ID

fmla-compliance-leave

Food & Hospitality

Food Allergen Labeling Law

"Regulatory frameworks governing food allergen labeling establish non-negotiable compliance obligations for manufacturers. The primary U.S. authority, the Food Allergen Labeling and Consumer Protection Act of 2004 (FALCPA), as amended by the FASTER Act of 2021, mandates explicit declaration of nine major food allergens, a requirement which now includes sesame. This legislation requires plain language naming for allergens and permits disclosure using either an inline parenthetical format within the ingredient list or an adjacent “Contains” statement format. Meanwhile, European Union regulations, chiefly Regulation (EU) No 1169/2011, are more expansive, identifying a total of fourteen major allergens requiring declaration. The EU uniquely mandates typographical emphasis, such as bolding or underlining, for allergenic ingredients listed and specifies a minimum font size of 1.2mm for mandatory particulars. While FALCPA generally exempts highly refined oils derived from major allergens, such specific carve-outs are narrowly defined. Beyond finished product labeling detailed in 21 CFR Part 101.9, broader food safety mandates under 21 CFR Part 117 compel manufacturers to implement robust preventive controls. This operational requirement mandates cross-contact prevention measures throughout production and also necessitates a rigorous supplier allergen verification program to ensure the integrity of raw materials and mitigate undeclared allergen risks from the supply chain."

Technical ID

food-allergen-label-law

Banking & Global Finance

The Federal Reserve reminds firms of safe and sound practices for counterparty credit risk management in light of the Archegos Capital Management default

"In light of the Archegos Capital Management default, which caused over $10 billion in losses across several large banks, the Federal Reserve is issuing guidance to remind firms of supervisory expectations for counterparty credit risk management. This letter is intended for use by banking organizations with large derivatives portfolios and relationships with investment funds, as well as for supervisors. It is generally not applicable to community banking organizations. The guidance addresses concerns with practices where firms accept incomplete and unverified information from investment funds, particularly regarding strategy, concentrations, and relationships with other market participants. The core obligations emphasize that firms should obtain and verify critical information regarding a fund's size, leverage, and concentrated positions. If a client refuses to provide this information, firms should reconsider the relationship or apply strong compensating measures, such as more stringent contractual terms. The Federal Reserve also reminds firms that poor communication frameworks, inadequate risk management functions, and ineffective governance hamper their ability to identify and address risk. Firms must ensure risk management functions have the experience and stature to control risks, and that margin terms are appropriate, risk-sensitive, and do not prevent the firm from improving its margin position or closing out positions quickly."

Technical ID

frb-sr-21-19-counterparty-credit-risk

Logistics & Supply Chain

Freight Forwarding Ethics (FIATA)

"Freight forwarding operations must exhibit strict adherence to a comprehensive ethical framework grounded in international standards. All engagements mandate `requires_fiata_standard_documents`, with the legal basis for the FIATA FBL established by the UNCTAD/ICC Rules for Multimodal Transport Documents, and all electronic versions necessitate `digital_fbl_signature_validation`. In accordance with the FIATA Model Rules for Freight Forwarding Services, carrier liability for goods is strictly circumscribed, establishing a `max_permitted_liability_sdr_per_kg` of 2. A robust anti-corruption posture is non-negotiable, evidenced by an `anti_bribery_certification_active` status and conformance with principles from the FIATA Code of Business Conduct and Anti-Corruption Advisory. This posture must account for the extraterritorial reach of the US Foreign Corrupt Practices Act and UK Bribery Act 2010, demanding a rigorous `subcontractor_audit_frequency_months` cycle of 12. Security protocols must align with the WCO SAFE Framework of Standards, necessitating diligent `requires_kyc_shipper_verification` for all clients. To prevent illicit trade, continuous screening of all parties against the United Nations Security Council Consolidated Sanctions List must occur within a `sanctions_screening_interval_hours` of 24. Further operational prerequisites include mandatory `hazardous_materials_declaration_required` submissions, verification that `antitrust_compliance_training_completed` is current, and ensuring `environmental_impact_reporting_enabled` is active. For auditability, all commercial records are subject to a `data_retention_commercial_docs_years` term of 5."

Technical ID

freight-forwarder-fiata

Banking & Global Finance

FSB Key Attributes (Resolution)

"The FSB Key Attributes of Effective Resolution Regimes for Financial Institutions are the international standards for the orderly resolution of failing systemically important financial institutions (SIFIs). They provide the mandatory powers and tools for national authorities to resolve banks without taxpayer bailouts, ensuring the continuity of critical functions."

Technical ID

fsb-key-attributes-res

Banking & Global Finance

FSB TCFD (Banking)

"The TCFD (Task Force on Climate-related Financial Disclosures) Banking Sector Disclosures provide a specific framework for banks to report on the financial implications of climate change. They require detailed transparency on how banks identify, assess, and manage 'Physical' and 'Transition' risks within their lending and investment portfolios, supporting global market stability during the green transition."

Technical ID

fsb-tcfd-banking-disc

Sustainability & ESG

FSC Chain of Custody (STD-40-004)

"Compliance with the Forest Stewardship Council's standard for Chain of Custody Certification, FSC-STD-40-004 V3-1, necessitates a verifiable control system for tracking certified materials throughout production and trade. Organizations must implement a `management_system_documented` in full, encompassing a `material_accounting_system_active` and a clearly `fsc_volume_control_method_defined` to manage inputs and outputs. Critical to this system is the monitoring of conversion factors, where variance cannot exceed a `max_conversion_factor_variance_percent` of five. Comprehensive record-keeping is mandated, with a `record_retention_years_min` of five years, and an `annual_volume_summary_required` must be compiled for reconciliation. All `sales_documents_include_fsc_claim` information must accurately reflect product status, supported by a robust `nonconforming_product_procedure_active`. Adherence extends to external requirements, including `fsc_trademark_use_approved` as specified in FSC-STD-50-001 V2-1, and risk mitigation for uncertified inputs per FSC-STD-40-005 V3-1 for Sourcing Controlled Wood. As stipulated by Part IV of the core standard and the Directive on Chain of Custody Certification, FSC-DIR-40-004, firms must ensure `core_labor_requirements_met` status and maintain an `occupational_health_safety_active` program. The successful implementation of a `supply_chain_due_diligence_active` system is foundational, aligning with evolving regulations like the European Union Deforestation Regulation (EUDR) 2023/1115."

Technical ID

fsc-chain-of-custody

Food & Hospitality

FSSC 22000 (Food Packaging)

"FSSC 22000 certification for food packaging manufacturers establishes a comprehensive framework for food safety management, recognized by the Global Food Safety Initiative. Compliance necessitates an organization's full implementation and certification of a Food Safety Management System (FSMS) according to the requirements of ISO 22000:2018. This system must be built upon a foundation of prerequisite programs (PRPs) specifically designed for packaging, as detailed in ISO/TS 22002-4:2013. A core operational component is an active, continually validated HACCP plan developed from Codex Alimentarius principles. Beyond these core standards, FSSC 22000 Scheme Version 6 mandates several additional requirements for demonstrable control. These include an active allergen management control program to mitigate cross-contact risks and an active, risk-based environmental monitoring program. Organizations must also execute a TACCP-based food defense threat assessment and a corresponding VACCP-based food fraud vulnerability assessment. Operational integrity requires a robust traceability system, tested for effectiveness at least every 12 months, alongside formal supplier performance reviews conducted with a minimum frequency of every 12 months. Reflecting modern risks, active security controls for ICT and SCADA systems are mandatory, supported by data integrity protocols ensuring backups occur at least every 24 hours. The entire framework is underpinned by a formal, implemented Food Safety Culture Plan designed to influence positive behavioral change across the organization, aligning with GFSI Benchmarking Requirements."

Technical ID

fssc-22000-food-pack

Sales, Marketing & PR

How to Make Effective Disclosures in Digital Advertising

"The general principles of advertising law apply online, and this guidance addresses how businesses can develop ads for online media in compliance with the law. The same consumer protection laws applicable to other media apply online, including the mobile marketplace. The FTC Act’s prohibition on “unfair or deceptive acts or practices” encompasses all online advertising, marketing, and sales. The core obligation for advertisers is to ensure that products and services are described truthfully and that consumers understand what they are paying for. Required disclosures must be clear and conspicuous. To meet this standard, advertisers must consider a disclosure's placement and proximity to the relevant claim, its prominence, and whether it is unavoidable. Other factors include whether distractions in the ad diminish the disclosure's effectiveness, the need for repetition, the adequacy of volume and cadence for audio disclosures, sufficient duration for visual disclosures, and the use of understandable language. If a disclosure is necessary to prevent an ad from being deceptive or unfair, and it is not possible to make that disclosure clearly and conspicuously on a particular platform, then that platform should not be used to disseminate the advertisement."

Technical ID

ftc-digital-advertising-disclosures

Sales, Marketing & PR

FTC (Endorsement Guides)

"An evaluation of this endorsement content reveals a significant compliance failure under Federal Trade Commission authority, as established by Section 5(a) of the FTC Act, which prohibits unfair or deceptive practices. Pursuant to 16 CFR § 255.5, the existing material connection between the endorser and advertiser necessitates a disclosure that is both clear and conspicuous. This content violates that standard because the `material_connection_disclosed` parameter is false, constituting a deceptive omission. Furthermore, the analysis indicates the `disclosure_clear_and_conspicuous` requirement has not been met, as any potential disclosure is not `unavoidable_before_engagement` for consumers and the language used is ambiguous. Operational guidance from documents like the FTC's 'Disclosures 101 for Social Media Influencers' demands explicit markers which are difficult to miss; the confirmed absence of a `video_includes_superimposed_disclosure` or an `audio_includes_spoken_disclosure` exemplifies this critical deficiency. While the review confirms the message `reflects_honest_opinion_or_experience` from an `endorser_bona_fide_user` and that `substantiated_performance_claims` are present, consistent with principles in 16 CFR § 255.1 and 16 CFR § 255.2, these positive factors do not mitigate the primary violation. The communication satisfies the 'endorsement' definition from 16 CFR § 255.0, but its lack of proper disclosure renders it misleading. Despite an `advertiser_monitoring_program_active` status, this specific execution remains non-compliant and poses significant regulatory risk."

Technical ID

ftc-endorsement-guides

Legal & IP Sovereignty

Facing Facts: Best Practices For Common Uses of Facial Recognition Technologies

"In October 2012, the Federal Trade Commission's Bureau of Consumer Protection issued a staff report titled 'Facing Facts: Best Practices For Common Uses of Facial Recognition Technologies.' This report establishes recommended best practices for companies that use facial recognition technologies to promote consumer protection and safeguard consumer privacy. The guidance addresses key issues within privacy and security, focusing on responsible data handling and transparency for common commercial uses of these technologies. It encourages businesses to implement privacy-by-design, be transparent about their data practices, provide consumers with appropriate choices, and secure the data they collect and maintain."

Technical ID

ftc-facing-facts-facial-recognition

Banking & Global Finance

Fundamental review of the trading book

"This consultative document presents the initial policy proposals emerging from the Basel Committee’s fundamental review of trading book capital requirements, intended to strengthen capital standards for market risk and contribute to a more resilient banking sector. The review was initiated because the financial crisis exposed material weaknesses in the design of the framework for capitalising trading activities, where the level of capital proved insufficient to absorb losses. The proposals address shortcomings in the overall design of the regime as well as weaknesses in risk measurement under both the internal models-based and standardised approaches. The Committee's key areas of focus include a reassessment of the trading book/banking book boundary, with proposals for a "trading evidence-based" or a "valuation-based" boundary. It intends to move to a capital framework that is calibrated to a period of significant financial stress. A significant proposal is moving from Value-at-Risk (VaR) to Expected Shortfall (ES) to better capture "tail risk". The proposals also seek a comprehensive incorporation of the risk of market illiquidity, using "liquidity horizons" defined as the time required to exit or hedge a risk position in a stressed market. The Committee is also considering the treatment of hedging and diversification, and strengthening the relationship between the standardised and internal models-based approaches, potentially by introducing the standardised approach as a floor."

Technical ID

fundamental-review-of-the-trading-book

Legal & IP Sovereignty

US GAAP Framework

"United States Generally Accepted Accounting Principles establish the definitive standards for financial accounting and reporting as promulgated by the Financial Accounting Standards Board. This framework mandates a systematic evaluation of an entity's adherence to core tenets through a series of qualitative verifications and quantitative assessments. Compliance requires confirmation that the `revenueRecognitionPrincipleMet` aligns with performance obligations and that the `matchingPrincipleApplied` correctly aligns expenses with revenues. Furthermore, the evaluation validates whether the `fullDisclosurePrincipleFollowed` ensures transparency and if the `historicalCostPrincipleUsed` is appropriately maintained for asset valuation. Specific procedural checks confirm if `inventoryValuationMethodConsistent` application is present and that `assetDepreciationCalculated` follows acceptable methodologies. The framework’s integrity also rests on foundational assumptions, such as verifying the `goingConcernAssumptionValid` status for the reporting entity. A critical output is the boolean determination `isMaterialMisstatementDetected`, which signals significant reporting inaccuracies. The node quantifies compliance through several metrics, including the total `requiredFinancialStatementsGenerated`, an `internalControlsEffectivenessRating` score, and a final `auditTrailIntegrityScore` to measure the immutability and completeness of financial records. These combined checks provide a comprehensive attestation of conformity with authoritative accounting standards."

Technical ID

gaap-us-framework

Sales, Marketing & PR

GDPR Art 21 (Opt-out)

"GDPR Article 21 grants data subjects an absolute right to object to the processing of their personal data for direct marketing purposes. When a `data_subject_objected` flag is triggered within a context where `is_direct_marketing_context` is true, which explicitly includes instances of `is_profiling_for_marketing`, the organization must cease all related processing activities. As stipulated by GDPR Recital 70 and Article 21(3), this right is unconditional; consequently, the schema configuration `allow_legitimate_interest_override` is set to false, meaning no compelling legitimate grounds can supersede the data subject's objection. The cessation must be immediate, reflected by the `halt_processing_immediate` parameter being true. Compliance with the request, as mandated by GDPR Article 12(3), must occur without undue delay and within a maximum timeframe of `max_response_time_days` set to 30. Reinforcing GDPR Recital 70 and principles from the ePrivacy Directive, no charge may be levied, with `fee_applicable_euros` fixed at 0. To ensure the objection's effectiveness, the data subject's details must be placed on a suppression list (`add_to_suppression_list` is true) and their marketing consent state must be locked (`lock_marketing_consent_state` is true) to prevent future processing for these purposes. Furthermore, the obligation extends to downstream entities, requiring that organizations `notify_third_party_processors` of the objection. The obligation to explicitly and clearly present this right, separate from other information per GDPR Article 21(4), underscores its importance, and for this specific action, `require_strict_identity_verification` is configured as false to minimize friction in exercising this fundamental right."

Technical ID

gdpr-art-21-marketing-optout

Legal & IP Sovereignty

GDPR DPO Requirements

"The EU GDPR (General Data Protection Regulation) requires certain organizations to designate a Data Protection Officer (DPO) (Article 37). The DPO acts as an independent compliance champion, advising the organization on its data protection obligations and serving as a contact point for data subjects and supervisory authorities."

Technical ID

gdpr-data-protection-officer

Medical & Healthcare

GDPR: Health Data (Art. 9)

"GDPR Article 9 establishes a general prohibition on processing special categories of personal data, with 'data concerning health' (including mental health, genetic data, and biometric data used for identification) receiving the highest level of protection. Processing is only permitted under ten exhaustive exemptions including explicit consent, vital interests, medical purposes under professional secrecy, public health, and scientific research under appropriate safeguards. AI systems processing health data — including medical AI, diagnostic tools, health chatbots, and research analytics platforms — must identify a specific Article 9(2) exemption, implement appropriate technical and organizational measures, and in most cases conduct a Data Protection Impact Assessment (DPIA) under Article 35. Violations involving special category health data attract the highest GDPR fines: up to €20 million or 4% of global annual turnover under Article 83(5)."

Technical ID

gdpr-health-data

Medical & Healthcare

GDPR Health Data (EU)

"The EU GDPR 2016/679 (General Data Protection Regulation) classifies health data as a 'special category' of personal data. Article 9 generally prohibits the processing of such data unless a specific legal exemption is met, necessitating a high level of security and stricter compliance requirements compared to general personal data."

Technical ID

gdpr-health-data-compliance

Food & Hospitality

GDPR (Hospitality Specifics)

"Significant compliance deficiencies exist regarding the lawful basis for processing personal data within a hospitality context. Current configuration confirms `guest_consent_marketing_obtained` is false, violating GDPR Article 6(1)(a) requirements for consent in marketing communications, a gap mirrored by the `loyalty_program_explicit_opt_in` also being false. More critically, explicit consent for special categories of data under Article 9(2)(a), such as guest health information, is not being obtained, since `special_category_data_consent_obtained` registers false. While essential controls like enabling `pii_encryption_at_rest_enabled` and meeting processor stipulations per Article 28 through a signed `ota_data_sharing_agreement_signed` are in place, these consent failures present substantial regulatory risk. Positive measures include adherence to data minimisation principles from Article 5(1)(c), evidenced by `passport_copy_deleted_after_verification` being true and a defined `guest_data_retention_days_limit` of 1095 days. Furthermore, the framework correctly supports an individual's right to erasure under Article 17, as `right_to_erasure_supported` is confirmed true, `guest_profiling_automated_opt_out_honored` procedures are operational, and `minor_guest_data_processing_restricted` is active. Breach notification protocols align with Article 33, mandating supervisory authority contact within the `breach_notification_max_hours` threshold of 72. Immediate remediation must focus on implementing compliant consent collection mechanisms to rectify these critical gaps."

Technical ID

gdpr-hospitality-nuance

Food & Hospitality

GFSI Benchmarking Requirements

"Global Food Safety Initiative (GFSI) Benchmarking Requirements Version 2020.1 mandates a comprehensive framework for food safety, ensuring organisations implement and maintain a robust Food Safety Management System (FSMS). Compliance necessitates that all FSMS documentation is approved, with a fully operational HACCP system founded on principles from the Codex Alimentarius General Principles of Food Hygiene. Beyond traditional hazards, the framework integrates preventative controls against intentional contamination, requiring an active food defense plan consistent with frameworks like BSI PAS 96:2017 and regulations such as the FDA Food Safety Modernization Act's rule on Mitigation Strategies to Protect Food Against Intentional Adulteration. Similarly, an active food fraud mitigation program must be in place. Critical operational controls specified by ISO 22000:2018 must be demonstrably effective, including an active supplier approval program, a documented allergen control plan, and continuous environmental monitoring. The system's traceability capabilities must permit full retrieval within a maximum timeframe of four hours. Continuous improvement and verification are enforced through a strict cadence: internal audits and management reviews must occur at least once every 365 days, with product recall tests also conducted within that same 365-day period. Any identified non-conformities require corrective action resolution within a maximum of 30 days. These rigorous standards, defined in Part III, are upheld by certification organisations adhering to the governance structure detailed in GFSI Benchmarking Requirements Version 2020.1, Part IV."

Technical ID

gfsi-benchmarking

Crypto & Sovereign Finance

Global Financial Stability Report, October 2021: COVID-19, Crypto, and Climate

"This report assesses global financial stability, noting that while risks have been contained due to ongoing policy support and economic rebound, vulnerabilities remain elevated in several sectors. Optimism has faded due to concerns about the strength of the global recovery, supply chain disruptions, and inflation. Stretched asset valuations persist, and there are pockets of vulnerabilities in the nonbank financial sector. Chapter 2 specifically discusses the opportunities and challenges of the crypto ecosystem. Key risks identified include those to consumers arising from crypto asset providers’ lack of operational or cyber resilience. Additionally, significant data gaps, stemming from anonymity and limited global standards, pose risks to financial integrity. For emerging markets and developing economies, the adoption of crypto assets and stablecoins may accelerate dollarization risks. The chapter concludes by noting it provides a set of actionable policy recommendations to address these challenges."

Technical ID

gfsr-crypto-financial-stability-challenges

Sustainability & ESG

GHG Scope 3 Accounting Strategy

"Standardized methodology for measuring and reporting greenhouse gas emissions across the entire corporate value chain (Categories 1–15), accounting for 70–90% of total enterprise footprint."

Technical ID

ghg-protocol-scope3

Workplace

GIPS (Investment Perf)

"Asserting compliance with the Global Investment Performance Standards (GIPS) signifies a firm-wide commitment to fair representation and full disclosure of investment performance, a claim this node validates as true. Adherence requires firms to maintain rigorously documented composite definitions, a foundational element within the GIPS Standards for Firms. The calculation methodology must be systematic and verifiable, mandating trade-date accounting for all transactions and accrual accounting for fixed-income securities. Furthermore, portfolio valuations must occur on a monthly frequency, with established policies for large cash flow adjustments to ensure temporal accuracy of time-weighted returns. Performance presentation necessitates calculation and disclosure of both gross-of-fees and net-of-fees returns. A compliant presentation must show a minimum track record of five years, annually adding performance until a ten-year target is achieved. To bolster this assertion, independent verification is required, ensuring a third party attests that compliance policies are designed and implemented correctly. Comprehensive supporting records must be maintained for a retention period of ten years, substantiating all historical data. Adherence to this comprehensive framework not only provides global comparability but also aligns with the SEC Advisers Act Rule 206(4)-1 by establishing a disciplined process for producing performance advertising that is not materially misleading."

Technical ID

gips-investment-perf-std

Sales, Marketing & PR

Global Alliance (PR Ethics)

"Operational adherence to this node's framework necessitates stringent compliance with the Global Alliance Code of Ethics, beginning with the foundational directive of working in the public interest and creating societal value. Systemic verification, confirming `public_interest_alignment_verified` is true, underpins this mandate. Concurrently, Guiding Principle 2, which demands respect for diversity and local customs, is procedurally enforced through a mandatory `cross_cultural_sentiment_review_required` for all communications. The professional standard of Integrity, outlined in Principle of Professional Practice 1, is maintained via continuously active system controls where `integrity_safeguards_active` is confirmed. All external messaging must exhibit unwavering commitment to Honesty and Accuracy per Principle of Professional Practice 2. This is algorithmically validated through a compulsory `accuracy_fact_check_required`, a validated `honesty_in_communication_validated` status, and a strict remediation protocol allowing a `max_time_to_correct_inaccuracies_hrs` of 24. Upholding Principle of Professional Practice 3, Confidentiality, requires that all sensitive data be secured with `confidential_data_encryption_bits` of at least 256. To mitigate risks under Principle of Professional Practice 4, Conflict of Interest, every engagement undergoes a systematic review where `conflict_of_interest_scanned` is affirmed. Transparency obligations are met by maintaining a `transparency_disclosure_level` of 1 and ensuring any `third_party_sponsorship_disclosed` is explicitly declared. Sustained compliance also requires personnel to complete recurrent training, as reflected by the `ethics_training_validity_days` cycle of 365."

Technical ID

global-alliance-pr-ethics

Sustainability & ESG

Gold Standard Carbon Credits

"Compliance with this node ensures carbon credits adhere to the rigorous Gold Standard for the Global Goals framework. Project validation requires that `project_additionality_verified` is true, demonstrating emission reductions beyond a business-as-usual scenario as guided by the UNFCCC Clean Development Mechanism’s Additionality Tool. Furthermore, each project must deliver a `minimum_sdg_contributions` of three, where `includes_sdg_13_climate_action` is a mandatory component to ensure holistic environmental and social co-benefits. Adherence to Gold Standard Safeguarding Principles is confirmed through mandatory `local_stakeholder_consultation_completed` and an operational `continuous_grievance_mechanism_active`. An `independent_vvb_audit_passed` is compulsory, aligning with ISO 14064-2:2019 specifications for project-level greenhouse gas quantification and monitoring. To meet CORSIA Emissions Unit Eligibility Criteria, a `double_counting_safeguard_active` must be functional, preventing any single credit's duplicative use. Issuance is governed by a `standard_crediting_period_years_max` of five years, necessitating subsequent re-evaluation for continued validity. Systemic integrity requires that `mrv_telemetry_encryption_enabled` protects all monitoring data streams, while secure registry communications must utilize a `registry_api_tls_version_minimum` of 1.2. Lastly, market access and participation are contingent upon a verified `kyc_aml_clearance_for_trading` for all transacting entities, upholding financial probity."

Technical ID

gold-standard-carbon

Medical & Healthcare

Good Machine Learning Practice for Medical Device Development: Guiding Principles

"The U.S. Food and Drug Administration (FDA), Health Canada, and the United Kingdom’s Medicines and Healthcare products Regulatory Agency (MHRA) have jointly identified 10 guiding principles that can inform the development of Good Machine Learning Practice (GMLP). These principles aim to promote safe, effective, and high-quality medical devices that use artificial intelligence and machine learning (AI/ML). AI/ML technologies have the potential to transform health care by deriving new insights from vast amounts of data, but they also present unique considerations due to their complexity and the iterative, data-driven nature of their development. These 10 guiding principles are intended to lay the foundation for developing GMLP that addresses the unique nature of these products and to cultivate future growth in this rapidly progressing field. They identify areas where international bodies could work to advance GMLP, including research, creating educational tools, international harmonization, and consensus standards. The principles may be used to adopt good practices from other sectors, tailor them for medical technology, or create new practices specific to the healthcare sector."

Technical ID

good-machine-learning-practice-medical-devices

Sales, Marketing & PR

Google Ads (Data Terms)

"Adherence to Google Ads data terms necessitates a stringent controller-processor framework, formalized through an electronically signed Data Processing Agreement that reflects the processor obligations under GDPR Article 28. Consent acquisition must be managed via the required implementation of Consent Mode v2, ensuring that both ad user data and ad personalization are not granted by default; this aligns with the conditions for consent outlined in GDPR Article 7 and the Google EU User Consent Policy. Technical security controls are mandatory, consistent with the Google Ads Data Processing Terms Article 5, requiring all personally identifiable information to be hashed using SHA-256 pre-transit and all offline conversion uploads to be secured through SSL enforcement. Operational policy enforces a minimum audience of 1000 for Customer Match, a maximum user data retention period of 390 days, and strictly prohibits unconsented remarketing. To satisfy regional legislation, compliance with the California Consumer Privacy Act is maintained by enabling Restricted Data Processing, thereby honoring the right to opt-out per Cal. Civ. Code § 1798.120. Furthermore, an active LGPD data processing agreement is required to fulfill operator responsibilities and consent requirements as stipulated in Brazil’s Lei Geral de Proteção de Dados Pessoais Articles 39 and 8, respectively."

Technical ID

google-ads-data-proc-terms

Food & Hospitality

Green Key Eco-Rating

"Compliance with the Green Key Eco-Rating standard requires adherence to stringent environmental management and operational benchmarks, harmonized with recognized frameworks like the Global Sustainable Tourism Council Industry Criteria. The node validates implementation of an environmental management system, reflecting principles within ISO 14001:2015, which must include a publicly available environmental policy and active guest communications. Water conservation mandates are strict, stipulating maximum flow rates for taps at 8 liters per minute, showers at 9 liters per minute, and toilets at 6 liters per flush. Energy efficiency measures, contextualized by commitments under the Glasgow Declaration on Climate Action in Tourism, demand a minimum of 75% of all lighting be high-efficiency LED technology and that HVAC systems utilize active automatic shutoff sensors. Waste management protocols necessitate sorting into at least three distinct categories. Procurement policies must demonstrate a minimum of 70% of cleaning chemicals are certified with a recognized eco-label, a standard echoed by the EU Ecolabel for Tourist Accommodation Establishments. Furthermore, a complete elimination of single-use plastic toiletries is required, supporting the objectives of the Global Tourism Plastics Initiative. The standard also mandates annual staff sustainability training conducted within a 12-month cycle and requires providing at least two local or organic food options, fulfilling a comprehensive set of the Foundation for Environmental Education’s mandatory criteria."

Technical ID

green-key-tourism-eco

Sustainability & ESG

GRI 1: Foundation (2021)

"GRI 1: Foundation 2021 is the core standard in the Global Reporting Initiative (GRI) framework that establishes the foundational concepts, principles, and requirements organizations must follow when reporting on their environmental, social, and governance (ESG) impacts. GRI 1 introduces the concept of 'double materiality' through its impact materiality focus — organizations must report on their significant impacts on the economy, environment, and people, regardless of whether those impacts are financially material to the organization. GRI is used by over 10,000 organizations globally and is required or referenced by the EU Corporate Sustainability Reporting Directive (CSRD), the UN SDGs monitoring framework, and stock exchange ESG disclosure requirements in over 50 markets. Organizations using GRI must make a statement of use specifying which GRI Standards were used and the reporting period covered; false or misleading GRI claims expose organizations to greenwashing liability."

Technical ID

gri-1-foundation

Sustainability & ESG

GRI Universal Standards

"The Global Reporting Initiative (GRI) Universal Standards 2021 are the global baseline for modular sustainability reporting. They cover impact materiality—how an organization impacts the economy, environment, and people—ensuring consistent, high-quality disclosure for stakeholders and communities."

Technical ID

gri-universal-standards

Sustainability & ESG

ENTSO-E Grid Code Compliance

"Entities connecting to the European interconnected grid must demonstrate rigorous adherence to harmonized technical and security standards. This compliance framework, principally defined by Commission Regulation (EU) 2016/631 on requirements for grid connection of generators, mandates stringent operational performance. Power-generating modules must ensure continuous operation between 49 Hz and 51 Hz and prove fault-ride-through capability for a minimum of 150 ms. The system validates that active power control is enabled (`active_power_control_enabled`) and that reactive power capability is verified (`reactive_power_capability_verified`), consistent with protocols from the ENTSO-E Implementation Guidance Document on Compliance Testing and Monitoring. Similar obligations for other participants are outlined within Commission Regulation (EU) 2016/1388 on Demand Connection and Commission Regulation (EU) 2016/1447 for HVDC systems. Augmenting these operational rules, Delegated Regulation (EU) 2024/1183, the Network Code on Cybersecurity, alongside the overarching Directive (EU) 2022/2555 (NIS2 Directive), establishes critical digital resilience criteria. These mandates necessitate a certified ISMS (`cybersecurity_isms_certified`), enforced SCADA access MFA (`scada_access_mfa_enforced`), and required communication encryption (`communication_encryption_required`). Organizations are further obligated to complete an annual cyber risk assessment (`annual_cyber_risk_assessment_required`) and report significant incidents within a 24-hour maximum timeframe. This verification extends to critical system restoration, confirming that black start capability is tested (`black_start_capability_tested`)."

Technical ID

grid-code-entsoe

Logistics & Supply Chain

GS1 EPCIS: Supply Chain Visibility

"Compliance with global supply chain visibility mandates requires strict adherence to standardized data exchange protocols and security controls. This node enforces alignment with the GS1 EPC Information Services (EPCIS) Standard, Release 2.0, also codified as ISO/IEC 19987:2017, which forms the technical backbone for interoperable electronic tracing as required by regulations such as the US FDA Drug Supply Chain Security Act (DSCSA) and the Food Safety Modernization Act (FSMA) Section 204. It also supports compliance with the European Union Falsified Medicines Directive. All inbound data transmissions must be EPCIS 2.0 compliant, utilize TLS 1.2 or higher for transport security, and require OAuth2 authentication for access control. Data integrity is paramount; the system validates all XML and JSON-LD submissions against the official schema, enforces the GS1 Core Business Vocabulary standard, and verifies GS1 check digits. To ensure event uniqueness and non-repudiation, each event must possess a hash ID generated using the SHA-256 algorithm. System performance is managed by limiting event payloads to a maximum of 10 MB and maintaining a data capture error rate below a 1 percent threshold. Furthermore, strict redaction is enabled for unauthorized queries to protect sensitive business information. All captured event data is subject to a 2190-day retention period, fulfilling long-term record-keeping obligations under these diverse regulatory frameworks."

Technical ID

gs1-epcis-transparency

Food & Hospitality

GSTC Sustainability Criteria

"Compliance with the Global Sustainable Tourism Council (GSTC) criteria necessitates a comprehensive approach to operational sustainability that integrates key principles from international agreements. This node validates that an active sustainable management system is in place (has_sustainable_management_system: true) and subject to a mandatory annual reporting cycle (sustainability_reporting_frequency_months: 12). Socio-economic responsibilities, reflecting the UNWTO Global Code of Ethics for Tourism, require an active local purchasing and employment policy (local_purchasing_and_employment_policy_active) and effective measures against commercial exploitation (commercial_exploitation_prevention_enforced). Cultural integrity is paramount, requiring documented heritage-protection procedures (cultural_heritage_protection_documented) and a ban on the sale of historical and archaeological artifacts except as permitted by local and international law (historical_artifact_sales_prohibited). Environmental performance, aligned with ISO 14001:2015 and the United Nations Sustainable Development Goals, mandates that greenhouse gas emissions are measured (greenhouse_gas_emissions_measured) and tracked against a ghg_reduction_target_percentage of at least 5, that water consumption monitoring is operational (water_consumption_monitoring_active), that single-use plastics are eliminated from operations (single_use_plastics_eliminated), and that a solid waste reduction policy is implemented to promote responsible consumption (solid_waste_reduction_policy_active). Finally, ethical wildlife interactions are confirmed by upholding captive animal welfare standards (captive_animal_welfare_standards_met) and by controlling any trade in wildlife products consistent with the Convention on International Trade in Endangered Species of Wild Fauna and Flora (CITES)."

Technical ID

gstc-tourism-criteria

Banking & Global Finance

Guidance on Model Risk Management

"This supervisory guidance, issued by the Federal Reserve and the Office of the Comptroller of the Currency (OCC), is intended for use by banking organizations and supervisors to assess the management of model risk. It applies to all banking organizations supervised by the Federal Reserve, taking into account each organization’s size, nature, complexity, and the extent of its use of models. The guidance defines a model as a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to process input data into quantitative estimates. The core obligation is for banking organizations to be attentive to the possible adverse consequences of decisions based on models that are incorrect or misused. Organizations must address these consequences through active model risk management, which includes robust model development, implementation, and use; effective validation; and sound governance, policies, and controls. Model risk is the potential for adverse consequences from decisions based on incorrect or misused model outputs, which can lead to financial loss, poor business and strategic decision-making, or damage to a banking organization’s reputation. A guiding principle is the 'effective challenge' of models, which involves critical analysis by objective, informed parties that can identify model limitations and produce appropriate changes."

Technical ID

guidance-on-model-risk-management

Cybersecurity

Guide to Computer Security Log Management

"A log is a record of the events occurring within an organization’s systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. This document provides guidance on computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. This guidance is primarily for Federal agencies to comply with legislation like the Federal Information Security Management Act of 2002 (FISMA), but may also be useful for non-governmental organizations subject to regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS). A fundamental problem with log management is effectively balancing limited resources with a continuous supply of log data. This involves challenges in log generation and storage, protection, and analysis. Implementing the recommendations should assist in facilitating more efficient and effective log management."

Technical ID

guide-computer-security-log-management

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. This guidance applies to federal agencies and is designed for program managers, system owners, and security personnel. It provides basic information on how to prepare a system security plan, which should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Since the system security plan establishes and documents the security controls, it should form the basis for the authorization to operate, supplemented by an assessment report and a plan of actions and milestones. Management authorization should be based on an assessment of management, operational, and technical controls. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

guide-developing-security-plans

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. This guidance is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). All federal systems have some level of sensitivity and require protection as part of good management practice, and the protection of a system must be documented in a system security plan. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. It should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. The plan establishes and documents security controls, forming the basis for authorization by a senior management official, who accepts the associated risk by authorizing the system to operate. This authorization should be based on an assessment of management, operational, and technical controls. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

guide-developing-security-plans-federal

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection, which must be documented in a system security plan as required by OMB Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization for a system to operate is based on an assessment of management, operational, and technical controls documented in the system security plan. By authorizing processing, a manager accepts the system's associated risk. The plan forms the basis for this authorization, supplemented by an assessment report and a plan of actions and milestones. Re-authorization should occur whenever there is a significant change in processing, but at least every three years. This guidance applies to federal agencies, program managers, system owners, and security personnel, and may be used by non-governmental organizations on a voluntary basis."

Technical ID

guide-developing-security-plans-federal-information-systems

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources, as all federal systems have some level of sensitivity and require protection. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system, reflecting input from various managers including information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization to operate a system is based on an assessment of management, operational, and technical controls documented in the system security plan. By authorizing processing, a manager accepts the associated risk. The system security plan, supplemented by an assessment report and a plan of actions and milestones, forms the basis for this authorization. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

guide-developing-security-plans-federal-systems

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. It should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system and reflect input from various managers, including information owners, the system owner, and the senior agency information security officer (SAISO). This guidance is for federal agencies and is intended for program managers, system owners, and security personnel. The system security plan establishes and documents the security controls and forms the basis for the authorization to operate, granted by a management official who accepts the associated risk. A senior management official must authorize a system to operate based on an assessment of management, operational, and technical controls. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

guide-for-developing-security-plans

Cybersecurity

Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories

"This guideline has been developed to assist Federal government agencies to categorize information and information systems. The guideline’s objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information or information system. It addresses the Federal Information Security Management Act (FISMA) direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. This guideline applies to all Federal information systems other than national security systems. This publication is intended to serve a diverse federal audience of information system and information security professionals including individuals with oversight responsibilities (e.g., chief information officers), organizational officials (e.g., mission and business area owners), individuals with development responsibilities, and individuals with implementation and operational responsibilities. It provides a structured, yet flexible framework for satisfying the requirements of FISMA. Security categorization is the key first step in the Risk Management Framework because of its effect on all other steps, from the selection of security controls to the level of effort in assessing security control effectiveness."

Technical ID

guide-mapping-information-types-security

Cybersecurity

Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

"For many organizations, their employees, contractors, business partners, vendors, and other users utilize enterprise telework technologies to perform work from external locations, using remote access technologies to interface with an organization’s non-public computing resources. The nature of telework and remote access technologies—permitting access to protected resources from external networks and often externally controlled hosts—generally places them at higher risk. All components of these solutions, including organization-issued and bring your own device (BYOD) client devices, remote access servers, and internal resources, should be secured against expected threats as identified through threat models. Major security concerns include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, and the availability of internal resources to external hosts. This publication provides information on security considerations for several types of remote access solutions and makes recommendations for securing telework, remote access, and BYOD technologies. It also gives advice on creating related security policies, which should be based on the assumption that external environments contain hostile threats. An organization should assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization’s data and resources. Organizations should plan policies that define permitted forms of remote access, restrictions on client devices, and how servers are secured and configured to enforce these policies."

Technical ID

guide-telework-remote-access-byod

Cybersecurity

Guide to Storage Encryption Technologies for End User Devices

"This publication assists organizations in understanding, planning, implementing, and maintaining storage encryption technologies for end user devices, including personal computers, consumer devices like smart phones, and removable storage media. It addresses threats to information confidentiality such as device loss or theft, insider attacks, and malware. The primary security controls discussed for restricting access to sensitive information, particularly personally identifiable information (PII), are encryption and authentication. The guide provides practical, real-world guidance for three classes of storage encryption: full disk encryption, volume and virtual disk encryption, and file/folder encryption. It makes recommendations for implementing and using each type. Key recommendations for Federal departments and agencies include using centralized management for most deployments to ensure policy verification, key management, and data recovery. Organizations should ensure all cryptographic keys are secured and managed properly throughout their lifecycle, from generation to destruction, to support data recovery. Appropriate user authenticators should be selected, with a preference for two-factor authentication, as using a single-factor authenticator for both OS login and encryption significantly weakens protection. Storage encryption by itself is considered insufficient; it must be complemented by other security controls, such as securing device operating systems, revising organizational policies, and making users aware of their responsibilities."

Technical ID

guide-to-storage-encryption-technologies

Cybersecurity

Guidelines for Securing Wireless Local Area Networks (WLANs)

"A wireless local area network (WLAN) is a group of wireless networking devices within a limited geographic area that exchange data through radio communications, based on the IEEE 802.11 standard. The security of each WLAN is heavily dependent on how well each WLAN component—including client devices, access points (APs), and wireless switches—is secured throughout the WLAN lifecycle. This publication provides recommendations for improving the security of organizations' WLANs through security configuration and monitoring, supplementing other NIST publications by consolidating and strengthening their key recommendations. Core obligations for organizations include having standardized security configurations for common WLAN components, considering how a WLAN may affect the security of other networks, and implementing logically separated WLANs for internal and guest use. Organizations should have policies that clearly state which forms of dual connections are permitted or prohibited for WLAN client devices and enforce these policies through appropriate security controls. It is crucial to ensure that the organization's WLAN client devices and APs have configurations at all times that are compliant with the organization's WLAN policies. To support this, organizations must perform both attack monitoring and vulnerability monitoring, and conduct regular periodic technical security assessments for their WLANs, at least annually, to evaluate overall security."

Technical ID

guidelines-securing-wireless-local-area-networks

Medical & Healthcare

Good Clinical Practice (GCP)

"Good Clinical Practice (GCP) is an international ethical and scientific quality standard for designing, conducting, recording, and reporting trials that involve human subjects. Based on the ICH E6(R2) guideline, compliance provides public assurance that the rights, safety, and well-being of trial subjects are protected and that the clinical trial data are credible."

Technical ID

gxp-clinical-practice

Medical & Healthcare

Good Mfg Practice (GMP)

"Good Manufacturing Practice (GMP), codified for finished pharmaceuticals in 21 CFR Parts 210 and 211 (medical devices are governed separately by the quality system requirements of 21 CFR Part 820), is the primary U.S. standard for ensuring that products are consistently produced and controlled according to defined quality standards. It is designed to minimize the risks involved in production that cannot be eliminated through testing the final product."

Technical ID

gxp-mfg-practice

Food & Hospitality

HACCP (Food Safety)

"Compliance with Hazard Analysis and Critical Control Point (HACCP) systems mandates a systematic, science-based approach to food safety management, aligning with global standards like Codex Alimentarius CXC 1-1969 and specific regulatory frameworks such as the EU's Regulation (EC) No 852/2004. This methodology is also codified in United States regulations, including 21 CFR Part 117 for human food under FSMA, 9 CFR Part 417 governing meat and poultry, 21 CFR Part 120 for juice processing, and 21 CFR Part 123 pertaining to fish products. Conformance requires that a multidisciplinary HACCP team is assembled and that robust prerequisite programs are implemented. A comprehensive, documented hazard analysis must be conducted, leading to the identification of at least one Critical Control Point (CCP) for which validated critical limits are established. Continuous process control is demonstrated through monitoring procedures executed at intervals of no more than 24 hours, supported by an active corrective action plan to address any deviations. System integrity is validated through annual verification audits conducted within a 365-day cycle, sensor calibration at 30-day intervals, and confirmation that the product recall plan is tested. All relevant documentation must be maintained according to a record retention period of 2 years, while personnel competency is upheld with a minimum of 8 annual employee training hours."

Technical ID

haccp-food-safety

Creative, Content & Media IP

Hague System (Designs)

"Compliance with the Hague System for international design registration necessitates strict adherence to the Geneva Act of the Hague Agreement (1999), mandating the filing of a WIPO international application. Entitlement to file, as stipulated by Article 3, requires an applicant maintain a genuine connection through nationality, domicile, or industrial establishment within a Contracting Party. The international application itself, governed by Article 5 and Common Regulations Rule 7, may contain up to 100 distinct designs, provided they all belong within a single Locarno class. A critical component involves furnishing standardized reproductions of the industrial design, which must conform to the specifications outlined in Common Regulations Rule 9 and the data formats prescribed by Administrative Instructions Section 401. Applicants can request a deferment of publication for a period not exceeding 30 months from the filing or priority date, a provision found in Article 11 that also enforces pre-publication confidentiality. Upon registration, an initial protection term of five years is granted, with subsequent renewals ensuring a minimum total protection term of fifteen years in each designated Contracting Party. All associated fee payments must be made in Swiss francs (CHF), as currency settlement is mandated. This framework provides a centralized, cost-effective mechanism for securing multinational design protection through a single procedural submission."

Technical ID

hague-system-designs

Logistics & Supply Chain

Hague-Visby Rules

"The Hague-Visby Rules are a set of international rules for the carriage of goods by sea. They define the rights and duties of the carrier and the holder of a bill of lading, particularly regarding liability for loss of or damage to goods. They update the original 1924 Hague Rules and are widely adopted globally for sea freight contracts."

Technical ID

hague-visby-rules

Food & Hospitality

Hospitality Liquor Licensing

"Compliance within this domain mandates adherence to stringent federal, state, and international alcohol service regulations. A foundational requirement is maintaining a valid_liquor_license_active status, reflecting the federal permit regime of 27 CFR Part 1 under the Federal Alcohol Administration Act, supported by an active liability insurance policy. Operational controls are paramount, restricting service hours to between 0800 and 0200 (24-hour clock) and prohibiting any self_service_alcohol dispensing. Transactions are limited to a maximum_drinks_per_transaction of two. Staffing protocols require a minimum_server_age_required of 18 and that mandatory_staff_training_certification_completed status is maintained. The protection of children from harm, one of the licensing objectives of the UK Licensing Act 2003, is enforced here through a strict minimum_customer_age_required of 21 (the U.S. threshold; the UK statutory age is 18). This is operationalized by the requirement to perform ID verification for any patron appearing under age 30. Furthermore, prohibitions against selling alcohol to minors are explicitly governed by statutes like California Business and Professions Code Section 25658. Responsible vendor obligations extend to refusing service to intoxicated persons, as stipulated by New York State ABC Law Section 65, with all such actions recorded in a required incident log for refusals to mitigate civil liability under general Dram Shop Act standards. All liquor purchase records must be retained for 36 months, and any point-of-sale data, including age verification scans and payment details, must comply with Payment Card Industry Data Security Standard v4.0 for secure handling."

Technical ID

hcll-hospitality-licensing

Medical & Healthcare

HIPAA Breach Notification Rule

"A breach of unsecured protected health information, as defined under 45 CFR § 164.402, has been confirmed following a risk assessment that did not demonstrate a low probability of compromise. Given this event affects 500 individuals, immediate and specific notification obligations are triggered for the covered entity, which retains the burden of proof for compliance according to 45 CFR § 164.414. Pursuant to 45 CFR § 164.404, individual notifications must be issued without unreasonable delay and no later than 60 days after discovery, so at 60 days since discovery they are now due; the content of this notification must adhere to prescribed federal requirements. Concurrently, because 500 or more individuals are affected, 45 CFR § 164.408 requires notice to the Secretary of Health and Human Services contemporaneously with the individual notices, rather than through the annual log reserved for breaches affecting fewer than 500 individuals. Media notice under 45 CFR § 164.406 is triggered only where more than 500 residents of a single State or jurisdiction are affected; an event of exactly 500 therefore does not by itself require it, but where that threshold is crossed, prominent media outlets serving the relevant State or locality must be notified within the same 60-day timeframe. These stringent timelines underscore the importance of prompt reporting from business associates to covered entities, a process governed by 45 CFR § 164.410 that enables downstream regulatory adherence."

Technical ID

hipaa-breach-notification

Medical & Healthcare

HIPAA Privacy Rule

"The HIPAA Privacy Rule establishes national standards governing the use and disclosure of protected health information (PHI) by covered entities and their business associates. General rules articulated within 45 CFR § 164.502 mandate the implementation of appropriate safeguards and require formal business associate agreements for any third-party handling PHI. A foundational principle is the minimum necessary standard, enforced pursuant to 45 CFR § 164.514, which limits PHI use or disclosure to the minimum required for a specific purpose. Specific authorizations from individuals are mandated under 45 CFR § 164.508 for certain uses, including nearly all marketing communications, while the unauthorized sale of PHI is strictly prohibited. The regulation further grants individuals significant rights over their health information. Covered entities must provide a clear Notice of Privacy Practices as specified in 45 CFR § 164.520. Individuals have a right to access their designated record set, with such provision required within a maximum of 30 days per 45 CFR § 164.524. An accounting of disclosures must also be furnished upon request within 60 days, according to 45 CFR § 164.528. Entities have up to 60 days to act upon an individual’s amendment request. Compliance requires appointing a privacy officer, conducting workforce training, and retaining all related documentation for a period of six years."

Technical ID

hipaa-privacy-rule

Medical & Healthcare

HIPAA Security Rule

"The HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C) establishes U.S. national standards for the protection of electronic Protected Health Information (ePHI). It focuses on ensuring the confidentiality, integrity, and availability of ePHI through three pillars: Administrative, Physical, and Technical Safeguards."

Technical ID

hipaa-security-rule

Banking & Global Finance

HKMA TM-G-1 (Tech Risk)

"HKMA TM-G-1 (General Principles for Technology Risk Management) is a Supervisory Policy Manual (SPM) module issued by the Hong Kong Monetary Authority. It sets minimum standards for managing the technology risks that authorized institutions face, covering in particular the oversight of e-banking, logical access controls, and the management of third-party service providers."

Technical ID

hkma-tm-g-1-tech-risk

Medical & Healthcare

HL7 FHIR Interoperability (Release 4)

"Standardized RESTful API architecture for electronic health information exchange, using modular Resources to enable computable healthcare data across disparate systems."

Technical ID

hl7-fhir-interop

Medical & Healthcare

HL7 FHIR v4 (Interoperability)

"HL7 FHIR (Fast Healthcare Interoperability Resources) Release 4 is the global standard for electronic healthcare data exchange. It defines a set of 'Resources' that represent granular clinical and administrative data, accessible via a RESTful API to enable seamless interoperability between EHRs, mobile apps, and analytics platforms."
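The two FHIR nodes above describe a RESTful, resource-oriented API; the authorization layer that normally fronts it is SMART on FHIR, whose scopes name a context (patient, user or system), a resource type and the permitted interactions. The Python below is an added example, not HL7 code or any vendor's implementation: it parses both the v1 (read/write) and v2 (c/r/u/d/s) scope syntax, maps an HTTP request onto a FHIR R4 interaction, and enforces the patient-compartment restriction that stops a patient-context token from reaching other patients' resources. The Token dataclass, the URL layout, the sample resources and the convention that the server hands in the fetched resource for a post-fetch decision are all assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Added example (not HL7 or vendor code): SMART on FHIR scope enforcement for
# FHIR R4 REST interactions, including the patient-compartment check.

SCOPE_RE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]*)\.(read|write|\*|[cruds]+)$")
V1_PERMS = {"read": "rs", "write": "cud", "*": "cruds"}   # SMART v1 keywords -> v2 letters

# Constructed sample resources for the example.
OBS_123 = {"resourceType": "Observation", "id": "obs-1", "subject": {"reference": "Patient/123"}}
OBS_999 = {"resourceType": "Observation", "id": "obs-2", "subject": {"reference": "Patient/999"}}


@dataclass
class Token:
    """Assumed shape of a validated access token: granted scopes plus launch context."""
    scopes: Set[str]
    patient: Optional[str] = None   # Patient logical id from the launch context, if any


def parse_scope(scope: str) -> Tuple[str, str, Set[str]]:
    """'patient/Observation.rs' -> ('patient', 'Observation', {'r', 's'})."""
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"malformed SMART scope: {scope}")
    ctx, rtype, perms = m.groups()
    return ctx, rtype, set(V1_PERMS.get(perms, perms))


def classify(method: str, url: str) -> Tuple[str, Optional[str], str, Dict[str, str]]:
    """Map an HTTP request to (resourceType, id, interaction letter, query params).

    Letters follow SMART v2: c=create, r=read, u=update, d=delete, s=search.
    """
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if not segs:
        raise ValueError("no resource type in path")
    rtype, rid = segs[0], (segs[1] if len(segs) > 1 else None)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    table = {("GET", False): "s", ("GET", True): "r", ("POST", False): "c",
             ("PUT", True): "u", ("PATCH", True): "u", ("DELETE", True): "d"}
    try:
        return rtype, rid, table[(method.upper(), rid is not None)], query
    except KeyError:
        raise ValueError(f"unsupported interaction {method} {url}") from None


def _patient_ref(value: Optional[str]) -> Optional[str]:
    """Accept '123' or 'Patient/123' and return the logical id."""
    return value.split("/")[-1] if value else None


def in_patient_compartment(token: Token, rtype: str, rid: Optional[str], perm: str,
                           query: Dict[str, str], resource: Optional[dict]) -> bool:
    """For patient/ scopes: is the request confined to the token's own patient?"""
    if not token.patient:
        return False
    if rtype == "Patient":
        return (rid or _patient_ref(query.get("_id"))) == token.patient
    if perm == "s":
        # a search must be pinned to the context patient, otherwise it is an enumeration
        return _patient_ref(query.get("patient") or query.get("subject")) == token.patient
    # create uses the submitted resource; read/update/delete use the stored one
    subject = (resource or {}).get("subject", {}).get("reference")
    return _patient_ref(subject) == token.patient


def authorize(token: Token, method: str, url: str, resource: Optional[dict] = None) -> bool:
    """True if some granted scope permits this interaction within its context."""
    rtype, rid, perm, query = classify(method, url)
    if resource is not None and resource.get("resourceType") != rtype:
        return False                       # body/path mismatch is never allowed
    for scope in token.scopes:
        ctx, srtype, perms = parse_scope(scope)
        if srtype not in ("*", rtype) or perm not in perms:
            continue
        if ctx == "patient" and not in_patient_compartment(token, rtype, rid, perm, query, resource):
            continue
        return True
    return False
```

The compartment check is the part most often missed: a scope like `patient/Observation.read` is only meaningful together with the launch-context patient, and without pinning searches and reads to that patient the scope degenerates into a plain type-level grant that any holder can use to enumerate other patients' records.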

Technical ID

hl7-fhir-v4-interop

Food & Hospitality

Hotelstars Union Criteria

"Compliance with Hotelstars Union (HSU) Classification Criteria for the 2020-2025 period mandates adherence to a harmonized set of operational, digital, and quality management standards across member countries. Establishments must achieve a minimum point threshold, starting from 90 points for one-star classification and reaching 600 points for a five-star rating. Foundational service obligations require daily room cleaning, and that the reception is reachable 24 hours. Digital infrastructure is critically assessed, demanding mandatory internet access in public areas and ensuring hotel websites are accurate and bilingual, consistent with information requirements under Directive 2011/83/EU on Consumer Rights. Financial and data security protocols are paramount; cashless payment acceptance is required and must align with Strong Customer Authentication per Directive (EU) 2015/2366 (PSD2), while any enabled secure online booking system dictates guest data privacy be GDPR-compliant in accordance with security of processing principles found in Regulation (EU) 2016/679. For "Superior" status, evidence of a formal quality management system is obligatory, often referencing frameworks like ISO 9001:2015. Furthermore, four- and five-star properties are subject to mandatory mystery guest audits to validate service consistency under the European Hospitality Quality framework from HOTREC."

Technical ID

hotel-stars-union-crit

Food & Hospitality

HOTSEC Hotel Security Logic

"HOTSEC Hotel Security Logic enforces a comprehensive security posture for hospitality environments by integrating critical controls from leading standards and regulations. In alignment with NIST SP 800-153 guidelines, network segmentation is mandated, requiring that guest WiFi be logically isolated from the Property Management System (PMS) and all Internet-of-Things (IoT) devices must operate on a separate VLAN. Full adherence to Payment Card Industry Data Security Standard version 4.0 is necessary for securing cardholder data, which means any vendor remote access must utilize a required VPN connection and PMS access itself mandates multi-factor authentication. Physical and logical access controls, reflecting ISO/IEC 27001:2022 principles, are strictly defined: keycard encryption must be AES-128 or higher, access is revoked after a maximum of five failed keycard attempts, and every electronic safe override procedure must be fully audited. Data governance adheres to data minimization principles outlined in GDPR Article 5(1)(c), setting a maximum retention period of 90 days for guest personally identifiable information, a policy which also supports the consumer right to deletion under the California Consumer Privacy Act. For physical surveillance, a minimum CCTV retention of 30 days is required. The framework, consistent with the AHLA 5-Star Promise concerning employee safety, also dictates that annual staff security training is mandatory. Finally, an operational readiness component requires that a formal incident response plan must be activated within a 60-minute service level agreement."

Technical ID

hotsec-hotel-security

Cybersecurity

Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)

"The objective of this Cybersecurity Profile is to identify an approach to assess the cybersecurity posture of Hybrid Satellite Networks (HSN) that provide services such as satellite-based systems for communications, position, navigation, and timing (PNT), remote sensing, weather monitoring, and imaging. The Profile considers the cybersecurity of all the interacting systems that form the HSN rather than the traditional approach of a single organization acquiring the entire satellite system. It is intended to provide practical guidance for organizations and stakeholders engaged in the design, acquisition, and operation of satellite buses or payloads that involve HSN. The Profile applies to organizations that have already adopted the NIST Cybersecurity Framework (CSF), are familiar with the CSF and want to improve their cybersecurity postures, or are unfamiliar with the CSF but need to implement HSN services in a risk-informed manner. Use of the HSN Profile will help organizations identify systems, assets, data and threats that pertain to HSN; protect HSN services by adhering to basic principles of resiliency; detect cybersecurity-related disturbances; respond to service anomalies in a timely manner; and recover the HSN to proper working order following a cybersecurity incident. The Profile does not prescribe regulations or mandatory practices, nor does it carry any statutory authority."

Technical ID

hsn-cybersecurity-framework-profile

Sustainability & ESG

Hydrogen Safety (ISO 22734)

"Adherence to ISO 22734:2019 establishes a comprehensive safety and operational framework for hydrogen generators utilizing water electrolysis. This regimen necessitates stringent control over process variables, including a hydrogen concentration alarm limit not exceeding 4000 ppm and a maximum permissible oxygen impurity in produced hydrogen of 20000 ppm. Functional safety integrity, as defined by IEC 61508, mandates an emergency shutdown system achieving a Safety Integrity Level of 2, a requirement substantiated by `fail_safe_valves_verified` being true. For operation within potentially explosive environments, equipment must be `atex_zone_certified` under Directive 2014/34/EU. Installation safety, guided by principles from NFPA 2 and basic considerations within ISO/TR 15916:2015, requires continuous mechanical ventilation providing a minimum of 10 air changes per hour. System integrity is maintained through active system pressure monitoring and the use of feed water with conductivity below 5 µS/cm. Furthermore, purge gas systems must operate with a minimum pressure of 5 bar. Cybersecurity for the industrial control system is validated when `iec_62443_compliance_met` is satisfied, which includes `telemetry_encryption_enabled` being true to secure operational data."

Technical ID

hydrogen-safety-iso

Legal & IP Sovereignty

Audit Quality (ISQM 1)

"Compliance with International Standard on Quality Management 1 requires the establishment and operation of a comprehensive System of Quality Management (SOQM). Central to this framework is governance and leadership, mandating that ultimate responsibility and accountability for the SOQM are explicitly assigned. The firm must implement a dynamic risk assessment process, inclusive of an active client acceptance and continuance policy, to establish quality objectives and to identify and assess quality risks. A foundational component involves fulfilling all responsibilities under relevant ethical requirements, ensuring independence is continually tracked per the IESBA Code. The standard further dictates that technological resources, including those from managed service providers, necessitate robust controls; IT applications require enforced security and appropriate environmental controls must be established to maintain audit data confidentiality. A critical, ongoing element is the active monitoring and remediation process, which includes mandated engagement quality reviews to evaluate system effectiveness. Findings from these monitoring activities are evaluated to identify deficiencies, which then enter a remediation workflow that must be completed within a maximum of 60 days. The entire SOQM is subject to a holistic evaluation at least annually, based on a 365-day cycle, to confirm its continued suitability and operational effectiveness."

Technical ID

iaasb-isqm-1-quality

Sales, Marketing & PR

IAB Ads.txt (Auth)

"Compliance with the IAB Tech Lab's Ads.txt Specification Version 1.1 is a mandatory control under the Trustworthy Accountability Group's Certified Against Fraud Guidelines. The BIDDA platform enforces strict validation, requiring the file's location exclusively at the domain root path per Uniform Resource Identifier generic syntax. Secure delivery over HTTPS is mandatory, with server responses conforming to a 5000-millisecond timeout threshold, a 100-kilobyte maximum file size, and no more than five sequential redirects. Per IETF RFC 7231, the HTTP Content-Type header must be explicitly 'text/plain', and file contents must utilize UTF-8 encoding. Syntactically, each record requires a minimum of three fields and must not exceed four, while comments initiated by a hash symbol are permitted. Field-level validation enforces a strict relationship boolean, where the relationship field must contain either 'DIRECT' or 'RESELLER'; case-insensitive processing is applied to this field. These declarations are critical for programmatic verification, mapping the publisher ID against the Sellers.json specification and validating cryptographic nodes within the OpenRTB SupplyChain Object to ensure a transparent, fraud-free advertising ecosystem."

Technical ID

iab-ads-txt-authorization

Sales, Marketing & PR

IAB MRAID (Mobile Ads)

"Compliance with this node mandates strict adherence to the IAB Mobile Rich Media Ad Interface Definition (MRAID) v3.0 specification and pertinent data privacy regulations. All ad creatives must support a `min_mraid_version_supported` of 3.0 and reach the ready state within the `mraid_ready_timeout_ms` of 5000 milliseconds, with `require_mraid_js_initialization` set to true. Security is paramount; therefore, the node sets `enforce_https_all_assets`, requiring all assets to load via HTTPS as stipulated in Section 5.3 of the MRAID v3.0 specification. To align with IAB LEAN Ads Program principles for non-invasive ads, this configuration sets `allow_auto_expand_ads` to false and `require_user_interaction_for_audio` to true. Furthermore, creatives must not use a custom close button when expanded (`allow_custom_close_button_on_expand` is false) and are limited to a `max_resize_width_percentage` and `max_resize_height_percentage` of 100 percent. Performance optimization is enforced, as the policy sets `block_background_network_requests_when_hidden`. The standardized API, detailed in MRAID v3.0 Section 7, governs functionality, with the node requiring that implementations satisfy `enforce_viewability_exposure_api` for accurate measurement. Regarding data privacy, the configuration mandates `require_explicit_location_consent` before accessing geolocation data, a control directly informed by GDPR Article 6(1)(a) and Article 7 on valid consent, MRAID v3.0 Section 4.5 on location privacy, and the Children's Online Privacy Protection Act (COPPA), which prohibits precise location data collection for ads targeting children."

Technical ID

iab-mraid-mobile-ads

Sales, Marketing & PR

IAB OpenRTB

"Enforcement of the IAB OpenRTB protocol ensures rigorous adherence to technical specifications and global privacy regulations. This configuration mandates compliance with key structural elements from the OpenRTB API Specification Version 2.5, requiring that every bid request contain a unique identifier (`require_bid_request_id`) and an impression array (`require_impression_array`), with a corresponding bid response ID (`require_bid_response_id`). The maximum auction timeout is strictly limited to 120 milliseconds. Security of processing, a core tenet of GDPR Article 32, is upheld through the mandatory use of Transport Layer Security encryption (`require_tls_encryption`) consistent with RFC 8446 standards. Further aligning with GDPR Article 5(1)(f), user IP addresses undergo pseudonymization by masking 24 bits from IPv4 and 56 bits from IPv6 addresses. Regulatory compliance is managed through the strict interpretation of specific flags and consent mechanisms. The node enforces the `regs.coppa` flag when its value is 1, which aligns with the Children's Online Privacy Protection Act per 16 CFR § 312.5. It also processes the IAB Tech Lab US Privacy String for CCPA/CPRA compliance and parses the IAB Europe Transparency and Consent Framework v2.2 consent string from `user.ext.consent`. User-level privacy choices are respected by enforcing the Limit Ad Tracking `lmt` flag. To ensure creative quality and brand safety, the node validates all ad markup (`validate_ad_markup_adm`) and blocks prohibited advertiser categories (`block_bcat_categories`)."

Technical ID

iab-openrtb-standard

Sales, Marketing & PR

IAB Sellers.json

"Adherence to the IAB Tech Lab Sellers.json Final Specification v1.0 is a critical mechanism for promoting transparency and combating fraud within the programmatic advertising ecosystem, a concern underscored by the Association of National Advertisers' Programmatic Media Supply Chain Transparency Study. This compliance node validates that exchange-provided files align with industry best practices, including the Trustworthy Accountability Group's Certified Against Fraud Guidelines and the General Data Protection Regulation's Article 5(1)(a) principle of transparency. Key structural mandates require publishing the file at the domain root, enforcing TLS/HTTPS encryption, and serving it with a proper `http_content_type_json` header. The schema verifies that each seller entry contains a mandatory `seller_id` and a `seller_type`, with an allowance for three distinct enumerated values. For any transparent entities, the configuration enforces the inclusion of both `name` and `domain` fields, while also supporting the `is_confidential` flag for parties choosing anonymity. This framework, which complements the OpenRTB SupplyChain Object and ads.txt specifications, further requires that either a contact email or address is provided, respects a `max_cache_duration_seconds` of 86400, and allows for vendor-specific data through a passthrough `ext` object."

Technical ID

iab-sellers-json-standard

Sales, Marketing & PR

IAB SIMID (Interactive)

"Configuration within this compliance node mandates rigorous security controls for interactive advertisements employing the IAB's Secure Interactive Media Interface Definition (SIMID), with a `minimum_simid_version` of 1. Pursuant to IAB Tech Lab guidance on the SIMID protocol, all communication between a media player and interactive creative must utilize the standardized `postMessage` protocol, a policy enforced by the `require_postmessage_protocol` parameter. To mitigate cross-site scripting (XSS) vulnerabilities in alignment with OWASP prevention rules and W3C HTML5 specifications for the iframe element, this node activates a strict sandboxed environment through `enforce_iframe_sandbox`. This configuration explicitly forbids the `allow_same_origin_sandbox` token while permitting necessary script execution via `allow_scripts_sandbox` to maintain ad functionality. The integrity of cross-document messaging is paramount; therefore, `validate_message_origin` is enabled, ensuring all communications are authenticated against their source origin as stipulated by W3C Web Messaging standards. The player and ad initialization handshake, critical for VAST 4.2 SIMID integration, must complete within a `max_initialization_timeout_ms` of 2000 milliseconds. Further security layers include `require_cors_headers` for all resource requests, a stringent Content Security Policy via `enforce_strict_csp`, and a control to `block_top_navigation_without_activation` which safeguards user experience from unsolicited redirects, while `enable_asset_prefetching` is permitted to optimize performance."

Technical ID

iab-simid-interactive-ads

Sales, Marketing & PR

IAB TCF v2.2 (Consent)

"Compliance with IAB Europe's Transparency and Consent Framework v2.2 is enforced according to its governing TCF Policy Version 4, establishing a valid legal basis for data processing pursuant to General Data Protection Regulation Article 6(1)(a) and ePrivacy Directive Article 5(3). This configuration directly reflects critical mandates from the Belgian Data Protection Authority’s decision against IAB Europe, which fundamentally reshaped the framework’s lawful processing requirements. Consequently, the node implements a mandatory block on legitimate interest as a legal basis for purposes three through six. Upholding the strict conditions for consent under GDPR Article 7, this module prohibits manipulative interface designs by disallowing pre-ticked boxes and mandates an accessible mechanism for users to revoke consent at any time. A requirement for explicit consent is enforced for Purpose 1, covering the storage or access of information on a device. Technical specifications are rigorously applied, mandating CMP API version 2, using TC String header version 2, and blocking the deprecated getTCData call. For enhanced transparency, a disclosure of the vendor count is required on the first layer. Ongoing vendor list integrity is maintained through a mandatory check for GVL updates. Finally, consent signal duration is strictly limited, enforcing a maximum retention period of 390 days."

Technical ID

iab-tcf-v2-2-consent

Sales, Marketing & PR

IAB VAST (Video Ads)

"This configuration establishes rigorous compliance standards for digital video advertising by mandating strict adherence to the IAB Tech Lab's VAST 4.3 specification. It requires every creative to contain a `UniversalAdId` for unique tracking and expressly disallows the obsolete VPAID architecture, instead favoring modern SIMID and OMID frameworks. To satisfy Media Rating Council viewability guidelines, each ad response must include an `AdVerifications` node and declare support for the Open Measurement SDK. Performance is strictly governed by capping the ad serving chain at a maximum of 5 wrapper redirects and enforcing a total ad resolution latency under 1500 milliseconds. Security protocols demand that all URIs utilize secure HTTPS, a requirement that supports data protection principles outlined in GDPR Article 5(1)(f), while any tracking pixels must operate under the consent framework of GDPR Article 7. For Server-Side Ad Insertion, a high-bitrate mezzanine file of at least 15000 kbps is mandatory. Accessibility, in accordance with the FCC's CVAA rules, is addressed by requiring a `ClosedCaptionFiles` node in all responses. Finally, the use of server-side macros for dynamic parameter substitution is compulsory."

Technical ID

iab-vast-video-ads

Logistics & Supply Chain

IATA Dangerous Goods Regulations (DGR)

"Assessment against the International Air Transport Association Dangerous Goods Regulations (DGR) confirms the consignment's adherence to standards derived from ICAO Annex 18. Compliance is predicated on personnel holding valid certification under the competency-based training and assessment approach specified in IATA DGR Section 1.5. The article is correctly identified with an assigned UN number per the List of Dangerous Goods found within Section 4.2. Based on criteria from Section 3, it falls under Hazard Class 9 with a low danger Packing Group III designation. Packaging meets all UN specification requirements mandated by Section 5, which outlines general packing provisions alongside specific Packing Instructions. Although the declared quantity per package is zero kilograms, the consignment is forbidden on passenger aircraft, necessitating a Cargo Aircraft Only label. A fully compliant Shipper's Declaration for Dangerous Goods has been provided as stipulated by documentation rules in Section 8. Furthermore, all relevant state and operator variations have been checked, required emergency response information is available for immediate use, and the digital Notification to Captain (NOTOC) has been successfully transmitted to the flight crew. This comprehensive validation ensures every facet of the shipment meets the stringent international framework for the safe air transport of dangerous goods."

Technical ID

iata-dangerous-goods

Food & Hospitality

IATA Passenger Service (Reso)

"Compliance with International Air Transport Association (IATA) passenger service resolutions is mandated to ensure operational uniformity and data integrity across the global air transport system. This framework requires mandatory electronic ticketing for all carriers, a principle reinforced by Resolution 722f, which also necessitates support for interline electronic ticketing to facilitate seamless multi-carrier journeys. Conformance with Resolution 792 dictates that all Passenger Name Record (PNR) data use a standardized PNR format and secure data exchange protocols; the system must also enable EDIFACT to XML conversion for interoperability. Under Resolution 700 concerning passenger acceptance, handling procedures for passengers with reduced mobility (PRM) require that PRM data be encrypted, and all Special Service Request (SSR) communications must adhere to a maximum SSR code length of four characters. Resolution 735d establishes a maximum ticket validity of 12 months for transport documents and governs the auto-cancellation for no-show process, while Resolution 740 specifies the form of interline baggage tags, mandating that the baggage tag barcode standard be Code 128. Finally, operational procedures must align with Recommended Practice 1708, which provides guidelines for Advanced Passenger Information (API) systems and stipulates a maximum API data retention period of 30 days post-travel to balance security needs with privacy obligations."

Technical ID

iata-passenger-svcs

Logistics & Supply Chain

ICAO Annex 17: Aviation Security

"Compliance with ICAO Annex 17 mandates each Contracting State establish a National Civil Aviation Security Programme (NCASP) managed by an appropriate authority, consistent with Standard 3.1.1. The programme's effectiveness hinges upon the rigorous implementation of preventive security measures across all aviation operations. Fundamental preventive measures as detailed in Chapter 4 include comprehensive access control, where `airport_security_restricted_areas_controlled` must be true to safeguard Security Restricted Areas, a status contingent upon a `background_checks_completed_percent` rate of 100 for personnel. Standard 4.4.1 prescribes a universal screening mandate, requiring both `passenger_screening_rate_percent` and `hold_baggage_screening_rate_percent` to equal 100. In parallel, Standard 4.6.1 directs that security controls apply to airfreight, validating compliance when `cargo_supply_chain_security_validated` is true. Addressing modern risks, Standard 4.9.1 requires protection of critical aviation information systems; compliance stipulates that `avsec_cybersecurity_measures_implemented` is true, supported by a `cyber_risk_assessment_frequency_months` cycle not exceeding 12. Overall programme integrity is maintained through a national aviation security quality control programme as required by Standard 3.4.1, demonstrated when `quality_control_audits_active` is true and reinforced by a `national_threat_assessment_frequency_months` interval of 12 and confirmation that the `incident_response_plan_tested_annually` is performed."

Technical ID

icao-annex-17-security

Aviation, Defense & Quantum

ICAO Annex 19 (Safety Management)

"ICAO Annex 19 establishes the international standard for Safety Management Systems (SMS) and State Safety Programmes (SSP) in civil aviation. It focuses on the proactive management of safety risks through the collection, analysis, and exchange of safety data and safety information, ensuring absolute flight safety integrity."

Technical ID

icao-safety-annex-19

Logistics & Supply Chain

ICAO safety management system (SMS)

"An organization's compliance with the International Civil Aviation Organization (ICAO) safety management system framework mandates a systematic approach to managing safety, including necessary organizational structures, accountabilities, policies, and procedures. As detailed in ICAO Annex 19 and supported by guidance within ICAO Doc 9859, a compliant SMS is a fundamental requirement for service providers. This system necessitates that an accountable executive is appointed, ensuring ultimate responsibility for safety performance resides at the highest level, and a safety policy is documented, clearly stating the organization's commitment. The core of the SMS involves a robust safety risk management process where a hazard identification system is active, enabling proactive identification of potential dangers before they result in incidents. Subsequently, risks are assessed, and mitigation actions are triggered when their severity exceeds a defined risk mitigation threshold score of 3. Safety assurance, a critical component detailed in regulations like EASA Part-ORO and 14 CFR Part 5, is maintained through continuous monitoring. This requires that safety performance indicators are defined and a safety data collection system is implemented, providing data to measure performance against targets. A formal management of change process must be active to manage risks associated with operational changes. The system's effectiveness is verified through internal audits, with an audit frequency of 12 months, and at least one annual continuous improvement review conducted by management. Furthermore, safety promotion activities are essential, demanding that safety training compliance achieves 100 percent to ensure all personnel are competent. Finally, an emergency response plan must be active, ensuring readiness for accidents and incidents, a requirement echoed across Annex 6 and Annex 14 for aircraft operators and aerodromes respectively."

Technical ID

icao-safety-mgt-system

Legal & IP Sovereignty

Incoterms 2020 Master

"Adherence to the eleven official trade terms within the International Chamber of Commerce Incoterms® 2020 rules is systematically enforced, defining critical obligations, costs, and the transfer of risk consistent with principles in the United Nations Convention on Contracts for the International Sale of Goods. The node's configuration mandates mode-specific rule application, such as requiring FCA for containerized shipments, while also formally recognizing the transition from DAT to DPU by blocking the former. Insurance obligations are strictly validated, requiring minimum coverage at 110 percent of contract value under Institute Cargo Clauses (A) for CIP transactions and Institute Cargo Clauses (C) for CIF. Furthermore, the system mandates a precisely specified named place to prevent ambiguity in risk transfer. Security-related clearance costs and responsibilities are allocated according to the A9/B9 provisions within each rule, reflecting standards from the World Customs Organization SAFE Framework. The configuration permits parties to utilize their own transport where applicable. To mitigate compliance failures, the node flags significant liabilities associated with EXW and DDP terms, particularly concerning export and import declarant status under frameworks like the Union Customs Code, offering a clear delineation from domestic commercial law such as the U.S. Uniform Commercial Code Article 2."

Technical ID

icc-incoterms-master

Sustainability & ESG

Green Bond Principles (ICMA)

"Compliance with the International Capital Market Association's Green Bond Principles mandates a rigorous framework for ensuring transparency and integrity in the green bond market. Issuers must demonstrate that `require_eligible_green_project_mapping` is satisfied, with `environmental_objectives_documented` clearly and specifically, often utilizing the ICMA Guidance Handbook for mapping to Sustainable Development Goals. A `project_evaluation_process_formalized` within the issuer's operations is critical, under which `esg_risk_mitigation_assessed` for nominated projects must be conducted. The management of proceeds demands that funds are `proceeds_tracked_via_dedicated_sub_account` or managed via an equivalent formal internal process, and any `unallocated_proceeds_strategy_disclosed` transparently to investors. Post-issuance, `annual_allocation_reporting_required` must occur at a minimum `reporting_frequency_months` of twelve, supplemented by disclosures on `material_developments_ad_hoc_reporting` when necessary. This reporting should include `impact_reporting_metrics_defined` as recommended by the Harmonised Framework for Impact Reporting. To bolster credibility, the voluntary guidelines strongly recommend that a `pre_issuance_external_review_obtained` from an independent party, followed by a `post_issuance_allocation_verification_required` to confirm the use of funds. These practices, detailed in the Guidelines for External Reviews, align with stricter frameworks such as the Climate Bonds Standard Version 4.0 and form the foundational architecture for mandatory regimes like the European Union's Regulation 2023/2631 on European Green Bonds."

Technical ID

icma-green-bond

Cybersecurity

Identity and Access Management for Electric Utilities

"The National Cybersecurity Center of Excellence (NCCoE) developed this example solution for electric utilities to more securely and efficiently manage access to the networked devices and facilities on which power generation, transmission, and distribution depend. The guidance is informed by best practices from standards organizations, including the North American Electric Reliability Corporation’s (NERC’s) Critical Infrastructure Protection (CIP) Version 5 standards. As the electric power industry increases operational technology (OT) and information technology (IT) convergence, it challenges departments to efficiently manage identities and access. Many utilities run fragmented Identity and Access Management (IdAM) systems, leading to a lack of traceability, increased risk of attack, and an inability to identify problem sources. This NIST Cybersecurity Practice Guide demonstrates how to implement a converged IdAM platform using multiple commercially available products. The goal is to provide a comprehensive view of all users within the electric utility, across all silos (OT, IT, and physical access), and of the access rights that they have been granted. The core objective is to provide the right person with the right degree of access to the right resources at the right time. This allows for rapid provisioning and de-provisioning of access from a converged platform, reducing the risk of malicious or untrained people gaining unauthorized access to critical infrastructure components."

Technical ID

identity-and-access-management-electric-utilities

Medical & Healthcare

IEC 62304 (Medical Software)

"IEC 62304 is the international standard for medical device software lifecycle processes. It defines the framework of processes, activities, and tasks for the safe design and maintenance of medical software, regardless of whether the software is a standalone product (SaMD) or embedded within a hardware device."

Technical ID

iec-62304-medical-software

Industrial IoT & Energy

Industrial Automation Security (IEC 62443)

"Operationalizing a comprehensive Industrial Automation and Control Systems (IACS) security program, in accordance with IEC 62443-2-1, demands adherence to a stringent set of technical and procedural controls that align closely with guidance in NIST Special Publication 800-82 Revision 3. A foundational element is the security risk assessment for system design, detailed in IEC 62443-3-2, which requires that high-level risk assessments possess a maximum age of 12 months and mandates strict enforcement of network partitioning into Zones and Conduits. System security requirements defined by IEC 62443-3-3 necessitate that all components achieve a minimum Target Security Level (SL-T) of 2. To secure access, multi-factor authentication is mandatory for all remote access, with account lockout triggered after a maximum of 3 consecutive failed login attempts and interactive sessions terminating after 15 minutes of inactivity; moreover, the principle of least privilege must be implemented through enforced role-based access control. The technical security requirements for IACS components, drawn from IEC 62443-4-2, stipulate that cryptographic encryption is required for all data in transit, and continuous visibility is supported through enabled automated asset discovery plus centralized security information and event monitoring (SIEM). Supporting the secure product development lifecycle requirements of IEC 62443-4-1, a 30-day service level agreement for patching critical vulnerabilities is enforced, while system resilience is bolstered by an IACS backup retention period of no less than 90 days."

Technical ID

iec-62443-iacs

Medical & Healthcare

IEC 82304-1 (Health Software)

"IEC 82304-1:2016 is the international standard for general health software product safety. It is designed for software products that do not have dedicated hardware and are used in health environments (e.g., lifestyle, wellness, or administrative software), ensuring safety, reliability, and security across the product lifecycle."

Technical ID

iec-82304-1-health-software

Industrial IoT & Energy

Ethical Design of Agents (IEEE)

"IEEE 2817-2024 is the IEEE Standard for Pilot Qualification and Assessment of Autonomous Systems in Safety-Critical Applications, providing a framework for qualifying autonomous AI agents operating in safety-critical domains including transportation, industrial automation, healthcare, and public safety. The standard draws on the broader IEEE Ethically Aligned Design framework (EAD1e) which establishes that autonomous and intelligent systems must be designed to prioritize human wellbeing, be transparent in their decision-making, be accountable, avoid harm, and be controllable by humans. For AI agents, the standard requires demonstration that the agent's behavior aligns with its stated ethical commitments across a range of operational scenarios, that potential harms can be detected and mitigated, that the agent can be overridden by human operators, and that the agent's decision-making can be audited."

Technical ID

ieee-2817-agent-ethics

Operations & CX

Agent Discovery & Capability Registry (IEEE P3931 ADDR)

"The IEEE P3931 standard for Agent Description, Discovery, and Registry (ADDR) defines a universal, platform-agnostic framework for how autonomous agents describe their capabilities and how they are discovered within cross-platform ecosystems."

Technical ID

ieee-3931-discovery

AI Governance & Law

IEEE Ethics (AI Systems)

"Compliance verification for this node mandates adherence to a comprehensive framework of IEEE standards governing ethical AI system development and deployment. The process begins by prioritizing human well-being, a principle central to Ethically Aligned Design, requiring both an approved `human_rights_impact_assessment_approved` and active `wellbeing_metrics_defined_and_tracked`. Stakeholder values are integrated through a formal process, outlined in IEEE 7000-2021, which necessitates a `stakeholder_engagement_sessions_min` of three completed sessions. System transparency, a core tenet of IEEE 7001-2021, is quantitatively enforced by a `transparency_explainability_score_min` threshold of 0.85, supported by `accountability_traceability_logging_enabled` and an available `automated_decision_appeal_mechanism`. In alignment with the IEEE 7002-2022 standard, data privacy is upheld by ensuring `data_agency_user_control_enabled` is active. To address fairness, algorithmic bias considerations from IEEE 7003-2023 impose a strict `algorithmic_bias_variance_max` of 0.05 between specified groups. Finally, system safety and reliability are governed by IEEE 7009-2024 principles for fail-safe design, mandating a `human_override_capability_active`, a completed `misuse_risk_simulation_completed` analysis, and validated system performance achieving a `system_competence_validation_score_min` of 0.9 before operational clearance is granted."

Technical ID

ieee-ethics-ai-system

Aviation, Defense & Quantum

IETF Hybrid PQC Drafts

"IETF Hybrid PQC Drafts define the mechanisms for combining 'Classical' cryptography (e.g., X25519, Ed25519) with 'Post-Quantum' algorithms (e.g., ML-KEM, ML-DSA). This 'Defense-in-Depth' approach ensures security even if a quantum-resistant algorithm is found to be vulnerable or if the classical algorithm is broken by a quantum computer."

Technical ID

ietf-hybrid-pqc-drafts

Legal & IP Sovereignty

IFAC Ethics for Accountants

"Compliance with the IESBA International Code of Ethics for Professional Accountants is operationalized through the acknowledgment of five fundamental principles: integrity, objectivity, professional competence and due care, confidentiality, and professional behavior. This conceptual framework requires accountants to identify, evaluate, and address threats to these principles by applying necessary safeguards. For professional accountants in public practice, stringent protocols under Section 310 govern the clearance of conflicts of interest, while inducements are assessed per Section 340 to prevent any compromise of professional judgment. Independence for audit, review, and other assurance engagements, as detailed in Parts 4A and 4B, is paramount. Verification extends across all network firms, and fee dependency is managed with a strict 15% cap on total fees from a Public Interest Entity audit client for two consecutive years. The system enforces a 7-year rotation for key audit partners, succeeded by a mandatory minimum 3-year cooling-off period. Concurrently, the NOCLAR reporting protocol from Section 260 guides responses to non-compliance with laws and regulations. Active confidentiality safeguards are maintained throughout all professional services, upholding a primary ethical obligation."

Technical ID

ifac-ethics-accountants

Banking & Global Finance

IFRS 17: Insurance Contracts

"IFRS 17 is the first truly international accounting standard for insurance contracts, replacing IFRS 4. It provides a consistent framework for recognizing profit and measuring insurance liabilities, using a current value approach to improve financial transparency and comparability across the global insurance sector."

Technical ID

ifrs-17-contracts

Banking & Global Finance

IFRS 9: Expected Credit Loss (ECL)

"IFRS 9 introduces the Expected Credit Loss (ECL) model for financial instruments, replacing the older 'Incurred Loss' model. It requires organizations to recognize impairments based on forward-looking macroeconomic forecasts and probability-weighted outcomes, reflecting a more realistic and proactive approach to credit risk management."

Technical ID

ifrs-9-impairment

Legal & IP Sovereignty

IFRS Global Standards

"Comprehensive adherence to International Financial Reporting Standards is mandated to ensure global financial integrity and transparency. This control framework requires strict application of foundational accounting principles, including the revenue recognition model stipulated by IFRS 15: Revenue from Contracts with Customers and the required capitalization of operating leases under IFRS 16: Leases. Organizations must implement the forward-looking expected credit loss impairment model as specified within IFRS 9: Financial Instruments, and also prepare consolidated financial statements adhering to the control principles of IFRS 10: Consolidated Financial Statements. All disclosures are required to follow the presentation structure governed by IAS 1: Presentation of Financial Statements, with a maximum reporting lag of 30 days. Furthermore, all digital submissions necessitate XBRL tagging aligned with the current IFRS Taxonomy 2023. Supporting these accounting mandates are stringent technical controls: financial data encryption at rest, mandatory role-based access controls, and enforced multi-factor authentication for financial systems access. To maintain data integrity and auditability, cryptographic journal entry signing is required, and complete audit trails must be preserved for a minimum retention period of 7 years."

Technical ID

ifrs-global-accounting

Banking & Global Finance

Sustainability (IFRS S1)

"IFRS S1 General Requirements for Disclosure of Sustainability-related Financial Information, issued by the ISSB (International Sustainability Standards Board) in June 2023 and effective for reporting periods beginning January 1, 2024, establishes the foundational framework for sustainability-related financial disclosures that are material to investors in assessing enterprise value. IFRS S1 requires entities to disclose sustainability-related risks and opportunities that could reasonably be expected to affect the entity's cash flows, access to finance, and cost of capital — the financial materiality lens, distinct from GRI's impact materiality approach. The standard requires disclosure across four core areas derived from the TCFD framework: governance, strategy, risk management, and metrics and targets. IFRS S1 is being adopted by over 40 jurisdictions and is foundational for entities listing on capital markets with sustainability disclosure requirements; failure to provide material sustainability disclosures exposes companies to securities law liability."

Technical ID

ifrs-s1-general

Banking & Global Finance

Climate Disclosures (IFRS S2)

"Entities must provide comprehensive disclosures concerning significant climate-related risks and opportunities to meet investor information needs under IFRS S2. This mandate requires a detailed exposition of the governance processes, controls, and procedures used for monitoring climate issues. The standard necessitates a robust strategy involving the identification and mapping of both physical and transition risks. An entity’s climate resilience assessment must utilize scenario analysis, evaluating its strategy against a maximum temperature alignment scenario of 1.5 degrees Celsius. Quantitative disclosures are central, demanding the measurement of absolute gross Scope 1, Scope 2, and Scope 3 greenhouse gas emissions, calculated in accordance with the GHG Protocol Corporate Standard. Furthermore, organizations must quantify the current and anticipated financial impacts of identified climate factors on their financial position, performance, and cash flows. These climate-related financial disclosures are to be reported concurrently with an entity’s annual financial statements, permitting a reporting lag of zero days. To ensure relevance, the disclosures must incorporate industry-specific metrics, leveraging the SASB Standards where applicable, thereby providing a complete picture of an enterprise's climate exposure and management approach."

Technical ID

ifrs-s2-climate

Food & Hospitality

IFS Food (International Featured)

"International Featured Standards (IFS) Food certification provides a framework for ensuring food product safety and quality, aligned with the Global Food Safety Initiative's GFSI Benchmarking Requirements Version 2020.1. Compliance mandates a robust governance structure, as articulated in IFS Food Standard Version 8, Section 1, where senior management review must occur at a maximum interval of 12 months. Central to this standard is the food safety and quality management system, requiring a fully implemented and active HACCP system based on the General Principles of Food Hygiene from the Codex Alimentarius Commission. Beyond process controls, organizations must address intentional threats. This includes implementing a comprehensive food defense plan per Section 4.21 and maintaining an active food fraud vulnerability assessment as specified in Section 4.20. Operational effectiveness is verified through stringent programmatic controls, including an active internal audit program and an active supplier approval monitoring process. Furthermore, an active allergen management control system and an active environmental monitoring program are non-negotiable prerequisites. System responsiveness is rigorously tested; traceability must enable a full recall test within a maximum of 4 hours. All identified non-conformities necessitate closure of corrective actions within a 30-day maximum period, and product specifications demand a formal review at least every 12 months to ensure continued accuracy and compliance."

Technical ID

ifs-food-standard

Legal & IP Sovereignty

IIA Internal Audit (IPPF)

"Operational integrity and governance are upheld through rigorous adherence to the Institute of Internal Auditors' International Professional Practices Framework (IPPF), which establishes mandatory guidance for the professional practice of internal auditing. This compliance framework mandates that the internal audit activity remains independent and objective, requiring the chief audit executive to report functionally to the board or its equivalent governing body. Performance is systematically evaluated against key metrics; for instance, the annual audit plan must achieve a completion rate exceeding 95 percent to be considered satisfactory. Furthermore, a robust quality assurance and improvement program is obligatory, entailing continuous internal monitoring and a formal external quality assessment at least once every five years to affirm conformance with the Standards. Personnel competence is also a critical component, with each auditor required to complete a minimum of 40 hours of continuing professional education each year, ensuring their skills remain current. The BIDDA platform systematically verifies these requirements, analyzing submitted evidence to confirm the audit function’s charter, resource adequacy, and adherence to the Code of Ethics, thereby providing assurance that the internal audit activity effectively adds value and improves an organization’s operations."

Technical ID

iia-internal-audit-ippf

Workplace

ILO (Core Conventions)

"BIDDA’s compliance architecture for International Labour Organization core conventions operationalizes the tenets established within the ILO Declaration on Fundamental Principles and Rights at Work. To enforce the Minimum Age Convention, 1973 (No. 138), the system mandates a `min_worker_age_general` of 15 and elevates this threshold to a `min_worker_age_hazardous` of 18 for dangerous occupations. In alignment with the Forced Labour Convention, 1930 (No. 29) and its subsequent 2014 Protocol, `forced_labor_supply_chain_audits_enabled` is an active control, extending scrutiny across a `supply_chain_audit_depth_tiers` of 3 levels to mitigate coercive practices, further supported by a `max_standard_weekly_hours` limit of 48. The node upholds the Freedom of Association and Protection of the Right to Organise Convention, 1948 (No. 87) by ensuring `freedom_of_association_traffic_unfiltered` is true, allowing for unimpeded monitoring of communications for anti-unionization activities, while `whistleblower_anonymity_enforced` protects reporting individuals. Measures against workplace bias are governed by principles from the Discrimination (Employment and Occupation) Convention, 1958 (No. 111), with `anti_discrimination_ai_bias_testing_enabled` to validate algorithmic fairness and a mandated `pay_equity_audit_frequency_days` of 365 for annual reviews. Finally, reflecting the Occupational Safety and Health Convention, 1981 (No. 155), the system requires `osh_incident_reporting_active` and continuous `safety_telemetry_monitoring_active` to maintain a safe and healthy working environment for all personnel."

Technical ID

ilo-core-conventions

Legal & IP Sovereignty

ILO Fundamental Rights at Work

"The ILO Declaration on Fundamental Principles and Rights at Work (1998, amended 2022) identifies five categories of fundamental principles and rights that all ILO Member States must respect and promote. These rights are the foundation of decent work and fair globalization, applicable even if a member state has not ratified the specific core conventions."

Technical ID

ilo-fundamental-rights-work

Medical & Healthcare

IMDRF SaMD Risk Framework

"The IMDRF Software as a Medical Device (SaMD) Risk Categorization Framework provides a globally harmonized method for classifying the risk of independent medical software. It categorizes SaMD into four levels (I, II, III, IV) based on the criticality of the clinical situation and the impact of the information provided by the software on patient care."

Technical ID

imdrf-samd-risk-framework

Logistics & Supply Chain

IMO 2020 Sulphur Limit

"IMO 2020 refers to the significant reduction in the global limit for sulphur content in ships' fuel oil, from 3.50% m/m to 0.50% m/m. This MARPOL Annex VI regulation aims to improve air quality and protect human health by reducing emissions of sulphur oxides (SOx) from shipping."

Technical ID

imo-2020-sulphur-limit

Logistics & Supply Chain

MARPOL: Marine Pollution Prevention

"Compliance with the International Convention for the Prevention of Pollution from Ships is confirmed across all applicable annexes based on governing maritime regulations. Pertaining to Annex I, the vessel maintains both a valid International Oil Pollution Prevention Certificate and a current Oil Record Book. All machinery space bilge water discharges are processed through filtering equipment to ensure effluent oil content does not exceed the 15 parts per million threshold, a fact corroborated by operational data indicating the vessel is not inside a designated special area for oil. For Annex V, waste handling is executed under an approved Garbage Management Plan, with all activities recorded in a current Garbage Record Book and an absolute prohibition on plastics discharge strictly enforced. Annex VI requirements are met with a valid International Air Pollution Prevention Certificate and verification that fuel oil sulphur content remains at or below the 0.50% global limit, consistent with operations outside a SOx Emission Control Area. Under Annex IV, a certified sewage treatment plant is operational, and any discharge of treated effluent occurs no closer than 12 nautical miles from land, satisfying international protocols for sanitation systems."

Technical ID

imo-marpol-pollution

Logistics & Supply Chain

SOLAS: Safety of Life at Sea

"Vessel conformity with the International Convention for Safety of Life at Sea (SOLAS) mandates rigorous verification of critical operational, structural, and procedural controls. This node's assessment confirms the presence of a valid safety certificate, a foundational requirement for lawful operation. Per maritime security protocols in Chapter XI-2, an approved Ship Security Plan must be in place, with its last review documented within the preceding 365 days. Safety management systems, governed by Chapter IX, are scrutinized to ensure cyber risk management is fully integrated. Navigational integrity under Chapter V depends upon a functional Automatic Identification System and an operational voyage data recorder. Vessel identification is validated by confirming its IMO number is permanently marked as stipulated by special safety measures. Emergency preparedness, a core component of Chapter III, requires that both lifeboat drills and fire drills have been conducted within the 30-day interval. Radiocommunications capabilities specified in Chapter IV are confirmed via a passed Global Maritime Distress and Safety System equipment self-test. Finally, structural integrity and fire safety standards from Chapters II-1 and II-2 are met when the fire detection system is operational and the most recent watertight door test has been successfully passed."

Technical ID

imo-solas-safety-at-sea

Logistics & Supply Chain

STCW: Seafarer Competency Standards

"Compliance with the International Convention on Standards of Training, Certification and Watchkeeping for Seafarers (STCW) mandates a comprehensive verification of personnel qualifications and operational readiness. This involves confirming every crew member holds a valid certificate of competency and a current medical certificate, which are foundational requirements under international maritime regulations. Furthermore, verification must extend to ensuring each certificate possesses a corresponding flag state endorsement where applicable, and that all watchkeeping personnel are certified for their specific roles. Records also confirm every individual has completed security awareness training as stipulated by the Code. Established experience thresholds are met, with a demonstrated seagoing service of 36 months for key personnel, while the subject seafarer’s age of 24 years satisfies all prerequisites. Work and rest hour logs are critical; regulatory adherence is confirmed with a minimum daily rest of 10 hours recorded and maximum work hours in any 7-day period not exceeding 72, aligning directly with provisions detailed in the Convention. Training currency is also validated, showing the last basic safety refresher occurred 730 days ago, well within mandated five-year revalidation cycles. Crucially, a systemic review confirms that all records are maintained and accessible for auditing by port state control or other competent authorities, demonstrating end-to-end regulatory adherence."

Technical ID

imo-stcw-seafarer-training

Banking & Global Finance

India MeitY IT Rules (Synthetic Content Amendment)

"Mandatory disclosure, verification, and visual/audio labelling requirements for AI-generated synthetic content by Significant Social Media Intermediaries (SSMIs) operating in India."

Technical ID

in-meity-synthetic-content

Logistics & Supply Chain

Incoterms: CIP (Carriage & Insurance Paid)

"CIP 2020 is a multimodal Incoterm where the seller delivers to a carrier and pays for carriage and insurance to the named destination. Unlike CPT, CIP 2020 mandates 'Clause A' (All-risk) insurance coverage, reflecting modern trade demands for higher protection in high-value shipments."

Technical ID

incoterms-2020-cip-logic

Logistics & Supply Chain

Incoterms 2020: CIP (Carriage Insurance Paid)

"Carriage Insurance Paid (CIP) under the Incoterms® 2020 framework dictates that a seller fulfills its delivery obligation and completes the transfer of risk once goods are handed to the initial carrier engaged by the seller. This critical transfer point, which is consistent with delivery stipulations within the UN Convention on Contracts for the International Sale of Goods, occurs at origin, even though the seller arranges and pays freight to a named destination as stipulated in Article A9/B9. A central seller responsibility under Article A5 involves procuring comprehensive cargo insurance; this policy must satisfy the stringent Institute Cargo Clauses (A) framework, representing an 'all risk' standard, and provide coverage for a minimum of 110 percent of the commercial invoice value. The insurance currency must also match the contract's currency. While the seller is responsible for export clearance formalities, the buyer assumes all risk from the moment the consignment is with the first carrier and is therefore responsible for completing all import clearance procedures and settling associated duties upon arrival. The rule's schema confirms the seller arranges main carriage and provides insurance, but risk transfers early, making the buyer’s awareness of this dichotomy paramount for compliance."

Technical ID

incoterms-2020-cip-v2

Logistics & Supply Chain

Incoterms 2020: CPT (Carriage Paid To)

"Under the Carriage Paid To (CPT) rule, a seller's primary obligations encompass arranging and paying for freight to a specified destination, while the critical transfer of risk from seller to buyer occurs at a fundamentally different, earlier point. Per Incoterms 2020 Article A2/B2, delivery is completed, and pursuant to Article A3/B3, all risk transfers when goods are handed over to the first carrier nominated by the seller. This principle, where risk transfers upon first carrier handover, aligns with the United Nations Convention on Contracts for the International Sale of Goods, specifically Article 67. Consequently, although the seller bears the freight cost to the destination, the buyer bears all transit risk for any loss or damage after this initial handover. The seller’s maximum risk liability post-handover is therefore configured as zero USD, underscoring the finality of this transfer. The seller’s duties, outlined in Article A7/B7, also mandate responsibility for export clearance, while the corresponding import clearance obligation rests with the buyer. It is crucial to note there is no mandatory insurance obligation for either the seller or buyer. Regarding unloading costs, the seller pays if these charges are included within the contract of carriage; otherwise, the buyer is responsible for these costs. For regulatory compliance, the transaction requires the explicit naming of both the place of destination where carriage is paid to, and critically, the place of delivery to the carrier where risk actually passes."

Technical ID

incoterms-2020-cpt

Logistics & Supply Chain

Incoterms: DDP Compliance

"Delivered Duty Paid (DDP) is the maximum-obligation Incoterm for the seller. The seller delivers the goods at the disposal of the buyer at the named place of destination, cleared for import, and including all taxes and duties paid. Use with extreme caution as it requires the seller to navigate import regulations in the buyer's country."

Technical ID

incoterms-2020-ddp-logic

Logistics & Supply Chain

Incoterms 2020: DDP (Delivered Duty Paid)

"Incoterms 2020 rule DDP (Delivered Duty Paid) imposes the maximum obligation upon the seller, who assumes all costs and risks until the goods are delivered to the named destination, ready for unloading. Per this rule, risk transfers when the consignment is destination-ready for unloading; the seller bears responsibility for both export and import customs formalities. Consequently, the seller pays all import duties plus any applicable VAT or GST, while the buyer does not provide import clearance. For the seller to fulfill these duties in jurisdictions like the United States, they often must qualify as a non-resident importer pursuant to U.S. Customs regulations under 19 CFR § 141.1, thereby directly incurring customs debt as outlined in frameworks such as the European Union's Union Customs Code. This extensive control over the entire transit places absolute liability on the seller for compliance with export controls, like the U.S. Export Administration Regulations and OFAC Sanctions Programs, making robust automated sanctions screening mandatory. Furthermore, adherence to modern trade facilitation standards, including the WCO SAFE Framework, necessitates secure data exchange; therefore, cross-border EDI encryption using AES-256 is mandated for all electronic records, whose legal validity is recognized under principles like the UNCITRAL Model Law on Electronic Transferable Records. All related customs documentation must be maintained for a minimum of five years, fulfilling the specified customs record retention period."

Technical ID

incoterms-2020-ddp-v2

Logistics & Supply Chain

Incoterms 2020: EXW (Ex Works)

"Ex Works (EXW) under the ICC Incoterms® 2020 rules establishes a transaction imposing maximum obligation on the buyer and minimal responsibility on the seller, whose delivery duty, consistent with principles in CISG Article 31, is fulfilled by placing goods at the buyer’s disposal alongside a provided commercial invoice. Consequently, both risk transfer and cost transfer occur at origin before loading commences. The schema dictates there is no seller loading obligation; should assistance be provided, maximum liability for resultant damage is zero USD. The buyer assumes all subsequent duties, including arranging carriage, bearing complete transit insurance risk, and managing both export and import clearance procedures. The seller explicitly retains no export clearance obligation. Since the transaction is flagged as a routed export transaction, US Export Administration Regulations under 15 CFR § 758.3 apply, which requires buyer export license validation. Such buyer responsibility for customs formalities, including declarations per EU Union Customs Code Article 166, is absolute. For digital compliance, any EDI transmission security must utilize TLS 1.2 or a superior protocol, conforming to information management standards from ISO/IEC 27001:2022. Finally, electronic record retention is mandated for five years, with data protection following controlled unclassified information guidelines outlined within NIST SP 800-171 Rev. 3."

Technical ID

incoterms-2020-exw

Logistics & Supply Chain

Incoterms: FAS (Free Alongside Ship)

"Maritime-only logic where the seller delivers when goods are placed alongside the vessel at the named port of shipment."

Technical ID

incoterms-2020-fas-logic

Logistics & Supply Chain

Incoterms: FAS (Free Alongside Ship)

"Free Alongside Ship (FAS) is a maritime-only Incoterm where the seller delivers the goods when they are placed alongside the vessel nominated by the buyer at the named port of shipment. FAS 2020 requires the seller to clear the goods for export, making it a common choice for liquid bulk or heavy-lift cargo shipments."

Technical ID

incoterms-2020-fca-logic

Logistics & Supply Chain

Incoterms 2020: FCA (Free Carrier)

"Free Carrier (FCA) compliance mandates the seller deliver goods cleared for export, as `seller_export_customs_clearance_required` is true, to a carrier designated by the buyer. A critical operational parameter is that `fca_named_place_explicitly_defined` must be satisfied, articulating the handover point with precision. According to the ICC Incoterms® 2020 Explanatory Notes for Users, this named location determines loading duties; if delivery transpires at the seller’s facility, the `seller_loading_obligation_at_premises` is triggered, whereas at any alternative place, the buyer’s `buyer_unloading_obligation_at_other_place` is engaged. The transfer of risk, governed by Article A2/B2 stipulations, aligns with this delivery to the first carrier—a concept consistent with the United Nations Convention on Contracts for the International Sale of Goods under Article 31 (a). This transfer must finalize inside the `max_delivery_delay_window_days` of 14. The buyer’s responsibilities encompass all subsequent costs and arranging for `buyer_import_customs_clearance_required`. Authenticating the carrier selection, where `carrier_nominated_by_buyer_verified` is configured, demands robust validation; `mfa_required_for_carrier_nomination` supports this process, with its legal effect on electronic signatures recognized under frameworks like the eIDAS Regulation. Moreover, transmission of digital transport records must uphold stringent confidentiality, necessitating an `electronic_shipping_doc_encryption_aes_min` standard of 256-bit AES encryption consistent with NIST Special Publication 800-171 Rev 2. While Incoterms® 2020 Article A6/B6 introduces a mechanism for an on-board bill of lading, the parameter `on_board_bill_of_lading_requested` being false renders it inapplicable. Finally, no `insurance_obligation_mandated` is imposed upon either counterparty."

Technical ID

incoterms-2020-fca-v2

Logistics & Supply Chain

Incoterms: FOB Risk Transfer

"Free On Board (FOB) is an Incoterm limited to sea and inland waterway transport. Under FOB 2020, the seller delivers the goods on board the vessel nominated by the buyer at the named port of shipment, at which point the risk of loss or damage and the costs transfer to the buyer."

Technical ID

incoterms-2020-fob-logic

Legal & IP Sovereignty

India DPDP Act 2023

"The Digital Personal Data Protection (DPDP) Act of 2023 is India's principal statute for digital personal data, prioritizing individual rights and organizational obligations. It introduces the role of Consent Managers and Data Fiduciaries, with significant penalties (up to ₹250 crore) for non-compliance."

Technical ID

india-dpdp-act

Banking & Global Finance

Third-Party Relationships: Interagency Guidance on Risk Management

"The Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation issued the 'Interagency Guidance on Third-Party Relationships: Risk Management.' This guidance applies to all banks with third-party relationships, which collectively refers to national banks, federal savings associations, covered savings associations, and federal branches and agencies of foreign banking organizations. The guidance promotes consistency in the agencies’ supervisory approach and outlines the third-party risk management life cycle, identifying principles applicable to each stage. The core obligation for banks is to develop and implement third-party risk management practices based on sound principles. These practices must be commensurate with the bank’s risk profile and complexity, as well as the criticality of the activity supported by the third party. The guidance clarifies that not all third-party relationships present the same level of risk or criticality, necessitating a risk-based approach. This bulletin, OCC Bulletin 2023-17, formally rescinds OCC Bulletin 2013-29, 'Third-Party Relationships: Risk Management Guidance,' and OCC Bulletin 2020-10."

Technical ID

interagency-guidance-third-party-risk-management

Logistics & Supply Chain

Intermodal Container Standards (ISO)

"Compliance with intermodal container standards mandates strict adherence to a framework of structural integrity, operational safety, and cybersecurity protocols. All units must possess a valid Convention for Safe Containers (CSC) safety approval plate and ensure their external dimensions conform to ISO 668 specifications. Critical structural elements, such as corner fittings, are required to meet ISO 1161 manufacturing and maintenance standards. Furthermore, containers must demonstrate significant structural resilience, verified by a minimum superimposed stacking capacity of 192,000 kilograms and a floor strength capable of withstanding a 7,260 kg axle load per ISO 1496-1. For cargo protection, a successful watertightness test is obligatory, and proper identification is enforced through a mathematically valid ISO 6346 marking. For units designated as smart containers, enhanced digital security is non-negotiable; this includes encrypted data-in-transit from IoT devices, cryptographically signed firmware against unauthorized modification, and, if equipped with electronic locks, adherence to resilience standards like ISO 17712 for high-security seals. Finally, operational limits must be respected, ensuring the current gross weight never exceeds the maximum value marked on its CSC plate."

Technical ID

intermodal-container-std

Logistics & Supply Chain

Agentic Economic Order Quantity

"The Economic Order Quantity (EOQ) model is a deterministic inventory optimization formula that calculates the optimal order quantity that minimizes total inventory cost (ordering cost + holding cost) for a single product with constant, known demand and instantaneous replenishment. The classical Wilson EOQ formula (EOQ = √(2DS/H)) was developed in 1913 and remains the baseline for inventory management in agentic commerce systems where autonomous agents make procurement decisions. For AI agents, EOQ provides a principled, auditable basis for order quantity decisions, replacing ad-hoc ordering with cost-optimal, mathematically justified quantities. Extensions for probabilistic demand (newsvendor model), quantity discounts, backorder allowance, and multi-echelon supply chains are implemented as modifications of the core formula. Incorrect EOQ implementation results in excess inventory costs (if order quantity is too large) or stockouts with associated lost sales penalties (if too small)."

Technical ID

inventory-eoq-deterministic

Banking & Global Finance

IOSCO Principles (Benchmarks)

"The IOSCO Principles for Financial Benchmarks (2013) are the global standards for the governance, quality, and integrity of the benchmarks used in financial markets (e.g., LIBOR transition rates, indices). They are designed to prevent the manipulation of market benchmarks and ensure their transparency and reliable methodology."

Technical ID

iosco-bench-interest-rate

Creative, Content & Media IP

IPTC Photo Metadata

"Verification of IPTC photo metadata ensures that digital assets comply with international intellectual property conventions and mitigates significant legal risks. This compliance framework mandates that specified metadata is embedded directly within the file itself. Key validation points include the mandatory presence of a creator field with a minimum length of three characters. A credit line field is also required and must explicitly contain the designated copyright entity. Rights management is enforced through several rules: a web statement of rights must exist as a valid, functional URL, the copyright status needs to be clearly defined, and comprehensive licensing terms must be accessible either through a direct link or via embedded data. For provenance and accountability, contact information for the rights holder is a required component, and the asset's creation date must adhere to the ISO 8601 standard for unambiguous temporal records. Satisfying these stringent data requirements establishes a machine-readable record of authorship and usage rights, thereby aligning with global digital media standards and protecting the enterprise from liability."

Technical ID

iptc-photo-metadata

Creative, Content & Media IP

IPTC Video Meta

"Regulatory compliance for video assets under this control requires stringent adherence to established IPTC metadata protocols and digital rights frameworks. Each asset is mandated to contain a complete hasIPTCVideoMetadataBlock. The integrity of this data must be cryptographically verifiable via a metadataDigitalSignaturePresent and its timeliness confirmed, falling within the metadataRecencyDaysMax threshold of 365 days. For rights management, isRightsDataEmbedded must be true, with an associated hasWebStatementOfRights pointing to a valid URI, a condition confirmed by the isWebStatementOfRightsURLValid check. Asset provenance demands both a hasVerifiedSourceOfAuthority and that the source itself be trusted, where isSourceOfAuthorityTrusted is true. Unambiguous attribution is enforced through a mandatory hasCreatorIdentifier. Furthermore, content-level description requirements, derived from media accountability standards, necessitate both a hasMandatoryPeopleInVideoField and hasMandatoryVideoRegionField. The system enforces a minPeopleIdentifiedCount of 1 to ensure principal subjects are identified for consent and privacy verification purposes."

Technical ID

iptc-video-metadata

Cloud & SaaS

IRAP (Australia Cloud)

"Achieving an Information Security Registered Assessors Program (IRAP) assessment confirms a cloud service's alignment with Australian Government security requirements for handling data up to the PROTECTED classification. This rigorous process, governed by the Australian Signals Directorate (ASD), mandates the formal engagement of a current, ASD-certified IRAP assessor. A foundational requirement is a complete System Security Plan (SSP) that comprehensively maps system controls to the Australian Cyber Security Centre's Information Security Manual (ISM). Compliance requires demonstrating that a minimum of 95% of applicable ISM controls for the PROTECTED level are implemented and effective. The full assessment's validity is contingent on its age, which must not exceed 24 months. Further, Protective Security Policy Framework (PSPF) principles are upheld through strict mandates: all personnel with privileged system access must hold a minimum Negative Vetting 1 (NV1) security clearance, and all PROTECTED customer data must be stored and processed entirely within Australian sovereign borders, a key tenet of the DTA's Secure Cloud Strategy. Ongoing security posture management is non-negotiable, necessitating a formal continuous monitoring program, a documented risk management framework, and comprehensive vulnerability scans conducted at a frequency of 30 days or less. The system’s Cyber Security Incident Response Plan must be fully tested at least every 12 months, and all cryptographic modules must be on the ACSC's Evaluated Products List or otherwise approved for use. This framework ensures robust protection consistent with national security and information management standards from bodies like the National Archives of Australia."

Technical ID

irap-australia-cloud

Creative, Content & Media IP

ISAN (Audiovisual)

"Compliance with this node dictates that all qualifying `is_audiovisual_content` must be uniquely identified with a valid International Standard Audiovisual Number. As stipulated by governing international agreements, this requirement is absolute, meaning the `requires_isan_identifier` control is enforced without exception for applicable works. Adherence to the identifier's composition is also mandatory; conforming to established technical standards where the `isan_structure_is_mandatory`, the full identifier comprises an `isan_total_bit_length` of 96 bits. This structure universally necessitates that an `isan_root_segment_required` is present. Further, as detailed in relevant regulatory frameworks, an `episode_segment_required_for_series` and a `version_segment_required_for_variants` must be appended for serial productions and derivative works, respectively. Operationally, the asset's core `metadata_must_contain_isan`, ensuring the identifier is persistently associated with its descriptive data. In accordance with official protocols, each assigned number `is_registered_with_isan_ra` to ensure global uniqueness and resolution. A critical directive derived from industry best practices mandates that both the enterprise `rights_management_system_uses_isan` and its corresponding `archival_system_uses_isan` for consistent lifecycle management. It is important to note a key distinction clarified within the controlling specifications: the `distribution_watermark_uses_isan` control is inactive, signifying no obligation exists to embed the ISAN within a visual watermark for distribution."

Technical ID

isan-audiovisual-number

Creative, Content & Media IP

ISBN (Book Standard)

"Compliance with the International Standard Book Number (ISBN) system mandates a multi-faceted validation process to ensure data integrity and interoperability across the global publishing supply chain. An identifier must adhere to strict structural requirements defined by authoritative standards, including a precise length of exactly 13 characters composed exclusively of numeric digits. International guidelines require the string to begin with a valid GS1 prefix, which must be either '978' or '979'. The final digit's validity is confirmed by a successful Modulo 10 checksum calculation using alternating weights of 1 and 3. Beyond structural syntax, governing standards stipulate that the registration group and registrant elements within the number must correspond to valid codes assigned by the official agency. Normative documents further obligate that each ISBN resolves to a unique bibliographic record in a recognized industry database and is not a duplicate assignment for any single publication manifestation. For commercial and legal viability, specified protocols demand the identifier have associated rights management information accessible via system lookup. Finally, regulatory frameworks mandate the ISBN must be active in global retail systems for verified sales reporting, confirming its operational readiness for commerce. Failure to meet any of these criteria constitutes a significant compliance deviation."

Technical ID

isbn-book-standard

Legal & IP Sovereignty

ISDS (Investor-State Dispute)

"Investor-State Dispute Settlement (ISDS) is an international legal mechanism that allows foreign investors to bring claims against a host state for alleged violations of a bilateral investment treaty (BIT) or free trade agreement (FTA). It provides investors with a neutral forum (e.g., ICSID) to resolve disputes regarding expropriation or unfair treatment."

Technical ID

isds-investor-state-dispute

Logistics & Supply Chain

ISM Code (Vessel Safety)

"The International Safety Management (ISM) Code provides an international standard for the safe management and operation of ships and for pollution prevention. It requires the 'Company' to establish a 'Safety Management System' (SMS) and mandates the 'Designated Person Ashore' (DPA) to provide a direct link between the ship and higher management."

Technical ID

ism-code-vessel-safety

Medical & Healthcare

ISMP Medication Safety

"The ISMP (Institute for Safe Medication Practices) Best Practices provide a set of consensus-based national standards for reducing medication errors in hospitals and healthcare settings. They focus on high-alert medications, 'Look-Alike/Sound-Alike' (LASA) drug nomenclature, and the implementation of error-reduction strategies across the medication-use process."

Technical ID

ismp-medication-safety

Workplace

ISO 10002 (Complaints)

"Compliance with ISO 10002 mandates a structured, transparent, and customer-focused complaints-handling framework, grounded in established international standards. Foundational principles require an organization's complaints-handling policy to be publicly accessible, ensuring transparency for all stakeholders. Upon receipt, every grievance necessitates the mandatory assignment of a unique complaint identifier for systematic tracking. The process stipulates an initial acknowledgement must be dispatched to the complainant within a service-level agreement of 48 business hours. Organizational accountability is formally established by designating a specific complaint officer role vested with ultimate responsibility. To maintain impartiality, procedural guidelines dictate that the individual investigating a complaint should, where practicable, be segregated from its subject matter. A clearly documented escalation path must be available for complainants dissatisfied with an initial outcome. Furthermore, a core tenet of this framework is that verifiable staff training records exist and are maintained. Protecting sensitive data is paramount; therefore, all personally identifiable information collected requires robust protection consistent with prevailing privacy regulations. The organization must adhere to a resolution target SLA of 30 calendar days for closing complaints. For continuous improvement, a systematic complaint trend analysis must occur with a frequency not exceeding 90 days to identify root causes. Finally, governing statutes emphasize that the final resolution communication is mandatory and must always be conveyed to the complainant, ensuring complete process closure."

Technical ID

iso-10002-complaints-mgt

Workplace

ISO 10004 (Feedback)

"Compliance with ISO 10004 necessitates a structured and comprehensive framework for monitoring and utilizing customer feedback to enhance satisfaction. Organizational adherence requires a formally documented feedback process that incorporates clearly defined satisfaction indicators. This framework must employ both direct measurement methods, such as surveys, and indirect measurement methods, like market share analysis, to capture a holistic view of customer sentiment. A critical component involves analyzing the gap between customer expectations and their actual perceptions, a process mandated by authoritative guidelines. Derived insights must inform corrective and preventive actions, for which a system to track all improvement actions is mandatory. The entire feedback process itself must undergo periodic review to ensure ongoing effectiveness, with management review of feedback insights being a required governance step. According to core tenets for effective monitoring, analysis of collected feedback must occur at a minimum frequency of every 90 days. To facilitate collection, organizations must provide a minimum of four distinct and accessible customer feedback channels. Furthermore, data handling protocols are stringent, demanding at least an 80 percent feedback data anonymization level to protect privacy, consistent with established best practices. A clearly defined feedback retention policy is also required to govern the data lifecycle. These integrated controls ensure a systematic approach to managing customer feedback, driving continuous improvement and aligning with international standards for quality management."

Technical ID

iso-10004-feedback-mgt

Sales, Marketing & PR

ISO 10008 (B2C E-commerce)

"ISO 10008 establishes a comprehensive framework for business-to-consumer electronic commerce transactions, emphasizing consumer trust, transparency, and effective redress mechanisms. Foundational guidance stipulates that adherence requires organizations to publish a clear privacy policy and maintain unambiguous terms of service. For transactional integrity, the total cost must be fully displayed pre-payment, leaving no ambiguity for the consumer. Security protocols are paramount, mandating the use of strong encryption for transactions and strict adherence to PCI DSS compliance for all payment processing activities. A robust data breach notification policy must also be in place to govern incident response. To foster consumer confidence, enterprises must provide easily accessible contact information and a well-defined return policy. The standard places significant emphasis on post-transaction support systems. This necessitates a formal, defined complaint handling process, which requires that any customer grievance receives acknowledgement within a maximum 48-hour timeframe. Furthermore, organizations are obligated to offer a clear dispute resolution mechanism and implement a fair customer review moderation policy. Collectively, these controls create a reliable, secure, and fair online commercial environment, mitigating operational risks and aligning with international best practices for consumer protection in digital commerce."

Technical ID

iso-10008-b2c-ecommerce

Sales, Marketing & PR

ISO 10668 (Brand Value)

"Adherence to ISO 10668 for monetary brand valuation mandates a rigorous and auditable framework, ensuring transparency, consistency, and reliability in all assessments. This compliance node enforces these normative requirements through a series of procedural gates. Every valuation engagement must commence with the explicit definition of its purpose, a formal declaration of the basis of value, and the establishment of a fixed valuation date. A thorough legal rights analysis is compulsory to substantiate ownership and protections associated with the brand asset. Methodologically, the valuation approach must be specified, with the engagement employing a minimum of one recognized valuation technique. Data integrity is paramount across all methods: any income approach necessitates verified inputs, the market approach is contingent upon the availability of suitable comparables, and cost approach data must be formally audited. To satisfy the standard’s transparency principles, complete disclosure of financial projections is required, alongside a comprehensive exposition of all critical assumptions underpinning the analysis. The process must conclude with the generation of a final report, memorializing the valuation’s scope, methodology, and conclusion in a defensible, standard-compliant document."

Technical ID

iso-10668-brand-valuation

Creative, Content & Media IP

ISO 12639 (TIFF/IT)

"Compliance with ISO 12639, governing the Tag Image File Format for Image Technology (TIFF/IT), mandates strict adherence to a specific set of structural and content-based rules for digital graphic arts data exchange. A file must present a valid profile declaration, which is restricted to Line Work (LW), High-resolution Continuous-tone (HC), or Binary Picture (BP) profiles. Each profile carries distinct technical prerequisites. For instance, LW files necessitate monochrome photometric interpretation and CCITT Group 4 compression. HC files, conversely, demand either CMYK or RGB colorspace and must use uncompressed or LZW compression schemes. BP profile validation hinges upon the presence of an Image File Directory pointer and valid linked image data. Universally, all conforming files must contain mandatory geometry tags, possess defined colorimetric data, and exhibit a compliant Image File Directory (IFD) structure. Furthermore, the standard imposes a hard ceiling on image fidelity, stipulating that resolution cannot exceed a maximum of 9600 DPI. These constraints ensure consistent and predictable file interchange within professional prepress workflows, and BIDDA's validation logic rigorously enforces every one of these requirements."

Technical ID

iso-12639-tiff-it

Food & Hospitality

Beach Management (ISO 13009)

"Compliance with international beach operation standards necessitates a comprehensive framework for safety, environmental management, and service quality. ISO 13009:2015 requires a formalized beach management plan that integrates multiple operational facets. Water quality monitoring, a cornerstone of public health as outlined by World Health Organization guidelines and the European Union Bathing Water Directive, must occur at a minimum frequency, with the maximum water quality test interval set to 15 days. Safety protocols demand mandatory lifeguard coverage with a minimum density of two lifeguard towers per kilometer and a readily accessible first aid station to ensure a rapid response, capped at a maximum emergency response time of five minutes. Environmental stewardship, reflecting principles from ISO 14001:2015 and the Foundation for Environmental Education Blue Flag Programme, mandates daily cleaning operations and robust waste management infrastructure, including waste segregation bins placed no further apart than a maximum distance of 50 meters. Furthermore, operators must establish environmental protection zones to conserve sensitive coastal ecosystems. Inclusive access requires providing wheelchair accessibility to key facilities. Lastly, clear risk communication is obligatory through prominent hazard information signage detailing potential dangers to beach users, fulfilling a key recommendation for user safety and awareness across all cited standards."

Technical ID

iso-13009-beach-mgmt

Medical & Healthcare

ISO 13485 (Medical QMS)

"ISO 13485:2016 is the global standard for Medical Device Quality Management Systems (QMS). It specifies requirements for a QMS where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements."

Technical ID

iso-13485-medical-qms

Medical & Healthcare

Medical Quality (ISO 13485)

"ISO 13485:2016 is the internationally recognized Quality Management System standard specifically designed for organizations in the medical device industry, covering the full lifecycle of medical devices from design and development through manufacturing, installation, and servicing. Unlike ISO 9001, which focuses on customer satisfaction, ISO 13485 emphasizes regulatory compliance and patient safety, imposing mandatory requirements for design controls, supplier qualification, risk management (linked to ISO 14971), sterility assurance, and post-market surveillance. Certification to ISO 13485 is required for EU CE marking (MDR 2017/745 and IVDR 2017/746), accepted by Health Canada, TGA, and NMPA, and recognized by the FDA as evidence of quality system compliance. AI-based Software as a Medical Device (AIaMD) developers must implement ISO 13485 to demonstrate that their development process meets regulatory quality expectations."

Technical ID

iso-13485-qms

Sustainability & ESG

Env Management (ISO 14001)

"ISO 14001:2015 is the international standard for Environmental Management Systems (EMS), providing a framework for organizations to manage their environmental responsibilities systematically and contribute to the environmental pillar of sustainable development. The standard follows the Plan-Do-Check-Act (PDCA) cycle and requires organizations to identify their significant environmental aspects and impacts, establish environmental objectives and targets, implement operational controls, monitor performance against targets, and drive continual improvement. ISO 14001 is certified by accredited third-party certification bodies and is required by major customers in automotive, electronics, and manufacturing supply chains. For AI and data center operators, ISO 14001 applies to energy consumption (Scope 1 and 2 GHG emissions), water usage for cooling, e-waste management, and supply chain environmental impacts. Certification demonstrates to investors, regulators, and customers that environmental risks are systematically managed."

Technical ID

iso-14001-ems

Sustainability & ESG

Env Management (ISO 14001)

"International standard for environmental management systems (EMS)."

Technical ID

iso-14001-ems-v2

Sustainability & ESG

Water Footprint (ISO 14046)

"An assessment of the water footprint, conducted in alignment with the comprehensive principles of international environmental management standards, confirms substantial conformance. The analysis established a defined goal and scope, including a clearly delineated system boundary and a specific functional unit for consistent measurement. All evaluations are grounded within a specified geotemporal context, ensuring relevance and accuracy. The life cycle inventory analysis achieved a completeness level of 98.5 percent, providing a robust dataset for subsequent phases. Following a specified impact assessment methodology, the evaluation quantified potential environmental impacts across three distinct categories, such as water scarcity and degradation. A thorough data quality assessment was performed to validate inputs, and a sensitivity analysis was also conducted to test the stability of the results against key assumptions. A final report has been generated, documenting all phases, data, methods, and findings. However, it must be noted that a critical review remains incomplete at this stage. Consequently, the findings are not intended for, nor should they be used in, any public comparative assertion against competing products or services until such independent verification is finalized per established protocols."

Technical ID

iso-14046-water-footprint

Sustainability & ESG

GHG Verification (ISO 14064)

"Successful completion provides reasonable assurance over an organization's greenhouse gas statement through a rigorous third-party verification process aligned with specifications from ISO 14064-3:2019. This is critical for meeting mandatory disclosure obligations under frameworks such as the EU's Corporate Sustainability Reporting Directive and the U.S. Securities and Exchange Commission's climate rule, which mandates attestation for Scope 1 and Scope 2 emissions. Foundational prerequisites, guided by ISO 14064-1:2018 and The Greenhouse Gas Protocol, demand that a complete GHG inventory is established with defined organizational boundaries and a formal base year. The inventory must include quantified Scope 1 emissions and Scope 2 emissions, with other indirect emissions being properly documented. Procedural maturity requires an active GHG information management system, a conducted uncertainty assessment, and a completed internal audit before engaging external verifiers. The verification body itself must be accredited under ISO 14065:2020, ensuring competency and impartiality. During its assessment of the final generated GHG report, this body applies a quantitative materiality threshold of five percent to identify material misstatements. To ensure a complete audit trail and support ongoing compliance, all relevant data must be maintained according to a minimum seven-year retention policy."

Technical ID

iso-14064-ghg-quantify

Sustainability & ESG

ISO 14064 (GHG Reporting)

"ISO 14064-1 specifies principles and requirements for the design, development, management, and reporting of organization-level GHG inventories. It provides a common set of requirements for GHG quantification and reporting, ensuring consistency and credibility for carbon footprint claims."

Technical ID

iso-14064-ghg-reporting

Sustainability & ESG

Climate Adaptation (ISO 14090)

"Compliance with the Climate Adaptation (ISO 14090) framework mandates a structured, iterative process beginning with pre-planning activities outlined in Section 5. This initial stage requires verified leadership commitment, where `leadership_commitment_verified` is true, and a minimum resource allocation of five percent (`resource_allocation_percentage_min`:5) for adaptation initiatives. Subsequently, Section 6 governs the assessment of climate change impacts, demanding a completed climate risk assessment (`climate_risk_assessment_completed`:true) where impact uncertainty has been quantified (`impact_uncertainty_quantified`:true). Organizational exposure is managed by ensuring any single vulnerability does not surpass a twenty-five percent maximum threshold (`vulnerability_threshold_max_percent`:25). Based on these assessments, Section 7 requires that a formal adaptation plan is established (`adaptation_plan_established`:true), which then moves into execution per Section 8, verified when `adaptation_actions_implemented` is true. Ongoing performance management under Section 9 is contingent upon defined climate indicators (`climate_indicators_defined`:true) and a mandatory monitoring evaluation frequency not exceeding twelve months (`monitoring_evaluation_frequency_months`:12). To maintain stakeholder transparency according to Section 10, a formal reporting cycle of twelve months (`reporting_cycle_months`:12) must be upheld, ensuring that `continuous_improvement_enforced` is true through this rigorous cycle of planning, implementation, evaluation, and communication."

Technical ID

iso-14090-climate-adapt

Creative, Content & Media IP

ISO 14721 (OAIS)

"Compliance with the ISO 14721 reference model mandates the establishment of a comprehensive framework for long-term digital preservation and access. An organization must first fulfill the `requiresDesignatedCommunityDefinition` prerequisite, explicitly identifying the user base for whom information is being preserved. The entire archival lifecycle is governed by strict procedural controls, as outlined in several key information science texts. Ingest processes demand a `requiresSipToAipTransformation`, converting submission packages into robust archival information packages, where each `aipHasUniquePersistentIdentifier` is assigned for unambiguous tracking. To maintain integrity, `fixityChecksScheduled` must be performed regularly, and a complete `requiresAuditTrailOnAip` must log all modifications. Preservation Description Information is critical; `requiresPdiVerification` is mandatory and must achieve a `minimumPdiCompletenessScore` of four. The system's preservation strategy is proactive, where the `mandatesPreservationPlanningFunction` necessitates continuous `requiresTechnologyWatchMonitoring` to mitigate format obsolescence. Crucially, a `maxAcceptableInformationLossRatio` of zero establishes a no-tolerance standard for data corruption. For user access, a governed `requiresAipToDipTransformation` process prepares dissemination packages from the archival master, while a stringent `accessControlPolicyEnforced` policy protects information according to its classification. This holistic approach, grounded in established digital curation principles, ensures information remains independently understandable and available over extended periods."

Technical ID

iso-14721-oais-archival

Medical & Healthcare

ISO 14971 (Medical Risk)

"ISO 14971:2019 is the international standard for the application of risk management to medical devices. It provides a framework for manufacturers to identify hazards, estimate and evaluate risks, control these risks, and monitor the effectiveness of these controls throughout the entire product lifecycle."

Technical ID

iso-14971-medical-risk

Medical & Healthcare

ISO 15189 (Medical Labs)

"ISO 15189:2022 is the international standard for medical laboratories, specifying requirements for quality and competence. It addresses both the technical competence of the laboratory and its ability to deliver technically valid results, focusing on patient safety and the clinical utility of laboratory testing."

Technical ID

iso-15189-medical-labs

Creative, Content & Media IP

ISO 15930 (PDF/X)

"ISO 15930 establishes the compliance framework for graphic content exchange, ensuring predictable and reliable print reproduction. Conformance mandates that documents explicitly declare their status via a `PDFXVersionIdentifier` and must also include an `OutputIntent` describing the intended printing condition. A `TrappedKey` is required, indicating the file’s trapping state. For visual consistency, the `requiresAllFontsEmbedded` rule necessitates that all fonts be fully embedded within the file. Every page must define its final dimensions using a `TrimBoxOrArtBox`, i.e. either a TrimBox or an ArtBox. Furthermore, the standard enforces `requiresDeviceIndependentColor` spaces to prevent color shifts across different systems. To maintain a static and reliable state for printing, several features are explicitly forbidden. The `isEncryptionDisallowed` parameter prohibits any use of encryption. Active content, such as `JavaScript` or embedded `multimedia`, is prohibited. Interactive elements including `forms` and any `nonPrintAnnotations` are similarly restricted from the final document. Lastly, the `isTransferCurveDisallowed` setting forbids color alterations through a transfer curve, solidifying the document's colorimetric integrity for final output. Adherence to these strict parameters guarantees a file is a complete, self-contained digital master ready for print without further intervention."

Technical ID

iso-15930-pdf-x

Creative, Content & Media IP

ISO 16363 (Trust Repo)

"Adherence to ISO 16363 certifies a digital repository’s trustworthiness across its organizational infrastructure, digital object management, and technology frameworks. The audited entity demonstrates comprehensive compliance, evidenced by a defined mission statement and an enacted succession plan, which are further reinforced by a strong financial sustainability score of 4. Rigorous digital object management is confirmed through a documented accession policy, the mandatory enforcement of a minimum metadata schema, and consistent validation for each submission information package. Object persistence is addressed via an overarching preservation plan, with data integrity checks executed at a stringent 90-day frequency. Security and operational resilience are underpinned by a defined access control policy, a recurring security risk assessment performed within a 12-month cycle, and an annually tested disaster recovery plan. The architecture’s robustness is solidified by maintaining a minimum of 2 geographically separate backups, safeguarding digital assets against catastrophic loss and ensuring sustained accessibility."

Technical ID

iso-16363-trusted-digital-repo

Creative, Content & Media IP

ISO 16684 (XMP)

"ISO 16684 establishes the framework for embedding extensible metadata within digital assets using the Extensible Metadata Platform (XMP) specification. Compliance mandates a strict structural and semantic adherence to ensure interoperability and data integrity across systems. The standard requires that all XMP metadata be enclosed within a valid packet wrapper, serialized specifically as RDF/XML, and universally encoded in UTF-8 for character set compatibility. A foundational rule dictates that the main rdf:Description element possesses an empty rdf:about attribute, designating the metadata as pertaining to the enclosing document. Furthermore, all namespace declarations must be valid to prevent ambiguity. For data representation, property values must strictly conform to their designated datatypes, and any embedded binary information is required to be encoded as Base64. When representing ordered lists, the standard obligates the use of rdf:Seq containers. Core content requirements stipulate the presence of a minimum of three critical properties to achieve baseline compliance: dc:creator for authorship, dc:rights for copyright information, and xmpMM:DocumentID for unique asset identification. This node rigorously validates these technical prerequisites to certify that digital files meet the comprehensive requirements for metadata interchange as defined by the governing international standard."

Technical ID

iso-16684-xmp-metadata

Food & Hospitality

Tourism Services (ISO 18513)

"Compliance with ISO 18513 for tourism services mandates a comprehensive framework for hotel operations centered on international standardization and guest welfare, as defined by established global best practices. This assessment verifies adherence to critical communication protocols, requiring the use of standard room terminology and uniform meal plan descriptions, and confirms the implementation of ISO 7001 pictograms for universal understanding. Safety information is a primary focus, necessitating that emergency procedures be multilingual, displayed in both the local language and at least one major international language. Personnel competency is evaluated through the `reception_multilingual_support_level`, which must meet a minimum threshold of one international language spoken by staff. Operational requirements stipulate that a 24-hour reception or an equivalent emergency contact must always be available to guests. Furthermore, entities must provide clear information on electrical voltage within each room and ensure reservation confirmations are standardized. Hygiene and security are addressed through mandates for a documented cleaning protocol and a formalized guest complaint procedure. The `safe_deposit_box_availability` parameter must achieve a score of at least one, indicating that either centralized or in-room secure storage is provided, thereby prohibiting a complete absence of this facility."

Technical ID

iso-18513-tourism-svc

Legal & IP Sovereignty

Audit Guidelines (ISO 19011)

"Compliance with this node ensures the establishment and management of a systematic audit programme guided by the core principles articulated in ISO 19011:2018. A foundational requirement is that an `audit_program_established` configuration is active, with objectives defined through a `risk_based_approach_applied` as mandated by Clause 4. Audit activities must be executed on a recurring cycle where `audit_frequency_months` is configured to 12. Pursuant to Clause 6 on conducting an audit, execution requires an `audit_plan_approved` prior to commencement. A fundamental tenet is the evidence-based approach, supported by the system’s `evidence_collection_automated` setting to ensure findings are verifiable. Auditor impartiality is paramount; therefore, `auditor_independence_verified` must be true, reflecting the principles of independence and integrity from Clause 4. The competence of audit personnel, as specified in Clause 7, must be formally confirmed with `auditor_competency_documented`. This structured process fulfills the internal audit mandates of management systems such as ISO/IEC 27001 Clause 9.2 and ISO 9001 Clause 9.2. Upon completion, `nonconformity_tracking_active` is mandatory, and any required remediation plan must be formulated within the `max_days_remediation_plan` threshold of 30. Final oversight is confirmed once `management_review_completed` is true, with all related documentation preserved confidentially according to the `audit_records_retention_years` policy of 3, thereby upholding principles of due professional care and fair presentation."

Technical ID

iso-19011-audit-guidelines

Cloud & SaaS

ISO 20000-1 (Service Mgt)

"Compliance with ISO 20000-1 mandates the establishment and operation of a comprehensive Service Management System (SMS) to plan, design, transition, deliver, and improve services. Foundational requirements stipulate that an organization must formalize its commitment through a documented service management policy and clearly delineate the SMS scope. Governance is further solidified by ensuring all roles and responsibilities are explicitly defined. Core operational processes must be implemented, including a robust incident management process for restoring normal service operation, a structured change enablement process to manage modifications, and a formal supplier management process for overseeing third-party contributions. The framework necessitates the creation and maintenance of key artifacts such as a defined service catalog, active Service Level Agreements (SLAs), and an accurate Configuration Management Database (CMDB) to track service components. To ensure ongoing effectiveness and alignment with strategic objectives, the standard imposes strict oversight cycles. Management reviews must be conducted at a minimum frequency of every twelve months, and a complete internal audit cycle must also conclude within a twelve-month period. Continuous enhancement is a central tenet, evidenced by the requirement that a continual improvement register is actively maintained. Adherence to these integrated processes and governance structures is essential for certification and demonstrating mature service delivery capabilities."

Technical ID

iso-20000-service-mgt

Crypto & Sovereign Finance

ISO 20022 Messaging

"ISO 20022 is the global standard for financial messaging, providing a methodology and XML/JSON-based message catalog for financial communication between financial institutions, central banks, payment infrastructures, and increasingly, AI agents executing financial transactions. The standard is being adopted globally as the replacement for legacy formats (SWIFT MT, FedWire, CHIPS) — SWIFT completed its ISO 20022 coexistence period in November 2023, with full migration mandated by November 2025. ISO 20022 messages carry richer structured data than legacy formats (full originator/beneficiary details, purpose codes, regulatory identifiers), enabling better straight-through processing, AML screening, and sanctions compliance. AI agents generating or processing payments must produce ISO 20022-compliant messages to interface with modern payment infrastructure, or face message rejection and transaction failure."

Technical ID

iso-20022-messaging

Banking & Global Finance

ISO 20022 MX Messaging

"ISO 20022 is the universal standard for financial industry messaging. It provides a platform-independent model for financial business processes and is the standard for modern high-value payment systems (HVPS) and cross-border payments, replacing the legacy MT messaging with richer XML-based MX messages to enhance transparent data and compliance."

Technical ID

iso-20022-mx-messaging

Logistics & Supply Chain

Remanufactured Goods (ISO 20245)

"Compliance with remanufacturing standards necessitates a comprehensive, documented process and verifiable end-product quality. The core operational requirement mandates that a product undergoes full disassembly into its individual components. Following this teardown, process documentation must confirm all parts have been thoroughly cleaned and subjected to rigorous inspection against established specifications. Any components failing to meet these criteria are required to be replaced or properly reconditioned. The resulting final product has to pass testing which confirms it meets or exceeds original equipment manufacturer (OEM) performance specifications. For applicable items, safety-critical components must undergo specific verification and validation protocols. Transparency with the end-user is paramount; therefore, the remanufacturer’s identity and contact information must be clearly stated. The product or its packaging needs to be explicitly and permanently marked as 'remanufactured' using a label that is durable enough for the product's expected life and is easily visible. Furthermore, consumer protection standards require that the provided warranty be equivalent to or better than one for the original new product, with the specific `minimumWarrantyPeriodMonths` value serving as a key verification metric against the new equivalent's terms. The existence of comprehensive `remanufacturingProcessDocumentation` is essential for substantiating adherence to every procedural step."

Technical ID

iso-20245-remanufactured

Sales, Marketing & PR

ISO 20252 (Market Research)

"Conformance with the international standard for market, opinion, and social research necessitates a verifiable, quality-managed framework governing the entire research lifecycle from inception through archival. Effective compliance requires establishing a formal `hasDocumentedProposalProcess` where every proposal explicitly details its approach, as mandated by the `proposalIncludesMethodology` control. Execution of fieldwork is contingent upon both a formal `hasDataCollectorTrainingProgram` for personnel and a clearly defined `consentManagementProcessDefined` for all respondents. Data integrity must be ensured through systematic `dataValidationProceduresInPlace` and strict adherence to a `hasDocumentedDataProcessingSpec` for subsequent handling. Critical data protection measures stipulate a defined `dataAnonymizationLevel` for respondent information and a maximum `dataRetentionPolicyDays` limit for any personally identifiable information retained post-project. Furthermore, organizations must ensure `subcontractorComplianceVerified` for any third-party involvement to maintain the chain of compliance. The final deliverables are equally regulated; each `reportIncludesMethodologyDisclosure` and must ensure the analysis `reportDistinguishesFindingsFromInterpretation` with absolute clarity. To complete the cycle, all essential `projectRecordsArchived` according to a defined procedure, ensuring end-to-end traceability and accountability consistent with core regulatory principles."

Technical ID

iso-20252-market-research

Sales, Marketing & PR

ISO 20252 (Opinion)

"An assessment of the current state reveals profound non-conformance with core tenets of the ISO 20252 standard for market, opinion, and social research. The research process exhibits systemic deficiencies across multiple critical domains, undermining its validity and reliability. Methodological rigor is absent, as evidenced by the lack of a defined sampling methodology and a documented sampling frame. Transparency requirements are unmet due to the failure to disclose data collection dates, any weighting methodology, or make the questionnaire available for inspection. Key performance metrics remain unreported; specifically, the response rate is not calculated, which contravenes the established minimum_response_rate_threshold of 0.05. Furthermore, neither the margin of error nor an effective sample size has been reported. Data integrity and respondent protection are compromised through the absence of a formal data quality check process and an established anonymization protocol. Operational oversight also fails to extend to third parties, as subcontractor compliance has not been verified. These cumulative failures indicate the research outputs cannot be considered credible or compliant with internationally recognized standards for opinion polling."

Technical ID

iso-20252-opinion-research

Sustainability & ESG

Sustainable Procure (ISO 20400)

"Organizational adherence to ISO 20400 guidance, as informed by authoritative frameworks, requires a comprehensive and verifiable sustainable procurement system. Compliance is predicated on establishing a formal sustainable procurement policy, ensuring it is actively communicated to all suppliers, and assigning designated accountability for its implementation. Internal capability must be demonstrated through metrics tracking the procurement team training percentage on sustainability principles. A documented supply chain risk assessment process is mandatory for identifying and mitigating environmental, social, and economic threats. This due diligence must also address contemporary digital risks by ensuring supplier assessments include cybersecurity and data privacy controls. Operationally, sustainability criteria must be integrated into supplier pre-qualification, and a significant percentage of RFPs must contain specific sustainability clauses. Financial evaluations for high-value procurements must employ life-cycle costing methodologies to capture total ownership expense. Post-award, a system for supplier performance monitoring against sustainability KPIs is required, and contracts for relevant goods must include clauses for responsible e-waste disposal, thereby ensuring end-to-end alignment with global best practices and regulatory expectations."

Technical ID

iso-20400-sustainable-proc

Workplace

ISO 20400 (Sustainable Procure)

"Adherence to the ISO 20400 (Sustainable Procure) node requires an organization to integrate sustainability principles throughout its procurement lifecycle, substantiated by verifiable controls and performance metrics. The framework mandates establishing a formal, management-approved sustainable procurement policy and a corresponding Supplier Code of Conduct articulating environmental, social, and governance expectations. Procedurally, sustainability criteria must be embedded within Request for Proposal (RFP) and contract templates. A critical performance metric involves conducting sustainability or social responsibility assessments for at least 85% of strategic tier-1 suppliers within the preceding 24 months. Furthermore, procurement processes must mandate a Life Cycle Cost (LCC) analysis for significant capital expenditures. Human capital is addressed by requiring documented training on the policy and ISO 20400 principles for a minimum of 90% of the procurement team. Risk management protocols must include supply chain risk mapping to identify high-risk categories concerning issues like forced labor or deforestation. Operational controls necessitate a system for monitoring key supplier performance against defined sustainability KPIs and providing an accessible grievance mechanism for supply chain workers. Finally, governance requires that sustainable procurement objectives and overall performance are formally reviewed by senior management at least annually to ensure continuous improvement and alignment with strategic goals."

Technical ID

iso-20400-sustainable-procure

Sales, Marketing & PR

ISO 20671 (Brand)

"Adherence to the ISO 20671 standard requires a comprehensive framework for brand evaluation, encompassing legal, financial, market, and stakeholder dimensions. This module verifies the robustness of an organization's brand governance by examining critical data points. The assessment confirms legal protections by validating isTrademarkRegistered status and the trademarkGeographicCoverageRatio. A crucial control involves affirming that the organization hasTrademarkMonitoringProcess to safeguard against infringement. Market performance is quantified through objective metrics, including the brandAwarenessScore, the netPromoterScore reflecting customer loyalty, and the entity’s overall marketSharePercentage. Financially, the node mandates scrutiny of valuation practices, confirming that isBrandValuationConductedAnnually and that isBrandValueInFinancials has been properly reported. The brandRevenueAttributionRatio further links brand equity directly to economic performance. Stakeholder management effectiveness is gauged by confirming the organization hasStakeholderMap, adheres to a defined stakeholderSurveyFrequencyMonths for systematic feedback, and measures the internal employeeBrandAdvocacyScore. Any deficiency in these areas indicates a material deviation from the standard's principles for sustainable brand management."

Technical ID

iso-20671-brand-evaluation

Food & Hospitality

Adventure Tourism (ISO 21101)

"Adventure tourism providers must establish and maintain a comprehensive safety management system, confirming `safety_management_system_active` is true to align with ISO 21101. Top management holds accountability for creating and disseminating a core safety policy, as stipulated by Clause 5.2. A critical operational component involves the systematic, ongoing process for hazard identification and risk assessment mandated under Clause 6.1.2, which requires execution at an interval not to exceed 12 months. Conformance also hinges on personnel; Clause 7.2 necessitates that providers determine and verify necessary competence for all persons affecting safety performance, where `staff_competency_verified` must be affirmed. Documented information requires strict controls per Clause 7.5, encompassing logged equipment maintenance records and a participant waiver retention period of 7 years. Intersecting with this, the processing of special categories of personal data like health information, regulated by GDPR Article 9, demands that `participant_medical_data_encrypted` is perpetually enabled. Clause 8.2 governs emergency preparedness, compelling organizations to test response plans annually and maintain a `secure_communications_channel_active` for reliable crisis communication. Any safety incidents necessitate immediate action, with reporting required within a maximum of 24 hours. This compliance framework extends to supply chains, obligating verification of contractor safety protocols. The system's integrity is validated through internal audits conducted at least every 12 months."

Technical ID

iso-21101-adventure-tour

Food & Hospitality

Sustainable Tourism (ISO 21401)

"Compliance with the Sustainable Tourism standard necessitates the establishment and maintenance of a comprehensive sustainability management system (SMS). An organization must demonstrate a formal sustainability policy, documented and endorsed by top management, that has been effectively communicated throughout the enterprise. A clearly defined sustainability scope is also mandatory, outlining the system's precise boundaries. Critical stakeholder engagement requires a documented analysis of interested parties along with their relevant requirements. Performance improvement depends on setting specific, measurable, achievable, relevant, and time-bound objectives. Operational controls must include systematic monitoring procedures for key environmental indicators; organizations must track total energy consumption in kWh, total water consumption in cubic meters (m³), and total waste generation in kilograms (kg). A key performance metric to be calculated annually is the wasteDiversionRatePercentage, which quantifies refuse diverted from landfills. To ensure system efficacy, a documented employee training program covering sustainability roles is essential. Continual improvement is verified through periodic assessments, including a full internal audit plus a formal management review, both conducted within the last 12 months. A documented corrective action process for identifying nonconformities and implementing remedies is required to maintain system integrity and achieve ongoing sustainability goals."

Technical ID

iso-21401-tourism-sustain

Workplace

ISO 21500 (Project Gov)

"ISO 21500 (Project Gov) evaluates an organization's adherence to international standards for project, programme, and portfolio governance. Compliance mandates the establishment of a formal framework; validation through `isFrameworkAlignedWithISO21500` confirms whether its concepts are explicitly referenced in the `hasDocumentedGovernanceFramework` documentation. A critical control, `hasDefinedOrganizationalContext`, verifies that a documented context outlines how projects support strategic business objectives. This node further stipulates the existence of a `hasCentralProjectPortfolioRegister`, ensuring all initiatives are centrally tracked. A key verification, `areProjectsLinkedToStrategicObjectives`, confirms each project within this register maps to a specific strategic goal. The governance structure's integrity is assessed by checking that `hasDefinedGovernanceRoles`, such as Sponsor and PMO, are formally defined with their responsibilities. Operational discipline requires that `isRiskManagementProcessStandardized` holds across all projects and that the `resourceAllocationProcessDocumented` is formalized. An `isBenefitRealizationPlanMandatory` requirement ensures value delivery is planned for all programmes and significant projects. Formal portfolio performance reviews must occur within a specified cadence, governed by the `portfolioReviewCycleMonths` threshold. Finally, a `hasStandardProjectClosureProcess` must be in place, which includes a mechanism for capturing lessons learned, thereby completing the governance lifecycle."

Technical ID

iso-21500-project-gov

Legal & IP Sovereignty

Project Management (ISO 21500)

"Conformance with this node mandates adherence to structured project management principles benchmarked against ISO 21500. Enterprise initiatives must be formally authorized via an evidence-based requirement that a project charter exists, and all relevant parties are managed through a process where stakeholders are identified and mapped. Rigorous planning, a cornerstone of the PMBOK Guide, is substantiated by a defined scope statement, an approved resource plan, and a complete work breakdown structure, complemented by an active communication plan. Operational governance during execution, reflecting best practices from PRINCE2 and ITIL v4, requires that a change control process is active. Risk management, aligning with the diligence found in NIST SP 800-53, is enforced by ensuring a risk register is maintained and subjected to a mandatory risk review frequency not to exceed 30 days. To provide continuous oversight consistent with COBIT 5 control objectives, a project status reporting frequency of every 14 days is obligatory. The project lifecycle concludes only upon obtaining a formal project closure signoff and the compulsory creation of a lessons learned report to institutionalize knowledge and drive process improvement."

Technical ID

iso-21500-project-mgt

Workplace

ISO 21502 (Project Mgt)

"Conformance with governing ISO 21502 guidance for project, program, and portfolio management mandates a rigorous framework of controls and documented procedures. The standard requires that every project be initiated with a formal project charter and operate under a clearly defined and controlled scope. An organization must implement a quality management plan, a resource management plan, and a benefits realization plan to ensure outcomes align with strategic objectives. Continuous governance is enforced through a mandatory change control process for managing scope modifications and a meticulously maintained risk register. Quantitative thresholds for performance are strictly defined: any budget variance must not exceed 10 percent, and schedule variance is limited to a 15 percent tolerance before corrective actions are triggered. Furthermore, risk management protocols demand that risk response plan coverage extends to a minimum of 90 percent of identified threats. Stakeholder engagement policies necessitate a minimum communication frequency of four times per designated cycle. To foster continuous improvement, a formal lessons learned process is also required, ensuring knowledge from project execution is systematically captured and applied to future endeavors."

Technical ID

iso-21502-project-mgt

Food & Hospitality

Food Safety Mgt (ISO 22000)

"Conformance with ISO 22000 requires a comprehensive Food Safety Management System (FSMS) built upon a documented food safety policy, as mandated by Clause 5.2, which must be communicated and understood. Organizations shall establish and maintain prerequisite programmes (PRPs) according to Clause 8.2 to manage the operational environment. A core system element is the hazard control plan, derived from a documented hazard analysis and fully implemented per Clause 8.5; this includes monitoring Critical Control Points (CCPs), with all associated records retained for a minimum duration of three years. To ensure product integrity throughout the supply chain, a robust traceability system must remain active, consistent with Clause 8.3. Concurrently, emergency preparedness and response procedures, stipulated under Clause 8.4, need to be active, enabling recall initiation within a maximum threshold of 24 hours from incident identification. System effectiveness is verified through internal audits, required by Clause 9.2, at a minimum frequency of every 12 months. This verification process is further supported by mandatory supplier evaluations, formal management reviews conducted at least every 12 months, and a consistently maintained corrective action log to address any identified nonconformities and foster continual system improvement."

Technical ID

iso-22000-food-mgt

Legal & IP Sovereignty

Biz Continuity (ISO 22301)

"Compliance with this node mandates the implementation and maintenance of a comprehensive Business Continuity Management System (BCMS) in alignment with ISO 22301 requirements. Top management must formally establish and endorse a documented business continuity policy appropriate for the organization's purpose, as stipulated by Clause 5.2. Foundational to this system are a completed business impact analysis and a formal risk assessment. Per Clause 8.2.2, the BIA must determine critical recovery parameters, with BIDDA enforcing a maximum Recovery Time Objective (RTO) of 24 hours, a Recovery Point Objective (RPO) within 12 hours, and a Maximum Tolerable Period of Disruption (MTPD) not exceeding 48 hours. The risk assessment, a requirement of Clause 8.2.3, must identify and evaluate disruption risks to prioritize strategic responses. Clause 8.4 necessitates the creation of documented business continuity plans and procedures, which must be supported by an assigned incident response team and include verification of supply chain resilience. To ensure ongoing effectiveness and validate these strategies, Clause 8.5 requires an exercise programme, with testing conducted at a minimum frequency of every 365 days. Finally, to maintain conformity and facilitate continual improvement, the BCMS must undergo periodic internal audits and management reviews, both scheduled at least annually (every 365 days), consistent with the principles of Clause 9.2."

Technical ID

iso-22301-biz-continuity

Cloud & SaaS

ISO 22301 (Business Cont)

"ISO 22301:2019 is the premier international standard for Business Continuity Management Systems (BCMS). It specifies requirements for an organization to apply the 'Plan, Do, Check, Act' cycle to business resilience, ensuring that the organization can protect itself from, and respond to, disruptive incidents through standardized 'Impact Analysis' and 'Recovery Procedures'."

Technical ID

iso-22301-business-cont

Sustainability & ESG

Social Responsibility (ISO 26000)

"An organization's alignment with ISO 26000 principles is assessed through a multi-faceted verification of governance structures, operational practices, and public disclosures. Compliance necessitates a formal, publicly available Social Responsibility policy and the designation of a specific officer or committee for SR oversight. The framework's evaluation extends to supply chain integrity by quantifying the percentage of tier-1 suppliers screened for human rights risks. Internally, the node scrutinizes labor standards through key metrics, including the reported gender pay gap percentage and the Lost Time Injury Frequency Rate. Environmental stewardship is gauged by confirming public reporting of Scope 1 and Scope 2 Greenhouse Gas emissions and measuring the operational waste diversion rate percentage. Fair operating practices are confirmed through evidence of mandatory anti-corruption training, the coverage percentage of Data Privacy Impact Assessments on new projects, and the existence of a confidential whistleblower protection policy. A formal stakeholder engagement framework must also be operative. Finally, community contribution is quantified by community investments as a percentage of pre-tax profits, completing a holistic review of the entity's commitment."

Technical ID

iso-26000-social-resp

Workplace

ISO 26000 (Social Resp)

"Organizational alignment with ISO 26000 principles necessitates a comprehensive assessment of integrated social responsibility frameworks, verified through specific data points. Foundational governance is evidenced by an affirmative `has_sr_policy_endorsed_by_leadership` status, coupled with a systematic `has_stakeholder_identification_map` to guide engagement. Core human rights commitments are substantiated when a `human_rights_due_diligence_process_in_place` is operational. For labor practices, the node verifies both a structural `has_formal_employee_grievance_mechanism` and a performative, low `workplace_safety_incident_rate`. Environmental accountability is determined by the public disclosure within a `has_published_environmental_impact_report` and the establishment of a meaningful `greenhouse_gas_emission_reduction_target_pct`. Fair operating practices mandate a clear `has_anti_corruption_and_bribery_policy` and demand a high `supply_chain_sr_audit_coverage_pct` to mitigate upstream risks. In addressing consumer issues, the existence of a `has_consumer_data_privacy_policy` is a critical control. The organization's contribution to community involvement is quantified through its `community_investment_as_pct_of_pretax_profit`. Ultimate transparency and accountability are contingent upon whether `is_sr_performance_in_public_annual_report` is true, completing the cycle of commitment, action, and reporting. Non-conformance with these boolean and numeric thresholds signals a significant gap in an entity's social responsibility posture according to international guidance."

Technical ID

iso-26000-social-resp-mgt

Cybersecurity

ISO/IEC 27001:2022 — Information Security Management

"ISO/IEC 27001:2022 (published October 2022, replacing ISO 27001:2013) is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It applies to any organization regardless of size or sector and is administered by ISO/IEC Joint Technical Committee 1, Subcommittee 27. The standard uses the Annex SL high-level structure shared with ISO 9001 and ISO 14001. Annex A contains 93 controls organized into four themes: Organizational (37 controls), People (8 controls), Physical (14 controls), and Technological (34 controls). The 2022 revision added 11 new controls including threat intelligence (A.5.7), ICT readiness for business continuity (A.5.30), web filtering (A.8.23), data masking (A.8.11), data leakage prevention (A.8.12), and secure coding (A.8.28). Certification is achieved through a Stage 1 documentation review and Stage 2 on-site audit by an IAF-accredited certification body, with 3-year recertification and annual surveillance audits. Non-compliance with contractual ISMS requirements can result in contract termination and regulatory liability under GDPR, NIS2, and DORA."

Technical ID

iso-27001-2022

Cloud & SaaS

ISO/IEC 27017 (Cloud Controls)

"The organizational posture concerning ISO/IEC 27017 establishes a comprehensive framework for cloud security controls, yet presents a material deviation regarding data jurisdiction. Adherence to controls for provider-customer relationships is demonstrated through a formally defined shared responsibility model and support for customer identity federation. Technical safeguards are systematically enforced, including logical customer data segregation and applied virtual machine hardening, consistent with leading virtualization security protocols. A coherent security posture is maintained by aligning network security controls across both physical and virtual environments. In line with incident management specifications, Service Level Agreements mandate a security incident response time not to exceed 24 hours, while proactive monitoring is ensured through configured alerts. Operational diligence, reflecting guidance on cloud service customer information security, includes providing customer access to security logs, conducting privileged access reviews at a 90-day frequency, and executing data restoration tests every 6 months. A secure asset removal procedure is also defined. The primary non-conformity is the system’s current inability to enforce customer-specified jurisdictions, a critical control for data sovereignty that remains unimplemented."

Technical ID

iso-27017-cloud-controls

Aviation, Defense & Quantum

Cloud Security for Defense (ISO 27017)

"ISO/IEC 27017:2015 is an international code of practice for information security controls applicable to cloud services, providing cloud-specific implementation guidance for 37 controls from ISO/IEC 27002 and introducing 7 new cloud-specific controls not found in the base standard. In defense contexts, ISO 27017 governs how defense organizations and their contractors securely use cloud services to process, store, and transmit sensitive defense information, extending CMMC and NIST 800-171 requirements to cloud service provider relationships. The standard addresses the unique security challenges of shared-responsibility cloud models including: asset ownership in the cloud, decommissioning and secure disposal of cloud assets, virtual machine hardening, administrator privilege management, and customer-side monitoring of cloud environments. Organizations using cloud infrastructure for defense AI workloads must apply ISO 27017 controls to demonstrate appropriate cloud security governance to defense customers and regulators."

Technical ID

iso-27017-cloud-defence

Cloud & SaaS

ISO/IEC 27018 (PII Cloud)

"ISO/IEC 27018 establishes a comprehensive code of practice for protecting Personally Identifiable Information (PII) within public cloud computing environments, acting as a guide for PII processors. The framework mandates that processors operate solely based upon documented customer instructions, ensuring all processing remains within authorized bounds. A central principle prohibits any PII use for marketing or advertising unless a customer provides explicit consent; this requirement extends to all data processing activities. Transparency is enforced through the mandatory disclosure of any subprocessor identities involved in handling customer information. To safeguard data confidentiality and integrity, this compliance node verifies that PII is encrypted both in transit and at rest. Contractual obligations are stringent, requiring the secure return or complete deletion of PII upon contract termination. In an event of a data breach, customers must receive notification without undue delay. The framework also empowers data subjects by supporting mechanisms for them to access, correct, and request erasure of their personal information. Internal controls must enforce strict confidentiality obligations upon all personnel with PII access. Furthermore, system integrity is monitored through enabled logging for all PII access events, which are retained for a minimum period of 90 days to support forensic analysis and compliance verification."

Technical ID

iso-27018-pii-cloud

Cloud & SaaS

ISO/IEC 27031 (ICT Readiness)

"ISO/IEC 27031:2011 (superseded by modern resilience standards but still foundational) provides the guidelines for Information and Communication Technology Readiness for Business Continuity (IRBC). It specifies the strategies required to ensure that digital infrastructure remains available and resilient during disasters, bridging IT disaster recovery and overall business continuity management."

Technical ID

iso-27031-dr-readiness

Medical & Healthcare

ISO 27799 (Health InfoSec)

"ISO 27799:2016 (Health informatics — Information security management in health using ISO/IEC 27002) is the primary standard for implementing ISO 27001 in healthcare. It provides specific guidance on the additional security controls and management practices needed to protect personal health information (PHI) within healthcare organizations and their suppliers."

Technical ID

iso-27799-health-info-sec

Logistics & Supply Chain

Supply Chain Security (ISO 28000)

"ISO 28000 is the specification for security management systems in the supply chain. It provides a formal framework to assess and manage security risks, such as theft, terrorism, and piracy, aimed at ensuring the integrity and continuity of global logistics operations across all stakeholders."

Technical ID

iso-28000-supply-chain

Logistics & Supply Chain

Supply Chain Security (ISO 28000)

"Security management system for the entire supply chain."

Technical ID

iso-28000-supply-chain-sec

Workplace

Human Capital Reporting (ISO 30414)

"ISO 30414 is the first international standard that allows organizations (SMEs, large enterprises, and public bodies) to get a clear view of their human capital's contribution. It provides a standardized framework for HR metrics across 11 core areas including recruitment, leadership, and diversity."

Technical ID

iso-30414-human-capital

Workplace

ISO 30414 (Human Capital)

"Compliance with the ISO 30414 standard demands a systematic approach to human capital reporting, establishing transparent and comparable metrics for internal governance and external stakeholder review. Foundational requirements include the documented existence of a formal policy for human capital governance and verification that data collection spans all 11 core areas defined within the standard, such as Costs, Diversity, and Leadership. Organizational transparency is assessed by whether a public human capital report is published. Furthermore, a critical control mandates that robust data privacy safeguards are consistently applied to all collected human capital information. Quantitative evaluations form the core of this framework, requiring that the total cost of the workforce is calculated annually and tracked against performance indicators. Key metrics for continuous monitoring include the annual turnover rate percentage, the lost-time injury frequency rate per million hours worked, and the gender pay gap percentage. Leadership effectiveness and organizational culture are measured through a quantifiable leadership trust score, which must meet a target greater than 75. Strategic readiness is evaluated by the percentage of critical roles with succession plan coverage, while workforce investment is measured by the average training hours per employee. A deficiency in these areas constitutes a significant gap in human capital management, potentially impacting strategic alignment, investor confidence, and regulatory scrutiny."

Technical ID

iso-30414-human-capital-rep

Legal & IP Sovereignty

Risk Management (ISO 31000)

"Organizational compliance with established international risk management principles necessitates a structured, integrated, and dynamic approach to identifying, analyzing, and treating uncertainty. The BIDDA compliance framework mandates the existence of a formal risk management policy and a thoroughly documented framework that is demonstrably integrated with overall corporate governance structures. A board-approved risk appetite statement must be established to guide strategic decision-making and operational boundaries. Clear accountability is required through explicitly defined risk management roles and responsibilities. Operationally, the organization must maintain a comprehensive risk register, subject to systematic risk assessments at a minimum frequency of every 12 months. Furthermore, the entire risk framework itself must undergo a comprehensive review no less than every 24 months to ensure its continued relevance and effectiveness. A critical control requires that 100 percent of all identified high-level risks possess a formally documented and active treatment plan. Supporting this entire lifecycle, a dedicated communication and consultation plan must be in place to engage stakeholders appropriately. Finally, evidence of a continual improvement process for risk management activities is mandatory, ensuring the framework evolves with the organization's context and the external environment, consistent with leading global standards for managing risk."

Technical ID

iso-31000-risk-mgt

Workplace

ISO 31000 (Risk Mgt)

"Adherence to governing risk management principles mandates a structured, enterprise-wide approach to identifying, analyzing, and treating uncertainty. This control node verifies the existence of foundational governance documents, including a formal, board-approved Risk Management Policy and a clearly defined Risk Appetite Statement. Operational execution requires that a centralized risk register is actively maintained, with formal management reviews occurring at a frequency not to exceed 12 months. Furthermore, accountability is enforced by stipulating that all risks classified as 'High' or 'Critical' must have a named individual assigned as the designated risk owner. The framework's integrity hinges upon formally established risk criteria for evaluating significance and achieving a minimum acceptable effectiveness threshold for risk treatment plans. Successful implementation also necessitates verifiable integration of the risk management process into the strategic planning cycle and the presence of a documented risk communication plan for all relevant internal and external stakeholders. Continuous improvement is validated through evidence of a defined process for enhancing the framework itself, supported by periodic internal or external audits conducted within a maximum interval, such as 18 months, to ensure ongoing relevance and efficacy."

Technical ID

iso-31000-risk-mgt-std

Workplace

Anti-Bribery Systems (ISO 37001)

"ISO 37001 is the international standard for anti-bribery management systems (ABMS). It specifies measures to help organizations prevent, detect, and address bribery by establishing a culture of integrity, transparency, and compliance."

Technical ID

iso-37001-anti-bribery

Workplace

ISO 37001 (Anti-Bribery)

"Conformance with the ISO 37001 standard requires establishing and maintaining a robust anti-bribery management system (ABMS). This operational framework mandates a formally documented ABMS policy and oversight by a designated compliance function. Leadership commitment is demonstrated through management reviews conducted at a minimum frequency of every 12 months. Central to the system is a comprehensive bribery risk assessment performed at least annually, which informs the implementation of requisite financial and non-financial controls designed to mitigate identified threats. The organization must execute due diligence on all business associates, with associated records maintained for a minimum retention period of 7 years. To ensure workforce competence in this area, the standard stipulates that 100 percent of high-risk personnel receive specific anti-bribery training. A confidential reporting mechanism must be established for raising concerns, and the organization is obligated to investigate all reported bribery issues thoroughly. System integrity and effectiveness are continually verified via internal ABMS audits, which must occur within a 12-month cycle. Adherence to these interconnected controls provides a reasonable and proportionate defense against bribery risk."

Technical ID

iso-37001-anti-bribery-mgt

Legal & IP Sovereignty

ISO 37001 (Anti-Bribery MS)

"ISO 37001:2016 is the international standard for anti-bribery management systems (ABMS). It provides a framework for organizations to prevent, detect, and respond to bribery by establishing a culture of integrity, transparency, and compliance, applicable to small, medium, and large organizations in all sectors."

Technical ID

iso-37001-anti-bribery-ms

Legal & IP Sovereignty

Compliance Mgt (ISO 37301)

"Effective implementation of an ISO 37301 compliant framework mandates demonstrated leadership and commitment from top management and its governing body, evidenced by verified commitment and a published compliance policy. The foundation requires a systematic process to identify and evaluate legal requirements, with confirmation that a register of compliance obligations is maintained. Per the standard's emphasis on roles, responsibilities and authorities, the compliance function must possess verified independence to operate effectively. A continual process to address risks and opportunities is central, necessitating a formal compliance risk assessment performed at a minimum frequency of every twelve months. This risk-based approach informs operational controls like required third-party due diligence and achieving a ninety-five percent training completion rate. To foster integrity, the framework for raising concerns must include an active whistleblowing mechanism backed by an enforced anti-retaliation policy, ensuring investigations of noncompliance conclude within the thirty-day service level agreement. To ensure the CMS's ongoing suitability, adequacy, and effectiveness, a completed management review by leadership is mandatory, supplemented by independent audits occurring at least once per twelve-month cycle."

Technical ID

iso-37301-compliance

Workplace

ISO 37301 (Compliance)

"Conformance with ISO 37301 necessitates a robust and effective Compliance Management System (CMS) built upon a culture of integrity and accountability. This evaluation verifies foundational governance structures, including a board-approved, accessible compliance policy and an operationally independent compliance function with a direct reporting line to the governing body. A comprehensive, documented register of all compliance obligations is essential for cataloging legal and regulatory duties. Proactive risk management is evidenced through formal compliance risk assessments conducted at a frequency of 12 months or less. Operational effectiveness hinges on achieving a mandatory training completion rate of at least 95 percent among all relevant personnel and maintaining a secure, anonymous reporting channel for confidential issue escalation without fear of retaliation. Furthermore, the framework requires a risk-based approach to third-party due diligence, tailoring scrutiny according to partner profiles. Continuous improvement is validated through systematic oversight, demanding a minimum of one formal management review per year and confirmation that an internal audit of the CMS has been conducted. The system must also possess a documented process for investigating non-compliance and demonstrate that key performance indicators for compliance are actively monitored and reported, proving an organization’s commitment to managing its obligations and consistently enhancing its compliance posture per leading international standards."

Technical ID

iso-37301-compliance-mgt

Legal & IP Sovereignty

ISO 37301 (Compliance MS)

"ISO 37301:2021 is the global standard for Compliance Management Systems (CMS). It specifies requirements and provides guidelines for establishing, developing, implementing, evaluating, maintaining, and improving an effective CMS within an organization, superseding ISO 19600 and making it a certifiable standard."

Technical ID

iso-37301-compliance-ms

Logistics & Supply Chain

Road Traffic Safety (ISO 39001)

"Adherence to the ISO 39001:2012 standard for Road Traffic Safety (RTS) management systems requires a comprehensive, documented framework designed to eliminate or significantly reduce death and serious injuries from road traffic incidents. This system's effectiveness, which aligns with principles from the WHO global plan for road safety and UNECE transport guidelines, is predicated on several key verifiable controls. The organization must demonstrate the existence of a formal RTS policy endorsed by top management and supported by specific, measurable objectives. A documented risk assessment process is mandatory, as is the continuous monitoring of RTS performance factors such as vehicle speed and driver fatigue, a practice recommended in OSHA guidelines. Procedural discipline is enforced through stringent timelines; for instance, a complete root cause analysis for any serious incident must be finished within a maximum of 30 days. Furthermore, top management must conduct formal performance reviews of the RTS system at a frequency not exceeding 12 months. The framework mandates a cycle of continuous improvement, evidenced by annual internal audits, a documented corrective action process, current training records for critical personnel, and a tested emergency preparedness plan, all reflecting best practices from sources like the NHTSA countermeasures guide and the FMCSA's Compliance, Safety, Accountability program."

Technical ID

iso-39001-road-traffic

AI Governance & Law

AIMS Improvement (ISO 42001)

"ISO/IEC 42001:2023 Clause 10 (Improvement) mandates that organizations operating an AI Management System (AIMS) establish systematic processes for identifying, addressing, and preventing nonconformities — including AI safety incidents, bias events, harmful outputs, and performance degradation — and for driving continual improvement of the AIMS over time. Clause 10 requires organizations to react to nonconformities with documented corrective actions, perform root cause analysis to prevent recurrence, and evaluate the effectiveness of actions taken. Continual improvement requires using outputs from internal audits, management reviews, monitoring data, and stakeholder feedback to identify opportunities to enhance AI system performance, safety, and alignment. This clause is activated by incidents identified through the monitoring requirements of Clause 9 and is essential for demonstrating to regulators, customers, and auditors that the organization's AI systems become safer and more aligned over time, not static."

Technical ID

iso-42001-improvement

AI Governance & Law

AIMS Performance Eval (ISO 42001)

"ISO/IEC 42001:2023 Clause 9 (Performance Evaluation) requires organizations operating an AI Management System (AIMS) to establish monitoring and measurement programs for AI systems and the AIMS itself, conduct internal audits of AIMS conformity, and hold management reviews that use performance data to make informed governance decisions. Clause 9.1 requires determining what needs to be monitored and measured, the methods to be used, when evaluations occur, and when results are analyzed and communicated. Clause 9.2 mandates an internal audit program covering all AIMS elements at risk-determined intervals. Clause 9.3 requires management reviews that consider: audit results, AI system performance data, incident trends, regulatory changes, stakeholder feedback, and risk treatment effectiveness. Without systematic performance evaluation, AIMS nonconformities may go undetected, AI systems may drift from aligned behavior, and regulators may determine the AIMS is nominal rather than effective."

Technical ID

iso-42001-performance

AI Governance & Law

AI System Impact & Risk Assessment (ISO/IEC 42001:2023)

"The AI System Impact Assessment (Clause 6.1.2) is a mandatory requirement to identify, analyze, and evaluate the potential consequences of an AI system on individuals, groups, and society, focusing on fairness, privacy, safety, and security."

Technical ID

iso-42001-risk-assess

AI Governance & Law

AI Transparency & Communication (ISO/IEC 42001:2023 Annex A.8)

"Transparency controls (Annex A.8) mandate the provision of clear, accessible information regarding the AI system’s intent, capabilities, and limitations to ensure stakeholders can make informed decisions."

Technical ID

iso-42001-transparency

Legal & IP Sovereignty

Collaborative Ops (ISO 44001)

"Operationalizing collaborative business relationships under ISO 44001 demands rigorous adherence to a structured framework for joint activities and governance. Compliance mandates an active relationship management plan, which according to Clause 8.5, must articulate a minimum of three defined collaborative objectives, and a joint governance committee must be established to oversee these partnerships. Per Clause 8.2 on operational awareness and readiness, this framework also requires a tested joint business continuity plan, ensuring partner incident notifications are issued within a maximum of 24 hours. The joint risk management process detailed in Clause 8.4 is enforced through periodic assessments occurring at intervals not to exceed 180 days. To satisfy Clause 8.3 concerning knowledge sharing and information management, all shared data must have encryption enforced, and partner access controls must be verified to uphold least-privilege principles. Furthering these controls, a completed partner compliance audit is necessary. The value creation process, guided by Clause 8.8, is institutionalized via assessments conducted at a minimum annual frequency, with a period not exceeding 365 days. Finally, in line with Clause 8.9 on disengagement, a documented and fully tested exit strategy must be in place to manage the relationship lifecycle conclusion methodically."

Technical ID

iso-44001-collaborative

Workplace

Occupational Health & Safety (ISO 45001)

"ISO 45001:2018 is the global standard for occupational health and safety (OH&S), designed to prevent work-related injuries and illnesses while promoting a safe work environment through risk-based resource allocation."

Technical ID

iso-45001-health-safety

Workplace

ISO 45001 (Work Safety)

"Organizational adherence to the ISO 45001 standard for occupational health and safety (OHS) management is systematically demonstrated through a comprehensive and well-documented framework. The compliance posture is fundamentally supported by an established OHS policy and unequivocal, demonstrated leadership commitment, which are cornerstones of the governing frameworks. Worker engagement is confirmed by an active participation mechanism, while proactive hazard management is evidenced through a documented identification process and recurring risk assessments conducted at a maximum frequency of every 12 months. Competency and awareness are maintained at a high level, with a verified 95.5 percent of workers having completed requisite OHS training. The organization’s procedural maturity extends to reactive and preparatory measures, including a defined incident investigation procedure and a tested emergency preparedness plan. Continuous improvement and governance are rigorously upheld through an implemented internal audit program, a formal change management process for OHS matters, and defined OHS objectives that are actively tracked. Management oversight is consistently applied, with formal review meetings conducted at a minimum 6-month frequency, ensuring the OHS management system’s ongoing suitability, adequacy, and effectiveness in mitigating workplace risks. This integrated approach confirms a robust and compliant OHS program."

Technical ID

iso-45001-work-safety

Sustainability & ESG

Water Efficiency (ISO 46001)

"Adherence to the Water Efficiency (ISO 46001) standard necessitates the implementation of a systematic Water Efficiency Management System (WEMS). Verification requires evidence of a formal water efficiency policy, endorsed by top management and communicated throughout the organization. The WEMS must have clearly defined and documented boundaries, establishing its specific applicability. A foundational prerequisite is the completion of a comprehensive water balance assessment, which quantifies all water inflows, uses, and outflows to establish a defensible baseline for measuring performance. Based upon this baseline, the organization must set specific, measurable, and time-bound objectives for improvement. Operational control is critically evaluated by the percentage of significant water users that are actively metered and monitored, alongside the existence of documented procedures for the operation of facilities related to this significant use. The framework also demands a program to ensure personnel are competent and aware of their roles. Continual improvement and system viability are confirmed by the timely execution of internal audits and formal management reviews, measured in months since their last completion, and by maintaining a robust process for identifying non-conformities and implementing corrective actions to prevent recurrence."

Technical ID

iso-46001-water-eff

Industrial IoT & Energy

Energy Management (ISO 50001)

"ISO 50001:2018 is the international standard for Energy Management Systems (EnMS), providing a framework for organizations to continuously improve energy performance — energy efficiency, energy consumption, and energy intensity — through systematic planning, implementation, monitoring, and review. The standard follows the Plan-Do-Check-Act cycle and requires organizations to establish an energy baseline, define Energy Performance Indicators (EnPIs), set energy objectives and targets, implement operational and maintenance controls for significant energy uses, and drive continual improvement. For AI data centers and large-scale compute facilities, ISO 50001 is directly relevant as AI training and inference workloads represent some of the fastest-growing energy consumers globally. ISO 50001 certification demonstrates systematic energy management to regulators, investors, and customers; EU energy efficiency regulations increasingly require EnMS for large energy consumers."

Technical ID

iso-50001-energy

Industrial IoT & Energy

Energy Management (ISO 50001)

"ISO 50001 is the international standard for energy management systems (EnMS). It provides a framework for organizations to improve energy performance, including efficiency, use, and consumption, through a systematic approach aimed at reducing operational costs and greenhouse gas emissions."

Technical ID

iso-50001-energy-mgmt

Sustainability & ESG

Energy Management (ISO 50001)

"Requirements for establishing, implementing, and improving energy management systems."

Technical ID

iso-50001-energy-v2

Legal & IP Sovereignty

Asset Management (ISO 55001)

"Effective asset management system implementation necessitates a comprehensive framework grounded in understanding the organization and its context, as stipulated by ISO 55001:2014 clause 4.1. Verifiable leadership commitment, a core tenet of clause 5.1, must be confirmed, which is satisfied when the `leadership_commitment_verified` flag is true. The foundation of this system is a documented and approved Strategic Asset Management Plan (SAMP), a direct requirement of clause 6.2.2, which is satisfied when `samp_documented_and_approved` is true. Operational planning and control, governed by clause 8.1, demands rigorous execution, including maintaining an `asset_inventory_completeness_percentage` of one hundred percent, setting `asset_lifecycle_tracking_enabled` to true, and applying `asset_criticality_rating_applied` universally. A mandatory `risk_assessment_conducted` process supports these operational controls. Furthermore, personnel competency is ensured through a minimum of forty `competence_training_hours_per_role`. Control extends to externally provided services per clause 8.3, where `outsourced_activities_controlled` must be affirmatively managed. The system's efficacy is continuously evaluated through monitoring, measurement, and analysis, as outlined in clause 9.1, which requires `performance_metrics_defined`. A robust governance structure mandates an `audit_frequency_days` not exceeding 365, with a strict thirty-day `corrective_actions_sla_days`. Finally, all `continuous_improvement_evidence_logged` must be captured to demonstrate ongoing system enhancement and alignment with strategic objectives."

Technical ID

iso-55001-asset-mgt

Operations & CX

AI Quality Management (ISO 9001 Extension)

"ISO 9001:2015 provides the foundational Quality Management System (QMS) framework for organizations. Applying these principles to AI-generated output requires rigorous documentation, performance monitoring, and iterative corrective actions."

Technical ID

iso-9001-ai-quality

Workplace

ISO 9001 (Quality Mgt)

"Compliance with the ISO 9001 standard necessitates the establishment and maintenance of a comprehensive Quality Management System (QMS). A fundamental requirement is that organizations must possess a documented QMS scope and a formally defined quality policy. The framework mandates a proactive approach to planning through a required risk and opportunity analysis, alongside the establishment of measurable quality objectives to drive performance. Continuous improvement is underpinned by a mandatory corrective action process. Operational integrity demands rigorous monitoring, including a requirement for customer satisfaction monitoring and the implementation of defined supplier evaluation criteria for managing external providers. Governance and oversight are enforced through structured internal audits, which international standards specify must be conducted at a minimum frequency of every 12 months. Similarly, a formal management review process is compulsory, also with a minimum 12-month interval, to assess QMS effectiveness. Finally, the standard stipulates that an organization maintain robust controls over all documented information to ensure its availability, integrity, and confidentiality. These interconnected requirements form the basis for achieving certification and demonstrating a commitment to quality."

Technical ID

iso-9001-quality-mgt

Legal & IP Sovereignty

Lab Competence (ISO 17025)

"Compliance with ISO 17025 necessitates a comprehensive framework for establishing and maintaining laboratory competence. The standard mandates that formal, documented competence requirements exist for all personnel involved in laboratory activities, and that there is an ongoing process for monitoring personnel competence, as detailed in sections 6.2.2 and 6.2.4. For equipment, a formal calibration program is essential per section 6.4.7, with complete technical records of calibration history maintained according to 6.4.13. All measurement results must demonstrate established metrological traceability to the International System of Units through an unbroken chain, a core tenet of section 6.5.1. Furthermore, laboratories are required to evaluate and account for measurement uncertainty in all relevant tests, as specified in 7.6. Information management systems, such as LIMS, must undergo validation for functionality, data integrity, and security before implementation, and robust controls must protect information from unauthorized access or tampering, both under section 7.11.2. The management system itself requires a formal process to identify and address risks and opportunities pursuant to 8.5.1, a planned internal audit program to verify operational conformity per 8.8.1, and periodic management reviews conducted at a defined frequency, which must not exceed a threshold like 12 months, in accordance with section 8.9.1."

Technical ID

iso-iec-17025-lab

AI Governance & Law

ISO/IEC 24027: Bias and Fairness in AI

"The mathematical and technical playbook for mitigating human cognitive bias, data bias, and engineering bias through quantitative fairness metrics like demographic parity and equalized odds."

Technical ID

iso-iec-24027-bias-fairness

Legal & IP Sovereignty

Open Source (ISO 5230)

"ISO/IEC 5230:2020 (OpenChain) is the international standard for open source software license compliance, defining the minimum requirements for a quality open source compliance program that enables organizations to trust open source software they receive from third parties and to manage the open source they distribute. The standard requires organizations to establish an Open Source Program Office (OSPO) or equivalent function, implement Software Composition Analysis (SCA) tooling to identify open source components in software, manage license obligations (attribution notices, source code distribution, patent grant notices), maintain a Software Bill of Materials (SBOM), and train personnel on open source license compliance. For AI systems, ISO 5230 applies to AI frameworks (PyTorch, TensorFlow, JAX), pre-trained model weights distributed under open licenses, and training data packages with open data licenses — license violations risk injunctions, damages, and product recall. SBOM requirements under US Executive Order 14028 and EU Cyber Resilience Act directly build on ISO 5230 principles."

Technical ID

iso-iec-5230-openchain

Logistics & Supply Chain

ISPS Code (Vessel Security)

"The International Ship and Port Facility Security (ISPS) Code is a mandatory set of measures to enhance the security of ships and port facilities. It provides a standardized framework for evaluating risk, enabling governments to offset changes in threat with changes in security level for ships and port facilities."

Technical ID

isps-code-vessel-security

Creative, Content & Media IP

ISRC (Recording Code)

"International Standard Recording Code (ISRC) compliance necessitates rigorous validation against its established global standard for identifying sound recordings and music videos. For accurate automated processing, the code must first be stripped of any separators, such as hyphens. The resulting sanitized string must conform to a precise 12-character length and consist exclusively of uppercase alphanumeric characters (A-Z, 0-9). The structure is segmented into four distinct parts: the initial two characters must represent a valid ISO 3166-1 alpha-2 country code; the subsequent three characters form an alphanumeric Registrant Code; the sixth and seventh characters are two digits for the Year of Reference, which cannot specify a year beyond the current one; and the final five characters comprise a numeric Designation Code. Crucially, governance rules mandate absolute uniqueness, requiring that an ISRC is assigned to only one asset, with an asset assignment count that must equal one. This principle strictly prohibits reuse. Additionally, the embedded Registrant Code must be verifiable against an official database maintained by a recognized national ISRC agency, confirming the rightsholder's registration. Any deviation from these formatting or registration prerequisites renders an ISRC invalid."

Technical ID

isrc-recording-code

Sustainability & ESG

ISSB S1/S2 Standards

"The International Sustainability Standards Board (ISSB) issued its inaugural standards, IFRS S1 and IFRS S2, to provide a global baseline for sustainability disclosures. IFRS S1 covers general requirements for sustainability-related financial information, while IFRS S2 focuses on climate-related disclosures, aiming for high-quality, investor-grade reporting."

Technical ID

issb-s1-s2-standard

Creative, Content & Media IP

ISSN (Serial Standard)

"International Standard Serial Number (ISSN) compliance mandates stringent data integrity and structural validation for all applicable serial publications. A designated 'issn' field must be present and conform to the canonical 'NNNN-NNNC' format, where the final character is a digit or an uppercase 'X'. The unhyphenated string must possess a length of exactly 8 characters, comprising seven initial digits and a final valid check character. Correctness is further enforced through a 'Modulo 11' checksum calculation, which algorithmically validates the eighth check character (a digit or 'X') based upon the preceding seven digits. An ISSN is required for asset types classified as 'serial', 'journal', 'magazine', 'newsletter', or 'periodical'. Procedurally, the existence of an ISSN implies the mandatory presence of a corresponding, non-null publication title. Uniqueness is paramount; the system prohibits duplicate ISSN assignment across distinct publication titles. For external verification, each ISSN must be confirmed as officially registered and active through an API lookup against the ISSN International Centre's portal. Finally, if a single publication title has more than one format-specific identifier, the designation of a linking ISSN-L becomes a requirement to ensure cohesive resource identification. This comprehensive rule set ensures all managed serials adhere to global cataloging and identification standards."

Technical ID

issn-serial-standard

Aviation, Defense & Quantum

ITAR Compliance Workflow

"The International Traffic in Arms Regulations (ITAR) control the export and temporary import of defense articles and defense services on the United States Munitions List (USML). Compliance is mandatory for all U.S. manufacturers, exporters, and brokers of defense articles to prevent unauthorized access by foreign persons and ensure national security integrity."

Technical ID

itar-compliance-workflow

Aviation, Defense & Quantum

ITAR Export Control Logic

"Mandatory controls for the export, re-export, and brokering of defense articles, services, and technical data listed on the United States Munitions List (USML)."

Technical ID

itar-license-check

Cloud & SaaS

ITIL v4 (Value System)

"ITIL v4 (Information Technology Infrastructure Library) is the world's premier framework for IT service management (ITSM). It shifts the focus from traditional process-based management to a 'Service Value System' (SVS) that integrates the '7 Guiding Principles', 'Governance', and the 'Service Value Chain' to co-create business value for stakeholders."

Technical ID

itil-v4-service-value

Creative, Content & Media IP

ITU-R BT.2020 (UHD)

"Regulatory conformance with the ITU-R BT.2020 standard for Ultra High Definition (UHD) video mandates strict adherence to a comprehensive set of technical specifications. An asset’s spatial resolution must precisely match either 3840x2160 pixels or 7680x4320 pixels, presented with a required display aspect ratio of 16:9 and utilizing a progressive scan type. The colorimetry system is rigorously defined, requiring the exclusive use of ITU-R BT.2020 color primaries along with the corresponding ITU-R BT.2020 non-constant luminance matrix coefficients. While the specification’s native transfer characteristics are defined as ITU-R BT.2020 for standard dynamic range, high dynamic range (HDR) implementations must instead employ a compliant electro-optical transfer function, specifically SMPTE ST 2084 or ARIB STD-B67. Signal quantization is limited to a valid bit depth of either 10 or 12 bits per component. Acceptable digital video formats include chroma subsampling schemes of 4:2:0, 4:2:2, or 4:4:4. Finally, temporal resolution is restricted to an enumerated set of compliant frame rates: 23.976, 24, 25, 29.97, 30, 50, 59.94, 60, 100, 119.88, and 120 frames per second. Failure to satisfy any one of these interdependent criteria constitutes a definitive deviation from the BT.2020 UHD compliance framework."

Technical ID

itu-r-bt-2020-uhdtv

Creative, Content & Media IP

ITU-R BT.709 (HDTV)

"Compliance with the foundational ITU-R Recommendation BT.709 mandates strict adherence to several key colorimetry and signal format parameters for high-definition television systems. Verification procedures confirm that video assets conform to the standard's specifications for color representation, beginning with the color primaries, which must precisely match the CIE 1931 xy coordinates defined for red (0.64, 0.33), green (0.3, 0.6), and blue (0.15, 0.06). Furthermore, the white point chromaticity must align with the D65 illuminant, corresponding to xy coordinates of 0.3127 and 0.329. The Opto-Electronic Transfer Function is audited against the specified piecewise function, requiring a linear segment slope of 4.5 for signal values below the 0.018 threshold, alongside a non-linear segment governed by a gamma curve exponent of 0.45 and a scale factor of 1.099. The derivation of luminance (Y') from R'G'B' components is also scrutinized, with required matrix coefficients of 0.2126 for red, 0.7152 for green, and 0.0722 for blue. Finally, technical encoding parameters are inspected; an asset's bit depth per channel must meet a minimum value of 8, and its chroma subsampling format must be one of the allowed values, either "4:2:2" for production or "4:2:0" for distribution, to ensure full system conformity."

Technical ID

itu-r-bt-709-hdtv

Logistics & Supply Chain

Kanban Replenishment Algorithm

"Compliance with this node's Kanban Replenishment Algorithm mandates adherence to a comprehensive set of security protocols and operational thresholds designed for ensuring supply chain integrity and data protection in line with governing frameworks. System integrity is upheld through stringent controls, including enforced role-based access controls and mandatory multi-factor authentication for any changes to Kanban parameters. Pursuant to established data handling regulations, all information is secured via active data-in-transit and data-at-rest encryption. The algorithm stipulates that every demand signal source must be authenticated to prevent unauthorized inventory adjustments. Operational execution is strictly governed; replenishment orders cannot deviate beyond a 10 percent maximum order quantity variance, while lead time projections must remain within a 20 percent maximum allowable lead time deviation. Furthermore, a minimum required safety stock of 15 percent is maintained to mitigate disruptions. A 99.9 percent system availability service level agreement guarantees performance, with all transactions recorded in an immutable audit log. System stability is further reinforced through active input data validation and enabled API rate limiting for secure, reliable processing."

Technical ID

kanban-replenishment

Operations & CX

KCS Evolve Loop

"Knowledge-Centered Service (KCS) v6, developed by the Consortium for Service Innovation, defines the Evolve Loop as the organizational and strategic activities that ensure the KCS program itself continuously improves and delivers increasing value — distinct from the Solve Loop which focuses on capturing knowledge during individual interactions. The Evolve Loop encompasses content health assessment, alignment of knowledge strategy with product and business strategy, measurement of KCS program maturity and adoption, leadership enablement, and the reward and recognition structures that sustain the KCS culture. For AI-augmented knowledge bases, the Evolve Loop governs how AI-generated knowledge articles are reviewed, validated, and integrated into the authoritative knowledge base, ensuring that machine-created content meets the same quality standards as human-created content."

Technical ID

kcs-evolve-loop

Operations & CX

KCS Solve Loop

"Knowledge-Centered Service (KCS) v6 Solve Loop defines the practices agents follow during each customer interaction to search, reuse, create, improve, and contribute knowledge as an integral part of solving customer problems — not as a separate activity. The Solve Loop embeds knowledge management into the support workflow so that every interaction both consumes and contributes to the organizational knowledge base. The four core Solve Loop practices are: search early and often (search before acting, search as you think), link the incident to the relevant article (even if it doesn't perfectly describe the issue), create if nothing exists (capture knowledge in context, in the customer's language), and improve what's already there (if the article is inaccurate, incomplete, or unclear, fix it). For AI-augmented support, the Solve Loop governs how AI suggestions are validated, how agent corrections train the AI, and how the AI contributes to real-time knowledge capture."

Technical ID

kcs-solve-loop

Legal & IP Sovereignty

South Korea PIPA

"The Personal Information Protection Act (PIPA) of South Korea is one of the world's strictest data protection regimes, mandating specific opt-in consent for sensitive information and imposing criminal penalties for data misuse. It is overseen by the PIPC (Personal Information Protection Commission)."

Technical ID

korea-pipa-standard

Logistics & Supply Chain

Last-Mile Delivery Ethics

"Operational governance of last-mile delivery activities necessitates rigorous adherence to established ethical and performance standards. This compliance framework ensures all logistical operations, from dispatch to final customer handover, are executed with fairness, transparency, and accountability. The system continuously monitors key performance indicators against predefined operational parameters to proactively identify and mitigate risks associated with driver conduct, delivery accuracy, and customer interaction protocols. It enforces policies concerning fair labor practices for delivery personnel, including equitable route allocation and prevention of over-scheduling, thereby promoting a safe and sustainable working environment. Furthermore, the framework mandates transparent communication with consumers regarding delivery timelines, potential delays, and service modifications. Data privacy is a core component, stipulating stringent controls over the collection, use, and storage of customer information obtained during the delivery process. Any deviation from these codified standards triggers an automated alert for immediate review and corrective action, ensuring consistent regulatory alignment and safeguarding corporate reputation. This comprehensive oversight mechanism serves to uphold consumer trust, maintain operational integrity, and demonstrate a commitment to responsible business practices within the complex last-mile ecosystem."

Technical ID

last-mile-algorithm-ethics

Legal & IP Sovereignty

Conveyancing Quality (UK)

"Evaluation of a firm's adherence to UK conveyancing standards necessitates a multi-faceted compliance assessment, centered on the Law Society Conveyancing Quality Scheme Core Practice Management Standards. Verifiable active CQS accreditation is mandatory, alongside confirmation that designated fee earners have completed requisite CQS training. Rigorous client due diligence, pursuant to The Money Laundering Regulations 2017, must be evidenced through completed AML and KYC checks and a fully verified source of funds. Ethical obligations under the SRA Code of Conduct for Solicitors demand a passed conflict of interest check and strict handling of client money as outlined in Section 8. Firms must demonstrate robust operational protocols, including the issuance of a client care letter within fourteen days of instruction and the validation of all requisite property searches. Adherence to lender obligations, as stipulated in the UK Finance Mortgage Lenders' Handbook, is confirmed via complete lender disclosure. Furthermore, robust cyber-security measures are critical; firms must maintain an active cyber fraud prevention policy and utilize secure transmission for bank details, reflecting guidance from both The Law Society on preventing fraud and HM Land Registry Practice Guide 81. Procedural integrity requires maintaining an active HM Land Registry priority throughout the transaction and retaining a complete SDLT audit trail for a minimum of six years post-completion to ensure a comprehensive and defensible record."

Technical ID

law-society-conveyancing

Banking & Global Finance

Liquidity coverage ratio disclosure standards

"This disclosure framework sets out requirements for the Liquidity Coverage Ratio (LCR) to improve transparency, reinforce the Sound Principles for sound liquidity risk management, enhance market discipline, and reduce market uncertainty. The LCR standard aims to promote the short-term resilience of a bank’s liquidity risk profile by ensuring that it has sufficient high-quality liquid assets (HQLA) to survive a significant stress scenario lasting for 30 days. These standards are an essential component of the reforms introduced by Basel III and will increase banks’ resilience to liquidity shocks and promote a more stable funding profile. The disclosure requirements apply to all internationally active banks on a consolidated basis. The core obligation is for these banks to publish their LCR according to a common template. The LCR will be introduced on 1 January 2015, with a minimum requirement set at 60%, rising in equal annual steps to reach 100% on 1 January 2019. Banks must publish this disclosure at the same frequency as, and concurrently with, their financial statements. The framework requires quantitative information in a common template and sufficient qualitative discussion to facilitate understanding of the results and data provided."

Technical ID

lcr-disclosure-standards

Sustainability & ESG

LEED Green Building Rating

"The LEED Green Building Rating system establishes a framework of performance-based prerequisites and optional credits for certifying sustainable building projects. Foundational compliance requires executing multiple non-negotiable measures, starting with verification that a site assessment is complete to inform design and that a construction activity pollution prevention plan meeting NPDES guidelines is in place. Resource efficiency mandates a minimum indoor water use reduction percentage of 20, substantiated by building-level water metering for total potable water consumption. Energy prerequisites demand a certified minimum energy performance percentage improvement over the ASHRAE 90.1 baseline, supported by building-level energy metering. System integrity necessitates fundamental refrigerant management by prohibiting any use of CFC-based refrigerants in new equipment. Occupant welfare is addressed through strict environmental tobacco smoke control, which bans smoking within facilities and 25 feet of building openings. Additionally, a dedicated area for the storage and collection of recyclables must be provided. Credits for advanced performance are attainable by achieving a high construction waste diversion percentage, increasing the number of low-emitting materials categories met to limit VOC emissions, or implementing a building automation system security protocol as an innovation strategy."

Technical ID

leed-green-building

Legal & IP Sovereignty

Deterministic NDA Review

"Deterministic NDA review is an AI-assisted legal workflow that systematically extracts, analyzes, and scores the key clauses of a Non-Disclosure Agreement (NDA) — including confidentiality definition, permitted disclosures, exclusions, term and termination provisions, return/destruction of materials, governing law, and mutuality — to identify departures from market standard positions and flag unacceptable risk provisions for human attorney review. The methodology applies natural language processing to identify clause presence and extract key terms, then compares extracted terms against a firm's approved clause library or market-standard benchmarks. Deterministic NDA review enables faster, more consistent pre-signature risk assessment, reduces attorney time on routine NDAs, and creates an auditable record of the review rationale. AI-generated NDA scores must be validated by an attorney before the organization executes the agreement — AI review is advisory, not determinative."

Technical ID

legal-nda-deterministic

Sales, Marketing & PR

LinkedIn Ads (Policies)

"Enforcement of LinkedIn's advertising policies is paramount, with this compliance node systematically evaluating campaign assets against rigorous standards for quality, transparency, and user safety. The assessment protocol mandates that ad copy must be devoid of any misleading claims and avoid unsubstantiated guarantees. A strict content quality benchmark is enforced, permitting a maximum of two grammatical errors. The user journey post-click is also scrutinized, requiring that the landing page URL matches the ad's domain to prevent deceptive routing and that its content remains congruent with the initial creative. Concerning data privacy, lead generation forms must feature a conspicuous and functional privacy policy link, as the `privacy_policy_url_is_active_and_valid` check is critical. Furthermore, the collection of sensitive PII within forms is strictly forbidden. Additional prohibitions codified within this node prevent discriminatory ad targeting based on protected characteristics, the impersonation of LinkedIn or other legitimate entities, the deployment of creatives containing spam indicators, and any promotion of prohibited goods or services. Successful validation against these automated checks is a prerequisite for campaign approval and platform integrity."

Technical ID

linkedin-ads-policy-std

Crypto & Sovereign Finance

Liquidity Staking Risk (LST)

"Liquid Staking Tokens (LSTs) represent a user's claim on staked cryptocurrency (primarily Ethereum via protocols like Lido's stETH, Rocket Pool's rETH, and Coinbase's cbETH) that can be freely traded, used as DeFi collateral, or compounded while the underlying stake earns validation rewards. LST security risks are multi-dimensional: smart contract risk (protocol code vulnerabilities), validator slashing risk (validator misconduct reducing the underlying ETH backing), de-pegging risk (the LST trading below its theoretical ETH redemption value), governance risk (DAO parameter changes affecting economics), and re-hypothecation risk (LSTs deposited as collateral in DeFi protocols creating cascading liquidations during stress events). The March 2023 stETH depeg event and Lido's systemic dominance (>30% of all staked ETH) illustrate both the scale and concentration risks inherent in LST protocols. AI agents managing DeFi positions involving LSTs must monitor all five risk dimensions continuously."

Technical ID

liquidity-staking-security

Logistics & Supply Chain

3PL Service Provider Selection

"Selection of Third-Party Logistics (3PL) service providers mandates a rigorous due diligence process aligned with established cybersecurity and operational resilience frameworks. This control enforces procurement criteria consistent with guidance from NIST Special Publication 800-161r1 and CISA Information and Communications Technology Supply Chain Risk Management Task Force recommendations, ensuring supply chain integrity. Prospective partners must demonstrate robust information security postures, substantiated by mandatory ISO 27001 certification plus a current SOC 2 Type 2 audit report. In adherence to processor obligations under EU General Data Protection Regulation Article 28, a fully executed Data Processing Addendum is required for any engagement involving personal data. Contractual service level agreements must guarantee a minimum uptime of 99.9 percent and stipulate a maximum incident response commitment of 24 hours. The financial and operational resilience requirements, reflecting principles within the Digital Operational Resilience Act's chapter on ICT third-party risk, demand suppliers maintain a minimum liability insurance coverage of five million USD and evidence annual business continuity with disaster recovery plan testing. In line with the supply chain security requirements detailed in Article 21 of EU Directive 2022/2555 (NIS2), a comprehensive assessment of the provider's ecosystem is necessary, limiting dependencies to a maximum fourth-party subcontractor tier of 2. Furthermore, a minimum cyber risk score of 85 out of 100 is required, alongside a minimum physical security audit score of 90 percent. Compliance also necessitates strict adherence to local data residency rules, which reinforces information security guidelines for supplier relationships found in ISO/IEC 27036-3."

Technical ID

logistics-3pl-matrix

Logistics & Supply Chain

Automated 3PL Performance SLAs

"Third-Party Logistics (3PL) Service Level Agreements (SLAs) define the contractually binding performance thresholds that logistics service providers must meet for order fulfillment, warehousing, transportation, and returns management on behalf of their clients. For AI-managed logistics operations, these SLAs must be integrated into automated monitoring systems that track performance in real-time, detect violations, apply contractual penalties automatically, and escalate systemic failures to human supply chain managers. Key performance metrics typically include: order fill rate (target ≥99%), on-time-in-full (OTIF) delivery rate (target ≥98%), return processing time (target ≤24 hours), inventory accuracy (target ≥99.9%), and order cycle time. SLA penalties in logistics contracts typically range from 1-5% of the monthly service fee per percentage point below threshold, creating direct financial incentives for both parties to maintain AI-assisted monitoring."

Technical ID

logistics-3pl-slas

Logistics & Supply Chain

Bonded Warehouse Audit Protocol

"Mandatory compliance protocols for bonded warehouse operations are established to ensure strict adherence to international and national customs regulations. Under the authority of 19 U.S.C. § 1555 and the detailed requirements outlined in 19 CFR Part 19, operators must maintain absolute control over merchandise. Similarly, the EU Union Customs Code, through Articles 240-242, imposes rigorous obligations on warehouse keepers for proper procedure and fiscal supervision. The node operationalizes these legal frameworks by mandating that `duty_liability_tracking_enabled` is active and `strict_segregation_bonded_goods` is enforced to prevent commingling. Security management aligns with the ISO 28000:2007 specification and the WCO SAFE Framework principles for Customs-to-Business partnerships. This includes implementing robust C-TPAT Minimum Security Criteria, such as ensuring `perimeter_fencing_min_height_feet` is no less than 8 feet and that `physical_access_controls_active` systems are fully functional. Digital security requires that `cybersecurity_access_mfa_required` is implemented for all relevant systems. Operational integrity demands that `unauthorized_manipulation_blocked` policies are in effect, `customs_seal_logging_enforced`, and all `personnel_background_checks_valid` remain current. For continuous compliance, inventory reconciliation must occur within a period where `inventory_reconciliation_max_days` does not exceed 365, supported by `edi_customs_reporting_active` for timely declarations. Furthermore, video surveillance data requires a `cctv_retention_minimum_days` of 90, and any security incident necessitates reporting with a `max_incident_reporting_delay_hours` of no more than 24."

Technical ID

logistics-bonded-warehouse

Logistics & Supply Chain

Logistics Carbon Accounting (GLEC)

"Logistics carbon accounting practices demonstrate strong methodological alignment with the Global Logistics Emissions Council (GLEC) Framework and full compliance with ISO 14083 standards. The operational boundary for emissions calculation is clearly defined, crucially encompassing Scope 3 outsourced logistics activities, which represents a comprehensive approach to value chain reporting. An allocation method has been properly specified, relying on a physical metric basis to distribute emissions accurately across transport services. Furthermore, the emissions calculation methodology commendably includes Well-to-Tank (WTT) values, ensuring a more complete fuel lifecycle assessment. This process utilizes mode-specific emission factors whose source has been appropriately verified, enhancing the granularity and credibility of reported figures. Data aggregation occurs on an annual basis, and the underlying information carries a data quality score of 3, indicating a moderate level of assurance. However, a significant governance gap exists due to the absence of any third-party verification statement. This lack of independent assurance presents a material risk, undermining the overall defensibility of the reported emissions data despite robust foundational adherence to recognized industry protocols and international standards for quantifying greenhouse gas emissions from transport chains."

Technical ID

logistics-carbon-glec

Logistics & Supply Chain

Logistics EDI Standards (ANSI X12)

"Adherence to Logistics EDI Standards under ANSI X12 mandates a comprehensive framework of technical controls and governance protocols to ensure secure, reliable, and auditable electronic data interchange. The required configuration enforces implementation of critical transaction sets, including 856 for Advance Ship Notices, 214 for Transportation Carrier Shipment Status messages, and 997 for Functional Acknowledgments. System performance must meet a minimum functional acknowledgement reconciliation rate of 99.5%, a metric upheld by an active EDI message validation engine to preserve data integrity. Security measures are stringent, requiring the use of a secure transport protocol, full data encryption in transit, and enforced access control to the EDI gateway. Operational oversight is established through documented trading partner agreements and the consistent application of EDI map version control. For auditability and regulatory compliance, enabling a complete EDI transaction audit log is obligatory, alongside a mandated transaction archival period of 2555 days. These collective requirements ensure that all EDI communications align with prevailing industry best practices for data security, operational reliability, and long-term record retention."

Technical ID

logistics-edi-messaging

Logistics & Supply Chain

Automated HS Classification

"The Harmonized System (HS) Classification node provides a deterministic logic framework based on the WCO General Rules for the Interpretation of the Harmonized System (GRI) to classify goods for global customs, ensuring accurate duty calculation and regulatory compliance."

Technical ID

logistics-hs-classification

Logistics & Supply Chain

Automated HS Code Classification

"The Harmonized System (HS) is the international nomenclature for classifying traded products, administered by the World Customs Organization (WCO) and used by over 200 countries as the basis for customs tariffs, trade statistics, and trade compliance. Every internationally traded product must be assigned a 6-digit HS code (which countries extend to 8-10 digits for national tariff schedules), and the correct code determines: the applicable import duty rate, eligibility for trade agreement preferential tariffs (e.g., US-EU MFN rates, CPTPP preferential rates), import/export permit requirements, and whether the product is subject to antidumping duties or safeguard measures. AI agents automating customs declarations must produce accurate HS classifications — misclassification results in customs duty underpayment/overpayment, customs examination delays, penalties, and import license violations. The WCO updates the HS every five years; the current edition is HS 2022."

Technical ID

logistics-hs-codes

Logistics & Supply Chain

Just-In-Time (JIT) Inventory Logic

"Just-In-Time (JIT) Inventory Logic codifies the essential operational and technical controls governing automated inventory management to ensure full compliance and mitigate risk. The node's configuration mandates that on-hand supply levels must not exceed a 5-day threshold, with procurement actions contingent upon predictive models achieving a minimum demand forecast accuracy of 95 percent. Furthermore, supplier qualification is strictly regulated, requiring a minimum reliability score of 0.98 and enforcing a maximum lead time variance of 5 percent. Systemic execution via an enabled automated order trigger is conditional upon verifiable data; consequently, data integrity validation is required for all transactional inputs. The security posture is fortified through adherence to contemporary API authentication standards, mandatory TLS 1.3 encryption for all data in transit, and strict enforcement of least privilege access controls. For comprehensive auditability and non-repudiation, an immutable transaction log is active. System performance standards demand real-time monitoring with latency not exceeding 500 milliseconds, while operational resilience is confirmed as the disruption contingency plan has been tested and verified. These interdependent rules establish a secure, efficient, and auditable framework for JIT operations."

Technical ID

logistics-jit-inventory

Legal & IP Sovereignty

Madrid System (Trademarks)

"Compliance with the Madrid System for the International Registration of Marks is affirmed based on current data parameters. The application fulfills essential procedural and jurisdictional prerequisites, as the system confirms the applicant possesses a basic mark and originates from a member contracting party. The filing correctly extends protection to 5 designated countries, all verified as Madrid Union members. Substantive review shows the application's scope of goods and services is valid and its filing language is permissible. The registration's lifecycle is proceeding without administrative or legal friction; WIPO has issued no irregularity notice, and critically, no jurisdiction has issued a provisional refusal of protection. The international registration remains within the five-year dependency period, linking its validity to the foundational home mark, while the holder's ownership data is current. No immediate maintenance is required, as its 10-year renewal is not due in the next 12 months, indicating a compliant and stable international trademark registration under the Protocol's centralized framework."

Technical ID

madrid-system-trademarks

Cybersecurity

Guide to Malware Incident Prevention and Handling for Desktops and Laptops

"Malware, also known as malicious code, refers to a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system. Malware is the most common external threat to most hosts, causing widespread damage and disruption and necessitating extensive recovery efforts within most organizations. This publication provides recommendations for improving an organization’s malware incident prevention measures. It also gives extensive recommendations for enhancing an organization’s existing incident response capability so that it is better prepared to handle malware incidents, particularly widespread ones. This revision of the publication updates material throughout to reflect the changes in threats and incidents. Unlike most malware threats several years ago, which tended to be fast-spreading and easy to notice, many of today’s malware threats are more stealthy, specifically designed to quietly, slowly spread to other hosts, gathering information over extended periods of time and eventually leading to exfiltration of sensitive data and other negative impacts. Organizations should develop and implement an approach to malware incident prevention based on current and future attack vectors, incorporating policy, awareness programs, vulnerability and threat mitigation, and defensive architecture."

Technical ID

malware-incident-prevention-handling

Sales, Marketing & PR

Marketing Attribution

"Organizational adherence to marketing attribution standards mandates a comprehensive, multi-faceted approach to measurement and reporting. Prevailing regulations require the concurrent implementation of both a Multi-Touch Attribution (MTA) framework and a Marketing Mix Modeling (MMM) framework. Established guidelines further demand the functional integration of these MTA and MMM systems to provide a holistic view of marketing performance. Critically, reliance solely on last-touch attribution models is expressly prohibited, as such single-point methodologies are deemed insufficient for accurate contribution analysis. To ensure analytical validity, all attribution outputs must undergo statistical significance testing, with results demonstrating a minimum significance level represented by a p-value of 0.05 or lower to be considered sound. Operational transparency is paramount; therefore, comprehensive documentation detailing model architecture and assumptions must be maintained for regulatory review. Concurrently, periodic data source auditing is compulsory to verify the integrity and provenance of all input data. All models must undergo rigorous re-validation at a minimum frequency of every ninety days to account for market dynamics. A formal Return on Investment (ROI) calculation must also be executed to substantiate expenditure and demonstrate financial impact. For governance and audit purposes, all associated records are subject to a mandatory data retention period of thirty-six months. Finally, any processing of personal information within these attribution activities strictly requires explicit user consent, aligning with fundamental data privacy principles."

Technical ID

marketing-attribution-models

Banking & Global Finance

MAS TRM Guidelines (Singapore)

"The Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines are the gold standard for financial technology governance in Asia-Pacific. They provide a comprehensive framework for managing IT risk, securing critical systems, and overseeing digital banking infrastructure."

Technical ID

mas-tr-management-sg

Operations & CX

Model Context Protocol (MCP) Enterprise Security

"Standardized security protocols for establishing trust, authenticating context, and limiting data exposure between enterprise data sources and LLM agents using MCP."

Technical ID

mcp-enterprise-auth

Sales, Marketing & PR

Meta Ads (Policies)

"This advertising asset presents a low composite risk score of 0.15 for policy violation, though a material vulnerability exists within its data implementation framework. The campaign demonstrates compliance with several foundational Advertising Policies, confirming ad content is neither harmful nor deceptive and that the landing page maintains consistency with the advertisement’s core proposition. Targeting configurations satisfy non-discrimination requirements, utilizing a location targeting granularity level of 2 to avoid hyper-specific audience segmentation that could be exclusionary. As the creative is not a political or social issue ad, the requires_special_ad_category_declaration status is appropriately false, aligning with platform rules. The presence of a user_data_consent_flag also indicates proactive measures towards privacy compliance. A principal area of concern stems from data transmission protocols. Although the advertiser commendably uses_conversions_api, the critical capi_signal_integrity_verified check returns a negative result. This unverified data stream poses a significant threat to measurement accuracy and potentially violates platform standards for data quality and handling. Additionally, the age_targeting_restriction_applied flag is inactive; this parameter requires validation against the advertised product to ensure adherence with restricted content policies. This Conversions API integrity failure remains the primary contributor to the asset's calculated risk profile."

Technical ID

meta-ads-policy-standard

Crypto & Sovereign Finance

MEV-Boost Ethics & Audit

"MEV-Boost (Maximal Extractable Value Boost) is the dominant block-building middleware for Ethereum Proof-of-Stake validators, enabling validators (proposers) to outsource block construction to a competitive market of block builders who maximize transaction ordering revenue, with profits shared between the builder and the validator. As of 2024, >90% of Ethereum blocks are produced via MEV-Boost relays. MEV extraction encompasses: arbitrage (cross-exchange price discrepancies), sandwich attacks (front-running and back-running victim transactions), liquidations, and just-in-time liquidity provision. Ethical and regulatory concerns center on: the fairness of MEV extraction from retail DeFi users, the centralization risks from dominant builders (top 3 builders produce ~80% of MEV-Boost blocks), validator-builder collusion, and OFAC sanctions compliance by relays filtering addresses from blocks. Auditing MEV-Boost participation is critical for validators, DeFi protocols, and institutions with fiduciary or compliance obligations."

Technical ID

mev-boost-audit

Banking & Global Finance

MiCA (Stablecoin Reserve)

"MiCA (Markets in Crypto-Assets Regulation, EU 2023/1114) is the first comprehensive framework for the crypto-asset market. It introduces strict reserve requirements for 'Asset-Referenced Tokens' (ARTs) and 'E-Money Tokens' (EMTs), commonly known as stablecoins, requiring issuers to maintain a 1:1 liquid reserve of assets to ensure redemption and systemic stability."

Technical ID

mica-stablecoin-reserve

Banking & Global Finance

Markets in Financial Instruments Directive II (MiFID II)

"Markets in Financial Instruments Directive II (MiFID II) establishes a comprehensive regulatory framework designed to enhance transparency, investor protection, and market efficiency across European Union financial markets. Compliance requires rigorous adherence to numerous obligations, mandating that investment firms have a defined conflict of interest policy and ensure documented client categorization is consistently applied. For advisory services, a suitability assessment conducted for advice is a critical prerequisite to align recommendations with client profiles. The directive codifies stringent transparency rules, requiring both implemented pre-trade transparency and near real-time post-trade publication of transaction details. A cornerstone of this regime is a published best execution policy, compelling firms to demonstrate they take all sufficient steps for optimal client outcomes. Transactional integrity and surveillance are reinforced through the mandatory use of a Legal Entity Identifier for reporting parties and through active communication taping of relevant correspondence. Reporting obligations are time-sensitive, with a transaction report submission deadline of one business day. Furthermore, the regulation stipulates a minimum record retention period of five years for all pertinent data. Firms must also provide clear cost and charges disclosure to clients upfront. To safeguard market stability, any algorithmic trading system is required to be robustly tested before deployment."

Technical ID

mifid-ii

Banking & Global Finance

MiFID II Best Execution

"MiFID II Best Execution (Markets in Financial Instruments Directive II) requires investment firms to take all sufficient steps to obtain the best possible result for their clients when executing orders. It focuses on a multi-factor assessment including price, costs, speed, and likelihood of execution, ensuring transparent and fair market outcomes."

Technical ID

mifid-ii-best-execution

Banking & Global Finance

MiFIR Transaction (Reporting)

"MiFIR Transaction Reporting (Markets in Financial Instruments Regulation, Article 26) is the mandatory standard for reporting the details of financial trades to EU regulators. It requires timely disclosure of 65 data fields (e.g., identity of the buyer/seller, LEIs, time-stamping) within one business day (T+1), enabling market monitoring for market abuse and systemic risk."

Technical ID

mifir-transaction-report

Cybersecurity

Impair Defenses (MITRE T1562)

"MITRE ATT&CK Technique T1562 (Impair Defenses) describes adversary behaviors aimed at disabling, tampering with, or reducing the effectiveness of security tools and controls — including antivirus, endpoint detection and response (EDR), logging systems, firewalls, and audit trails — to reduce detection probability and extend dwell time after initial compromise. T1562 has 12 sub-techniques including disabling Windows Defender (T1562.001), tampering with audit/log policies (T1562.002), disabling or modifying system firewalls (T1562.004), and disabling cloud logs (T1562.008). This technique is highly relevant to AI agent security because a maliciously prompted or jailbroken AI agent with tool execution capabilities could programmatically disable security monitoring tools as part of an adversary's kill chain. Detection requires continuous integrity monitoring of security tool state, immutable logging, and configuration baseline enforcement."

Technical ID

mitre-t1562

Aviation, Defense & Quantum

UK Ministry of Defence (MoD) AI Safety Protocol

"A mandatory safety assurance framework for AI systems deployed in British Armed Forces, requiring a structured Safety Case and human-in-the-loop gating for lethal force."

Technical ID

mod-safe-ai

AI Governance & Law

Standardized Model Card Logic

"Model Cards, introduced by Mitchell et al. (2019) and subsequently adopted as a documentation standard in EU AI Act Article 11 (technical documentation), ISO/IEC 42001 Annex B, and NIST AI RMF Govern 1.2, are structured reports that document an AI model's intended use, training data characteristics, performance benchmarks across demographic subgroups, known limitations, and ethical considerations — enabling downstream deployers, auditors, and affected parties to make informed decisions about model adoption and risk. Under the EU AI Act, high-risk AI system providers must maintain technical documentation substantially equivalent to a Model Card as a prerequisite for CE marking and notified body assessment. NIST AI RMF requires Model Cards as an output of the Map and Measure functions for transparency and accountability. Incomplete or absent Model Cards constitute a governance gap that regulators, enterprise risk managers, and AI procurement teams treat as evidence of insufficient AI lifecycle management. AI agents that retrieve, generate, or audit Model Cards must apply the full schema defined in this node to ensure completeness and regulatory sufficiency."

Technical ID

model-card-report

Workplace

Modern Slavery Act

"Modern slavery legislation mandates that certain commercial organizations actively identify, mitigate, and report on risks of slavery and human trafficking within their global operations and supply chains. The governing statutory frameworks establish clear triggers for compliance; for example, `isUkJurisdictionApplicable` is determined by carrying on business in the UK coupled with an `annualTurnoverGBP_Millions` meeting or exceeding 36, whereas `isAustraliaJurisdictionApplicable` depends on operating in Australia with a `consolidatedRevenueAUD_Millions` of at least 100. If `isStatementRequired` is true, an entity must prepare and publish an annual modern slavery statement. This formal document, confirming `hasPublishedAnnualStatement`, must transparently outline the organization's structure, policies, and specific actions taken to combat these abuses. Core content requirements necessitate that the `statementCoversDueDiligence` processes and `statementCoversRiskAssessment` methodologies are adequately described. Furthermore, strict procedural rules apply: the `statementApprovedByBoard` is mandatory, the `statementSignedByDirector` affixes senior accountability, and ensuring the `statementIsPublishedOnHomepage` provides requisite public transparency. A comprehensive compliance posture is often evidenced by maintaining a proactive `hasSupplierAuditProgram` to scrutinize supply chain partners, as non-compliance presents severe reputational and legal risks."

Technical ID

modern-slavery-act-rep

Sales, Marketing & PR

MRC (Viewability)

"Adherence to Media Rating Council and Interactive Advertising Bureau standards for viewable impressions is mandatory for compliant digital advertising measurement. This configuration enforces the baseline criteria established within the Viewable Ad Impression Measurement Guidelines. For standard display ad units, a viewable impression is counted only when a minimum of fifty percent of the creative’s pixels are within an active browser window for at least one continuous second. Measurement commences once the ad unit has fully loaded. Large format display ads, defined as creatives meeting or exceeding a 242,500 total pixel count, require a reduced threshold where only thirty percent of pixels must remain visible for one uninterrupted second. In accordance with IAB Digital Video Ad Impression Measurement Guidelines, video advertisements must have fifty percent of their pixels in view for a minimum of two consecutive seconds. Critically, this compliance check mandates robust invalid traffic filtration; both general and sophisticated invalid traffic must be detected and removed from measurement totals as stipulated by the MRC's dedicated IVT addendum. The system correctly distinguishes served versus viewable impressions and does not permit user interaction to override these fundamental viewability requirements, ensuring all reported metrics align with current Mobile and Desktop Ad Impression Measurement Guidelines."

Technical ID

mrc-viewability-standard

Sustainability & ESG

MSC Seafood Sustainability

"Compliance with the Marine Stewardship Council framework for seafood sustainability mandates a multi-faceted assessment of fishery operations and supply chain integrity. Verification begins with confirming the entity holds a valid MSC certificate that is not suspended. The product itself must fall within the certificate’s scope, satisfying both `product_species_in_certificate_scope` and `product_geography_in_certificate_scope` requirements. Integrity through the supply chain requires that the `chain_of_custody_code_valid` condition holds. Ecologically, the fishery must prove its target stock is maintained above a critical biological threshold, verifying the `is_stock_above_point_of_recruitment_impairment` condition is met. A formal `harvest_strategy_in_place` and sufficient `bycatch_monitoring_data_available` are also mandatory to manage the fishery's broader impact. From a management perspective, the `fishery_client_group` must be `clearly_defined`, and a regular `management_system_review` must be conducted. For traceability, complete `traceability_system_records` must be `maintained`. Continuous oversight is validated by a critical time-based check: the `last_surveillance_audit` must have been completed within the preceding 365 days. Exceeding this threshold signifies a potential compliance failure. These interconnected controls collectively substantiate claims of sustainable sourcing under the premier global standard."

Technical ID

msc-fisheries-cert

Industrial IoT & Energy

NERC CIP: Energy Cyber Infrastructure

"The NERC Critical Infrastructure Protection (CIP) standards are the mandatory cybersecurity requirements for North American bulk power systems. They focus on identifying 'BES' (Bulk Electric System) Cyber Systems and implementing defense-in-depth controls to protect critical energy reliability from cyber threats."

Technical ID

nerc-cip-v6-cyber

Medical & Healthcare

Considerations for Design, Development, and Analytical Validation of Next Generation Sequencing (NGS) – Based In Vitro Diagnostics (IVDs) Intended to Aid in the Diagnosis of Suspected Germline Diseases

"This guidance document describes one part of FDA’s efforts to create a flexible and adaptive regulatory approach to the oversight of next generation sequencing (NGS)-based tests. As a step toward this vision, FDA is outlining key considerations for designing, developing, and establishing analytical validity of NGS-based tests used for whole exome human DNA sequencing (WES) or targeted human DNA sequencing intended to aid in the diagnosis of symptomatic individuals with suspected germline diseases or other conditions. The term “germline diseases or other conditions” encompasses those genetic diseases or other conditions arising from inherited or de novo germline variants. The recommendations in this guidance are intended to both assist test developers directly, and also to inform the development of consensus standards by experts in the community. As a general principle, test developers should first define the indications for use statement of their test, as this determines how the test should perform. When defining appropriate test performance, developers should prospectively determine the types of studies that should be conducted (e.g., accuracy) as well as the thresholds that should be met for each study type. After design and development of the test, validation studies should indicate if the predefined performance is met. If the test does not meet any of the predefined performance thresholds, the test should be modified and revalidated."

Technical ID

ngs-ivds-germline-diseases

Cybersecurity

NIS2 Directive — EU Critical Infrastructure Cybersecurity

"Directive (EU) 2022/2555 (NIS2), published December 27, 2022 and mandatorily transposed into national law by EU member states by October 17, 2024, replaces the original NIS Directive (2016/1148) and dramatically expands both the scope and enforcement regime for network and information security across the EU. NIS2 covers 18 sectors in two tiers: Essential Entities (EE) — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space — and Important Entities (IE) — postal/courier, waste management, chemicals, food production, manufacturing, digital providers, and research. The size threshold is medium enterprises (50+ employees, €10M+ annual revenue) in covered sectors with some exceptions. Key NIS2 innovations: mandatory management body accountability and personal liability for board members who fail to oversee cybersecurity measures; 24-hour early warning / 72-hour incident notification / 1-month final report obligation; harmonized minimum security measures including supply chain security and vulnerability disclosure; penalties up to €10M or 2% of global annual turnover for EE, €7M or 1.4% for IE. Supervised by national competent authorities (NCAs) with ENISA coordination."

Technical ID

nis2-directive

Legal & IP Sovereignty

Protecting PII (NIST 800-122)

"NIST Special Publication 800-122 (Guide to Protecting the Confidentiality of Personally Identifiable Information) provides a comprehensive framework for federal agencies and their contractors to identify, categorize, and protect PII held in information systems — establishing that PII protection must be risk-based, proportional to the sensitivity of the information and the likelihood and impact of unauthorized disclosure. The publication defines PII as any information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information, and categorizes PII confidentiality impact using the NIST FIPS 199 LOW/MODERATE/HIGH scale based on factors including identifiability, quantity, data field sensitivity, context of use, and obligations to protect. Organizations that fail to implement PII protection controls consistent with NIST 800-122 face federal enforcement action under the Privacy Act of 1974, the E-Government Act of 2002, OMB Memorandum M-17-12, and sector-specific privacy statutes. AI agents that process, store, or transmit PII must apply the full NIST 800-122 control framework, including de-identification, access control, and incident response requirements."

Technical ID

nist-800-122-pii

Cloud & SaaS

NIST SP 800-123 (Server Security)

"NIST SP 800-123 (Guide to General Server Security) provides the foundational standard for the secure deployment and management of servers. It focuses on the full 'Security Life Cycle', covering host hardening, logical access control, and persistent monitoring of server health, ensuring the infrastructure remains resilient to modern threats."

Technical ID

nist-800-123-server-sec

Aviation, Defense & Quantum

CUI Protection (NIST 800-171)

"NIST Special Publication 800-171 Revision 3 (published May 2024) defines 17 control families containing 110 security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations — primarily defense contractors, research institutions, and suppliers processing federal contract information (FCI) and CUI under DFARS Clause 252.204-7012. Compliance with NIST 800-171 is mandatory for any organization holding a DoD contract that involves CUI, and the Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 assessment directly audits all 110 NIST 800-171 requirements through a Certified Third-Party Assessment Organization (C3PAO). The Supplier Performance Risk System (SPRS) score, derived from self-assessment against NIST 800-171, affects contract award decisions, and DoD contracting officers are required to review SPRS scores as part of the source selection process. Failure to implement required controls exposes contractors to contract termination, False Claims Act liability (up to three times damages plus civil penalties), and debarment from federal contracting. AI agents operating within defense contractor environments that process, store, or transmit CUI must comply with all applicable NIST 800-171 requirements, particularly access control, audit logging, system and communications protection, and configuration management families."

Technical ID

nist-800-171-cui

Aviation, Defense & Quantum

NIST SP 800-171 Rev 3 (CUI)

"NIST SP 800-171 Rev 3 provides the requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It is the foundational standard for defense contractors, and the latest 2024 revision incorporates significant updates to controls and security families to align with modern cyber threats."

Technical ID

nist-800-171-rev-3

Cloud & SaaS

NIST SP 800-190 (Containers)

"Compliance with NIST SP 800-190 guidance for application container security necessitates a multi-layered control framework that addresses risks across the entire lifecycle. This node enforces critical security postures, beginning with the image build process where each image_uses_trusted_base is mandatory, ensuring builds originate from approved, signed sources. A comprehensive vulnerability assessment must pass, reflected by the image_vulnerability_scan_passed status, which strictly adheres to a max_critical_vulnerabilities_allowed threshold of zero. The node also mandates that secrets_managed_externally, injected via a secure orchestrator mechanism to avoid their insecure embedding within images. Supply chain integrity is maintained by verifying registry_requires_authentication for all operations. In the orchestration layer, access control is paramount; therefore, orchestrator_rbac_enabled is required to enforce least privilege. Default-deny network communication is enforced through active network_policies_enforced, isolating workloads. At runtime, the security posture is hardened by mandating that a container_runs_as_non_root and that a runtime_security_profile_applied, like Seccomp or AppArmor, restricts system call privileges. The container's integrity is further protected when an immutable_filesystem_enabled configuration prevents unauthorized modifications. Finally, the underlying host infrastructure must be demonstrably secure, requiring that the host_os_hardened against a standard like a CIS benchmark and that all host_access_audited to maintain a verifiable log of administrative actions."

Technical ID

nist-800-190-container

Cloud & SaaS

NIST SP 800-204 (Microservices)

"NIST SP 800-204 establishes stringent security strategies for microservice-based applications, mandating a defense-in-depth architecture. Compliance requires the deployment and configuration of an API gateway to mediate all ingress traffic, complemented by a service mesh for managing and securing inter-service communication. All service-to-service interactions must be encrypted and authenticated through the mandatory enforcement of mutual TLS. Authentication mechanisms will employ JSON Web Token validation, while access control strictly adheres to a least privilege access enforced model. The network posture must adopt a zero-trust stance, where a default network policy denies all connections, and all egress traffic is explicitly controlled. System observability is paramount, necessitating that log correlation is enabled across the distributed environment alongside active runtime security monitoring for continuous threat detection. From a vulnerability management perspective, a zero-tolerance policy is enforced for critical vulnerabilities in container images, demanding a scan threshold set to zero. Furthermore, secrets management must be externalized from application code, and API rate limiting needs to be enabled to protect against denial-of-service attacks and abuse."

Technical ID

nist-800-204-microservices

Cybersecurity

Audit Event Logging (NIST 800-53)

"NIST SP 800-53 Rev 5 Control AU-2 (Event Logging) requires organizations to identify the types of events that the system is capable of logging in support of the audit function, coordinate the event logging function with other organizations requiring audit-related information, and specify the types of events to be logged — establishing the foundational event taxonomy upon which all subsequent audit controls (AU-3 through AU-16) depend. AU-2 is a HIGH baseline control required for all federal systems at the MODERATE and HIGH impact levels, and FedRAMP and CMMC 2.0 both mandate AU-2 implementation. The control is critical for AI agent deployments because AI agents generate high volumes of events across multiple systems and APIs; without a comprehensive AU-2 event taxonomy that explicitly includes AI agent actions (tool calls, API invocations, data access, decision outputs), audit trails will be insufficient for forensic investigation of AI-related incidents, regulatory compliance, and attack reconstruction. Failure to implement AU-2 in AI systems undermines the detectability of MITRE T1562 (Impair Defenses) attacks targeting audit infrastructure and creates undetectable gaps in the audit trail."

Technical ID

nist-800-53-au2

Cybersecurity

Contingency Planning (NIST 800-53)

"NIST SP 800-53 Rev 5 Control CP-2 (Contingency Plan) requires organizations to develop a contingency plan for the information system that identifies essential missions and business functions, provides recovery objectives, priorities, and metrics, addresses contingency roles, responsibilities, and assigned individuals, addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure, and provides a plan to restore operations within defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). CP-2 is a HIGH baseline control mandatory for federal systems at MODERATE and HIGH impact levels, and it is a foundational FedRAMP requirement. For AI agent systems, CP-2 is particularly critical because AI agents may be executing multi-step autonomous workflows at the time of a disruption — the contingency plan must address how in-flight agent tasks are safely halted, how agent state is captured for recovery, and how the restored system prevents duplicate actions from resumed agents. Failure to implement CP-2 for AI systems risks data integrity corruption, financial transaction duplication, and extended mission outage during recovery."

Technical ID

nist-800-53-cp2

Cybersecurity

Ident & Auth (NIST 800-53)

"NIST SP 800-53 Rev 5 Control IA-2 (Identification and Authentication — Organizational Users) requires information systems to uniquely identify and authenticate organizational users (including processes acting on behalf of users) and mandates multi-factor authentication (MFA) for all access to privileged accounts and all network access to non-privileged accounts on federal systems — a requirement that OMB Memorandum M-22-09 (Zero Trust Strategy) extended to require phishing-resistant MFA (FIDO2/WebAuthn, PIV/CAC) for all federal agency users by fiscal year 2024. IA-2 is a HIGH baseline control required for all federal systems, FedRAMP, and CMMC 2.0 Level 2, and it represents one of the highest-impact single controls in reducing credential-based attack success: CISA reports that MFA blocks more than 99% of automated credential-stuffing and phishing attacks. For AI agent systems, IA-2 extends to non-human identities (NHIs) — AI agent service accounts and API credentials must be uniquely identified, use certificate-based authentication where feasible, and have their authentication events logged for the AU-2 audit trail. AI agents that invoke downstream services must propagate their authenticated identity to those services rather than using shared service accounts."

Technical ID

nist-800-53-ia2

Cybersecurity

Boundary Protection (NIST 800-53)

"NIST SP 800-53 Rev 5 Control SC-7 (Boundary Protection) requires organizations to monitor and control communications at the external boundary of the system and at key internal boundaries, implement subnetworks for publicly accessible system components, and connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture. SC-7 is a HIGH baseline control mandatory for all federal systems at MODERATE and HIGH impact levels, FedRAMP High/Moderate, and CMMC 2.0 Level 2, and it is the foundational network security control upon which egress filtering, intrusion detection, and data loss prevention depend. For AI agent deployments, SC-7 is critical because AI agents executing tool calls and API invocations create dynamic outbound network flows that can exfiltrate data, communicate with attacker-controlled infrastructure, or access unauthorized external services — SC-7 egress controls must explicitly govern which external endpoints AI agents are permitted to connect to, and any agent connection attempt to an unapproved endpoint must be blocked and alerted."

Technical ID

nist-800-53-sc7

Cloud & SaaS

NIST SP 800-61 (Incidents)

"NIST SP 800-61 Rev 2 (Computer Security Incident Handling Guide) is the definitive U.S. standard for managing the lifecycle of cyber incidents. It provides an operational framework for an established Computer Security Incident Response Team (CSIRT) to efficiently coordinate 'Detection', 'Analysis', 'Containment', and 'Recovery', with specific emphasis on 'Post-Incident' learning to reduce future risk."

Technical ID

nist-800-61-incident-resp

Cloud & SaaS

NIST SP 800-88 (Sanitization)

"NIST SP 800-88 Rev 1 (Guidelines for Media Sanitization) is the definitive U.S. standard for the secure destruction and disposal of information. It provides a systematic framework for the 'Sanitization' of storage media (HDDs, SSDs, Mobile, Cloud) through the categorized methods of 'Clear', 'Purge', and 'Destroy', ensuring that sensitive data is non-recoverable."

Technical ID

nist-800-88-sanitization

AI Governance & Law

Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations

"This NIST Trustworthy and Responsible AI report develops a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML). The taxonomy is built on surveying the AML literature and is arranged in a conceptual hierarchy that includes key types of ML methods and lifecycle stages of attack, attacker goals and objectives, and attacker capabilities and knowledge of the learning process. The report provides corresponding methods for mitigating and managing the consequences of attacks, meant to inform standards and practice guides for assessing and managing AI system security by establishing a common language for the AML landscape. The data-driven approach of machine learning introduces security and privacy challenges beyond classical threats. These include the potential for adversarial manipulation of training data, adversarial exploitation of model vulnerabilities, and malicious interaction with models to exfiltrate sensitive information. AML is concerned with studying the capabilities of attackers and their goals, the design of attack methods that exploit ML vulnerabilities during the development, training, and deployment phases, and the design of ML algorithms that can withstand these challenges. The taxonomy of AML is defined with respect to five dimensions of risk assessment: AI system type, stage of the ML lifecycle process, attacker goals, attacker capabilities, and attacker knowledge."

Technical ID

nist-ai-100-2-aml-taxonomy

AI Governance & Law

AI Red Teaming (NIST AI 100-4)

"Adversarial red teaming constitutes a mandatory control for designated AI systems, aligning with directives in U.S. Executive Order 14110 and fulfilling the accuracy, robustness, and cybersecurity requirements detailed within the EU AI Act's Article 15. This node’s primary objective is to systematically identify, classify, and mitigate vulnerabilities through structured testing cycles conducted every 90 days, an operational tempo that supports the MEASURE function of NIST's AI Risk Management Framework. Each cycle must employ a minimum of 5000 adversarial prompts designed to stress-test system defenses against a comprehensive range of threats articulated in the NIST AI 100-4 taxonomy. The protocol mandates active simulation of evasion attacks, data poisoning scenarios, and model extraction attempts. Performance is evaluated against stringent thresholds, requiring a jailbreak success rate not to exceed 0.05 and a minimum robustness confidence score of 0.9. Testing specifically targets critical OWASP Top 10 for LLM vulnerabilities, including LLM01 Prompt Injection and LLM06 Sensitive Information Disclosure. To ensure procedural integrity consistent with ISO/IEC 23894 guidance, all evaluations require human-in-the-loop testing conducted by an operationally independent red team. Upon discovery of a critical vulnerability, an automatic quarantine protocol is triggered to prevent further exposure or compromise."

Technical ID

nist-ai-100-4-redteam

AI Governance & Law

Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency

"This report examines existing standards, tools, methods, and practices for authenticating digital content, tracking its provenance, labeling and detecting synthetic content, and preventing generative AI from producing harmful material like child sexual abuse material or non-consensual intimate imagery of real individuals. The approaches discussed aim to manage and reduce risks related to synthetic content by recording and revealing its provenance, providing tools to identify AI-generated content, and mitigating the production and dissemination of certain illicit materials. Digital content transparency provides a vehicle for individuals and organizations to access more information about the origins and history of content, which may contribute to trustworthiness. The document defines 'synthetic content' as 'information, such as images, videos, audio clips, and text, that has been significantly altered or generated by algorithms, including by AI.' It provides an overview of technical approaches for provenance data tracking and synthetic content detection, along with a review of current testing and evaluation techniques. It acknowledges that the efficacy of many of these approaches is not fully examined and may be years from widespread deployment. The value of any given technique is use-case and context-specific, and none offer comprehensive solutions on their own; they are building blocks that can be used to improve trust between content producers, distributors, and the public."

Technical ID

nist-ai-100-4-synthetic-content

AI Governance & Law

A Plan for Global Engagement on AI Standards

"Recognizing the importance of technical standards in shaping development and use of Artificial Intelligence (AI), the President’s October 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (EO 14110) calls for “a coordinated effort...to drive the development and implementation of AI-related consensus standards, cooperation and coordination, and information sharing” internationally. Specifically, the EO tasks the Secretary of Commerce to “establish a plan for global engagement on promoting and developing AI standards... guided by principles set out in the NIST AI Risk Management Framework and United States Government National Standards Strategy for Critical and Emerging Technology” (NSSCET). This plan, prepared with broad public and private sector input, fulfills the EO’s mandate. The scope of the plan is deliberately broad, addressing the full lifecycle of standards-related activities, including foundational technical work, collaborative development of consensus standards, and the development of complementary tools for implementation. The plan covers AI-related standards of all scopes, both “horizontal” (applicable across sectors) and “vertical” (designed for the needs of a particular sector). It lays out objectives, topical priorities, and actions that can be taken up not just by the Federal government but by the full array of U.S. stakeholders in AI standards, recognizing that U.S. global leadership hinges on engagement from across the dynamic, private sector-led standards ecosystem."

Technical ID

nist-ai-100-5-global-engagement-plan

AI Governance & Law

Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile

"This document is a cross-sectoral profile of and a companion resource for the AI Risk Management Framework (AI RMF 1.0) for Generative AI, developed pursuant to Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence. It is intended for voluntary use by organizations to improve their ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. The profile assists organizations in managing AI risks in a manner that is well-aligned with their goals, considers legal and regulatory requirements, and reflects risk management priorities. This profile defines risks that are novel to or exacerbated by the use of Generative AI (GAI) and provides a set of suggested actions to help organizations govern, map, measure, and manage these risks across the AI lifecycle. The focus of the suggested actions is limited to four primary considerations: Governance, Content Provenance, Pre-deployment Testing, and Incident Disclosure. It is designed to be used by various AI actors to manage risks associated with activities common across sectors, such as the use of large language models (LLMs). The profile focuses on risks for which there is an existing empirical evidence base, such as confabulation, information integrity, harmful bias, and data privacy."

Technical ID

nist-ai-600-1-gen-ai-profile

AI Governance & Law

Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations

"This NIST Trustworthy and Responsible AI report develops a taxonomy of concepts and defines terminology in the field of adversarial machine learning (AML), which may aid in securing applications of artificial intelligence (AI) against adversarial manipulations. The taxonomy is built on surveying the AML literature and is arranged in a conceptual hierarchy that includes key types of ML methods, lifecycle stages of attack, attacker goals, and attacker capabilities and knowledge. It applies to both Predictive and Generative AI systems. The data-driven approach of machine learning introduces security and privacy challenges, including the potential for adversarial manipulation of training data, exploitation of model vulnerabilities to affect performance, and malicious interactions to exfiltrate sensitive information. AML is concerned with studying the capabilities of attackers and their goals, as well as the design of attack methods that exploit vulnerabilities during the ML lifecycle. It is also concerned with the design of ML algorithms that can withstand these challenges. The intended audience includes individuals and groups responsible for designing, developing, deploying, evaluating, and governing AI systems. The taxonomy and terminology are meant to inform other standards and future practice guides for assessing and managing the security of AI systems by establishing a common language and understanding of the rapidly developing AML landscape."

Technical ID

nist-ai-adversarial-machine-learning

AI Governance & Law

Artificial Intelligence Risk Management Framework (AI RMF 1.0)

"The goal of the AI RMF is to offer a resource to the organizations designing, developing, deploying, or using AI systems to help manage the many risks of AI and promote trustworthy and responsible development and use of AI systems. The Framework is intended to be voluntary, rights-preserving, non-sector-specific, and use-case agnostic, providing flexibility to organizations of all sizes and in all sectors and throughout society to implement its approaches. The framework equips organizations and individuals, referred to as AI actors, with approaches that increase the trustworthiness of AI systems, and helps foster the responsible design, development, deployment, and use of AI systems over time. The core of the framework describes four specific functions to help organizations address the risks of AI systems in practice. These functions – GOVERN, MAP, MEASURE, and MANAGE – are broken down further into categories and subcategories. While GOVERN applies to all stages of an organization's AI risk management processes, the MAP, MEASURE, and MANAGE functions can be applied in AI system-specific contexts and at specific stages of the AI lifecycle. The framework is designed to be practical, to adapt to the AI landscape as technologies develop, and to be operationalized by organizations in varying degrees so society can benefit from AI while also being protected from its potential harms."

Technical ID

nist-ai-rmf-1-0

Cybersecurity

NIST AI RMF: Governance & Accountability (Govern 1.1)

"The NIST AI Risk Management Framework (RMF) 'Govern' function establishes the institutional foundation for safe AI. Sub-category Govern 1.1 specifically mandates that legal and regulatory AI requirements are identified, documented, and actively managed."

Technical ID

nist-ai-rmf-govern

AI Governance & Law

NIST AI RMF: Response

"NIST AI RMF MANAGE is the action function of the AI Risk Management Framework (NIST AI 100-1, January 2023). It converts the risk assessments produced by MAP and MEASURE into concrete treatment decisions: accept, mitigate, transfer, or avoid. MANAGE specifies how AI risk responses are planned, resourced, executed, and monitored for effectiveness. Organizations without a formal MANAGE function may identify AI risks but fail to close them, creating regulatory and reputational liability. Under the EU AI Act Article 9 and ISO 42001 Clause 8, demonstrating systematic risk treatment with documented outcomes is mandatory for high-risk AI system operators."

Technical ID

nist-ai-rmf-manage

AI Governance & Law

NIST AI RMF: Risk Context

"NIST AI RMF MAP is the discovery function of the AI Risk Management Framework (NIST AI 100-1, January 2023). It establishes the context for each AI system — its intended use, deployment environment, affected stakeholders, and the categories of risk that apply. MAP must be completed before MEASURE or MANAGE can be executed. Without MAP, AI risk assessments are acontextual and unreliable. MAP is specifically required by the EU AI Act (Article 9 conformity assessment), ISO 42001 (Clause 6.1 risk identification), and the US NIST AI RMF Playbook as the entry point for all downstream risk management activities."

Technical ID

nist-ai-rmf-map

AI Governance & Law

NIST AI RMF: Metrics

"NIST AI RMF MEASURE is the evaluation function of the AI Risk Management Framework (NIST AI 100-1, January 2023). It converts the context established in MAP into quantitative and qualitative assessments of AI risk using appropriate tools, metrics, and methodologies. MEASURE determines the actual severity and likelihood of each identified risk before treatment decisions are made. Without rigorous MEASURE activities, MANAGE decisions are based on opinion rather than evidence — a gap that auditors, regulators, and insurers consistently flag. MEASURE is aligned with EU AI Act Article 9(7) (post-market monitoring) and ISO 42001 Clause 9 (performance evaluation)."

Technical ID

nist-ai-rmf-measure

Cybersecurity

Contingency Planning Guide for Federal Information Systems

"NIST Special Publication 800-34, Rev. 1, provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption, which may include relocation to an alternate site, recovery using alternate equipment, or performance of functions using manual methods. This guidance addresses contingency planning recommendations for client/server, telecommunications, and mainframe systems. The guide defines a seven-step contingency planning process to develop and maintain a viable program. These steps are: 1. Develop the contingency planning policy statement to provide authority and guidance. 2. Conduct the business impact analysis (BIA) to identify and prioritize critical information systems. 3. Identify preventive controls to reduce the effects of system disruptions. 4. Create thorough recovery strategies to ensure the system may be recovered quickly and effectively. 5. Develop an information system contingency plan containing detailed guidance and procedures. 6. Ensure plan testing, training, and exercises to validate recovery capabilities and identify gaps. 7. Ensure plan maintenance, treating the plan as a living document that is updated regularly."

Technical ID

nist-contingency-planning-federal-systems

AI Governance & Law

Automation Support for Control Assessments: Project Update and Vision

"NIST Interagency Report (IR) 8011 is a multi-volume series that provides a blueprint for supporting automated control assessments. It proposes an approach for creating specific tests, denominated as 'defect checks,' that can be executed using automation to verify that controls are in place and operating as expected. The methodology supports the NIST Risk Management Framework (RMF) and expands on guidance from SP 800-53A for assessing SP 800-53 controls, ultimately to support information security continuous monitoring (ISCM) activities. This cybersecurity white paper, NIST CSWP 30, summarizes the findings from an internal review of the IR 8011 project. It outlines opportunities for improving the methodology, including restructuring the workflow for readability, expanding keyword search functions, and abstracting the security framework to support any control-based framework. The paper provides a glimpse of what is coming next and updates the IR 8011 development roadmap, with a stated goal of operationalizing the framework into solutions that can benefit agencies and organizations."

Technical ID

nist-cswp-30-automation-support

Cybersecurity

Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration

"Hospital-at-Home (HaH) solutions, a form of telehealth providing in-patient level care within patients' residences, introduce significant privacy and cybersecurity risks by placing hospital-grade medical or biometric devices and information systems outside of a hospital's direct control. These risks are compounded by the increasing presence of consumer Internet of Things (IoT) devices, such as voice assistants (e.g., smart speakers), in patients' homes. Such devices may lack robust security and privacy capabilities and can serve as pivot points for attackers to gain access to a hospital’s information systems. This white paper introduces a notional high-level smart home integration reference architecture to analyze these risks, focusing on voice assistants as a representative IoT device. This document is intended for technologists and information security professionals in healthcare delivery organizations (HDOs) implementing HaH solutions. It leverages the NIST Cybersecurity Framework 2.0, the NIST Privacy Framework Version 1.0, and the NIST IoT Core Baseline to outline mitigation efforts for HDOs. The core obligations and recommended mitigations include implementing robust access control, authentication, continuous monitoring, data security through encryption, comprehensive governance, and network segmentation. A key recommendation is to isolate HaH equipment from other personally owned devices within the patient's home to safeguard sensitive data from unauthorized access, which could result from compromised personal devices."

Technical ID

nist-cswp-34-telehealth-smart-home

Cybersecurity

Using Hardware-Enabled Security to Ensure 5G System Platform Integrity: Applying 5G Cybersecurity and Privacy Capabilities

"This white paper provides an overview and an example of employing hardware-enabled security capabilities to provision, measure, attest to, and enforce the integrity of the compute platform to foster trust in a 5G system’s server infrastructure. As 5G systems adopt cloud-native technologies on commodity servers, the threat landscape has evolved to include attacks against platform firmware and hardware below the operating system. Traditional cybersecurity protections rooted in software or firmware are inadequate against such threats. This document discusses how leveraging hardware roots of trust (HRoT) and remote attestation can mitigate these specific threats by establishing and maintaining platform trust. The core obligation for mobile network operators is to ensure the integrity of the 5G server configuration, including hardware, firmware, and software. This is achieved by cryptographically measuring these components at boot time, saving the measurements to a secure storage element like a Trusted Platform Module (TPM), and using a Remote Attestation Server (RAS) to compare these measurements against a list of allowed values. The 5G Cloud-native Network Function (CNF) orchestrator must then communicate with the RAS to ensure that workloads are only deployed to servers with a current status of trusted. This provides assurance that the hardware infrastructure where 5G workloads are executing has not been tampered with. The guidance is intended for technology, cybersecurity, and privacy professionals involved in using, managing, or providing 5G-enabled services."

Technical ID

nist-cswp-36b-hardware-enabled-security-5g

Cybersecurity

The NIST Cybersecurity Framework (CSF) 2.0

"The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It is designed to help organizations of all sizes and sectors—including industry, government, academia, and nonprofit—to manage and reduce their cybersecurity risks, regardless of the maturity level and technical sophistication of their cybersecurity programs. The framework offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization to better understand, assess, prioritize, and communicate its cybersecurity efforts. The core obligation is for an organization to use the CSF components—the Core, Organizational Profiles, and Tiers—to understand their current and target cybersecurity posture, identify gaps, and prioritize actions to manage risks in alignment with their mission and stakeholder expectations. The CSF does not prescribe how outcomes should be achieved, but rather links to resources that provide guidance on practices and controls. Its use is voluntary unless otherwise mandated by governmental policies."

Technical ID

nist-cybersecurity-framework-2-0

Cloud & SaaS

Implementation of DevSecOps for a Microservices-based Application with Service Mesh

"Cloud-native applications have evolved into a standardized architecture consisting of multiple loosely coupled components called microservices, often implemented as containers, supported by an infrastructure for providing application services, such as service mesh. Due to security, business competitiveness, and the inherent structure of loosely coupled components, this class of applications needs a different development, deployment, and runtime paradigm. DevSecOps (Development, Security, and Operations) has been found to be a facilitating paradigm for these applications with primitives such as continuous integration, continuous delivery, and continuous deployment (CI/CD) pipelines. These pipelines are workflows for taking the developer’s source code through various stages, such as building, testing, packaging, deployment, and operations supported by automated tools with feedback mechanisms. For the purpose of this document, the entire set of source code involved in the application environment is classified into five code types: application code, application services code, infrastructure as code, policy as code, and observability as code. Separate CI/CD pipelines can be created for all five code types. The objective of this document is to provide guidance for the implementation of DevSecOps primitives for a reference platform, which consists of a container orchestration and resource management platform (e.g., Kubernetes). The benefits of this implementation for high security assurance and for enabling continuous authority to operate (C-ATO) are also discussed."

Technical ID

nist-devsecops-microservices-service-mesh

Cybersecurity

Digital Signature Standard (DSS)

"This standard specifies a suite of algorithms that can be used to generate a digital signature for applications requiring a digital signature rather than a written signature. Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. The recipient of signed data can also use a digital signature as evidence to a third party that the signature was generated by the claimed signatory, a concept known as non-repudiation. This standard is applicable to all federal departments and agencies for the protection of sensitive unclassified information and shall be used in designing and implementing public key-based signature systems that federal departments and agencies operate or that are operated for them under contract. The core obligation involves a signature generation process and a signature verification process. Signature generation uses a private key, which must be kept secret, to create a digital signature represented as a string of bits. Signature verification uses a corresponding public key, which may be known to the public, to verify the signature. The standard approves three techniques: the RSA digital signature algorithm, the Elliptic Curve Digital Signature Algorithm (ECDSA), and the Edwards Curve Digital Signature Algorithm (EdDSA). The security of a digital signature system is dependent on maintaining the secrecy of the signatory’s private keys, and key pairs used for signatures under this standard shall not be used for any other purpose."

Technical ID

nist-fips-186-5-dss

Cybersecurity

Guidelines on Mobile Device Forensics

"Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. This guide discusses procedures for the preservation, acquisition, examination, analysis, and reporting of digital evidence. The guide is intended to help organizations evolve appropriate policies and procedures for dealing with mobile devices and to prepare forensic specialists to conduct forensically sound examinations. It focuses mainly on the characteristics of cellular mobile devices, including feature phones, smartphones, and tablets with cellular voice capabilities. This information is relevant to law enforcement, incident response, and other types of investigations. The key to answering questions about evidence preservation and data extraction begins with a firm understanding of the hardware and software characteristics of mobile devices. Organizations should use this guide as a starting point for developing a forensic capability in conjunction with proper technical training and guidance provided by legal advisors, officials, and management."

Technical ID

nist-guidelines-mobile-device-forensics

Cybersecurity

Notional Supply Chain Risk Management Practices for Federal Information Systems

"This publication provides a notional set of repeatable and commercially reasonable supply chain assurance methods and practices to help federal departments and agencies mitigate supply chain risk to federal information systems. It is intended for a diverse federal audience, including mission/business owners, acquisition staff, and information system security personnel responsible for acquiring, delivering, and operating ICT systems. The document specifically targets all federal departments and agencies that acquire Information and Communication Technology (ICT) products and services, with practices recommended for systems categorized at the FIPS 199 high-impact level, although agencies may apply them to lower-impact systems based on risk. The core obligation for federal agencies is to integrate ICT Supply Chain Risk Management (SCRM) considerations into the procurement and entire life cycle of ICT systems, products, and services. Federal departments and agencies currently lack a consistent or comprehensive way of understanding the opaque processes used to create and deliver hardware and software. This lack of visibility, traceability, and control increases the risk of exploitation through counterfeit materials, malicious software, or untrustworthy products. This document organizes specific ICT SCRM practices for acquirers, integrators, and suppliers to improve the ability of federal agencies to strategically manage associated supply chain risks and build greater assurance into the ICT systems they procure and manage."

Technical ID

nist-ir-7622-scrm-practices

Cybersecurity

Guidelines for Smart Grid Cybersecurity, Volume 1 - Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements

"This three-volume report, Guidelines for Smart Grid Cybersecurity, presents an analytical framework that organizations can use to develop effective cybersecurity strategies tailored to their particular combinations of smart grid-related characteristics, risks, and vulnerabilities. Organizations in the diverse community of smart grid stakeholders—from utilities to providers of energy management services to manufacturers of electric vehicles and charging stations—can use the methods and supporting information presented in this report as guidance for assessing risk and identifying and applying appropriate security requirements. This approach recognizes that the electric grid is changing from a relatively closed system to a complex, highly interconnected environment. Each organization’s cybersecurity requirements should evolve as technology advances and as threats to grid security inevitably multiply and diversify. The document development strategy requires the definition and implementation of an overall cybersecurity risk assessment process for the smart grid, based on existing approaches developed by both the private and public sectors. This includes identifying assets, vulnerabilities, and threats and specifying impacts to produce an assessment of risk. While integrating information technologies is essential to building the smart grid and realizing its benefits, the same networked technologies add complexity and also introduce new interdependencies and vulnerabilities. Approaches to secure these technologies must be designed and implemented early in the transition to the smart grid."

Technical ID

nist-ir-7628-smart-grid-cybersecurity

Cybersecurity

Automation Support for Security Control Assessments Volume 1: Overview

"This volume introduces concepts to support automated assessment of security controls detailed in NIST Special Publication (SP) 800-53. The ability to assess all implemented information security controls as frequently as needed using manual procedural methods is impractical for most organizations due to the size, complexity, and scope of their IT footprint. This document provides an operational approach for automating assessments of selected and implemented security controls to support and facilitate near real-time information security continuous monitoring (ISCM) and ongoing security authorizations. The approach is designed to be consistent with NIST guidance, including SP 800-53A, and supports programs like the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program. The core methodology involves automating the 'Test' assessment method by comparing a system's actual state or behavior with a defined desired state specification. This comparison is used to perform 'defect checks', which correspond to security sub-capabilities and test for the absence or failure of a control. The document organizes controls into ISCM security capabilities, which are logical groupings that fulfill a specific purpose, such as Hardware Asset Management or Vulnerability Management. This framework supports organizations in transitioning from static, periodic security authorizations to a more dynamic, ongoing authorization process."

Technical ID

nist-ir-8011-v1-automated-assessments

Cybersecurity

NISTIR 8062 An Introduction to Privacy Engineering and Risk Management in Federal Systems

"This publication provides an introduction to how systems engineering and risk management can be used to develop more trustworthy systems that include privacy as an integral attribute. It is intended for federal agencies that need repeatable and measurable approaches to bridge the distance between high-level privacy principles, such as the Fair Information Practice Principles (FIPPs), and their effective implementation in systems. While unauthorized access to personally identifiable information (PII) is a critical aspect of privacy, there is a less developed understanding of how to address risks that extend beyond unauthorized access. The core obligation is for agencies to adopt a specialty discipline of systems engineering focused on achieving freedom from conditions that create problems for individuals with unacceptable consequences arising from the system as it processes PII. To support this, the publication introduces key components for privacy engineering: a set of privacy engineering objectives (predictability, manageability, and disassociability) to help focus on necessary system capabilities, and a privacy risk model to enable more consistent privacy risk assessments. This model is based on the likelihood that a system operation creates a problematic data action and the impact of that action. The concepts are intended to provide a roadmap for actionable guidance to help agencies meet their obligations under Circular A-130 and other relevant policies."

Technical ID

nist-ir-8062-privacy-engineering

Cybersecurity

Security Assurance Requirements for Linux Application Container Deployments

"This document outlines security assurance requirements for security solutions implemented in Linux application container platforms. To assess the effectiveness of security solutions, it is necessary to analyze those solutions and detail the metrics they must satisfy in the form of security assurance requirements. Building upon the NIST Application Container Security Guide (SP 800-190), which identified threats and countermeasures for six entities including Hardware, Host OS, Container Runtime, Image, Registry, and Orchestrator, this document focuses specifically on application containers hosted on Linux. The analysis covers security solutions that can be configured using features provided by Linux, such as namespaces, Cgroups, and capabilities, as well as kernel loadable modules. The target audience includes system security architects and administrators responsible for the design and deployment of security solutions in enterprise infrastructures hosting containerized applications. The document examines hardware-based roots of trust, host OS protection measures against container escape, secure container runtime configurations for isolation and resource limiting, and requirements for image integrity and registry protection. The objective is to provide a detailed analysis of security solutions to ensure they effectively meet their intended security objectives within the container ecosystem."

Technical ID

nist-ir-8176-linux-container-security

AI Governance & Law

NISTIR 8202 Blockchain Technology Overview

"Blockchains are tamper-evident and tamper-resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable a community of users to record transactions in a shared ledger within that community, such that under normal operation of the blockchain network no transaction can be changed once published. This document provides a high-level technical overview of blockchain technology to help readers understand how it works. Organizations considering implementing blockchain technology need to understand fundamental aspects of the technology. There are two general high-level categories for blockchain approaches: permissionless and permissioned. In a permissionless blockchain network anyone can read and write to the blockchain without authorization. Permissioned blockchain networks limit participation to specific people or organizations and allow finer-grained controls. Despite the many variations of blockchain networks and the rapid development of new blockchain-related technologies, most blockchain networks use common core concepts. Blockchains are a distributed ledger composed of blocks, and each block contains a set of transactions. This document explores the fundamentals of how these technologies work, including how participants agree on whether a transaction is valid and what happens when changes need to be made."

Technical ID

nist-ir-8202-blockchain-overview

Cybersecurity

IoT Non-Technical Supporting Capability Core Baseline

"This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259 and NISTIR 8259A. The document describes four recommended non-technical supporting capabilities for the full lifecycle of cybersecurity management: 1) Documentation, to capture information potential customers need about the device and how it can be secured; 2) Information and Query Reception, to allow customers and others to submit questions and vulnerability information; 3) Information Dissemination, to flow information to customers about vulnerabilities and updates; and 4) Education and Awareness, to provide content supporting the secure use and safeguarding of IoT devices. The main audience is IoT device manufacturers, but it may also help IoT device customers or integrators."

Technical ID

nist-ir-8259b-iot-non-technical-baseline

Cybersecurity

Key Practices in Cyber Supply Chain Risk Management: Observations from Industry

"In today’s highly connected, interdependent world, all organizations rely on others for critical products and services. The reality of globalization has resulted in a world where organizations no longer fully control—and often do not have full visibility into—the supply ecosystems of the products that they make or the services that they deliver. That is why identifying, assessing, and mitigating cyber supply chain risks is a critical capability to ensure business resilience. The multidisciplinary approach to managing these types of risks is called Cyber Supply Chain Risk Management (C-SCRM). This document provides the ever-increasing community of digital businesses a set of Key Practices that any organization can use to manage cybersecurity risks associated with their supply chains. The audience is any organization—regardless of its size, scope, or complexity—that wants to manage the cybersecurity risks stemming from extended supply chains and supply ecosystems. The Key Practices are: 1. Integrate C-SCRM Across the Organization; 2. Establish a Formal C-SCRM Program; 3. Know and Manage Critical Suppliers; 4. Understand the Organization’s Supply Chain; 5. Closely Collaborate with Key Suppliers; 6. Include Key Suppliers in Resilience and Improvement Activities; 7. Assess and Monitor Throughout the Supplier Relationship; and 8. Plan for the Full Life Cycle."

Technical ID

nist-ir-8276-cyber-scrm-practices

Cybersecurity

Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management

"This document supplements NIST Interagency or Internal Report 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), by providing additional detail regarding risk guidance, identification, and analysis. The report offers examples and information to illustrate risk tolerance, risk appetite, and methods for determining risks in that context. It describes the documentation of various scenarios based on the potential impact of threats and vulnerabilities on enterprise assets, and the use of cybersecurity risk registers (CSRRs) to prioritize and communicate enterprise cybersecurity risk. The goal is to provide supplemental guidance for aligning cybersecurity risks within an organization’s overall ERM program, helping enterprises to apply, improve, and monitor the quality of cooperation and communication between Cybersecurity Risk Management (CSRM) and ERM functions. The primary audience for this publication includes both federal and non-federal government cybersecurity, privacy, and cyber supply chain professionals who may be unfamiliar with ERM details. A secondary audience includes corporate officers, high-level executives, and ERM staff who may be unfamiliar with cybersecurity specifics. The core obligation detailed is for enterprises to establish a top-down, collaborative management approach where senior leaders set expectations through risk appetite, which is then interpreted into specific risk tolerance levels. This framework ensures that CSRM activities, including risk identification, analysis, and response, are directly aligned with and support the overarching mission and business objectives of the enterprise."

Technical ID

nist-ir-8286a-cybersecurity-risk

Cybersecurity

Prioritizing Cybersecurity Risk for Enterprise Risk Management

"This document provides supplemental guidance for aligning cybersecurity risks with an organization’s overall Enterprise Risk Management (ERM) program. It is the second publication in a series that supplements NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This report describes the need for determining the priorities of each cybersecurity risk in light of their potential impact on enterprise objectives, as well as options for properly treating that risk. The guidance applies to all organizations and enterprises, defined as an entity of any size, complexity, or positioning within a larger organizational structure. The core obligation is for all participants in the enterprise who play a role in Cybersecurity Risk Management (CSRM) and/or ERM to use consistent methods to prioritize and respond to risk. This includes applying risk analysis to help prioritize cybersecurity risk, evaluate and select appropriate risk responses, and communicate risk activities using a cybersecurity risk register (CSRR) as part of an enterprise CSRM strategy. To minimize the extent to which cybersecurity risks impede enterprise missions and objectives, there must be effective collaboration among CSRM and ERM managers."

Technical ID

nist-ir-8286b-prioritizing-cybersecurity-risk

Cybersecurity

Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight

"This document supplements NIST Interagency/Internal Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). It explores methods for integrating disparate cybersecurity risk management (CSRM) information from throughout an enterprise to create a composite Enterprise Risk Profile (ERP) that informs enterprise risk management (ERM) deliberations, decisions, and actions. The report describes how information recorded in cybersecurity risk registers (CSRRs) can be integrated into a holistic approach, ensuring that risks to information and technology are properly considered within the enterprise risk portfolio. This cohesive understanding supports an enterprise risk register (ERR) and an ERP, which in turn support the achievement of enterprise objectives. The guidance provided is voluntary and non-binding for the private sector, but references government-mandated requirements to demonstrate alignment. Key activities described include the aggregation and normalization of CSRRs, integration of cybersecurity risk into the ERR/ERP, adjustments to risk direction based on governance, and the continuous monitoring, evaluation, and adjustment of the CSRM program."

Technical ID

nist-ir-8286c-staging-cybersecurity-risks

Cybersecurity

Using Business Impact Analysis to Inform Risk Prioritization and Response

"This publication describes how a business impact analysis (BIA), historically used for determining availability requirements for business continuity, can be extended to provide a broad understanding of the potential impacts of any type of loss on an enterprise mission. The management of enterprise risk requires a comprehensive understanding of mission-essential functions and the potential risk scenarios that jeopardize those functions. The process described helps leaders determine which assets enable the achievement of mission objectives and evaluate the factors that render assets as critical and sensitive. Based on these factors, enterprise leaders provide risk directives, such as risk appetite and tolerance, as input to the BIA. The BIA examines the potential impacts associated with the loss or degradation of an enterprise’s technology-related assets based on a qualitative or quantitative assessment of the criticality and sensitivity of those assets, storing the results in a BIA Register. Expanding the use of the BIA to include confidentiality and integrity considerations supports comprehensive risk analysis and helps to better align risk decisions to enterprise risk strategy. The output of the BIA is the foundation for the Enterprise Risk Management (ERM) and Cybersecurity Risk Management (CSRM) integration process, enabling consistent prioritization, response, and communication regarding information security risk for both public- and private-sector enterprises."

Technical ID

nist-ir-8286d-bia-for-risk

Cybersecurity

Ransomware Risk Management: A Cybersecurity Framework Profile

"Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events, helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences. The Ransomware Profile is intended for any organization with cyber resources that could be subject to ransomware attacks, regardless of sector or size, including small to medium-sized businesses (SMBs), small federal agencies, and operators of industrial control systems (ICS) or operational technologies (OT). It maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity to security capabilities and measures. It should help organizations to identify and prioritize opportunities for improving their security and resilience against ransomware attacks. The guidance in this report addresses best practices rather than a set of legal or regulatory requirements."

Technical ID

nist-ir-8374-ransomware-risk-management

Aviation, Defense & Quantum

Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

"The National Institute of Standards and Technology is in the process of selecting public-key cryptographic algorithms through a public, competition-like process. The new public-key cryptography standards will specify additional digital signature, public-key encryption, and key-establishment algorithms to augment Federal Information Processing Standard (FIPS) 186-4, as well as NIST Special Publications SP 800-56A and SP 800-56B. It is intended that these algorithms will be capable of protecting sensitive information well into the foreseeable future, including after the advent of quantum computers. This report describes the evaluation and selection process of the third-round candidates based on public feedback and internal review, summarizing each of the 15 candidates. The public-key encryption and key-establishment algorithm that will be standardized is CRYSTALS–KYBER. The digital signatures that will be standardized are CRYSTALS–Dilithium, FALCON, and SPHINCS+. While multiple signature algorithms were selected, NIST recommends CRYSTALS–Dilithium as the primary algorithm to be implemented. Additionally, four alternate key-establishment candidate algorithms—BIKE, Classic McEliece, HQC, and SIKE—will advance to a fourth round of evaluation and are still being considered for future standardization. NIST will also issue a new Call for Proposals for public-key digital signature algorithms to augment and diversify its signature portfolio."

Technical ID

nist-ir-8413-pqc-third-round

Cybersecurity

Profile of the IoT Core Baseline for Consumer IoT Products

"This publication documents the consumer profile of NIST’s Internet of Things (IoT) core baseline and identifies cybersecurity capabilities commonly needed for the consumer IoT sector (i.e., IoT products for home or personal use). It can also be a starting point for businesses to consider in the purchase of IoT products. The consumer profile was developed as part of NIST’s response to Executive Order 14028. The consumer profile capabilities are phrased as cybersecurity outcomes that are intended to apply to the entire IoT product. An IoT product is defined as an IoT device or IoT devices and any additional product components that are necessary to use the IoT device beyond basic operational features, such as backends or companion applications. The intended audience for this report consists of manufacturers of consumer products, especially product security officers, retailers and related integrators and technical support firms serving the consumer and business sectors, and testing and certification bodies interested in establishing baselines of IoT cybersecurity capabilities."

Technical ID

nist-ir-8425-iot-core-baseline-profile

Medical & Healthcare

Cybersecurity of Genomic Data

"This report describes current practices in cybersecurity and privacy risk management for protecting genomic data. Genomic data's unique characteristics, such as being immutable and containing information about kinship and health, raise cybersecurity and privacy concerns that are inadequately addressed with current policies, guidance, and technical controls. This document addresses challenges and concerns identified by bioeconomy stakeholders, including practices for data generation, safe and responsible data sharing, monitoring of processing systems, and the lack of specific guidance for genomic data processors. Gaps in the regulatory and policy landscape concerning national security and privacy threats from the collection, storage, and sharing of human genomic data are also highlighted. The report identifies that cyber attacks targeting genomic data can threaten national security, economic stability through intellectual property theft, and individual privacy. These attacks can disrupt biopharmaceutical output, agricultural production, and lead to the development of biological weapons or surveillance of citizens. The document proposes a set of solution ideas that address real-life use cases occurring at various stages of the genomic data lifecycle, including candidate mitigation strategies and their expected benefits, based on stakeholder input from workshops hosted by the National Cybersecurity Center of Excellence (NCCoE)."

Technical ID

nist-ir-8432-genomic-data

Cybersecurity

Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN)

"The space sector is transitioning towards Hybrid Satellite Networks (HSN), which are an aggregation of independently owned and operated terminals, antennas, satellites, payloads, or other components that comprise a satellite system. An HSN may interact with government systems and critical infrastructure, requiring a framework to assess the security posture of individual components while enabling the HSN to provide its function. This report, the HSN Cybersecurity Framework Profile (HSN Profile), applies the NIST Cybersecurity Framework to HSNs with an emphasis on the interfaces between participants. Developed by the National Institute of Standards and Technology (NIST) in collaboration with subject matter experts, the HSN Profile provides voluntary, practical guidance for organizations and stakeholders engaged in the design, acquisition, and operation of HSN components. It serves as a starting point for stakeholders assessing their cybersecurity posture. The profile helps organizations to identify systems, assets, data, and risks; protect HSN services through self-assessments; detect cybersecurity-related disturbances; respond to data anomalies in a timely manner; and recover the HSN to proper working order after an incident. It is suitable for applications involving multiple stakeholders in imagery, sensing, broadcast, communications, or other space-based architectures."

Technical ID

nist-ir-8441-hsn-profile

Aviation, Defense & Quantum

Transition to Post-Quantum Cryptography Standards

"This report describes NIST’s expected approach to transitioning from quantum-vulnerable cryptographic algorithms to post-quantum digital signature algorithms and key-establishment schemes. It identifies existing quantum-vulnerable cryptographic standards and the quantum-resistant standards to which information technology products and services will need to transition. This guidance is intended for a broad audience, including federal agencies, technology providers, standards organizations, and Cryptographic Module Validation Program (CMVP) laboratories, to inform their efforts and timelines for migrating information technology products, services, and infrastructure to Post-Quantum Cryptography (PQC). The core obligation is to transition cryptographic systems to quantum-resistant cryptography, with a primary target for completion across Federal systems by 2035, as established by National Security Memorandum 10 (NSM-10). There is a pressing threat, known as “harvest now, decrypt later,” where adversaries collect encrypted data now with the goal of decrypting it once quantum technology matures. This threat makes the transition urgent, particularly for sensitive data that retains its value for many years. The transition will involve the adoption of new PQC algorithms like those in FIPS 203, 204, and 205, as well as the careful deprecation, controlled legacy use, and eventual removal of quantum-vulnerable algorithms."

Technical ID

nist-ir-8547-pqc-transition

AI Governance & Law

The Language of Trustworthy AI: An In-Depth Glossary of Terms

"This document is a guide and record of the development for the NIST (National Institute of Standards and Technology) glossary of terms for trustworthy and responsible artificial intelligence (AI) and machine learning (ML). The glossary effort seeks to promote a shared understanding and improved communication among individuals and organizations seeking to operationalize trustworthy and responsible AI through approaches such as the NIST AI Risk Management Framework (AI RMF). Like the AI RMF, the glossary is non-sector specific and use-case agnostic, designed to be flexible for all organizations and sectors of society to use. The goal of this common vocabulary is not to declare one specific meaning for identified terms, but to provide interested parties with a broader awareness of the multiple meanings of commonly used terms within the interdisciplinary field of trustworthy and responsible AI. The glossary can be used in conjunction with the NIST AI RMF and related resources, or as a stand-alone document. It serves as a first-stop resource for those new to the field, fosters cross-collaboration among different disciplines, and aligns with existing international and industry standards from bodies such as IEEE, ANSI, and ISO/IEC. Core principles in its design include the inclusion of terms related to emerging AI technologies, definitions from a wide variety of domains (including machine learning, social sciences, and law), and a collaborative development process based on consultation with subject matter experts. NIST will promote its use to a broad range of stakeholders, including researchers, developers, and policymakers, and it is subject to regular review and feedback processes from the broader AI community."

Technical ID

nist-language-of-trustworthy-ai

Cybersecurity

Guidelines for Managing the Security of Mobile Devices in the Enterprise

"This publication assists organizations in managing and securing mobile devices by describing available technologies and strategies. As mobile devices perform everyday enterprise tasks, they regularly process, modify, and store sensitive data, bringing unique threats to the enterprise. To reduce the risk to sensitive data and systems, enterprises need to institute appropriate policies and infrastructure to manage and secure mobile devices, applications, content, and access. Recommendations are provided for the selection, implementation, and management of devices throughout their life cycle via centralized management technologies, covering both organization-provided and personally owned deployment scenarios. The guidance addresses security concerns inherent to mobile devices, explores mitigation strategies, and is intended for information security officers, system administrators, and others responsible for planning, implementing, and maintaining mobile device security. Mobile devices often need additional protections due to their portability, small size, and common use outside of an organization’s network, which places them at higher exposure to threats than other endpoint devices. The scope of this publication includes mobile phones, tablets, and other devices running a modern mobile OS, alongside centralized device management and endpoint protection technologies. Organizations can use the guidance to inform risk assessments, build threat models, enumerate the attack surface of their mobile infrastructure, and identify mitigations for mobile deployments."

Technical ID

nist-mobile-device-security-enterprise

Aviation, Defense & Quantum

Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process

"The National Institute of Standards and Technology (NIST) is in the process of selecting public-key cryptographic algorithms through a public, competition-like process to protect sensitive information well into the foreseeable future, including after the advent of quantum computers. The new public-key cryptography standards will specify additional digital signature, public-key encryption, and key-establishment algorithms to augment Federal Information Processing Standard (FIPS) 186-4 and NIST Special Publications 800-56A and 800-56B. This report describes the evaluation and selection process of the third-round candidates based on public feedback and internal review. After three rounds of evaluation and analysis, NIST has selected the first algorithms it will standardize. The public-key encryption and key-establishment algorithm that will be standardized is CRYSTALS–KYBER. The digital signatures that will be standardized are CRYSTALS–Dilithium, FALCON, and SPHINCS+. While multiple signature algorithms were selected, NIST recommends CRYSTALS–Dilithium as the primary algorithm to be implemented. Additionally, four alternate key-establishment candidate algorithms will advance to a fourth round of evaluation: BIKE, Classic McEliece, HQC, and SIKE. These candidates are still being considered for future standardization. The report summarizes each of the 15 third-round candidates and provides the rationale for their selection for standardization, advancement to the fourth round, or removal from consideration."

Technical ID

nist-pqc-third-round-report

Cybersecurity

Recommendation for Key Management Part 3: Application-Specific Key Management Guidance

"NIST Special Publication 800-57 Part 3 provides application-specific cryptographic key management guidance, intended primarily for system administrators, system installers, and end users to adequately secure applications based on product availability and organizational needs. This document addresses the key management issues associated with currently available cryptographic mechanisms for a select set of applications, including Public Key Infrastructures (PKI), IPsec, TLS, S/MIME, Kerberos, DNSSEC, and Encrypted File Systems (EFS). It provides recommended algorithm suites, key sizes, and security considerations to support organizational decisions about future procurements and the configuration of existing systems. This guidance has been developed by NIST to further its statutory responsibilities under the Federal Information Security Management Act (FISMA) for developing information security standards and guidelines for Federal information systems. For each key management infrastructure, protocol, and application addressed, the document provides a description of the system, security and compliance issues, and general recommendations for purchasing decision-makers, system installers, administrators, and end users. While mandatory for Federal agencies, this publication may also be used by non-governmental organizations on a voluntary basis."

Technical ID

nist-recommendation-key-management-pt3

AI Governance & Law

Towards a Standard for Identifying and Managing Bias in Artificial Intelligence

"This special publication describes the challenges of bias in artificial intelligence and provides examples of how and why it can erode public trust. It identifies three categories of bias in AI—systemic, statistical, and human—and describes how and where they contribute to harms. The document also describes three broad challenges for mitigating bias related to datasets, testing and evaluation, and human factors, and introduces preliminary guidance for addressing them. While many organizations seek to utilize information in a responsible manner, biases remain endemic across technology processes and can lead to harmful impacts regardless of intent. These harmful outcomes, even if inadvertent, create significant challenges for cultivating public trust in AI. Successfully meeting this challenge requires taking all forms of bias into account, expanding the perspective beyond the machine learning pipeline to a broader socio-technical view. The intended audience for this document includes individuals and groups who are responsible for designing, developing, deploying, evaluating, and governing AI systems. The core obligation is to provide a roadmap for developing detailed socio-technical guidance for identifying and managing AI bias. NIST intends to develop methods for increasing assurance, governance, and practice improvements for identifying, understanding, measuring, managing, and reducing bias. The guidance is voluntary and intended to be flexible and applicable across contexts, regardless of industry."

Technical ID

nist-sp-1270-managing-ai-bias

Cybersecurity

NIST SPECIAL PUBLICATION 1800-1 Securing Electronic Health Records on Mobile Devices

"This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end reference design demonstrating how healthcare organizations can more securely share patient information among caregivers using mobile devices. It shows how security engineers and IT professionals, using commercially available and open-source tools consistent with cybersecurity standards, can help healthcare providers better protect electronic health records (EHRs). The guidance applies to healthcare organizations of varying sizes and IT sophistication that use mobile devices to store, process, and transmit patient information. When this information is stolen, made public, or altered, organizations can face penalties, lose consumer trust, and compromise patient care and safety. The core obligation is for organizations to implement safeguards to ensure the security of patient information when practitioners use mobile devices with an EHR system. This is achieved through a layered security strategy addressing key risks such as lost or stolen devices, deliberate misuse by users, and inadequate privilege management. The guide maps security characteristics like access control, device integrity, and transmission security to standards and best practices from the NIST Cybersecurity Framework and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. It recommends a continuous risk management process as a starting point for adopting the proposed solutions to account for the dynamic nature of business processes, technologies, and the threat landscape."

Technical ID

nist-sp-1800-1-securing-ehr-mobile

Cybersecurity

Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector

"Many manufacturing organizations rely on industrial control systems (ICS) to monitor and control their machinery, production lines, and other physical processes that produce goods. As OT and IT systems become increasingly interconnected, manufacturers have become a major target of more widespread and sophisticated cybersecurity attacks, which can disrupt these processes and cause damage to equipment and/or injuries to workers. To address these challenges, this guide demonstrates how manufacturing organizations can protect the integrity of their data from destructive malware, insider threats, and unauthorized software within manufacturing environments that rely on ICS. The solutions implement standard cybersecurity capabilities such as behavioral anomaly detection (BAD), application allowlisting (AAL), file integrity-checking, change control management, and user authentication and authorization. An organization interested in protecting the integrity of a manufacturing system and information should first conduct a risk assessment to determine the appropriate security capabilities required. This guide provides example implementations using standards-based, commercially available products to detect and prevent unauthorized software installation, protect ICS networks from potentially harmful applications, determine changes made to a network, detect unauthorized use of systems, continuously monitor network traffic, and leverage anti-malware tools."

Technical ID

nist-sp-1800-10-ics-integrity

Cybersecurity

NIST SPECIAL PUBLICATION 1800-11 Data Integrity: Recovering from Ransomware and Other Destructive Events

"Destructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations need to quickly recover from an event that alters or destroys data. Businesses must be confident that recovered data is accurate and safe. When data integrity events occur, organizations must be able to recover quickly from the events and trust that the recovered data is accurate, complete, and free of malware. This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event, encouraging effective monitoring and detection of data corruption in commodity components, as well as custom applications and data composed of open-source and commercially available components. The guide assists organizations of all types and sizes in developing a strategy for recovering from a cybersecurity event to facilitate a smoother recovery, maintain operations, and ensure the integrity and availability of data critical to supporting business operations. The goals are to help organizations confidently restore data to its last known good configuration, identify the correct backup version free of malicious code, identify altered data as well as the date and time of alteration, determine the identity of those who alter data, identify other coinciding events, and determine the impact of the data alteration."

Technical ID

nist-sp-1800-11-data-integrity

Cybersecurity

Derived Personal Identity Verification (PIV) Credentials

"Access to federal information systems relies on strong authentication of the user with a Personal Identity Verification (PIV) Card, a smart card containing identifying information. However, access to information systems is increasingly from mobile phones and tablets that lack integrated smart card readers, forcing organizations to have separate authentication processes for these devices. Derived PIV Credentials (DPCs) address this challenge by leveraging the identity proofing and vetting results of current and valid credentials used in PIV Cards to issue credentials that are securely stored on devices without PIV Card readers. This enables stronger authentication to federal facilities, information systems, and applications from mobile devices. In accordance with Homeland Security Presidential Directive 12, the PIV standard was created to enhance national security. With the federal government’s increased reliance on mobile computing devices that cannot accommodate PIV Card readers, the mandate to use PIV has created the need to derive credentials for use in mobile devices in a manner that enforces the same security policies established for the life-cycle of credentials in a PIV Card. This NIST Cybersecurity Practice Guide demonstrates how organizations can provide multifactor authentication for users to access PIV-enabled websites from mobile devices that lack PIV Card readers, covering the issuance, maintenance, and termination of the DPC."

Technical ID

nist-sp-1800-12-derived-piv

Cybersecurity

Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders

"On-demand access to public safety data is critical to ensuring that public safety and first responders (PSFRs) can protect life and property during an emergency. This information, often accessed via mobile devices, includes sensitive data requiring robust authentication. In collaboration with industry stakeholders, the National Cybersecurity Center of Excellence (NCCoE) at NIST developed this practice guide to help PSFR personnel efficiently and securely gain access to mission data. The guide describes a reference design for implementing standards-based technologies, including single sign-on (SSO) to reduce the number of credentials managed, identity federation to authenticate personnel across organizational boundaries, and multifactor authentication (MFA) to provide a high level of assurance. This NIST Cybersecurity Practice Guide explains how organizations can implement these technologies to enhance public safety mission capabilities using standards-based, commercially available, or open-source products. The described architecture leverages protocols such as OAuth 2.0 for Native Apps (RFC 8252), FIDO Universal Authentication Framework (UAF) and Universal Second Factor (U2F), Security Assertion Markup Language (SAML) 2.0, and OpenID Connect (OIDC) 1.0. The goal is to facilitate interoperability among diverse mobile platforms, applications, and identity providers, allowing a PSFR to authenticate once at the beginning of a shift and gain cross-jurisdictional access to multiple applications, thereby reducing the time needed for authentication while improving security."

Technical ID

nist-sp-1800-13-mobile-sso

Cybersecurity

NIST SPECIAL PUBLICATION 1800-14 Protecting the Integrity of Internet Routing: Border Gateway Protocol (BGP) Route Origin Validation

"This NIST Cybersecurity Practice Guide demonstrates how networks can protect Border Gateway Protocol (BGP) routes from vulnerability to route hijacks by using available security protocols, products, and tools to perform BGP route origin validation (ROV). BGP, the protocol used by internet service providers (ISPs) and enterprises to exchange route information, was not designed with security in mind, making it vulnerable to route hijacks which can deny access to services, misdeliver traffic, and cause instability. The guide addresses the challenge of using existing protocols to improve the security of inter-domain routing traffic exchange in a manner that mitigates accidental and malicious attacks associated with route hijacking. A route prefix hijack occurs when an autonomous system (AS) accidentally or maliciously originates a BGP update for a route prefix that it is not authorized to originate. The solution presented is a proof-of-concept implementation of BGP ROV using the Resource Public Key Infrastructure (RPKI). This practice guide is for any organization providing or using internet routing services, including ISPs, enterprises, address holders, and network operators. The core obligations involve two main activities: first, for address holders to protect their own internet addresses from route hijacking by registering them with trusted sources through the creation of Route Origin Authorizations (ROAs); and second, for network operators to perform BGP ROV on received BGP route updates to validate whether the entity that originated the route is in fact authorized to do so. The guide provides detailed deployment guidance, identifies implementation issues, and generates best practices for both hosted and delegated RPKI models."

Technical ID

nist-sp-1800-14-bgp-rov

Cybersecurity

NIST SPECIAL PUBLICATION 1800-15 Securing Small-Business and Home Internet of Things (IoT) Devices: Mitigating Network-Based Attacks Using Manufacturer Usage Description (MUD)

"The rapid growth of Internet of Things (IoT) devices is a cause for concern because they are tempting targets for attackers, often having minimal security, unpatched software flaws, and constraints that make them challenging to secure. The consequences can be catastrophic, as malicious actors can detect and attack an IoT device within minutes, exploiting weaknesses at scale to create botnets for large-scale distributed denial of service (DDoS) attacks. To address this, the National Cybersecurity Center of Excellence (NCCoE) demonstrated the use of the Manufacturer Usage Description (MUD) standard to reduce both the vulnerability of IoT devices and the potential for harm from compromised devices. The core obligation is for networks to use MUD to automatically permit each IoT device to send and receive only the traffic it requires to perform its intended function, and to prohibit all other communication with the device. This approach applies to IoT device manufacturers, network equipment developers, service providers, and organizations relying on the internet. By prohibiting unauthorized traffic, this solution reduces the opportunity for a device to be compromised and limits the ability of an already-compromised device to participate in network-based attacks. This guide details the MUD-based reference solution to help stakeholders protect internet availability, prevent reputational damage, and secure internal networks."

Technical ID

nist-sp-1800-15-iot-mud

Cybersecurity

NIST SPECIAL PUBLICATION 1800-16 Securing Web Transactions: TLS Server Certificate Management

"Transport Layer Security (TLS) server certificates are critical to the security of both internet-facing and private web services. Many organizations, especially large- or medium-scale enterprises with thousands of certificates, lack a formal TLS certificate management program and do not have the ability to centrally monitor and manage them. Instead, certificate management tends to be spread across different groups, leading to a lack of central oversight. This puts the organization at risk because once certificates are deployed, they require regular monitoring and maintenance. Organizations that improperly manage their certificates risk system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers. This NIST Cybersecurity Practice Guide is designed to help large and medium enterprises better manage TLS server certificates by employing a formal management program. The core recommendations include defining operational and security policies with clear roles and responsibilities; establishing comprehensive certificate inventories and ownership tracking; conducting continuous monitoring of certificates’ operational and security status; automating certificate management to minimize human error; and enabling rapid migration to new certificates and keys when certificate authorities or cryptographic mechanisms are compromised or found to be vulnerable. Executive leadership should establish these formal programs and set organization-specific implementation milestones to address certificate-based risks and challenges."

Technical ID

nist-sp-1800-16-tls-certificate-management

Cybersecurity

NIST SPECIAL PUBLICATION 1800-17 Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers

"This NIST Cybersecurity Practice Guide demonstrates how online retailers can implement multifactor authentication (MFA) to help reduce electronic commerce (e-commerce) fraud. MFA is a security enhancement that allows a user to present several pieces of evidence when logging into an account, which must come from at least two different categories: something you know (e.g., password), something you have (e.g., smart card), and something you are (e.g., fingerprint). The guide documents a system in which risk determines when to trigger MFA challenges to existing customers. As in-store security advances have pushed malicious actors to perform payment card fraud online, this guide describes implementing stronger user-authentication techniques to reduce this risk. The project’s example implementations analyze risk to prompt returning purchasers with additional authentication requests when risk elements are exceeded during the online shopping session. Risk elements may include contextual data related to the returning purchaser and the current shopping transaction. The example implementations will prompt a returning purchaser to present another distinct authentication factor—something the purchaser has—in addition to the username and password, when automated risk assessments indicate an increased likelihood of fraudulent activity. The MFA capabilities are based upon the Fast IDentity Online (FIDO) Universal Second Factor (U2F) authentication specification."

Technical ID

nist-sp-1800-17-mfa-ecommerce

Cybersecurity

Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments

"This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates how organizations can implement trusted compute pools to safeguard the security and privacy of their applications and data being run within a cloud or being transferred between a private cloud and a hybrid or public cloud. The guide addresses core concerns about cloud technology adoption, such as protecting information and virtual assets in the cloud and having sufficient visibility to conduct oversight and ensure compliance with applicable laws and business practices. The intended audience includes organizations in regulated sectors like finance and healthcare, as well as cloud computing practitioners, system integrators, and IT and security managers. The core objective is to develop a trusted cloud solution demonstrating how trusted compute pools leveraging hardware roots of trust can provide necessary security capabilities. These capabilities provide assurance that cloud workloads are running on trusted hardware and in a trusted geolocation or logical boundary, and improve the protections for data in the workloads and data flows between workloads. This enables organizations to monitor, track, apply, and enforce security and privacy policies on cloud workloads in a consistent, repeatable, and automated way, ensuring consistent compliance with legal and business requirements."

Technical ID

nist-sp-1800-19-trusted-cloud

Cybersecurity

NIST SPECIAL PUBLICATION 1800-21 Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)

"This NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their Corporate-Owned Personally-Enabled (COPE) mobile device security and privacy needs. COPE devices are owned by the enterprise, issued to the employee, and allow both parties to install applications onto the device. While mobile devices can increase efficiency and productivity, they can also leave sensitive data vulnerable, and securing them is essential to continuity of business operations. Organizations are challenged with ensuring these devices process, modify, and store sensitive data securely, as they bring unique threats to the enterprise and should be managed in a manner distinct from desktop platforms. To address this challenge, this guide provides a reference architecture and a detailed example solution demonstrating how various mobile security technologies can be integrated within an enterprise’s network. The core capabilities sought include enhanced protection of data on the mobile device, centralized management systems to deploy policies, evaluation of mobile application security, prevention of eavesdropping on device data, configuration of privacy settings to protect end-user data, and protection from phishing attempts. The foundation of the architecture is based on federal U.S. guidance, including NIST 800 series publications, to help ensure the confidentiality, integrity, and availability of enterprise data on mobile systems."

Technical ID

nist-sp-1800-21-cope

Cybersecurity

NIST SPECIAL PUBLICATION 1800-22 Mobile Device Security: Bring Your Own Device (BYOD)

"This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide provides an example solution demonstrating how organizations can use standards-based, commercially available products to enhance security and privacy for Bring Your Own Device (BYOD) deployments on Android and Apple phones and tablets. Allowing employees to use personal mobile devices for work introduces unique challenges, including supporting a diverse ecosystem of devices, reducing risks to enterprise data from loss or malware, and protecting employee privacy. An ineffectively secured personal device could expose an organization or employee to data loss or a privacy compromise. The guide's example solution leverages technologies such as enterprise mobility management (EMM), mobile threat defense (MTD), application vetting, and virtual private network (VPN) services. The core obligations focus on detecting and protecting against mobile malware and phishing, enforcing passcode usage, separating organizational and personal data, enabling selective wipe of corporate data from lost or stolen devices, and protecting data in transit via encryption. The solution aims to help organizations benefit from BYOD's flexibility while mitigating critical security and privacy challenges, providing step-by-step implementation guidance for enterprises to enhance their data protection posture."

Technical ID

nist-sp-1800-22-byod

Cybersecurity

Energy Sector Asset Management For Electric Utilities, Oil & Gas Industry

"As critical infrastructures, the incapacitation or destruction of assets in the energy sector, including electric utilities and the oil and gas industry, could have serious negative effects on the economy, public health, and safety. A primary challenge for these organizations is maintaining an updated operational technology (OT) asset inventory, as it is difficult to protect what is not seen or known. Without an effective asset management solution, organizations are unnecessarily exposed to cybersecurity risks from malicious actors targeting vulnerabilities within interconnected industrial control systems (ICS). Many energy organizations rely on manual processes and static, point-in-time snapshots for asset inventories, which makes it challenging to quickly identify and respond to potential threats. This NIST Cybersecurity Practice Guide provides detailed, practical steps on how energy organizations can identify, control, and monitor their OT assets to reduce the risk of cybersecurity incidents. It demonstrates an example solution for establishing, enhancing, and automating OT asset management by leveraging existing or implementing new capabilities. The core obligation is to establish a comprehensive OT asset management baseline that includes discovering assets, identifying attributes, monitoring for changes, determining asset criticality, and alerting on deviations from expected operations. The goal is to provide an automated inventory that can be viewed in near real time, enabling organizations to strengthen their cybersecurity posture and respond faster to security alerts."

Technical ID

nist-sp-1800-23-energy-asset-management

Cybersecurity

NIST SPECIAL PUBLICATION 1800-24 Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector

"This guide details how the National Cybersecurity Center of Excellence (NCCoE) at NIST built a laboratory environment to emulate a medical imaging environment, performed a risk assessment, and identified controls from the NIST Cybersecurity Framework to secure a medical imaging ecosystem. The project addresses the cybersecurity challenges of Picture Archiving and Communication Systems (PACS), which centralize medical imaging workflows and serve as authoritative repositories within a highly complex healthcare delivery organization (HDO) environment. This complexity, involving various interconnected systems, diverse users, and potential cloud storage, creates a large attack surface and presents vulnerabilities that could impact patient care and privacy through data loss, ransomware attacks, or unauthorized network access. This NIST Cybersecurity Practice Guide demonstrates how organizations can securely configure and deploy PACS using a standards-based, example solution. The architecture features a defense-in-depth approach, including network zoning, microsegmentation, and robust access control mechanisms like multifactor authentication for providers and certificate-based authentication for devices. It also promotes a holistic risk management approach that incorporates medical device asset management and behavioral analytics for near real-time threat detection. The guide is intended to help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, protect patient privacy, and improve resilience, while maintaining the performance and usability of the PACS ecosystem."

Technical ID

nist-sp-1800-24-securing-pacs

Cybersecurity

NIST SPECIAL PUBLICATION 1800-25 Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events

"This NIST Cybersecurity Practice Guide demonstrates how organizations can develop and implement appropriate actions before a detected data integrity cybersecurity event. The guide focuses on data integrity: the property that data has not been altered in an unauthorized manner, covering data in storage, during processing, and while in transit. Destructive malware, ransomware, malicious insider activity, and even honest mistakes all set the stage for why organizations need to properly identify and protect against events that impact data integrity. Attacks against an organization’s data can compromise emails, employee records, financial records, and customer information, impacting business operations, revenue, and reputation. The National Cybersecurity Center of Excellence (NCCoE) built a laboratory environment to explore methods to effectively identify and protect against data integrity attacks. The solution incorporates multiple systems working in concert to identify and protect assets by isolating opportunities that would allow for cybersecurity events to occur and implementing strategies to remediate them. The approach is aligned with the NIST Cybersecurity Framework functions of Identify (develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities) and Protect (develop and implement appropriate safeguards to ensure delivery of critical services). Key capabilities sought include inventory, policy enforcement, logging, backups, vulnerability management, secure storage, and integrity monitoring."

Technical ID

nist-sp-1800-25-data-integrity

Cybersecurity

NIST SPECIAL PUBLICATION 1800-28 Data Confidentiality: Identifying and Protecting Assets Against Data Breaches

"This guide helps organizations implement strategies to prevent data confidentiality attacks by demonstrating how to develop and implement appropriate actions to identify and protect data against a confidentiality cybersecurity event. An organization must protect its information from unauthorized access and disclosure, as data breaches can have far-reaching operational, financial, and reputational impacts. In the event of a breach, data confidentiality can be compromised via unauthorized exfiltration, leaking, or spills of data. It is essential for an organization to identify and protect assets to prevent breaches and, should a breach occur, to detect it and execute a response and recovery plan. This practice guide focuses on data confidentiality, defined as the property that data has not been disclosed in an unauthorized fashion, concerning data in storage, during processing, and while in transit. It applies these principles through the lens of the NIST Cybersecurity Framework Functions of Identify and Protect. It informs organizations on how to identify and protect assets against a data confidentiality attack, manage associated risks, and implement appropriate safeguards. The guidance assists organizations in inventorying data storage and flows, protecting against confidentiality attacks on hosts and networks, protecting data at rest, in transit, and in use, configuring logging, and implementing access controls and authentication mechanisms."

Technical ID

nist-sp-1800-28-data-confidentiality

Cybersecurity

NIST SPECIAL PUBLICATION 1800-29 Data Confidentiality: Detect, Respond to, and Recover from Data Breaches

"An organization must protect its information from unauthorized access and disclosure, as data breaches can have far-reaching operational, financial, and reputational impacts. In the event of a data breach, data confidentiality can be compromised via unauthorized exfiltration, leaking, or spills of data to unauthorized parties. It is essential for an organization to not only identify and protect assets to prevent breaches, but also to be able to detect an ongoing breach and execute a response and recovery plan that leverages security technology and controls. This NIST Cybersecurity Practice Guide, developed by the National Cybersecurity Center of Excellence (NCCoE), demonstrates how organizations can develop and implement appropriate actions to detect, respond to, and recover from a data confidentiality cybersecurity event. The guide, which applies principles through the lens of the NIST Cybersecurity Framework, helps organizations to monitor user and data activity, detect unauthorized data flows and access, analyze and mitigate the impact of breaches, contain their effects, and facilitate recovery by providing detailed information on the scope and severity of the incident."

Technical ID

nist-sp-1800-29-data-breaches

Cybersecurity

Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity

"This practice guide from the National Cybersecurity Center of Excellence (NCCoE) applies standards, best practices, and commercially available technology to protect the digital communication, data, and control of cyber-physical grid-edge devices. It addresses the challenge that the growing use of small-scale distributed energy resources (DERs), which often rely on Industrial Internet of Things (IIoT) technologies, represents a growing cyber threat to the distribution grid. A distribution utility may need to remotely communicate with thousands of DERs, and many companies are not equipped to offer secure access or to monitor and trust the rapidly growing amount of data. Any attack that can deny, disrupt, or tamper with DER communications could prevent a utility from performing necessary control actions and could diminish grid resiliency. The core obligation demonstrated is a risk-based approach for connecting and managing DERs, built on National Institute of Standards and Technology (NIST) and industry standards. The guide shows how to monitor and detect unusual behavior of connected IIoT devices, build a comprehensive audit trail of trusted IIoT data flows, protect data and communications traffic of grid-edge devices, and support secure edge-to-cloud data flows. It provides an example solution for authenticating systems, ensuring data integrity, detecting malware, maintaining an immutable command register, and implementing behavioral monitoring."

Technical ID

nist-sp-1800-32-securing-ders

Cybersecurity

NIST SPECIAL PUBLICATION 1800-35 Implementing a Zero Trust Architecture: High-Level Document

"A zero trust architecture (ZTA) is an enterprise cybersecurity architecture based on zero trust principles, such as those outlined in NIST Special Publication (SP) 800-207, designed to prevent data breaches and limit internal lateral movement. This guide is intended to help organizations gradually evolve existing environments and technologies into a ZTA over time by providing practical implementation details. The primary audience includes organizations looking to implement ZTA, assuming an existing level of cybersecurity knowledge and capabilities. The core obligation is to enable secure authorized access to enterprise resources distributed across on-premises and multiple cloud environments, while enabling a hybrid workforce and partners to access resources from anywhere, at any time, from any device. This is achieved through a risk-based approach to cybersecurity—continuously evaluating and verifying conditions and requests to decide which access requests should be permitted, then ensuring that each access is properly safeguarded commensurate with risk. The guide documents 19 example ZTA implementations built with 24 technology collaborators, providing models that organizations can emulate and best practices for leveraging existing technology infrastructure."

Technical ID

nist-sp-1800-35-zero-trust-architecture

Cybersecurity

NIST SPECIAL PUBLICATION 1800-4 Mobile Device Security: Cloud and Hybrid Builds

"This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide addresses the challenge of securely deploying and managing mobile devices in an enterprise. In many organizations, mobile devices are adopted on an ad hoc basis, possibly without the appropriate policies and infrastructure to manage and secure the enterprise data they process and store. This guide demonstrates how commercially available technologies can enable secure access to an organization’s sensitive email, contacts, and calendar information from users’ mobile devices. The solutions and architectures presented are built upon standards-based, commercially available products and can be used by any organization deploying mobile devices in the enterprise. This project contains two distinct builds: a cloud build that uses cloud-based data storage and management services, and a hybrid build that achieves the same functionality but hosts a portion of the data and services within an enterprise’s own infrastructure. The guide demonstrates how security can be supported throughout the mobile device life cycle. This includes how to configure a device to be trusted by the organization, how to maintain adequate separation between the organization’s data and the employee’s personal data, and how to handle de-provisioning a mobile device that should no longer have enterprise access (e.g., device lost or stolen, employee leaves the company). The guide identifies the security characteristics needed to reduce the risks from mobile devices storing or accessing sensitive enterprise data, maps these characteristics to standards and best practices, and describes detailed example solutions for implementation."

Technical ID

nist-sp-1800-4-mobile-device-security

Cybersecurity

NIST SPECIAL PUBLICATION 1800-5 IT Asset Management

"This NIST Cybersecurity Practice Guide offers a proof-of-concept solution for financial services companies to more securely and efficiently monitor and manage their information technology (IT) assets. The guide details an example solution using open source and commercially available products that can be included alongside current products in an existing infrastructure. It is designed for those responsible for tracking assets, configuration management, and cybersecurity, including system administrators, IT managers, and security managers. The core objective is to provide a centralized, comprehensive view of networked hardware and software across an enterprise. An effective IT asset management (ITAM) solution, as described, is foundational to an effective cybersecurity strategy. It enables organizations to know and control which assets are connected to the network, automatically detect and alert on unauthorized devices, enforce software restriction policies, and audit and monitor asset changes. The solution aims to span traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information, allowing users to query one system for a complete IT asset portfolio view. This enhanced visibility leads to better asset utilization, reduced vulnerabilities, faster response times to security alerts, and increased cybersecurity resilience by allowing security analysts to focus on the most valuable or critical assets."

Technical ID

nist-sp-1800-5-it-asset-management

Cybersecurity

Domain Name System-Based Electronic Mail Security

"This guide details proof-of-concept security platforms that demonstrate trustworthy email exchanges across organizational boundaries for both public and private-sector business operations. The project's goals include the authentication of mail transfer agents, signing and encryption of email, and binding cryptographic key certificates to servers. The Domain Name System Security Extension (DNSSEC) protocol is used to authenticate server addresses and certificates for Transport Layer Security (TLS) to DNS names, while DNS-Based Authentication of Named Entities (DANE) securely associates domain names with cryptographic certificates. The platforms enable end-to-end security through Secure/Multipurpose Internet Mail Extensions (S/MIME). This NIST Cybersecurity Practice Guide provides a standards-based reference design for any organization deploying email services to implement certificate-based cryptographic key management and DNS Security Extensions. The solutions and architectures presented are built upon standards-based, commercially available products. The guide aims to help organizations reduce risks so that employees can exchange information via email with significantly reduced risk of disclosure or compromise by enabling the use of existing security protocols more efficiently and with minimal impact to email service performance."

Technical ID

nist-sp-1800-6-email-security

Cybersecurity

NIST SPECIAL PUBLICATION 1800-7 Situational Awareness For Electric Utilities

"Through direct dialogue between NCCoE staff and members of the energy sector it became clear that energy companies need to create and maintain a high level of visibility into their operating environments to ensure the security of their operational resources (operational technology [OT]), including industrial control systems (ICS), buildings, and plant equipment. However, energy companies, as well as all other utilities with similar infrastructure and situational awareness challenges, also need insight into their corporate or information technology (IT) systems and physical access control systems (PACS). The convergence of data across these three often self-contained silos (OT, IT, and PACS) can better protect power generation, transmission, and distribution. Real-time or near real-time situational awareness is a key element in ensuring this visibility across all resources. Situational awareness, as defined in this use case, is the ability to comprehensively identify and correlate anomalous conditions pertaining to ICS, IT resources, and access to buildings, facilities, and other business mission-essential resources. Mechanisms to capture, transmit, view, analyze, and store real-time or near-real-time data from ICS and related networking equipment give energy companies the information needed to deter, identify, respond to, and mitigate cyber attacks against their assets."

Technical ID

nist-sp-1800-7-electric-utilities

Cybersecurity

NIST SPECIAL PUBLICATION 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations

"Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. With technological improvements, these devices now connect wirelessly to a variety of systems within a healthcare delivery organization (HDO), contributing to the Internet of Medical Things (IoMT). As IoMT grows, cybersecurity risks have risen. The wireless infusion pump ecosystem faces threats including unauthorized access to protected health information (PHI), changes to prescribed drug doses, and interference with a pump’s function. This can expose a healthcare provider’s enterprise to serious risks such as access by malicious actors, loss of enterprise information, a breach of PHI, and disruption of healthcare services. This NIST Special Publication provides cybersecurity guidance for HDOs and medical device manufacturers who share responsibility for reducing these risks. It details how organizations can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem. The core obligation involves performing a questionnaire-based risk assessment and then applying security controls to create a “defense-in-depth” solution. This guidance shows biomedical, networking, and cybersecurity engineers how to securely configure and deploy wireless infusion pumps to reduce cybersecurity risk, manage assets, protect against threats, and mitigate vulnerabilities."

Technical ID

nist-sp-1800-8-infusion-pumps

Cybersecurity

Information Security Handbook: A Guide for Managers

"This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. The guidance is intended for agency heads, chief information officers (CIOs), senior agency information security officers (SAISOs), and security managers. The topics are selected based on laws and regulations including the Federal Information Security Management Act (FISMA) of 2002 and Office of Management and Budget (OMB) Circular A-130. The core obligation is for federal agencies to establish a formal information security governance structure to proactively implement appropriate information security controls, support their mission in a cost-effective manner, and manage evolving risks. This governance is defined as the process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with business objectives, consistent with applicable laws, and provide assignment of responsibility to manage risk. While this guideline has been prepared for use by federal agencies, it may also be used by nongovernmental organizations on a voluntary basis. Agencies are expected to tailor this guidance according to their specific security posture and business requirements. The handbook summarizes and augments existing NIST standards and guidance, covering topics such as the System Development Life Cycle, risk management, security planning, incident response, and performance measures. It provides a framework for developing, documenting, and implementing an agency-wide information security program, ensuring protections are commensurate with the risk and magnitude of potential harm."

Technical ID

nist-sp-800-100-security-handbook

Cybersecurity

Recommendation for Key Derivation Using Pseudorandom Functions

"This Recommendation specifies techniques for deriving additional keying material from a secret key, either established through a key-establishment scheme or shared in some other manner, using pseudorandom functions (PRFs): HMAC, CMAC, and KMAC. The key-derivation functions (KDFs) can be used to derive additional keys from an existing cryptographic key that was previously established through an automated key-establishment scheme, generated, or previously shared. Key derivation in general may consist of two steps, randomness extraction and key expansion; the KDFs specified here perform only the key-expansion step, which is why their key input must already be a cryptographic key rather than raw shared-secret material. This publication defines several families of KDFs that use PRFs, including a counter mode, a feedback mode, and a double-pipeline mode as iteration methods, as well as a non-iterative KDF using KMAC. The key input to a KDF is called the key-derivation key (KDK) and must be a cryptographic key. The output is called derived keying material, which may be segmented into multiple keys for the intended cryptographic algorithms."
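The counter and feedback iteration modes are simple enough to write out, and doing so makes two properties visible that the summary only names: the requested output length L is an input to every PRF call, and a label/context pair selects one derived key among many. The code below is an added example with HMAC-SHA-256 as the PRF, not code from SP 800-108r1 or a NIST test vector; the key-derivation key, label and context values are constructed sample inputs, and the 32-bit counter and length encodings are one of the sizes the Recommendation allows.

```python
import hashlib
import hmac


def int_be(value, bits):
    """Encode value as a big-endian string of exactly `bits` bits ([i]_r and [L]_2 in the spec)."""
    return value.to_bytes(bits // 8, "big")


def kdf_counter(kdk, label, context, length_bytes, hash_name="sha256", r=32):
    """SP 800-108r1 KDF in counter mode, HMAC as the PRF:
       K(i) = HMAC(KDK, [i]_r || Label || 0x00 || Context || [L]_32)
       derived material = K(1) || K(2) || ... truncated to L bits."""
    h_len = hashlib.new(hash_name).digest_size
    n = -(-length_bytes // h_len)           # ceil(L / h)
    if n > (1 << r) - 1:
        raise ValueError("requested length exceeds the counter's range")
    fixed = label + b"\x00" + context + int_be(length_bytes * 8, 32)
    out = b"".join(hmac.new(kdk, int_be(i, r) + fixed, hash_name).digest() for i in range(1, n + 1))
    return out[:length_bytes]


def kdf_feedback(kdk, label, context, length_bytes, iv=b"", hash_name="sha256", r=32):
    """SP 800-108r1 KDF in feedback mode with the optional counter included:
       K(i) = HMAC(KDK, K(i-1) || [i]_r || Label || 0x00 || Context || [L]_32), K(0) = IV."""
    h_len = hashlib.new(hash_name).digest_size
    n = -(-length_bytes // h_len)
    fixed = label + b"\x00" + context + int_be(length_bytes * 8, 32)
    out, prev = b"", iv
    for i in range(1, n + 1):
        prev = hmac.new(kdk, prev + int_be(i, r) + fixed, hash_name).digest()
        out += prev
    return out[:length_bytes]


def derive_session_keys(kdk, context):
    """Segment one KDF output into an encryption key and a MAC key, the
    'derived keying material may be segmented into multiple keys' case."""
    material = kdf_counter(kdk, b"session-keys", context, 64)
    return material[:32], material[32:]


# Constructed sample inputs (not NIST test vectors).
KDK = bytes(range(32))
CONTEXT = b"client-id:7|server-id:42"

if __name__ == "__main__":
    enc_key, mac_key = derive_session_keys(KDK, CONTEXT)
    print(enc_key.hex(), mac_key.hex(), sep="\n")
```

Because L is bound into the PRF input, asking for 256 bits and then separately for 512 bits under the same label and context does not yield a prefix relationship between the two outputs; callers that need several keys should request the whole length once and segment it, as derive_session_keys does. With an empty IV and a single output block, feedback mode reduces to counter mode, which is a useful sanity check when comparing implementations.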

Technical ID

nist-sp-800-108r1-key-derivation

Cybersecurity

Guide to SSL VPNs

"Secure Sockets Layer (SSL) virtual private networks (VPN) provide secure remote access to an organization’s resources. A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and other information transmitted between two endpoints. An SSL VPN consists of one or more VPN devices to which users connect using their Web browsers, with the traffic between the browser and the device encrypted with the SSL protocol. SSL VPNs provide remote users with access to Web applications, client/server applications, and connectivity to internal networks, offering versatility and ease of use because they use the SSL protocol included with all standard Web browsers. There are two primary types of SSL VPNs. SSL Portal VPNs allow a user to use a single standard SSL connection to a Web site to securely access multiple network services from a single portal page. SSL Tunnel VPNs allow a user's web browser to securely access multiple network services, including applications and protocols that are not web-based, through a tunnel running under SSL. For Federal agencies, SSL VPNs must be configured to allow only FIPS-compliant cryptographic algorithms, cipher suites, and versions of SSL/TLS. Organizations should use a phased approach to SSL VPN planning and implementation, including identifying requirements, designing the solution, testing a prototype, deploying, and managing the solution."

Technical ID

nist-sp-800-113-guide-ssl-vpns

Cybersecurity

User’s Guide to Telework and Bring Your Own Device (BYOD) Security

"This publication provides recommendations for securing Bring Your Own Device (BYOD) client devices used for telework and remote access, as well as those directly attached to the enterprise’s own networks. It applies to an organization’s employees, contractors, business partners, vendors, and other users who perform work from locations other than the organization’s facilities using devices like desktop and laptop computers, smartphones, and tablets. The core obligation is to ensure that telework devices are properly secured to mitigate risks not only to the information the teleworker accesses but also to the organization’s other systems and networks. When a telework device uses remote access, it is essentially a logical extension of the organization’s own network; if the device is not secured properly, it therefore poses additional risk to that network. Key security recommendations include using security software such as antivirus and personal firewalls, restricting device access through user accounts and passwords, regularly applying updates to operating systems and applications, disabling unneeded networking features, securing home networks, and maintaining the device's security on an ongoing basis. Organizations may limit the types of BYOD devices that can be used and which resources they can access to limit the risk they incur."

Technical ID

nist-sp-800-114-r1-byod-security

Cybersecurity

Technical Guide to Information Security Testing and Assessment

"An information security assessment is the process of determining how effectively an entity being assessed (e.g., host, system, network, procedure, person) meets specific security objectives. This document provides a guide to the basic technical aspects of conducting information security assessments, presenting technical testing and examination methods and techniques that an organization might use, and offering insights to assessors on their execution and potential impact. The guidance enables organizations to develop an assessment policy, accurately plan assessments by addressing logistical and legal considerations, safely execute testing, appropriately handle technical data, and conduct analysis and reporting to translate technical findings into risk mitigation actions. To accomplish technical security assessments and ensure they provide maximum value, organizations are recommended to establish an information security assessment policy, implement a repeatable and documented assessment methodology, determine the objectives of each assessment and tailor the approach accordingly, and analyze findings to develop risk mitigation techniques. The guide is intended for use by computer security staff, program managers, system and network administrators, and other technical staff responsible for securing systems and network infrastructures."

Technical ID

nist-sp-800-115-security-testing

Cybersecurity

Guide to Bluetooth Security

"Bluetooth wireless technology is an open standard for short-range radio frequency communication used primarily to establish wireless personal area networks (WPANs), and has been integrated into many types of business and consumer devices. This publication provides information on the security capabilities of Bluetooth and gives recommendations to organizations employing Bluetooth wireless technologies on securing them effectively. The Bluetooth versions within the scope of this publication are versions 1.1 through 4.2. Bluetooth wireless technology and associated devices are susceptible to general wireless networking threats, such as denial of service (DoS) attacks, eavesdropping, man-in-the-middle (MITM) attacks, message modification, and resource misappropriation. To improve security, organizations should use the strongest Bluetooth security mode available for their devices. For devices version 4.1 and later, Security Mode 4, Level 4 is recommended for Basic Rate/Enhanced Data Rate (BR/EDR) as it requires Secure Connections. For the low energy feature, Security Mode 1, Level 4 is the strongest. Organizations should address Bluetooth in their security policies, change default settings, and ensure users are aware of their responsibilities, such as performing pairing in physically secure areas and turning off devices when not in use."

Technical ID

nist-sp-800-121r2-bluetooth-security

Cybersecurity

Special Publication 800-123 Guide to General Server Security

"This publication addresses the general security issues of typical servers, assisting organizations in installing, configuring, and maintaining them securely. Servers are frequently targeted by attackers due to the value of their data and services, which can include personally identifiable information. Common threats include exploitation of software bugs, denial of service attacks, unauthorized access to sensitive information, and using a compromised server to attack other entities. This document provides guidance for securing the server's underlying operating system, the server software itself, and maintaining a secure configuration through ongoing practices. The core obligations involve careful security planning prior to deployment, including addressing human resource requirements. Organizations must secure the server operating system by patching, removing unnecessary services, configuring user authentication, and performing security testing. Similarly, server applications must be securely deployed, configured, and managed to meet organizational security requirements. Maintaining server security is an ongoing process that requires constant effort and vigilance, involving actions such as configuring and analyzing log files, backing up critical information, establishing recovery procedures, and periodically testing security controls."

Technical ID

nist-sp-800-123-server-security

Cybersecurity

Guide for Security-Focused Configuration Management of Information Systems

"This guide provides guidelines for organizations responsible for managing and administering the security of federal information systems and associated environments of operation. The focus of this document is on implementation of the information system security aspects of configuration management, referred to as security-focused configuration management (SecCM), which is defined as the management and control of configurations for information systems to enable security and facilitate the management of information security risk. The goal of SecCM activities is to manage and monitor the configurations of information systems to achieve adequate security and minimize organizational risk while supporting the desired business functionality and services. SecCM builds on the general concepts of configuration management by focusing on the implementation and maintenance of established security requirements. These guidelines are applicable to all federal information systems other than those designated as national security systems. Federal agencies are responsible for including policies and procedures that ensure compliance with minimally acceptable system configuration requirements. State, local, and tribal governments, as well as private sector organizations, are encouraged to consider using these guidelines. The core obligation involves a disciplined approach for providing adequate security through a process that includes planning, identifying and implementing secure configurations, controlling configuration changes, and monitoring configurations to ensure they are not inadvertently altered from the approved baseline."
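The last step the summary names, monitoring configurations so they are not altered from the approved baseline, is the one most often left to intuition. The following is an added example, not code from SP 800-128 or any tool it describes: it fingerprints each configuration item in canonical form, records an approved baseline, and then separates drift that has an approved change on file from unauthorized drift, which is what SecCM monitoring should alert on. The configuration items, their settings and the approved-change list are constructed sample data.

```python
import hashlib
import json


def fingerprint(settings):
    """Hash a configuration item's settings in canonical form, so key order cannot cause false drift."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def take_baseline(items):
    """Approved baseline: one fingerprint per configuration item."""
    return {name: fingerprint(settings) for name, settings in items.items()}


def check_drift(baseline, current, approved_changes=()):
    """Compare the current configuration against the baseline.
    Items that changed under an approved change request are reported separately from
    unauthorized drift; items that vanished or appeared are reported as well, since
    an unplanned new service is as much a baseline violation as a changed setting."""
    approved = set(approved_changes)
    report = {"unauthorized": [], "approved": [], "missing": [], "new": []}
    for name, digest in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif fingerprint(current[name]) != digest:
            report["approved" if name in approved else "unauthorized"].append(name)
    report["new"] = sorted(set(current) - set(baseline))
    return report


# Constructed sample configuration items for one host.
BASELINE_ITEMS = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": 22},
    "ntp": {"servers": ["ntp1.example.net"]},
    "firewall": {"default": "deny", "allow": [22, 443]},
}
CURRENT_ITEMS = {
    "sshd": {"Port": 22, "PasswordAuthentication": "no", "PermitRootLogin": "yes"},  # root login re-enabled
    "ntp": {"servers": ["ntp1.example.net", "ntp2.example.net"]},                     # approved change
    "telnetd": {"enabled": True},                                                      # not in the baseline
}
APPROVED_CHANGES = {"ntp"}   # items with an approved change request on file

if __name__ == "__main__":
    print(check_drift(take_baseline(BASELINE_ITEMS), CURRENT_ITEMS, APPROVED_CHANGES))
```

Once a change request is closed, the approved item's new fingerprint should be folded into the baseline, so that the approved-changes list stays short and anything not on it is, by construction, unauthorized.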

Technical ID

nist-sp-800-128-config-management

Cybersecurity

An Introduction to Information Security (NIST Special Publication 800-12 Revision 1)

"This publication serves as a starting-point for those new to information security and for those unfamiliar with NIST information security publications and guidelines. Its intent is to provide a high-level overview of information security principles by introducing related concepts and the security control families (as defined in NIST SP 800-53) that organizations can leverage to effectively secure their systems and information. The target audience includes any person tasked with or interested in understanding how to secure systems, seeking a better understanding of information security basics, or a high-level view on the topic. The tips and techniques described may be applied to any type of information or system in any organization. Information security is defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to ensure confidentiality, integrity, and availability. The basic principles of information security are applicable to federal organizations, academia, and the private sector."

Technical ID

nist-sp-800-12r1-intro-infosec

Cybersecurity

Transitioning the Use of Cryptographic Algorithms and Key Lengths

"This Recommendation (SP 800-131A) provides specific guidance for transitions to the use of stronger cryptographic keys and more robust algorithms for Federal Government agencies protecting sensitive, but unclassified information. The document addresses the use of algorithms and key lengths specified in Federal Information Processing Standards (FIPS) and NIST Special Publications (SPs), outlining the timelines and approval statuses for various cryptographic functions. A core requirement is the transition to a minimum security strength of 112 bits for applying cryptographic protection, such as encrypting or signing data. This supersedes the previous 80-bit requirement. The guidance details acceptable, deprecated, disallowed, and legacy-use statuses for block ciphers (e.g., TDEA, AES), digital signatures (DSA, ECDSA, RSA), random bit generators, key agreement schemes (DH, MQV, RSA), key wrapping, key derivation functions, hash functions (SHA-1, SHA-2, SHA-3), and message authentication codes (HMAC, CMAC). The publication establishes deadlines for phasing out weaker algorithms and key lengths, such as disallowing three-key TDEA for encryption after 2023, and encourages implementers to plan for cryptographic agility to facilitate future transitions to quantum-resistant algorithms."

Technical ID

nist-sp-800-131a-rev-2-crypto-transitions

Cybersecurity

NIST Special Publication 800-132 Recommendation for Password-Based Key Derivation Part 1: Storage Applications

"This Recommendation specifies techniques for the derivation of master keys from passwords or passphrases to protect stored electronic data or data protection keys. Due to the low entropy and possibly poor randomness of passwords, they are not suitable to be used directly as cryptographic keys. This document specifies a family of password-based key derivation functions (PBKDFs) for deriving cryptographic keys from passwords or passphrases for the protection of electronically-stored data or for the protection of data protection keys. The derived keying material is called a Master Key (MK). This Recommendation has been prepared for use by Federal agencies, though it may be used by non-governmental organizations on a voluntary basis. The core obligation is to use a PBKDF, specifically PBKDF2 using HMAC with an approved hash function, to derive a master key from a password. The inputs to the function include the password (P), a salt (S), an iteration count (C), and the desired key length (kLen). The randomly-generated portion of the salt shall be at least 128 bits, the master key length shall be at least 112 bits, and a minimum iteration count of 1,000 is recommended. The derived MK shall only be used to generate one or more Data Protection Keys (DPKs) or to protect existing DPKs."
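The PBKDF2 construction the Recommendation mandates is short enough to show in full, and writing it out makes the role of each input (P, S, C, kLen) concrete. Below is an added example, not code from SP 800-132: a from-scratch PBKDF2-HMAC-SHA-256 checked against the standard library's hashlib.pbkdf2_hmac, wrapped in a derive_master_key function that refuses parameters below the Recommendation's minimums (128-bit random salt, 112-bit master key, 1,000 iterations). The 600,000-iteration default is this example's own choice, well above the floor; the passwords and salts used are constructed sample inputs.

```python
import hashlib
import hmac
import os

MIN_SALT_BYTES = 16      # at least 128 random bits of salt
MIN_MK_BYTES = 14        # master key of at least 112 bits
MIN_ITERATIONS = 1000    # the Recommendation's floor; use far more where latency allows


def pbkdf2(password, salt, iterations, key_len, hash_name="sha256"):
    """PBKDF2 as SP 800-132 specifies it (HMAC with an approved hash function):
       U_1 = HMAC(P, S || INT(i)),  U_j = HMAC(P, U_(j-1))
       T_i = U_1 xor U_2 xor ... xor U_C
       MK  = T_1 || T_2 || ... truncated to kLen."""
    h_len = hashlib.new(hash_name).digest_size
    blocks = -(-key_len // h_len)                       # ceil(kLen / hLen)
    out = b""
    for i in range(1, blocks + 1):
        u = hmac.new(password, salt + i.to_bytes(4, "big"), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(h_len, "big")
    return out[:key_len]


def stdlib_pbkdf2(password, salt, iterations, key_len):
    """The same function from the standard library, kept here as a cross-check."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, key_len)


def derive_master_key(password, salt, iterations=600_000, key_len=32):
    """Derive the SP 800-132 Master Key, rejecting parameters below the Recommendation's minimums.
    The MK is meant only to derive or protect Data Protection Keys, never to encrypt data directly."""
    if len(salt) < MIN_SALT_BYTES:
        raise ValueError("salt must contain at least 128 random bits")
    if key_len < MIN_MK_BYTES:
        raise ValueError("master key must be at least 112 bits")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count is below the SP 800-132 minimum of 1,000")
    return pbkdf2(password, salt, iterations, key_len)


def new_salt():
    """Fresh random salt of the minimum length, generated once per password."""
    return os.urandom(MIN_SALT_BYTES)

if __name__ == "__main__":
    salt = new_salt()
    print(salt.hex(), derive_master_key(b"correct horse battery staple", salt, iterations=1000).hex())
```

The iteration count is the only parameter that slows an attacker's guessing, and the 1,000 floor dates from the Recommendation's original publication; the salt must be stored alongside the protected data, and both the count and the salt length must be recorded so the MK can be re-derived later.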

Technical ID

nist-sp-800-132-pbkdf

Cybersecurity

FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759

"NIST Special Publication (SP) 800-140 specifies the modifications of the Derived Test Requirements (DTR) for Federal Information Processing Standard (FIPS) 140-3. It modifies the test evidence (TE) and vendor evidence (VE) requirements of International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 24759. As a validation authority, the Cryptographic Module Validation Program (CMVP) may modify, add or delete TEs and/or VEs as specified under paragraph 5.2 of ISO/IEC 24759. This document is directed toward vendors, testing labs, and the CMVP for the purpose of addressing CMVP-specific requirements in ISO/IEC 24759 for cryptographic modules. This publication should be used in conjunction with ISO/IEC 24759, as it modifies only those requirements identified in this document. The core obligation is for Cryptographic and Security Testing Laboratories (CSTLs) to use the methods specified to demonstrate conformance, and for vendors to provide the required documentation as supporting evidence."

Technical ID

nist-sp-800-140-dtr

Cybersecurity

Guidelines on Security and Privacy in Public Cloud Computing

"This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment. The primary purpose of this report is to describe the threats, technology risks, and safeguards surrounding public cloud environments, and their treatment. It is recommended that federal departments and agencies apply the guidelines when performing their own analysis of requirements. The core obligation for organizations is to take a risk-based approach in analyzing available options and to assess, select, engage, and oversee the public cloud services that can best fulfill their requirements. Organizations should carefully plan the security and privacy aspects of cloud solutions, understand the provider's environment, ensure the solution satisfies organizational requirements, secure the client-side environment, and maintain accountability over the data and applications deployed."

Technical ID

nist-sp-800-144-cloud-computing

Cloud & SaaS

The NIST Definition of Cloud Computing

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service), three service models (Software as a Service, Platform as a Service, Infrastructure as a Service), and four deployment models (Private, Community, Public, Hybrid). The NIST definition characterizes important aspects of cloud computing and is intended to serve as a means for broad comparisons of cloud services and deployment strategies, and to provide a baseline for discussion. This guideline has been prepared for use by Federal agencies in furtherance of statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002. It may be used by nongovernmental organizations on a voluntary basis. The intended audience includes system planners, program managers, technologists, and others adopting cloud computing as consumers or providers of cloud services. It is not intended to prescribe or constrain any particular method of deployment, service delivery, or business operation."

Technical ID

nist-sp-800-145-cloud-computing

Cloud & SaaS

Cloud Computing Synopsis and Recommendations

"This document reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open issues, presents an overview of major classes of cloud technology, and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing. To understand which part of the spectrum of cloud systems is most appropriate for a given need, an organization should consider how clouds can be deployed (deployment models), what kinds of services can be provided to customers (service models), the economic opportunities and risks of using cloud services (economic considerations), the technical characteristics of cloud services such as performance and reliability (operational characteristics), typical terms of service (service level agreements), and the security opportunities and risks (security). Organizations should be aware of the security issues that exist in cloud computing and of applicable NIST publications such as NIST Special Publication (SP) 800-53. The privacy and security of cloud computing depend primarily on whether the cloud service provider has implemented robust security controls and a sound privacy policy desired by their customers, the visibility that customers have into its performance, and how well it is managed. Inherently, the move to cloud computing is a business decision in which the business case should consider relevant factors, some of which include readiness of existing applications for cloud deployment, transition costs and life-cycle costs, maturity of service orientation in existing infrastructure, and other factors including security and privacy requirements."

Technical ID

nist-sp-800-146-cloud-recommendations

Cybersecurity

A Profile for U.S. Federal Cryptographic Key Management Systems

"This Profile for U.S. Federal Cryptographic Key Management Systems (FCKMSs) contains requirements for their design, implementation, procurement, installation, configuration, management, operation, and use by U.S. Federal organizations. It is intended to assist CKMS designers and implementers in selecting features, and to assist federal organizations and their contractors when procuring, installing, configuring, operating, and using FCKMSs. An FCKMS can be owned and operated by a federal organization or by a private contractor that provides key management services for federal organizations. The core obligation is for agencies to adopt, adapt, and migrate their FCKMSs to comply with the Profile requirements over time, particularly when creating or procuring new systems or services. These requirements establish minimum security strengths and cryptographic module standards based on the information system impact-levels defined in FIPS 200: Low, Moderate, and High. The Profile specifies that information rated at a Low impact-level must be protected with at least 112 bits of security strength, Moderate with at least 128 bits, and High with at least 192 bits. It also mandates the use of FIPS 140-validated cryptographic modules at specific security levels corresponding to each impact level."

Technical ID

nist-sp-800-152-key-management

Cybersecurity

Engineering Trustworthy Secure Systems

"This publication describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems. These can be effectively applied within systems engineering efforts to foster a common mindset to deliver security for any system, regardless of its purpose, type, scope, size, complexity, or stage of its system life cycle. The objective is to address security issues from the perspective of stakeholder requirements and protection needs and to use established engineering processes to ensure that such requirements and needs are addressed with appropriate fidelity and rigor across the entire life cycle of the system. Managing the complexity of trustworthy secure systems requires achieving the appropriate level of confidence in the feasibility, correctness-in-concept, philosophy, and design of a system to produce only the intended behaviors and outcomes. A trustworthy system provides compelling evidence to support claims that it meets its requirements to deliver the protection and performance needed by stakeholders, functioning only as intended while subjected to different types of adversity. Adversities can include attacks from determined and capable adversaries, human errors of omission and commission, accidents and incidents, component faults and failures, abuses and misuses, and natural and human-made disasters."

Technical ID

nist-sp-800-160-v1r1

Cybersecurity

NIST Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach

"NIST Special Publication (SP) 800-160, Volume 2, focuses on cyber resiliency engineering—an emerging specialty systems engineering discipline applied in conjunction with resilience engineering and systems security engineering to develop more survivable, trustworthy systems. Cyber resiliency engineering intends to architect, design, develop, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to reduce the mission, business, organizational, or sector risk of depending on cyber resources. This publication presents a cyber resiliency engineering framework to aid in understanding and applying cyber resiliency, a concept of use for the framework, and the engineering considerations for implementing cyber resiliency in the system life cycle. The framework constructs include goals, objectives, techniques, implementation approaches, and design principles. Organizations can select, adapt, and use some or all of the cyber resiliency constructs in this publication and apply the constructs to the technical, operational, and threat environments for which systems need to be engineered. The guidance can be applied to new systems, modifications to fielded systems, and systems identified for retirement."

Technical ID

nist-sp-800-160-v2r1

Cybersecurity

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

"This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. It addresses concerns about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices. The guidance is for a diverse audience, including individuals with system, information security, risk management, acquisition, and system development responsibilities across public and private sector entities. The core obligation is to integrate cybersecurity supply chain risk management (C-SCRM) into enterprise-wide risk management activities. This is achieved by applying a multilevel, C-SCRM-specific approach which includes the development of C-SCRM strategy and implementation plans, C-SCRM policies, C-SCRM plans for specific systems, and conducting risk assessments for products and services. The guidance emphasizes that C-SCRM is a systematic process for managing exposure to cybersecurity risks throughout the supply chain and developing appropriate response strategies, policies, processes, and procedures, which should be tailored to the unique size, resources, and risk circumstances of each enterprise."

Technical ID

nist-sp-800-161r1-csrm-practices

Cybersecurity

Guide to Attribute Based Access Control (ABAC) Definition and Considerations

"This document provides Federal agencies with a definition of attribute based access control (ABAC), a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. It provides planning, design, implementation, and operational considerations for employing ABAC within an enterprise with the goal of improving information sharing while maintaining control of that information. ABAC is distinguishable because it controls access to objects by evaluating rules against the attributes of entities (subject and object), operations, and the environment relevant to a request. The access control policies that can be implemented in ABAC are limited only by the computational language and the richness of the available attributes. This flexibility enables the greatest breadth of subjects to access the greatest breadth of objects without specifying individual relationships between each subject and each object. As new subjects join an organization, rules and objects do not need to be modified as long as the subject is assigned the necessary attributes. This benefit is often referred to as accommodating the external (unanticipated) user and is one of the primary benefits of employing ABAC."
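The "unanticipated user" benefit is easiest to see in a running policy engine. The code below is an added example, not code from SP 800-162 or any product it surveys: rules are lists of predicates over subject, object, action and environment attributes, a request is permitted when every predicate of some rule holds, and everything else is denied by default. The clearance ranking, the two rules, the subjects, the document and the request times are all constructed sample data; the point of the final assertion is that an external user gains access by being assigned attributes, with no change to the rules or the object.

```python
from datetime import datetime

CLEARANCE_RANK = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


# Predicates take (subject, object, action, environment) attribute dicts and return bool.
def is_action(wanted):
    return lambda s, o, a, e: a == wanted


def same_project(s, o, a, e):
    return o.get("project") in s.get("projects", ())


def clearance_dominates(s, o, a, e):
    return CLEARANCE_RANK[s.get("clearance", "public")] >= CLEARANCE_RANK[o.get("classification", "public")]


def is_owner(s, o, a, e):
    return s.get("id") is not None and s.get("id") == o.get("owner")


def within_hours(start, end):
    # Environment condition: the wall-clock hour at which the request arrives.
    return lambda s, o, a, e: start <= e["time"].hour < end


# A rule is a name plus predicates that must all hold; the policy permits if any rule matches.
POLICY = [
    ("read-project-doc", [is_action("read"), same_project, clearance_dominates, within_hours(8, 18)]),
    ("owner-edit", [is_action("edit"), is_owner]),
]


def decide(subject, obj, action, env, policy=POLICY):
    """Deny by default; return ('permit', rule_name) for the first rule whose predicates all hold."""
    for name, predicates in policy:
        if all(p(subject, obj, action, env) for p in predicates):
            return ("permit", name)
    return ("deny", None)


def onboard(subject, **attrs):
    """Granting access to a new subject means assigning attributes, not editing rules or objects."""
    return {**subject, **attrs}


# Constructed sample attributes.
DOC = {"id": "doc-17", "project": "apollo", "classification": "confidential", "owner": "alice"}
ALICE = {"id": "alice", "projects": ("apollo",), "clearance": "confidential"}
BOB = {"id": "bob", "projects": ("apollo",), "clearance": "internal"}
CAROL = {"id": "carol", "projects": (), "clearance": "public"}   # external user, no attributes yet
ENV_DAY = {"time": datetime(2024, 1, 15, 10, 30)}
ENV_NIGHT = {"time": datetime(2024, 1, 15, 22, 5)}

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, onboard(CAROL, projects=("apollo",), clearance="confidential")):
        print(who["id"], decide(who, DOC, "read", ENV_DAY))
```

The flip side of this flexibility is that the attribute sources become part of the trusted computing base: whoever can set a subject's clearance or project membership effectively writes the policy, so attribute provisioning needs the same change control and audit as the rules themselves.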

Technical ID

nist-sp-800-162-abac

Cybersecurity

NIST Special Publication 800-163 Revision 1: Vetting the Security of Mobile Applications

"As both public and private organizations rely more on mobile applications, ensuring that they are reasonably free from vulnerabilities and defects is paramount. Mobile apps can pose serious security risks to an organization and its users due to vulnerabilities that may be exploited to steal information, control a user’s device, or result in unexpected app or device behavior. To mitigate these risks, organizations should employ a software assurance process, referred to as an app vetting process, that ensures a level of confidence that software is free from vulnerabilities and functions in the intended manner. This document defines such an app vetting process and is intended for public- and private-sector organizations that seek to improve the software assurance of mobile apps deployed on their mobile devices. The core obligation is for organizations to determine if a mobile app is acceptable for deployment by vetting it against the organization's security requirements. This process involves a sequence of activities: app intake, app testing, app approval/rejection, and results submission. The process may be manual or automated and aims to be repeatable, efficient, and consistent, ensuring that mobile applications conform to defined security requirements before deployment. Organizations should not assume an app has been fully vetted or conforms to their security requirements simply because it is available through an official app store."

Technical ID

nist-sp-800-163r1-mobile-app-vetting

Cybersecurity

Guide to Application Whitelisting

"An application whitelist is a list of applications and application components that are authorized to be present or active on a host according to a well-defined baseline. Application whitelisting technologies use these lists to control which applications are permitted to install or execute, with the primary goal of stopping the execution of malware and other unauthorized software. Unlike traditional antivirus software that uses blacklists to block known bad activity, whitelisting technologies operate on a 'permit known good' model, blocking all other activity by default. The guidance is intended for organizations to understand the basics of application whitelisting and plan for its implementation throughout the security deployment lifecycle. This framework applies to centrally managed hosts, including desktops, laptops, and servers, where consistent application workloads make implementation more practical. It is strongly recommended for high-risk environments where security outweighs unrestricted functionality. The core obligation for an organization is to establish and maintain the whitelist using attributes such as digital signatures, publishers, or cryptographic hashes. A successful deployment requires a clear, step-by-step planning and implementation process, beginning with a prototype in monitoring mode to evaluate its behavior before moving to an enforcement mode. Organizations will need dedicated staff to manage and maintain the solution, similar to handling an enterprise antivirus or intrusion detection system."

Technical ID

nist-sp-800-167-application-whitelisting

Cybersecurity

Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171

"The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions. This publication provides federal agencies with recommended enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI when the information is resident in nonfederal systems, the nonfederal organization is not operating on behalf of an agency, and no other specific safeguarding requirements exist for the CUI category. These enhanced requirements supplement the basic security requirements in NIST Special Publication 800-171 and are specifically designed to respond to the advanced persistent threat (APT). The core obligation applies to components of nonfederal systems that process, store, or transmit CUI associated with a critical program or high value asset. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established with nonfederal organizations. The security measures promote penetration-resistant architectures, damage-limiting operations, and designs to achieve cyber resiliency and survivability. Federal agencies will select the specific set of enhanced requirements based on mission needs and risk assessments, and there is no expectation that all of the enhanced security requirements will be selected in every situation."

Technical ID

nist-sp-800-172-enhanced-security

Cybersecurity

Assessing Enhanced Security Requirements for Controlled Unclassified Information

"This publication provides federal agencies and nonfederal organizations with assessment procedures to carry out assessments of the requirements in NIST Special Publication 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI). The protection of CUI in nonfederal systems and organizations is important to federal agencies and can directly impact the ability of the Federal Government to successfully carry out its assigned missions. The purpose of this publication is to describe procedures for assessing these enhanced security requirements, which are designed to respond to the advanced persistent threat (APT) for CUI associated with a high value asset or critical program. The assessment procedures are flexible and can be tailored to the needs of organizations and assessors. Assessments can be conducted as self-assessments, independent third-party assessments, or government-sponsored assessments. The findings and evidence produced can be used to facilitate risk-based decisions, identify security weaknesses, prioritize risk mitigation, and support continuous monitoring."

Technical ID

nist-sp-800-172a-assessment

Cybersecurity

NIST Special Publication 800-177 Revision 1 Trustworthy Email

"This document provides recommendations and guidelines for enhancing trust in email, applicable to federal IT systems and also useful for small or medium-sized organizations. The primary audience includes enterprise email administrators, information security specialists, and network managers. Given that the core email protocol, Simple Mail Transfer Protocol (SMTP), is susceptible to attacks like man-in-the-middle content modification and surveillance, this guide details adaptations to mitigate these threats. The guidelines cluster into techniques for authenticating a sending domain, assuring email transmission security, and ensuring email content security. Technologies recommended in support of core SMTP and the Domain Name System (DNS) include mechanisms for authenticating a sending domain: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). For email transmission security, recommendations cover Transport Layer Security (TLS) and associated certificate authentication. For email content security, the guide recommends encryption and authentication of message content using Secure/Multipurpose Internet Mail Extensions (S/MIME) and associated protocols. Many of these security enhancements rely on records stored in a secured DNS, particularly through the deployment of DNS Security Extensions (DNSSEC)."

Technical ID

nist-sp-800-177-trustworthy-email

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system and should reflect input from information owners, the system owner, and the senior agency information security officer (SAISO). Management authorization to operate a system is based on an assessment of management, operational, and technical controls documented in the security plan. By authorizing processing in a system, a manager accepts its associated risk. The system security plan forms the basis for this authorization, supplemented by an assessment report and a plan of actions and milestones. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

nist-sp-800-18-r1

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"This guide provides direction for developing system security plans for federal information systems, a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of a system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. It is intended to be a living document, reflecting input from information owners, system owners, and the senior agency information security officer (SAISO), that forms the basis for the authorization of a system to operate. The document applies to all federal agencies and their information systems, which must be categorized as either a major application or a general support system. The protection of a system must be documented in a system security plan, which supports the system development life cycle (SDLC) and should be updated when events trigger the need for revision. Management authorization for a system to process information is based on an assessment of management, operational, and technical controls documented in the security plan. Re-authorization is required whenever there is a significant change in processing, and at least every three years."

Technical ID

nist-sp-800-18-r1-security-plans

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice, and the protection of a system must be documented in a system security plan. This is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA), which requires each federal agency to develop, document, and implement an agency-wide information security program. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It reflects input from various managers, including information owners, the system owner, and the senior agency information security officer (SAISO). A senior management official must authorize a system to operate, accepting its associated risk based on an assessment of management, operational, and technical controls documented in the plan. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

nist-sp-800-18-security-plans

Cybersecurity

Workforce Framework for Cybersecurity (NICE Framework)

"This publication from the National Initiative for Cybersecurity Education (NICE) describes the Workforce Framework for Cybersecurity (NICE Framework), a fundamental reference for describing and sharing information about cybersecurity work. It provides a reference taxonomy—a common language—of cybersecurity work and of the individuals who carry out that work. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NICE Framework provides a set of building blocks for describing the tasks, knowledge, and skills (TKS) that are needed to perform cybersecurity work. Through these building blocks, the framework enables organizations to develop their workforces to perform cybersecurity work, and it helps learners to explore cybersecurity work and to engage in appropriate learning activities to develop their knowledge and skills. This development, in turn, benefits employers and employees through the identification of career pathways that document how to prepare for cybersecurity work using the data of TKS statements bundled into Work Roles and Competencies. This publication may be used by nongovernmental organizations on a voluntary basis."

Technical ID

nist-sp-800-181r1-nice-framework

Cybersecurity

NIST Special Publication 800-183 Networks of ‘Things’

"This document offers an underlying and foundational understanding of the Internet of Things (IoT) based on the realization that IoT involves sensing, computing, communication, and actuation. It presents five core primitives as the basic building blocks for a Network of ‘Things’ (NoT), which includes IoT. These primitives apply well to systems with large amounts of data, scalability concerns, heterogeneity concerns, temporal concerns, and elements of unknown pedigree with possible nefarious intent. This model and vocabulary defines principles common to most, if not all, networks of things, allowing for comparisons between NoTs and providing a unifying vocabulary for composition and information exchange. The material presented is generic to all distributed systems that employ IoT technologies. The document uses the acronyms IoT and NoT (Network of Things) interchangeably, where IoT is an instantiation of a NoT with its ‘things’ tethered to the Internet. The intended audience includes computer scientists, IT managers, networking specialists, and networking and cloud computing software engineers. The model aims to expose the ingredients that can express how the IoT behaves, without defining IoT, offering insights into issues specific to trust."

Technical ID

nist-sp-800-183-networks-of-things

Cybersecurity

Guide for Cybersecurity Event Recovery

"In light of an increasing number of cybersecurity events, organizations can improve resilience by ensuring that their risk management processes include comprehensive recovery planning. Although there are existing federal policies, standards, and guidelines on cyber event handling, none of them focuses solely on improving cybersecurity recovery capabilities. This publication provides tactical and strategic guidance regarding the planning, playbook development, testing, and improvement of recovery planning to help organizations plan and prepare recovery from a cyber event and integrate the processes and procedures into their enterprise risk management plans. This guidance is not an operational playbook but is intended for individuals with decision-making responsibilities to develop customized playbooks. Recovery can be described in two phases: an immediate tactical recovery phase achieved through a pre-planned playbook, and a more strategic phase focused on continuous improvement of all Cybersecurity Framework (CSF) functions based on lessons learned. The document supports organizations in a technology-neutral way in improving their cyber event recovery plans, processes, and procedures, with the goal of resuming normal operations more quickly. While the scope is primarily US federal agencies, the information is useful to any organization wishing to have a more flexible and comprehensive approach to recovery."

Technical ID

nist-sp-800-184-event-recovery

Cybersecurity

SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash and ParallelHash

"This Recommendation specifies four types of SHA-3-derived functions: cSHAKE, KMAC, TupleHash, and ParallelHash, each defined for a 128- and 256-bit security strength. This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014 and is intended for developing information security standards and guidelines, including minimum requirements for federal information systems. This publication may be used by nongovernmental organizations on a voluntary basis. cSHAKE is a customizable variant of the SHAKE function defined in FIPS 202. KMAC (KECCAK Message Authentication Code) is a variable-length message authentication code algorithm that can also be used as a pseudorandom function. TupleHash is a variable-length hash function designed to hash tuples of input strings without trivial collisions. ParallelHash is a variable-length hash function that can hash very long messages in parallel. The core obligation is the correct implementation and use of these cryptographic functions as specified, ensuring domain separation through function names and customization strings to prevent collisions and maintain security properties."

Technical ID

nist-sp-800-185-sha3-derived-functions

Cybersecurity

Recommendations for Discrete Logarithm-based Cryptography: Elliptic Curve Domain Parameters

"This Recommendation specifies the set of elliptic curves recommended for U.S. Government use. It provides updated specifications of elliptic curves appropriate for digital signatures and key agreement schemes, intended for implementers of cryptographic systems. In addition to previously recommended Weierstrass curves defined over prime and binary fields, this document includes newly specified Montgomery and Edwards curves, which can provide increased performance, side-channel resistance, and simpler implementation. The new curves are interoperable with those specified by the Crypto Forum Research Group (CFRG) of the Internet Engineering Task Force (IETF). The core obligation is to use the specified elliptic curves in conjunction with other NIST publications for applications like digital signatures and key agreement. This document deprecates curves over binary fields due to limited adoption, recommending new implementations select a curve over a prime field. Furthermore, curves from FIPS 186-4 that do not meet current bit security requirements are designated for legacy-use only; they may be used to process already protected information (e.g., decrypt or verify) but not to apply new protection (e.g., encrypt or sign). Key pairs generated using these specifications are strictly for digital signature and key agreement purposes."

Technical ID

nist-sp-800-186-elliptic-curves

Cybersecurity

De-Identifying Government Datasets: Techniques and Governance

"De-identification is a general term for any process of removing the association between a set of identifying data and the data subject. This document, NIST SP 800-188, provides specific guidance to U.S. government agencies that wish to use de-identification to make government datasets available while protecting the privacy of individuals. The guidance aims to prevent or limit disclosure risks to individuals and establishments while still allowing for the production of meaningful statistical analysis. The intended audience includes government system engineers, security officers, data scientists, privacy officers, and disclosure review boards. Before using de-identification, agencies should evaluate their goals and the potential risks that releasing de-identified data might create. Core obligations include deciding upon a data-sharing model, such as publishing de-identified data, publishing synthetic data, providing a query interface, or using non-public protected enclaves. The guidance recommends that agencies create a Disclosure Review Board (DRB) to oversee the de-identification process, adopt a de-identification standard with measurable performance levels, and perform re-identification studies to gauge risk. It emphasizes that formal privacy methods like k-anonymity and differential privacy should be preferred over informal ad hoc methods when available and sufficient for the task."

Technical ID

nist-sp-800-188-de-identification

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. The protection of a system must be documented in a system security plan, a requirement of OMB Circular A-130 and the Federal Information Security Management Act (FISMA). This guidance applies to all federal agencies, but may be used by non-governmental organizations on a voluntary basis. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements, and to delineate responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Management authorization to operate a system is based on an assessment of management, operational, and technical controls. The system security plan establishes and documents these security controls and should form the basis for the authorization. By authorizing processing, a manager accepts the system's associated risk. Re-authorization should occur whenever there is a significant change in processing, but at least every three years. The plan should reflect input from various managers, including information owners, the system owner, and the senior agency information security officer (SAISO)."

Technical ID

nist-sp-800-18r1-security-plans

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection, which must be documented in a system security plan. This is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should reflect input from various managers, including information owners, the system owner, and the senior agency information security officer. A senior management official must authorize a system to operate, accepting its associated risk. This management authorization should be based on an assessment of management, operational, and technical controls documented in the security plan, supplemented by an assessment report and a plan of actions and milestones. Re-authorization should occur whenever there is a significant change in processing, but at least every three years."

Technical ID

nist-sp-800-18r1-security-plans-federal-systems

Cybersecurity

Application Container Security Guide

"Application container technologies are a form of operating system virtualization combined with application software packaging that provide a portable, reusable, and automatable way to package and run applications. This publication explains the potential security concerns associated with the use of containers and provides practical recommendations for addressing those concerns for system administrators, security managers, developers, and others responsible for the security of application container technologies. The core risks involve vulnerabilities and misconfigurations within container images, insecure connections to registries, unbounded administrative access to orchestrators, and the inherent risks of a shared kernel on the host OS. To mitigate these risks, organizations should tailor their operational culture and technical processes for containerized environments. Key recommendations include using minimalist, container-specific host operating systems to reduce attack surfaces; grouping containers by purpose, sensitivity, and threat posture on a single host for defense-in-depth; adopting container-specific vulnerability management tools and processes to scan images for flaws; considering hardware-based countermeasures like a Trusted Platform Module (TPM) to establish a root of trust; and deploying container-aware runtime defense tools to monitor and respond to anomalous activity."

Technical ID

nist-sp-800-190-container-security

Cybersecurity

NIST Special Publication 800-193 Platform Firmware Resiliency Guidelines

"This document provides technical guidelines and recommendations supporting resiliency of platform firmware and data against potentially destructive attacks. The platform is a collection of fundamental hardware and firmware components needed to boot and operate a system. A successful attack on platform firmware could render a system inoperable, perhaps permanently, or could require reprogramming by the original manufacturer, resulting in significant disruptions to users. The guidelines promote resiliency by describing security mechanisms for protecting the platform against unauthorized changes, detecting unauthorized changes that occur, and recovering from attacks rapidly and securely. The guidelines are based on three core principles: Protection, involving mechanisms to ensure platform firmware code and critical data remain in a state of integrity; Detection, involving mechanisms to detect when firmware or data have been corrupted; and Recovery, involving mechanisms for restoring firmware and data to a state of integrity. The intended audience includes system and platform device vendors of computer systems, including manufacturers of clients, servers, and networking devices, as well as developers and engineers responsible for implementing firmware-level security technologies. The security principles and recommendations are broadly applicable to other classes of systems with updatable firmware, including Internet of Things devices, embedded systems, and mobile devices. System administrators and security professionals can use this document to guide procurement strategies and priorities for future systems."

Technical ID

nist-sp-800-193-firmware-resiliency

Cloud & SaaS

Attribute-based Access Control for Microservices-based Applications Using a Service Mesh

"This document provides deployment guidance for building an authentication and authorization framework within a service mesh for microservices-based applications. In modern cloud-native architectures featuring loosely coupled microservices, it is necessary to build the concept of zero trust into the application environment. This guidance addresses two critical security requirements: (1) building zero trust by enabling mutual authentication in communication between any pair of services, and (2) establishing a robust, scalable access control mechanism such as attribute-based access control (ABAC) that can express a wide set of policies. The framework applies to applications where a dedicated infrastructure, the service mesh, provides services like authentication and authorization independently of the application code. The core obligations involve implementing a framework that includes an authenticatable runtime identity for services, authenticable credentials for individual users, encryption of communication between services, and a Policy Enforcement Point (PEP) that is separately deployable and controllable from the application. The service mesh's native features, such as authenticating end-user credentials (e.g., JWT), are leveraged to move request-level policy enforcement out of the application code, ensuring that requests reaching a service have been authenticated and authorized."

Technical ID

nist-sp-800-204b-abac

Cloud & SaaS

Attribute-based Access Control for Microservices-based Applications Using a Service Mesh

"With the disappearance of a network perimeter due to the need to provide ubiquitous access to applications from multiple remote locations using different types of devices, it is necessary to build the concept of zero trust into the application environment. Two critical security requirements in this architecture are to build (1) the concept of zero trust by enabling mutual authentication in communication between any pair of services and (2) a robust access control mechanism based on an access control model such as attribute-based access control (ABAC) that can be used to express a wide set of policies and is scalable in terms of user base, objects (resources), and deployment environment. The objective of this document is to provide deployment guidance for an authentication and authorization framework within a service mesh for microservices-based applications. This framework includes an authenticatable runtime identity for services, authenticatable credentials for individual users of the service, and encryption of communication between services. It also specifies a Policy Enforcement Point (PEP) that is separately deployable and controllable from the application. A reference platform for hosting the microservices-based application and a reference platform for the service mesh are included to illustrate the concepts in the recommendations and provide the context in terms of the components used in real-world deployments."

Technical ID

nist-sp-800-204b-abac-microservices

Cloud & SaaS

Implementation of DevSecOps for a Microservices-based Application with Service Mesh

"Cloud-native applications have evolved into a standardized architecture consisting of multiple loosely coupled components called microservices that are supported by an infrastructure for providing application services, such as service mesh. In this architecture, the entire set of source code can be divided into five types: application code, application services code, infrastructure as code, policy as code, and observability as code. Due to security, business competitiveness, and the inherent structure of loosely coupled application components, this class of applications needs a different development, deployment, and runtime paradigm. DevSecOps (Development, Security, and Operations) has been found to be a facilitating paradigm for these applications with primitives such as continuous integration, continuous delivery, and continuous deployment (CI/CD) pipelines. These pipelines are workflows for taking the developer’s source code through various stages, such as building, testing, packaging, deployment, and operations supported by automated tools with feedback mechanisms. This document provides guidance for the implementation of DevSecOps primitives for cloud-native applications with the architecture and code types described. The benefits of this approach for high security assurance and for enabling continuous authority to operate (C-ATO) are also discussed."

Technical ID

nist-sp-800-204c-devsecops-microservices

Cybersecurity

Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines

"This document outlines strategies for integrating Software Supply Chain (SSC) security assurance measures into Continuous Integration/Continuous Delivery (CI/CD) pipelines to protect the integrity of the underlying activities. The overall goal is to ensure that the CI/CD pipeline activities that take source code through the build, test, package, and deployment stages are not compromised. Cloud-native applications, often composed of multiple loosely coupled microservices, are generally developed using the DevSecOps paradigm, which utilizes CI/CD pipelines. Threats to the SSC can arise from attack vectors unleashed by malicious actors as well as defects introduced when due diligence practices are not followed by legitimate actors during the Software Development Life Cycle (SDLC). The guidance is intended for a broad group of practitioners including site reliability engineers, software engineers, project managers, and security architects. It focuses on actionable measures to integrate various building blocks for SSC security assurance into CI/CD pipelines to enhance the preparedness of organizations. This includes securing the developer environment, mitigating attack vectors, and protecting assets like source code and build systems. While artifacts like Software Bill of Materials (SBOM) are foundational, this document concentrates on the workflow tasks within CI/CD pipelines to meet the objectives of frameworks such as NIST’s Secure Software Development Framework (SSDF)."

Technical ID

nist-sp-800-204d-sssc-devsecops

Cybersecurity

NIST Special Publication 800-205 Attribute Considerations for Access Control Systems

"This document provides federal agencies with a guide for implementing attributes in access control systems. Attributes enable a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and environmental conditions against policy. Attribute-based access control systems rely upon attributes to not only define access control policy rules but also enforce the access control. Confidence in access control decisions is dependent on the accuracy, integrity, and timely availability of attributes. The core obligation is to ensure attributes shared across organizations provide assurance via proper location, retrieval, publication, validation, update, security, and revocation capabilities. To achieve this assurance, an Attribute Evaluation Scheme needs to be established, which brings confidence based on five principal areas of interest: Preparation, which involves planning attribute creation and sharing mechanisms; Veracity, which establishes semantic and syntactic correctness and trustworthiness; Security, which considers standards for secure transmission and storage of attributes; Readiness, which addresses the frequency of attribute refresh, caching, and backup; and Management, which provides mechanisms for maintaining attributes efficiently, including metadata, hierarchies, and logging."

Technical ID

nist-sp-800-205-access-control

Cybersecurity

NIST SP 800-207 — Zero Trust Architecture

"NIST Special Publication 800-207 (August 2020) defines Zero Trust Architecture (ZTA) — the security paradigm that shifts from perimeter-based ('castle and moat') defenses to identity-centric, per-session access decisions on all resources. The core principle is 'never trust, always verify': no implicit trust is granted based on network location. NIST 800-207 defines seven tenets of zero trust including that all data sources are resources, all communication is secured regardless of location, and access is granted per-session based on dynamic policy. The architecture defines three logical components: Policy Engine (PE) — makes access grant/deny decisions; Policy Administrator (PA) — establishes/terminates communication paths; Policy Enforcement Point (PEP) — gates access between subjects and enterprise resources. Three implementation approaches are defined: Enhanced Identity Governance (EIG), Micro-segmentation, and Software-Defined Perimeter (SDP)/Network Infrastructure. U.S. federal agencies were mandated to adopt ZTA principles by OMB Memorandum M-22-09 (January 2022), with specific maturity targets for identity, device, network, application, and data pillars per CISA ZT Maturity Model."

Technical ID

nist-sp-800-207

Cybersecurity

Recommendation for Stateful Hash-Based Signature Schemes

"This recommendation specifies two stateful hash-based signature (HBS) schemes, the Leighton-Micali Signature (LMS) system and the eXtended Merkle Signature Scheme (XMSS), along with their multi-tree variants, as supplements to FIPS 186. The security of these schemes depends on the security of the underlying hash functions and is believed to be resistant to attacks from large-scale quantum computers. Stateful HBS schemes are primarily intended for applications where a digital signature scheme must be implemented in the near future, the implementation will have a long lifetime, and transitioning to a different scheme after deployment is impractical, such as for authenticating firmware updates for constrained devices. A core obligation is the proper maintenance of state; an HBS private key consists of a large set of one-time signature (OTS) private keys, and the signer must ensure that no individual OTS key is ever used to sign more than one message. Reusing an OTS key would make it computationally feasible for an attacker to forge signatures. This recommendation requires that key and signature generation be performed in hardware cryptographic modules that do not allow secret keying material to be exported."

Technical ID

nist-sp-800-208-stateful-hbs

Cybersecurity

Security Guidelines for Storage Infrastructure

"This document provides an overview of the evolution of the storage technology landscape, current security threats, and the resultant risks. The primary purpose is to provide a comprehensive set of security recommendations for the current landscape of storage infrastructure, which consists of a mixture of legacy and advanced systems. The recommendations and security focus areas span those that are common to the entire IT infrastructure, such as physical security, authentication and authorization, change management, configuration control, incident response, and recovery. Within these areas, security controls that are specific to storage technologies, such as network-attached storage (NAS) and storage area networks (SAN), are also covered. In addition, security recommendations specific to storage technologies are provided for the following areas of operation: data protection, isolation, restoration assurance, and encryption. The guidance applies to traditional storage services (block, file, and object), storage virtualization, storage architectures for virtualized server environments, and storage resources hosted in the cloud."

Technical ID

nist-sp-800-209-storage-infrastructure

Cloud & SaaS

NIST Special Publication 800-210 General Access Control Guidance for Cloud Systems

"This document presents cloud access control (AC) characteristics and a set of general access control guidance for cloud service models—IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). The main focus is on technical aspects of access control without considering deployment models (e.g., public, private, or hybrid clouds), as well as trust and risk management issues. Different service delivery models need to consider managing different types of access on offered service components. Such considerations can be hierarchical; for example, the access control considerations of functional components in a lower-level service model (e.g., networking and storage layers in the IaaS model) are also applicable to the same functional components in a higher-level service model (e.g., networking and storage in PaaS and SaaS models). In general, access control considerations for IaaS are also applicable to PaaS and SaaS, and access control considerations for IaaS and PaaS are also applicable to SaaS. However, each service model has its own focus with regard to access control requirements for its service."

Technical ID

nist-sp-800-210-cloud-access

Cloud & SaaS

General Access Control Guidance for Cloud Systems

"This document presents cloud access control (AC) characteristics and a set of general access control guidance for cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). The main focus is on technical aspects of access control without considering deployment models (e.g., public, private, or hybrid clouds). Different service delivery models require managing different types of access on offered service components. Such service models can be considered hierarchical, so the access control guidance for functional components in a lower-level service model is also applicable to the same functional components in a higher-level service model. In general, access control guidance for IaaS is also applicable to PaaS and SaaS, and access control guidance for IaaS and PaaS is also applicable to SaaS. However, each service model has its own focus with regard to access control requirements for its service. For instance, an IaaS provider may put more effort into virtualization control, while a SaaS provider, in addition to virtualization control, needs to consider data security and the privacy of the services it provides. The intended audience for this document is an organizational entity that implements access control solutions for sharing information in cloud systems."

Technical ID

nist-sp-800-210-cloud-access-control

Cybersecurity

NIST Special Publication 800-213 IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements

"As organizations increasingly use Internet of Things (IoT) devices, care must be taken in their acquisition and implementation. This publication contains background and recommendations to help federal organizations consider how an IoT device they plan to acquire can integrate into a system. It provides guidance on considering system security from the device perspective, allowing for the identification of device cybersecurity requirements—the abilities and actions an organization will expect from an IoT device and its manufacturer or third parties. This guidance is intended for information security professionals, system administrators, and others tasked with managing security on a system. The publication applies to organizations incorporating IoT devices as system elements into an existing information system. In-scope devices have at least one transducer (sensor or actuator) for interacting with the physical world and at least one network interface. The core obligation is for organizations to assess the security impact of integrating IoT devices, understand the device's relationship to the system to properly define cybersecurity requirements, and manage risks that arise when devices do not meet those requirements, potentially through compensating controls or by deciding not to incorporate the device."

Technical ID

nist-sp-800-213-iot-guidance

Cybersecurity

NIST Special Publication 800-213A IoT Device Cybersecurity Guidance for the Federal Government: IoT Device Cybersecurity Requirement Catalog

"This publication provides a catalog of internet of things (IoT) device cybersecurity capabilities and non-technical supporting capabilities to help federal organizations determine and establish device cybersecurity requirements. The guidance applies to federal organizations, including information security professionals and system administrators, tasked with assessing, applying, and maintaining security for IoT devices used with federal information systems. The core obligation is for these organizations to use this catalog in conjunction with SP 800-213 and the NIST Risk Management Framework (RMF) to determine appropriate device cybersecurity requirements needed to support the security controls implemented on their systems. Device cybersecurity capabilities are features or functions provided through device hardware and software, such as data protection using encryption. Non-technical supporting capabilities are actions performed by manufacturers or other entities, such as providing notifications for software updates. The catalog details seven technical capabilities including Device Identification, Device Configuration, Data Protection, Logical Access, Software Update, Cybersecurity State Awareness, and Device Security. It also outlines four non-technical capabilities related to Documentation, Information Reception, Information Dissemination, and Education. By using this catalog, federal organizations can better describe the requirements needed to integrate an IoT device into a system securely, increasing the security posture of systems and their elements."

Technical ID

nist-sp-800-213a-iot-catalog

Cybersecurity

NIST SP 800-215 Guide to a Secure Enterprise Network Landscape

"The enterprise network landscape has undergone tremendous changes due to enterprise access to multiple cloud services, the geographical spread of on-premises IT resources, and the architectural shift from monolithic applications to microservices. These drivers have resulted in the disappearance of a protectable network perimeter, an increased attack surface, and the potential for rapid escalation of attacks across network boundaries. This document provides guidance for this new landscape from a secure operations perspective, intended for network design and security solution architects in organizations with hybrid IT environments. This guide examines the limitations of current network access technologies and illustrates how solutions have evolved from specific security functions to comprehensive security frameworks and infrastructure. It addresses feature enhancements to traditional network security appliances, secure networking configurations for specific functions, security frameworks like Zero Trust Network Access (ZTNA) that integrate these configurations, and the evolution of Wide Area Network (WAN) infrastructure to provide a holistic set of security services. The core obligation is for organizations to move defenses from static, network-based perimeters to focus on users, assets, and resources, assuming no implicit trust based on physical or network location."

Technical ID

nist-sp-800-215-secure-enterprise-network

Cybersecurity

Recommendations for Federal Vulnerability Disclosure Guidelines

"This document provides guidelines for managing vulnerability disclosure for information systems within the Federal Government, following the IoT Cybersecurity Improvement Act of 2020. It recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework is designed to be applied to all software, hardware, and digital services under federal control, including government-developed, commercial, and open-source software used by government systems. The framework defines two primary government entities: the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs). The FCB serves as the primary interface for vulnerability disclosure reporting, oversight, and coordination among government agencies. VDPOs are operational units, ideally part of existing information technology security offices, responsible for coordinating with actors to identify, resolve, and issue advisories on reported vulnerabilities for products and services. The core obligation is for federal agencies to establish and maintain a unified and flexible process for receiving, coordinating, publishing, and resolving security vulnerabilities to minimize the unintended exposure of government information, data corruption, and loss of services."

Technical ID

nist-sp-800-216-vulnerability-disclosure-guidelines

Cybersecurity

NIST SP 800-218 Secure Software Development Framework (SSDF)

"Compliance with the NIST SP 800-218 Secure Software Development Framework (SSDF) necessitates a holistic, risk-based approach to software security throughout its lifecycle. This assessment validates the establishment of organizational preparedness (PO) by confirming that `has_defined_security_requirements` are documented and that `has_defined_ssd_roles` are formally assigned, while also ensuring the organization `uses_automated_security_tools` within its development pipelines. Protections for software integrity (PS) are scrutinized, requiring verification that `uses_version_control_access_controls` are enforced, that the enterprise `generates_cryptographic_signatures_for_releases`, and that a `has_secure_artifact_repository` is maintained. The production of well-secured software (PW) is measured by mandating activities like `performs_threat_modeling` and having `has_vulnerability_management_for_dependencies`. A critical metric, `secure_compiler_flags_coverage_percent`, quantifies the application of security-hardening build configurations. Lastly, the framework evaluates vulnerability response (RV) capabilities, stipulating a maximum `vulnerability_scan_frequency_days` between scans, ensuring a `has_vulnerability_remediation_sla` exists, and confirming the organization `performs_root_cause_analysis_for_vulns` to prevent weakness recurrence."

Technical ID

nist-sp-800-218

Cybersecurity

NIST Special Publication 800-218 Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities

"This document describes the Secure Software Development Framework (SSDF), a core set of fundamental, sound, high-level practices for secure software development. The framework is intended to be integrated into any existing software development life cycle (SDLC) implementation. The primary audiences for this document are software producers—including commercial-off-the-shelf (COTS) product vendors, government-off-the-shelf (GOTS) software developers, custom software developers, and internal development teams, regardless of size or sector—and software acquirers, such as federal agencies and other organizations. The SSDF's core objective is for organizations to follow its practices to reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. The framework is organized into four groups of practices: preparing the organization by ensuring people, processes, and technology are ready for secure development; protecting all components of the software from tampering and unauthorized access; producing well-secured software with minimal vulnerabilities; and identifying and responding to vulnerabilities in software releases. The SSDF focuses on the outcomes of practices rather than on specific tools or techniques, making it broadly applicable across different technologies, platforms, and development models."

Technical ID

nist-sp-800-218-ssdf

Cybersecurity

Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)

"This publication introduces the macOS Security Compliance Project (mSCP), an open-source initiative by the National Institute of Standards and Technology (NIST) designed to provide security configuration guidance for Apple macOS in a machine-consumable format. The mSCP provides resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way. The project, hosted on GitHub, offers practical, actionable recommendations through secure baselines and associated rules, which are continuously curated and updated to support new macOS releases. The mSCP seeks to simplify the macOS security development cycle by reducing the effort required to implement security baselines, which are groups of settings used to configure a system to meet a target level or set of requirements. This specific publication, NIST SP 800-219, has been formally withdrawn as of July 20, 2023, and is provided for historical purposes only. It has been superseded in its entirety by SP 800-219r1. The project's content maps macOS settings to various security standards, including NIST SP 800-53, NIST SP 800-171, and the DISA Security Technical Implementation Guide (STIG). Organizations are advised to use the mSCP's content with a risk-based approach, selecting appropriate settings and tailoring baselines to meet their specific security requirements."

Technical ID

nist-sp-800-219-macos-mscp

Cybersecurity

Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio

"This publication helps individual organizations within an enterprise improve their Information and Communications Technology (ICT) risk management (ICTRM) to better identify, assess, and manage ICT risks in the context of broader mission and business objectives. It applies to both Federal Government and non-Federal Government professionals, including corporate officers and executives, who may be familiar with either ICTRM or Enterprise Risk Management (ERM), but not the integration of both. The core obligation is to integrate ICTRM within the overall sphere of ERM. This involves rolling up and integrating risks that are addressed at lower system and organizational levels to the broader enterprise level by focusing on the use of ICT risk registers as input to the enterprise risk profile. This integrated approach ensures that ICT risks are considered part of an interrelated portfolio, rather than in silos. Effective integration requires coordination, communication, and collaboration to address risks that extend beyond individual program boundaries, such as those related to cybersecurity, privacy, supply chain, IoT, and AI. By applying a consistent approach to identify, assess, respond to, and communicate risk, leaders and executives can be accurately informed and make effective strategic and tactical decisions. This allows ICT risks to be quantified in financial, mission, and reputation metrics similar to other enterprise risks, enabling prudent resource allocation. The goal is to balance the benefits of technology with potential risks and consequences, supporting a comprehensive ERM approach that safeguards the enterprise's mission, finances, and reputation."

Technical ID

nist-sp-800-221-ict-risk

Cybersecurity

Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio

"The increasing frequency, creativity, and severity of technology attacks means that all enterprises should ensure that information and communications technology (ICT) risk is receiving appropriate attention within their enterprise risk management (ERM) programs. Specific types of ICT risk include, but are not limited to, cybersecurity, privacy, and supply chain. This document provides a framework of outcomes that applies to all types of ICT risk, providing a common language for understanding, managing, and expressing ICT risk to internal and outside stakeholders. It is a tool for aligning policy, business, and technological approaches to managing that risk, and can be used to help identify and prioritize actions for reducing ICT risk. The primary audience for this publication includes both Federal Government and non-Federal Government professionals at all levels who understand ICT but may be unfamiliar with the details of ERM. The secondary audience includes both Federal and non-Federal Government corporate officers, high-level executives, ERM officers and staff members, and others who understand ERM but may be unfamiliar with the details of ICT. Using the framework for each type of ICT risk will help organizations improve the quality and consistency of ICT risk information they provide as inputs to their ERM programs."

Technical ID

nist-sp-800-221a-ict-risk-outcomes

Aviation, Defense & Quantum

High-Performance Computing Security: Architecture, Threat Analysis, and Security Posture

"This NIST Special Publication aims to standardize and facilitate the sharing of High-Performance Computing (HPC) security information and knowledge through the development of an HPC system reference architecture and key components, which are introduced as the basics of the HPC system lexicon. The reference architecture divides an HPC system into four function zones: a high-performance computing zone, a data storage zone, an access zone, and a management zone. This publication analyzes HPC threats, considers current HPC security postures and challenges, and makes best-practice recommendations. This guideline may be used by federal agencies and is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. It has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014. This publication may also be used by nongovernmental organizations on a voluntary basis. The core obligations focus on understanding the unique architecture of HPC systems, identifying threats specific to its functional zones, and implementing tailored security controls that balance performance with security, such as network segmentation, compute node sanitization, data integrity protection, and secure container management."

Technical ID

nist-sp-800-223-hpc-security

Cybersecurity

Guidelines for Evaluating Differential Privacy Guarantees

"This publication describes differential privacy — a privacy-enhancing technology (PET) that quantifies privacy risk to individuals when their data appears in a dataset. Differential privacy was first defined in 2006 as a theoretical framework and is still making the transition from theory to practice. This publication is intended to help those who need to manage the risks of data analytics and data sharing — including business owners, product managers, privacy personnel, security personnel, software engineers, data scientists, and academics — understand, evaluate, and compare differential privacy guarantees. Differential privacy promises that a reduction in privacy caused by a data analysis or published dataset will be bounded for all individuals about whom data are found in the dataset. In other words, any privacy reduction to an individual that results from a differentially private analysis could have happened even if the individual had not contributed their data. Differential privacy is generally achieved by adding random noise to analysis results. More noise yields better privacy but degrades the utility of the result. This privacy-utility tradeoff can make it difficult to achieve both high utility and strong privacy protection."

Technical ID

nist-sp-800-226-differential-privacy

Cybersecurity

Guide for Conducting Risk Assessments

"This guide provides a structured approach for conducting risk assessments of federal information systems and organizations, amplifying the guidance in NIST Special Publication 800-39. Risk assessments are a fundamental component of an organizational risk management process, used to identify, estimate, and prioritize risk to organizational operations, assets, individuals, and the Nation resulting from the use of information systems. The purpose of a risk assessment is to inform decision makers and support risk responses by identifying relevant threats, internal and external vulnerabilities, the potential impact or harm that may occur, and the likelihood of that harm occurring. The end result is a determination of risk, which is typically a function of the degree of harm and the likelihood of its occurrence. The guidelines are applicable to all federal information systems other than those designated as national security systems, and are intended for a diverse audience of risk management professionals. The core obligation is to conduct risk assessments on an ongoing basis throughout the system development life cycle and across all tiers of the risk management hierarchy: the organization level, mission/business process level, and information system level. The guide provides a detailed process for preparing for an assessment, conducting the assessment, communicating the results, and maintaining the assessment over time to ensure it remains relevant as systems, threats, and operational environments change."

Technical ID

nist-sp-800-30-risk-assessment

Cybersecurity

Contingency Planning Guide for Federal Information Systems

"NIST Special Publication 800-34, Rev. 1 provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures and a coordinated strategy involving plans, procedures, and technical measures that enable the recovery of information systems, operations, and data after a service disruption. Interim measures may include relocation of information systems to an alternate site, recovery using alternate equipment, or performance of functions using manual methods. This guidance is prepared for use by federal agencies but may be used by nongovernmental organizations on a voluntary basis. It applies to managers, CIOs, security officers, system engineers, and administrators responsible for designing, managing, operating, or securing information systems. The core obligation for federal organizations is to apply a seven-step process to develop and maintain a viable contingency planning program for their information systems. This process includes: developing a formal contingency planning policy statement; conducting a business impact analysis (BIA) to identify and prioritize critical systems; identifying preventive controls to reduce disruption effects; creating thorough recovery strategies; developing a detailed information system contingency plan (ISCP); ensuring the plan is validated through testing, training, and exercises; and maintaining the plan as a living document. These progressive steps are designed to be integrated into each stage of the system development life cycle, ensuring that systems can be recovered quickly and effectively following a disruption."

Technical ID

nist-sp-800-34-contingency-planning

Cybersecurity

Contingency Planning Guide for Federal Information Systems

"NIST Special Publication 800-34, Rev. 1, provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to interim measures to recover information system services after a disruption. These measures may include relocation of information systems to an alternate site, recovery of functions using alternate equipment, or performance of functions using manual methods. This guide is applicable to federal agencies and may be used by non-governmental organizations on a voluntary basis. It defines a seven-step contingency planning process designed to be integrated into each stage of the system development life cycle. The core obligation for organizations is to develop and maintain a viable contingency planning program for their information systems. This process includes developing a formal policy, conducting a business impact analysis (BIA) to identify and prioritize critical systems, identifying preventive controls, creating thorough recovery strategies, developing a detailed information system contingency plan, ensuring the plan is tested and personnel are trained, and maintaining the plan as a living document. The guide presents sample formats for contingency plans based on the low, moderate, or high-impact levels defined by FIPS 199, covering activation, recovery, and reconstitution phases."

Technical ID

nist-sp-800-34-contingency-planning-guide

Cybersecurity

Contingency Planning Guide for Federal Information Systems

"NIST Special Publication 800-34, Rev. 1 provides instructions, recommendations, and considerations for federal information system contingency planning. Contingency planning refers to a coordinated strategy involving interim measures to recover information system services after a disruption. These measures may include relocation of systems to an alternate site, recovery using alternate equipment, or performing functions using manual methods. This guide is prepared for use by federal agencies but may be used by nongovernmental organizations on a voluntary basis. The core obligation is a seven-step contingency planning process: 1. Develop a formal contingency planning policy statement to provide authority and guidance. 2. Conduct a business impact analysis (BIA) to identify and prioritize critical information systems and components. 3. Identify preventive controls to reduce the effects of system disruptions. 4. Create thorough recovery strategies to ensure the system may be recovered quickly and effectively. 5. Develop a detailed information system contingency plan. 6. Ensure plan testing, training, and exercises to validate recovery capabilities and prepare personnel. 7. Ensure the plan is a living document that is updated regularly to remain current with system enhancements and organizational changes."

Technical ID

nist-sp-800-34-r1

Cybersecurity

NIST Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View

"This publication provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. The guidance applies to all federal information systems other than those designated as national security systems. The core obligation is for leaders at all levels to understand their responsibilities and be held accountable for managing information security risk as a fundamental mission and business requirement. This is achieved through a multitiered risk management approach addressing risk at the organization level (Tier 1), the mission/business process level (Tier 2), and the information system level (Tier 3). The risk management process itself comprises four components: framing risk by establishing the context for risk-based decisions and creating a risk management strategy; assessing risk by identifying threats, vulnerabilities, harm, and likelihood; responding to risk by developing and implementing courses of action (accept, avoid, mitigate, share, or transfer); and monitoring risk on an ongoing basis to verify implementation and determine effectiveness. Because organizations operate in highly complex, interconnected environments, effective risk management is essential, and this publication provides a structured yet flexible approach for integrating risk-based decision making into every aspect of the organization, ensuring that missions and business functions are successfully executed."

Technical ID

nist-sp-800-39-managing-information-security-risk

Cybersecurity

Managing Information Security Risk: Organization, Mission, and Information System View

"This guidance provides an integrated, organization-wide program for managing information security risk to organizational operations, assets, individuals, other organizations, and the Nation resulting from the operation and use of federal information systems. It establishes a multi-tiered approach that addresses risk at the organization, mission/business process, and information system levels, fostering a climate where risk is considered within mission design, enterprise architecture, and system development life cycles. The core obligation for leaders and managers at all levels is to understand their responsibilities and be held accountable for managing this risk. The process is a comprehensive activity requiring organizations to frame risk by establishing context, assess risk by identifying threats and vulnerabilities, respond to risk once determined, and monitor risk on an ongoing basis. The guidelines are applicable to all federal information systems other than those designated as national security systems. The guidance is intended for a diverse audience, including senior leaders with oversight responsibilities, mission/business owners, acquisition officials, information security professionals, system developers, and assessors. While developed for federal agencies under the Federal Information Security Management Act (FISMA), state, local, and tribal governments, as well as private sector organizations, are encouraged to use these guidelines. The risk management guidance is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program."

Technical ID

nist-sp-800-39-managing-risk

Cybersecurity

Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology

"Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization. This process is more important than ever because of the increasing reliance on technology and the shift towards zero trust architectures where the perimeter largely does not exist anymore. This guide applies to all types of computing technology assets, including information technology (IT), operational technology (OT), Internet of Things (IoT), mobile, cloud, virtual machine, and container assets. There is often a divide between business/mission owners, who may believe that patching negatively affects productivity, and security/technology management. This publication frames patching as a critical component of preventive maintenance for computing technologies—a cost of doing business and a necessary part of what organizations need to do to achieve their missions. The core obligation is for leadership, business/mission owners, and security/technology management teams to jointly create an enterprise patch management strategy that simplifies and operationalizes patching while also improving its reduction of risk. This involves maintaining up-to-date software and asset inventories, defining risk response scenarios (routine patching, emergency patching, emergency mitigation, unpatchable assets), assigning assets to maintenance groups, and defining maintenance plans for each group. Preventive maintenance through enterprise patch management helps prevent compromises, data breaches, operational disruptions, and other adverse events."

Technical ID

nist-sp-800-40r4-enterprise-patch-management

Cybersecurity

Guidelines on Firewalls and Firewall Policy

"Firewalls are devices or programs that control the flow of network traffic between networks or hosts that employ differing security postures. This guidance provides an overview of firewall technologies, discusses their security capabilities, and makes recommendations for establishing firewall policies and for selecting, configuring, testing, deploying, and managing firewall solutions. It is intended for technical IT personnel responsible for firewall design, selection, deployment, and management. The core recommendation for organizations is to create a firewall policy that specifies how firewalls should handle inbound and outbound network traffic. A firewall policy should define how firewalls handle traffic for specific IP addresses, protocols, and applications based on risk analysis. Generally, all inbound and outbound traffic not expressly permitted by the firewall policy should be blocked. Organizations should also create rulesets that implement the firewall policy while supporting performance, and manage firewall architectures, policies, and software throughout their lifecycle. This includes using a formal change management control process for rulesets, performing periodic reviews, monitoring logs and alerts, and patching firewall software as vendors provide updates."

Technical ID

nist-sp-800-41-r1-firewalls

Cybersecurity

Managing the Security of Information Exchanges

"This publication provides guidance for managing the security of information exchanges between systems that are owned and operated by different organizations or are within the same organization but with different authorization boundaries. An organization often has mission and business-based needs to exchange information with other internal or external organizations via various information exchange channels, and the information being exchanged requires the same or similar level of protection as it moves from one organization to another, commensurate with risk. This guidance defines the scope of information exchange, describes the benefits of secure management, identifies types of exchanges, and discusses potential security risks and the types of agreements that may be applied by organizations. The core obligation is a four-phased approach for securely managing information exchange. The phases are: 1) Planning the information exchange, where organizations perform preliminary activities, examine all relevant issues, and develop an appropriate agreement; 2) Establishing the information exchange, where organizations execute a plan, implement security controls, and sign agreements; 3) Maintaining the exchange, where organizations actively maintain security and ensure agreement terms are met; and 4) Discontinuing the information exchange in a manner that avoids disruption. Agreements specify the responsibilities of participating organizations and the technical and security requirements for the exchange."

Technical ID

nist-sp-800-47-information-exchanges

Cybersecurity

Building a Cybersecurity and Privacy Learning Program

"This publication provides guidance for federal agencies and organizations to develop and manage a life cycle approach to building a Cybersecurity and Privacy Learning Program (CPLP). The program is intended to address the needs of large and small organizations and includes cybersecurity and privacy awareness campaigns, role-based training, and other workforce education programs. The CPLP is designed to be part of a larger organizational effort to reduce cybersecurity and privacy risks, supporting federal requirements such as the Federal Information Security Management Act (FISMA) and incorporating industry-recognized best practices for risk management. The core obligation is for an organization to create a strategic program plan that ensures appropriate resources are available to meet learning goals for all personnel, including employees and contractors. The overarching goal of a CPLP is to provide opportunities for learning at all levels, encourage behavior change as part of risk management, and lead to developing a privacy and security culture in the organization. The guidance provides steps to build an effective CPLP, identify personnel who require advanced training, create a methodology for program evaluation, and engage in ongoing improvement to minimize privacy and security risks to the organization."

Technical ID

nist-sp-800-50r1-learning-program

Cybersecurity

Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

"Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the Internet. This Special Publication provides guidance on the selection and configuration of TLS protocol implementations while making effective use of Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms. It requires that TLS 1.2 configured with FIPS-based cipher suites be supported by all government TLS servers and clients and requires support for TLS 1.3 by January 1, 2024. This Special Publication also provides guidance on certificates and TLS extensions that impact security. The guidelines in this document are specifically targeted towards U.S. federal departments and agencies. While these guidelines are primarily designed for federal users and system administrators to adequately protect sensitive but unclassified U.S. Federal Government data, they may also be used by non-governmental organizations on a voluntary basis. The guidance promotes more consistent use of authentication, confidentiality, and integrity mechanisms; consistent use of recommended cipher suites that encompass NIST-approved algorithms; and protection against known and anticipated attacks on the TLS protocol."

Technical ID

nist-sp-800-52r2-tls-guidelines

Cybersecurity

Security and Privacy Controls for Information Systems and Organizations

"This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. The consolidated control catalog addresses security and privacy from both a functionality perspective and an assurance perspective. Revision 5 of this foundational NIST publication represents a multi-year effort to develop the next generation of security and privacy controls. The objectives are to make the information systems we depend on more penetration-resistant, limit the damage from attacks when they occur, make the systems cyber-resilient and survivable, and protect individuals’ privacy. It includes changes to make the controls more outcome-based, integrating information security and privacy controls into a seamless, consolidated catalog, establishing a new supply chain risk management control family, and separating control selection processes from the controls themselves to allow use by different communities of interest."

Technical ID

nist-sp-800-53-r5

Cybersecurity

Control Baselines for Information Systems and Organizations

"This publication provides security and privacy control baselines for the Federal Government. It establishes three security control baselines, one for each system impact level—low-impact, moderate-impact, and high-impact—as well as a privacy baseline that is applied to systems irrespective of impact level. These control baselines serve as a starting point for organizations in the security and privacy control selection process. The document provides tailoring guidance and a set of working assumptions that help guide and inform the control selection process, allowing organizations to customize their security and privacy control baselines to protect their critical and essential operations and assets. The guidance is applicable to any organization that processes, stores, or transmits information, including federal, state, local, and tribal governments, as well as private sector organizations. For federal information systems, implementation of a minimum set of controls selected from NIST SP 800-53 is mandatory in accordance with the Federal Information Security Modernization Act (FISMA) and OMB Circular A-130. The core obligation involves categorizing systems by impact level, selecting the appropriate predefined control baseline, and then applying a tailoring process to align the controls more closely with specific organizational mission needs and risk assessments. This proactive and systematic approach helps ensure systems are sufficiently trustworthy and resilient to support the economic and national security interests of the United States."

Technical ID

nist-sp-800-53b-control-baselines

Cybersecurity

Recommendation for Pair-Wise Key Establishment Using Integer Factorization Cryptography

"This Recommendation specifies key-establishment schemes using integer factorization cryptography, in particular, RSA. The schemes are appropriate for use by the U.S. Federal Government to support cryptographic algorithms used in modern applications with automated key-establishment. Both key-agreement and key transport schemes are specified for pairs of entities, and methods for key confirmation are included to provide assurance that both parties share the same keying material. A key-establishment scheme can be characterized as either a key-agreement scheme, where the resultant secret keying material is a function of information contributed by two participants, or a key-transport scheme, whereby one party selects a value for the secret keying material and then securely distributes that value. This document is intended for vendors implementing secure key-establishment using asymmetric algorithms in FIPS 140 validated modules. The security of the schemes relies on the intractability of factoring integers that are products of two sufficiently large, distinct prime numbers. The recommendation details the entire process, including the generation and validation of RSA key pairs, the establishment of a shared secret, derivation of keying material, and optional key confirmation. It also mandates security practices, such as the destruction of sensitive locally stored data after use, to limit opportunities for unauthorized access."

Technical ID

nist-sp-800-56b-key-establishment

Cybersecurity

Recommendation for Key Management: Part 1 – General

"This Recommendation provides cryptographic key-management guidance, focusing on general best practices for the management of cryptographic keying material. The proper management of cryptographic keys is essential to the effective use of cryptography for security, as poor key management may easily compromise strong algorithms. This guidance covers the management of a cryptographic key throughout its entire lifecycle, including its secure generation, storage, distribution, use, and destruction. Ultimately, the security of information protected by cryptography directly depends on the strength of the keys, the effectiveness of associated cryptographic mechanisms and protocols, and the protection afforded to the keys. Secret and private keys must be protected against unauthorized disclosure, and all keys need protection against modification. This guidance applies to U.S. government agencies protecting sensitive, unclassified information and may be used by non-governmental organizations on a voluntary basis. It is intended for developers and system administrators to support appropriate decisions when selecting and using cryptographic mechanisms, ensuring that real security is achieved rather than an illusion of it."

Technical ID

nist-sp-800-57-key-management

Cybersecurity

Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations

"NIST Special Publication (SP) 800-57 provides cryptographic key management guidance. Part 2 of this recommendation identifies the concepts, functions, and elements common to effective systems for the management of symmetric and asymmetric keys. It details the security planning requirements and documentation necessary for effective institutional key management, describes Key Management Specification requirements, and outlines the cryptographic Key Management Policy and Key Management Practice Statement documentation needed by organizations that use cryptography. The primary audience for this guidance is U.S. government system owners and managers who are setting up or acquiring cryptographic key management capabilities. However, it is also intended to provide voluntary cybersecurity guidelines to the private sector. The document emphasizes that responsible key management is essential to the effective use of cryptographic mechanisms for protecting information technology systems. It requires that any organization employing cryptography to provide security services must have key management policy, practices, and planning documentation to ensure assurance that keys are authentic, belong to the asserted entity, and have not been accessed by unauthorized parties."

Technical ID

nist-sp-800-57-p2-r1

Cybersecurity

Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories

"Developed by the National Institute of Standards and Technology (NIST) in response to the Federal Information Security Management Act (FISMA), this guideline assists Federal government agencies in categorizing their information and information systems. Its primary objective is to facilitate the provision of appropriate levels of information security according to a range of impact levels that might result from the unauthorized disclosure, modification, or loss of availability of information. The guidance is intended for use by federal agencies but may also be used by non-governmental organizations on a voluntary basis. This document, Volume II, contains the appendices which include security categorization recommendations and rationale for a wide range of mission-based, management, and support information types. The core process outlined involves reviewing security categorization terms from FIPS 199, following a recommended categorization process, and using a methodology to identify types of Federal information. The appendices provide suggested provisional security impact levels for these common information types. The guideline also discusses information attributes that may lead to variances from these provisional assignments and describes how to establish an overall system security categorization based on the system’s use, connectivity, and the aggregate information it contains. The provisional impact level assignments are intended as the first step in a broader risk assessment process, not as a definitive checklist for auditors."

Technical ID

nist-sp-800-60-v2r1-appendices

Cybersecurity

Computer Security Incident Handling Guide

"Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively by providing guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications. The Federal Information Security Management Act (FISMA) requires Federal agencies to establish incident response capabilities. Organizations must create, provision, and operate a formal incident response capability, including creating an incident response policy and plan, developing procedures for incident handling, and establishing relationships with other groups. Federal law also requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT). This guideline is prepared for use by Federal agencies, but may be used by nongovernmental organizations on a voluntary basis. It is intended for computer security incident response teams (CSIRTs), system and network administrators, security staff, and management responsible for preparing for or responding to security incidents."

Technical ID

nist-sp-800-61r2-incident-handling

Cybersecurity

Digital Identity Guidelines: Authentication and Lifecycle Management

"These guidelines provide technical requirements for federal agencies implementing digital identity services, but may be used by non-governmental organizations on a voluntary basis. The guidelines focus on the authentication of subjects interacting with government systems over open networks, establishing that a given claimant is a subscriber who has been previously authenticated. The core obligation is to meet the requirements for a chosen Authenticator Assurance Level (AAL), which characterizes the strength of an authentication transaction. Stronger authentication, or a higher AAL, requires malicious actors to have better capabilities and expend greater resources to subvert the authentication process. The document defines three levels. AAL1 provides some assurance that the claimant controls an authenticator, requiring either single-factor or multi-factor authentication. AAL2 provides high confidence and requires proof of possession and control of two different authentication factors using approved cryptographic techniques. AAL3 provides very high confidence, requiring authentication based on proof of possession of a key through a cryptographic protocol. AAL3 specifically requires a hardware-based authenticator that provides verifier impersonation resistance. The guidelines detail permitted authenticator types, authenticator and verifier requirements, reauthentication rules, and security controls for each AAL."

Technical ID

nist-sp-800-63b-authentication

Cybersecurity

NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management

"These guidelines provide technical requirements for federal agencies implementing digital identity services, focusing on the authentication of subjects interacting with government systems over open networks. The core obligation is to establish that a given claimant is a subscriber who has been previously authenticated. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity, establishing that a subject is in control of the technologies used to authenticate. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously. The strength of an authentication transaction is characterized by an ordinal measurement known as the Authenticator Assurance Level (AAL). AAL1 provides some assurance that the claimant controls an authenticator, requiring either single-factor or multi-factor authentication. AAL2 provides high confidence and requires proof of possession and control of two different authentication factors through secure protocols. AAL3 provides very high confidence, is based on proof of possession of a key through a cryptographic protocol, and requires a hardware-based authenticator that provides verifier impersonation resistance."

Technical ID

nist-sp-800-63b-digital-identity

Cybersecurity

National Checklist Program for IT Products – Guidelines for Checklist Users and Developers

"A security configuration checklist (also called a lockdown or hardening guide) is a series of instructions for configuring an IT product to a particular operational environment, verifying its configuration, and identifying unauthorized changes. Using well-written, standardized checklists can markedly reduce the vulnerability exposure of IT products. To facilitate the development and use of these checklists, NIST established the National Checklist Program (NCP), which maintains the National Checklist Repository, a publicly available resource containing information on a variety of security configuration checklists for specific IT products. This document is intended for users and developers of security configuration checklists in both the public and private sectors. For users, it provides recommendations on selecting checklists from the repository, evaluating, testing, and applying them. For developers, it sets forth the policies, procedures, and general requirements for participation in the NCP. A core obligation is that Federal agencies are required to use appropriate security configuration checklists from the NCP when available, as stated in the Federal Acquisition Regulation (FAR). FISMA also requires Federal agencies to determine minimally acceptable system configuration requirements and ensure compliance, which these checklists facilitate."

Technical ID

nist-sp-800-70-r4-ncp

Cybersecurity

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

"This document provides guidance on designing, developing, conducting, and evaluating test, training, and exercise (TT&E) events so that organizations can improve their ability to prepare for, respond to, manage, and recover from adverse events that may affect their missions. It is intended for organizations with information technology (IT) plans, such as contingency and computer security incident response plans, that must be maintained in a state of readiness. This includes having personnel trained to fulfill their roles, plans exercised to validate their content, and systems tested to ensure their operability. The core obligation is for organizations to establish a comprehensive TT&E program because tests, training, and exercises are closely related and offer different ways of identifying deficiencies in IT plans, procedures, and training. The guidance applies to single organizations, as opposed to large-scale events involving multiple entities. As part of creating a TT&E program, a plan should be developed that outlines the organization’s roadmap for ensuring a viable capability, including the development of a TT&E policy, identification of roles and responsibilities, establishment of an event schedule, and documentation of a TT&E event methodology. The types of events covered are tests (evaluation tools that use quantifiable metrics to validate IT system operability), training (informing personnel of their roles and responsibilities), tabletop exercises (discussion-based simulations), and functional exercises (performance-based simulations in a simulated operational environment)."

Technical ID

nist-sp-800-84-tte-programs

Cybersecurity

Guide to Integrating Forensic Techniques into Incident Response

"Digital forensics is the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. This guide provides practical guidance on performing computer and network forensics to help organizations investigate computer security incidents and troubleshoot IT operational problems. Its focus is primarily on using forensic techniques to assist with computer security incident response, presenting forensics from an IT perspective rather than a law enforcement view. Practically every organization needs a capability to perform digital forensics; without it, an organization will have difficulty determining what events have occurred within its systems and networks, such as exposures of protected, sensitive data. The forensic process comprises four basic phases: Collection, Examination, Analysis, and Reporting. The guidance applies to incident response teams, forensic analysts, system and security administrators, and computer security program managers. It details establishing a forensic capability, including developing policies and procedures that define roles, responsibilities, and appropriate use of forensic tools. The guide covers data sources including files, operating systems, network traffic, and applications, and provides recommendations for how multiple data sources can be used together to gain a better understanding of an event. Organizations should use this guide as a starting point for developing a forensic capability in conjunction with guidance from legal advisors, law enforcement, and management."

Technical ID

nist-sp-800-86-forensic-techniques

Cybersecurity

Guidelines for Media Sanitization

"This guide assists organizations and system owners in making practical media sanitization decisions based on the categorization of their information's confidentiality. Sanitization is a process that renders access to target data on media infeasible for a given level of effort. As data passes through multiple organizations and storage media, particularly in distributed cloud-based architectures, the potential for sensitive data to be collected and retained increases. The application of effective sanitization techniques is a critical aspect of ensuring sensitive data is protected against unauthorized disclosure. The responsibility for efficient information management, from inception through disposition, falls on all parties who handle the data. This responsibility is amplified by legal and ethical obligations to protect data such as Personally Identifiable Information (PII). An organization must ensure that no easily re-constructible residual representation of data is stored on media after it has left the organization's control or is no longer protected at the data's original confidentiality categorization. This guideline specifies that an organization must sanitize or destroy information system digital media before its disposal or release for reuse. It provides a decision-making process and minimum recommendations for various media types, including hard copy, magnetic, flash-based, and optical media, categorizing sanitization actions as Clear, Purge, or Destroy."

Technical ID

nist-sp-800-88-media-sanitization

Cybersecurity

Recommendation for Random Number Generation Using Deterministic Random Bit Generators

"This Recommendation specifies mechanisms for the generation of random bits using deterministic methods. The methods provided are based on either hash functions or block cipher algorithms. A Deterministic Random Bit Generator (DRBG) is based on a DRBG mechanism and includes a source of randomness. A DRBG mechanism uses an algorithm that produces a sequence of bits from an initial value that is determined by a seed, which in turn is determined from the output of the randomness source. Once the seed is provided and the initial value is determined, the DRBG is said to be instantiated and may be used to produce output. The seed used to instantiate the DRBG must contain sufficient entropy to provide an assurance of randomness. If the seed is kept secret, and the algorithm is well designed, the bits output by the DRBG will be unpredictable, up to the instantiated security strength of the DRBG. This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, and may be used by non-governmental organizations on a voluntary basis."

Technical ID

nist-sp-800-90a-rev1-drbg

Cybersecurity

Guide to Computer Security Log Management

"A log is a record of the events occurring within an organization’s systems and networks. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management—the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. Organizations also may store and analyze certain logs to comply with Federal legislation and regulations, including the Federal Information Security Management Act of 2002 (FISMA). This publication provides guidance for meeting log management challenges. Key recommendations include establishing policies and procedures for log management, prioritizing log management appropriately throughout the organization, creating and maintaining a secure log management infrastructure, and providing proper support for all staff with log management responsibilities. This guidance is for computer security staff, program managers, system administrators, and incident response teams responsible for performing duties related to computer security log management, particularly within Federal agencies."

Technical ID

nist-sp-800-92-log-management

Cybersecurity

Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

"This guide seeks to assist organizations in better understanding the Institute of Electrical and Electronics Engineers (IEEE) 802.11 family of standards for wireless local area networks (WLANs), focusing on the security enhancements introduced in the IEEE 802.11i amendment. The IEEE 802.11i amendment introduces the concept of a Robust Security Network (RSN), a wireless security network that only allows the creation of Robust Security Network Associations (RSNAs). RSNAs are wireless connections providing moderate to high levels of assurance against WLAN security threats through cryptographic techniques. RSN components include stations (STAs) like laptops, access points (APs), and authentication servers (AS). NIST requires Federal agencies to use the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) for securing IEEE 802.11-based WLANs, as it uses the FIPS-approved Advanced Encryption Standard (AES). For legacy equipment without CCMP, auxiliary protection like an IPsec VPN is required. Organizations should carefully select authentication methods, using the Extensible Authentication Protocol (EAP) and the IEEE 802.1X standard instead of pre-shared keys (PSKs). The EAP-TLS method is recommended whenever possible. To ensure interoperability and security, organizations should procure WPA2 Enterprise certified products that use FIPS-approved encryption algorithms and have been FIPS-validated."

Technical ID

nist-sp-800-97-ieee-802-11i

Cybersecurity

Guide for Developing Security Plans for Federal Information Systems

"The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice, and the protection of a system must be documented in a system security plan. This is a requirement of the Office of Management and Budget (OMB) Circular A-130 and the Federal Information Security Management Act (FISMA). The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. Management authorization to operate should be based on an assessment of management, operational, and technical controls documented in the security plan. By authorizing processing in a system, the manager accepts its associated risk. Re-authorization should occur whenever there is a significant change in processing, but at least every three years. This guidance applies to program managers, system owners, and security personnel responsible for developing, implementing, and managing federal information systems."

Technical ID

nist-sp800-18-developing-security-plans

Cybersecurity

Mitigating Cybersecurity and Privacy Risks in Telehealth Smart Home Integration

"This paper introduces a notional high-level smart home integration reference architecture to better understand cybersecurity and privacy risks associated with Hospital-at-Home (HaH) deployments in the context of an integrated smart home environment, focusing on voice assistants (e.g., smart speakers) as a representative Internet of Things (IoT) device. The guidelines are intended for technologists and information security professionals who work in healthcare delivery organizations (HDOs), including hospitals, clinics, or other healthcare facilities that may implement HaH solutions for their patients. Adversaries may exploit patient-owned IoT devices and home network infrastructures as entry points into an HDO’s broader environment. To address these risks, this paper leverages the NIST Cybersecurity and Privacy Frameworks and NIST IoT Core Baseline to outline mitigation efforts for HDOs. The core obligations and recommended mitigations include access control, authentication, continuous monitoring, data security, governance, and network segmentation. A core theme calls upon HDOs to ensure network segmentation between medical or biometric devices and other environments to impede a threat actor’s ability to compromise an endpoint and impact other devices. Other key protections include implementing data security encryption for both data-in-transit and data-at-rest to maintain data confidentiality and integrity."

Technical ID

nist-telehealth-smart-home-integration

Cybersecurity

Glossary of Key Information Security Terms

"This publication, NISTIR 7298 Revision 3, describes an easily-accessible repository of terms and definitions extracted verbatim from National Institute of Standards and Technology (NIST) publications and Committee on National Security Systems (CNSS) Instruction 4009. The repository, referred to as 'the Glossary,' consists of an online user interface application and an underlying relational database. The database contains terms and definitions from NIST Federal Information Processing Standard Publications (FIPS), Special Publication (SP) 800 series, select NIST Interagency or Internal Reports (NISTIRs), and CNSSI-4009. It does not contain definitions without a source publication, and terms from draft documents are not included as they are not stable. The Glossary is intended to help users understand terminology, recognize when and where multiple definitions may exist, and identify a definition that they can use. By providing this central resource, NIST aims to help standardize terms and definitions, reducing confusion and the tendency to create unique definitions for different situations. The publication provides an overview of the Glossary's design, methodology, and the structure of its database. It is intended for a technical audience interested in the Glossary's structure or anyone interested in its purpose and development. Users interested only in the terms and definitions are encouraged to use the online application directly."

Technical ID

nistir-7298r3-glossary-security-terms

Industrial IoT & Energy

Smart Grid Security Framework

"NISTIR 7628 Revision 1 (2014) provides the definitive cybersecurity guidelines for smart grid systems, covering all functional domains from bulk generation to consumer premises. It defines 189 high-level security requirements across seven categories (Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements) and maps them to logical interfaces between smart grid components. Utilities, energy operators, grid equipment manufacturers, and AI agents managing smart grid infrastructure must apply NISTIR 7628 alongside NERC CIP for bulk electric systems and IEC 62443 for industrial control components. Failure to implement these controls exposes critical national infrastructure to cyberattacks with potential for widespread power outages."

Technical ID

nistir-7628-smartgrid

Cloud & SaaS

NIST Cloud Computing Forensic Science Challenges

"This document summarizes research performed by the members of the NIST Cloud Computing Forensic Science Working Group and aggregates, categorizes, and discusses the forensics challenges faced by experts when responding to incidents that have occurred in a cloud-computing ecosystem. The challenges are presented along with the associated literature that references them. The immediate goal of the document is to begin a dialogue on forensic science concerns in cloud computing ecosystems, with the long-term goal of gaining a deeper understanding of those concerns and identifying technologies and standards that can mitigate them. With the rapid adoption of cloud computing technology, a need has arisen for the application of digital forensic science to this domain. The validity and reliability of forensic science is crucial in this new context and requires new methodologies for identifying, collecting, preserving, and analyzing evidence in multi-tenant cloud environments. This is necessary to support U.S. criminal justice and civil litigation systems as well as to provide capabilities for security incident response and internal enterprise operations. The document categorizes challenges into nine major groups: Architecture, Data collection, Analysis, Anti-forensics, Incident first responders, Role management, Legal, Standards, and Training."

Technical ID

nistir-8006-cloud-forensic-challenges

Cybersecurity

NISTIR 8114 Report on Lightweight Cryptography

"NIST-approved cryptographic standards were designed to perform well on general-purpose computers, but their performance may not be acceptable for the increasing number of small, resource-constrained computing devices found in areas like the Internet of Things (IoT), sensor networks, and healthcare. Many modern cryptographic algorithms cannot be implemented in these constrained devices. In response, NIST initiated a lightweight cryptography project to investigate the issues and develop a strategy for the standardization of lightweight cryptographic algorithms. This report provides an overview of the project and outlines NIST's plan to create a portfolio of lightweight algorithms through an open process. Instead of a one-size-fits-all standard, NIST will develop 'profiles' that capture the specific physical, performance, and security requirements imposed by various devices and applications. Algorithms will be evaluated and recommended for use only within the context of these specific profiles. The report solicits feedback from stakeholders to help define these requirements and profiles, marking the initial phase of a long-term effort to approve and maintain a portfolio of algorithms suitable for constrained environments."

Technical ID

nistir-8114-lightweight-cryptography

Cybersecurity

NISTIR 8183 Cybersecurity Framework Manufacturing Profile

"This document provides the Cybersecurity Framework (CSF) implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices. This Manufacturing Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing. The Profile gives manufacturers a method to identify opportunities for improving their current cybersecurity posture, an evaluation of their ability to operate the control environment at an acceptable risk level, and a standardized approach to preparing a cybersecurity plan. It is built around the five primary functional areas of the Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover. There are 98 distinct security objectives within these areas that comprise a starting point from which to develop a manufacturer-specific Profile at defined risk levels of Low, Moderate, and High. The Profile focuses on desired cybersecurity outcomes and provides a prioritization of security activities to meet specific business and mission goals."

Technical ID

nistir-8183-manufacturing-profile

Cybersecurity

NISTIR 8228 Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks

"The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how these devices affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The primary audience for this publication is personnel at federal agencies with responsibilities related to managing cybersecurity and privacy risks for IoT devices, although personnel at other organizations and IoT device manufacturers may also find value in the content. This publication provides insights to inform organizations’ risk management processes, identifying three high-level considerations: 1) Many IoT devices interact with the physical world in ways conventional IT devices usually do not, requiring explicit recognition of impacts to physical systems. 2) Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can, necessitating new approaches. 3) The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IoT devices. Organizations should address these risk considerations and challenges throughout the IoT device lifecycle by adjusting organizational policies and processes and implementing updated mitigation practices."

Technical ID

nistir-8228-iot-cybersecurity-risks

AI Governance & Law

Foundational Cybersecurity Activities for IoT Device Manufacturers

"This publication provides recommendations for manufacturers to improve the securability of the Internet of Things (IoT) devices they create. Many IoT devices lack cybersecurity capabilities that customers can use to mitigate risks. Manufacturers can assist customers by providing necessary cybersecurity functionality and related information. This document outlines six recommended foundational cybersecurity activities for manufacturers to consider before their devices are sold. These activities aim to lessen the cybersecurity efforts required by customers, thereby reducing the prevalence and severity of IoT device compromises and subsequent attacks. The core obligation for manufacturers is to carefully consider which device cybersecurity capabilities to design into their products for customers to use in managing their risks. The primary audience is IoT device manufacturers, but the content may also be useful for IoT device customers seeking to understand available device cybersecurity capabilities and the information manufacturers might provide."

Technical ID

nistir-8259-iot-device-manufacturers

Cybersecurity

NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline

"This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. The main audience for this publication is IoT device manufacturers, but it may also help IoT device customers or integrators. The core baseline has been derived from researching common cybersecurity risk management approaches and commonly used capabilities for addressing cybersecurity risks to IoT devices. These capabilities were developed in the context of NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. This baseline is intended to give all organizations a starting point for IoT device cybersecurity risk management, but the implementation of all capabilities is not considered mandatory. It is left to the implementing organization to understand the unique risk context in which it operates and what is appropriate for its given circumstance."

Technical ID

nistir-8259a-iot-device-cybersecurity

AI Governance & Law

NISTIR 8312 Four Principles of Explainable Artificial Intelligence

"This document introduces four principles for explainable artificial intelligence (AI) that comprise fundamental properties for explainable AI systems. For AI systems that are intended or required to be explainable, it is proposed that they adhere to these principles. First, a system must deliver accompanying evidence or reasons for its outcomes and processes (Explanation). Second, these explanations must be understandable to the individual users they are intended for (Meaningful). Third, the explanation must correctly reflect the system’s actual process for generating the output (Explanation Accuracy). Finally, the system must only operate under the conditions for which it was designed and when it reaches sufficient confidence in its output (Knowledge Limits). These principles were developed to encompass the multidisciplinary nature of explainable AI and are heavily influenced by the AI system’s interaction with the human recipient. The requirements of a given situation, the task at hand, and the consumer will all influence the type of explanation deemed appropriate. These situations can include regulatory and legal requirements, quality control, and customer relations. The principles allow for defining the contextual factors to consider for an explanation and act as a roadmap for future measurement and evaluation activities. This work is part of a larger NIST portfolio around trustworthy AI, which also includes characteristics like accuracy, privacy, reliability, robustness, safety, security, mitigation of harmful bias, transparency, fairness, and accountability."

Technical ID

nistir-8312-explainable-ai-principles

Cybersecurity

Blockchain and Related Technologies to Support Manufacturing Supply Chain Traceability: Needs and Industry Perspectives

"This publication explores the issues surrounding supply chain traceability, assessing the role blockchain and related technologies can play in its improvement. It targets all stakeholders in the U.S. national manufacturing supply chain, including businesses, regulatory agencies, standards bodies, researchers, and consumers, particularly those involved with operational technology (OT) and industrial control systems (ICS). The core finding is that traceability, including pedigree and provenance records, must be shared via multi-lateral ecosystems of supply chain participants to overcome the limitations of traditional bi-lateral message exchanges. These ecosystems can leverage blockchain technology to cryptographically ensure that traceability records are properly attributed, tamper-evident, and cannot be deleted, thereby mitigating risks from logistical disruptions, fraud, and sabotage. The document proposes an ecosystem-oriented perspective layered atop the existing 'per acquirer' view in supply chain risk management. This approach is necessary to enable multi-lateral information sharing and migrate from linear information flows. By establishing ecosystem-wide agreement on traceability requirements, organizations can mitigate semantic gaps and issues with trust transitivity. Achieving this requires linking physical objects to cyber records, cooperation across the supply chain to read and write traceability records, and sufficient incentives to motivate adoption and achieve a Minimum Viable Ecosystem (MVE). The publication analyzes several case studies and identifies key areas for future research, including identity, message content standards, barriers to entry, and ecosystem interoperability."

Technical ID

nistir-8419-supply-chain-traceability

Legal & IP Sovereignty

Notary Public Standards

"Compliance with established Notary Public Standards mandates rigorous adherence to procedural and documentary requirements for all notarial acts. A fundamental prerequisite is the satisfactory identification of the principal signer, which necessitates presentation of a current, unexpired government-issued photo identification. The platform enforces a zero-tolerance policy for identity verification, permitting a maximum of zero credential analysis failures. Furthermore, the notarial officer must confirm the signer is both aware of the document's contents and acting willingly, without coercion. This act must occur with the signer in the notary’s physical presence or through an authorized Remote Online Notarization (RON) platform. Before notarization, the instrument presented must be complete, containing no blank spaces that could facilitate subsequent fraudulent entries. Every notarization requires an official notary seal or stamp affixed to a properly completed notarial certificate; this certificate’s wording must precisely match the requirements of the governing jurisdiction. The performing notary public is required to hold an active, valid commission at the time of the service. Post-execution, each notarial act demands a detailed journal entry for record-keeping purposes. These official records are subject to a mandatory journal retention period of ten years to ensure long-term auditability and legal validity."

Technical ID

notary-public-standard

Sustainability & ESG

IAEA Nuclear Safety (GS-R-3)

"Compliance with IAEA Safety Standard GS-R-3 mandates establishing, implementing, and continually improving a documented, integrated management system wherein safety holds paramount importance. Top management must demonstrate clear commitment by providing adequate resources, which includes ensuring critical staff competency is verified and that all supplier assessments are mandatory. The application of system requirements must be graded, ensuring enforcement corresponds directly to an activity’s significance and complexity relative to safety. Strict control of documents and records is foundational, demanding active document version control for all materials and a minimum records retention period of ten years. A rigorous cycle of measurement, assessment, and improvement is required, incorporating self-assessment, mandatory independent assessment, and formal management system reviews at least every twelve months. This continuous improvement process also encompasses safety culture assessments on a twelve-month frequency and a robust non-conformance program with a twenty-four-hour reporting service level agreement, where a subsequent root cause analysis for each deviation is required to prevent recurrence."

Technical ID

nuclear-safety-iaea

Banking & Global Finance

Comptroller’s Handbook Asset Management

"The Office of the Comptroller of the Currency (OCC) defines asset management as the business of providing financial products or services to a third party for a fee or commission. This guidance applies to the asset management activities of national banks, federal savings associations (FSA), and limited purpose trust banks. It provides an overview of the asset management business, its risks, and sound risk management processes, describing the OCC’s supervisory philosophy and processes. Asset management activities include traditional fiduciary services, retail brokerage, investment company services, and custody and security-holder services, which expose national banks to a broad range of operational, compliance, strategic, and reputation risks. The core obligation for these institutions is to maintain sound risk management processes. National banks must have the ability to effectively identify, measure, control, and monitor risks in their asset management businesses. Because most of these risks arise from off-balance-sheet activities, they are not easily identified using traditional financial reporting. Significant breaches of fiduciary and contractual responsibilities can result in financial losses, damage a bank’s reputation, and impair its ability to achieve its strategic goals. The board of directors and senior management are ultimately responsible for establishing and maintaining effective control functions commensurate with the institution’s goals, risk tolerance, and complexity of operations."

Technical ID

occ-asset-management-handbook

Banking & Global Finance

Comptroller’s Handbook Examination Process Bank Supervision Process

"This booklet is the central reference for the Office of the Comptroller of the Currency (OCC)’s bank supervision policy, explains the OCC’s risk-based bank supervision approach, and discusses the general supervisory process for all types of OCC-supervised banks. The OCC's mission is to ensure that national banks, federal savings associations (FSA), and federal branches and agencies of foreign banking organizations operate in a safe and sound manner, provide fair access to financial services, treat customers fairly, and comply with applicable laws and regulations. For supervisory purposes, the OCC designates banks as community, midsize, or large based on asset size and factors that affect risk profile and complexity. High-quality bank supervision is ongoing and dynamic, responds to changing risks at each bank, and uses OCC resources efficiently by allocating the greatest resources to the areas of highest risk. The core process involves a required full-scope, on-site examination every 12 or 18 months, known as the supervisory cycle. A bank may be eligible for an 18-month cycle if it has less than $3 billion in total assets, is well capitalized, received strong management and composite ratings at its most recent examination, and is not subject to a formal enforcement proceeding. The supervisory process includes planning, discovery, correction, monitoring, and communication with the bank's management and board, culminating in a Report of Examination (ROE) and the assignment of regulatory ratings."

Technical ID

occ-bank-supervision-process

Banking & Global Finance

OCC 2023-17 (Third-Party)

"OCC Bulletin 2023-17 (Interagency Guidance on Third-Party Relationships: Risk Management) provides a unified U.S. standard for managing the risks of third-party providers. It specifies a life-cycle approach to the oversight of vendors, cloud services, and any other outside partnership."

Technical ID

occ-bulletin-2023-17-risk

AI Governance & Law

The OECD AI Principles

"The OECD AI Principles are the first intergovernmental standard on AI, designed to promote innovative, trustworthy artificial intelligence that respects human rights and democratic values. While AI holds the potential to address complex challenges and boost productivity, AI systems also pose risks to privacy, safety, security, and human autonomy. To develop safe, secure, and trustworthy AI systems, there is a need to assess these impacts and manage risks. The principles, revised in 2024 to stay abreast of rapid technological developments, guide AI actors in their efforts to develop trustworthy AI and provide policymakers with recommendations for effective AI policies. For governments to work together to manage AI on an international level, they need to use common terms and definitions as a foundation for cooperation, allowing for interoperability across jurisdictions even where approaches to managing the technology vary."

Technical ID

oecd-ai-principles

Legal & IP Sovereignty

OECD Corporate Governance

"The G20/OECD Principles of Corporate Governance are the international standard for corporate governance. Revised in 2023, they provide a framework for policy makers and corporations to ensure institutional and legal environments that support investment, sustainability, and corporate accountability in a global market."

Technical ID

oecd-corporate-governance-principles

Legal & IP Sovereignty

OECD Guidelines (Multinationals)

"The OECD Guidelines for Multinational Enterprises on Responsible Business Conduct (RBC) are the most comprehensive international standard on business conduct. Revised in 2023, they provide recommendations from governments to enterprises on issues such as human rights, employment, environment, anti-bribery, and consumer interests, supported by the unique NCP grievance mechanism."

Technical ID

oecd-guidelines-multinational-ent

Sustainability & ESG

OECD Mineral Due Diligence

"Conformance with internationally recognized mineral due diligence frameworks is evaluated through a comprehensive five-step process. The organization demonstrates strong company management by maintaining a public supply chain policy that explicitly references OECD guidance. Governance is reinforced by a designated compliance officer, a functional chain of custody system, and the inclusion of due diligence clauses within supplier contracts. An anonymous grievance mechanism is also implemented for stakeholder reporting. Risk identification and assessment procedures are executed at a minimum frequency of every 12 months; the most recent evaluation identified zero high-risk suppliers, obviating immediate mitigation strategies. However, a robust supplier corrective action program remains in place to address any future findings. The program’s integrity is verified through independent third-party audits, with the last assessment completed within the past 365 days. Furthermore, all identified smelters and refiners in the supply chain are confirmed as conformant with the Responsible Minerals Assurance Process. Public transparency is achieved through the publication of an annual due diligence report detailing these efforts and findings, fulfilling key reporting obligations under global regulations concerning minerals sourced from conflict-affected and high-risk areas."

Technical ID

oecd-mineral-supply

Banking & Global Finance

Global Minimum Tax (Pillar Two)

"OECD Pillar Two (Global Anti-Base Erosion Rules — GloBE) establishes a global minimum corporate tax rate of 15% for multinational enterprises (MNEs) with annual revenue exceeding €750 million. Finalized in December 2021 and enacted in over 40 jurisdictions as of 2024 (EU Minimum Tax Directive effective January 1, 2024; UK, Japan, South Korea, Switzerland among first adopters), Pillar Two introduces two interlocking domestic rules: the Income Inclusion Rule (IIR) — the parent entity pays top-up tax on low-taxed subsidiaries; and the Undertaxed Profits Rule (UTPR) — a backstop where other group members can collect the top-up tax if the parent jurisdiction does not apply IIR. Non-compliance results in top-up taxes, transfer pricing adjustments, and potential double taxation in multiple jurisdictions."

Technical ID

oecd-pillar2-minimum

Cybersecurity

Ordered t-way Combinations for Testing State-based Systems

"This publication introduces a notion of ordered t-way combinations for testing state-based systems where the response depends on both input values and the current system state. In such systems, like network protocols or credit card transaction systems, internal states change as input values are processed, and fault detection often depends on the specific order of inputs that establish states which eventually lead to a failure. Standard combinatorial testing has deficiencies for these systems because it does not account for the order in which inputs occur. This white paper proposes a methodology to ensure that relevant combinations of input values have been tested with adequate diversity of ordering to ensure correct operation. The core concept is the 'ordered combination cover' (OCC), which covers all s-orders of t-way combinations of parameter values. The paper proves that a test set achieves this coverage if and only if it includes an ordered series containing a total of 's' covering arrays, each of strength 't'. This result provides a practical method for generating test suites that can detect faults only discoverable when a system is in a particular state, which can only be reached by a specific order of input combinations. This approach can be applied in runtime verification, assertion monitoring, and other methods that rely on checking program properties and states as code is executed."

Technical ID

ordered-t-way-combination-testing

Cybersecurity

Ordered t-way Combinations for Testing State-based Systems

"Fault detection in state-based systems often depends on the specific order of inputs that establish states which eventually lead to a failure. For systems where the response depends on both input values and the current system state, such as network protocols or credit card systems, it is often difficult to determine if code has been exercised sufficiently. Measures are needed to ensure that relevant combinations of input values have been tested with adequate diversity of ordering to ensure correct operation. Combinatorial testing has deficiencies for verifying state-based systems because internal states change as input values are processed, and the system may subsequently respond differently to the same input. This publication introduces a notion of ordered t-way combinations and an ordered combination cover (OCC) to address this gap. An OCC covers all s-orders of t-way combinations of the input parameters. The core finding is a proof that a test set covers s-orders of t-way combinations if and only if it includes an ordered series containing a total of s covering arrays, each of strength t. This result provides a practical and efficient method to produce tests that cover all orders of t-way combinations up to a necessary order length by concatenating t-way covering arrays, making it possible to detect faults that are only discoverable when a system is in a particular state reached by a specific order of input combinations."

Technical ID

ordered-t-way-combinations-testing

Workplace

HAZARD COMMUNICATION Small Entity Compliance Guide for Employers That Use Hazardous Chemicals

"The Occupational Safety and Health Administration’s (OSHA) Hazard Communication Standard (HCS), 29 CFR 1910.1200, addresses the informational needs of employers and workers with regard to chemicals. In 2012, the HCS was modified to align its provisions with the United Nations’ Globally Harmonized System of Classification and Labelling of Chemicals (GHS). The standard applies to any chemical which is known to be present in the workplace in such a manner that employees may be exposed under normal conditions of use or in a foreseeable emergency, covering all industries where workers are potentially exposed. It incorporates a downstream flow of information, where chemical manufacturers and importers are required to classify the hazards of the chemicals they produce or import, and to prepare appropriate labels and safety data sheets (SDSs). For employers who use chemicals, the core obligation is to prepare and implement a written hazard communication program. This program must describe how the employer will address labels, SDSs, and employee training. Key requirements include creating and maintaining a list of all hazardous chemicals in the workplace, ensuring all containers are properly labeled, maintaining an SDS for each hazardous chemical, and making these SDSs readily accessible to employees. Furthermore, employers must inform and train employees on the hazardous chemicals in their work area before their initial assignment and whenever new hazards are introduced. The training must cover the requirements of the standard, the hazards of chemicals, appropriate protective measures, and how to obtain additional information."

Technical ID

osha-hazard-communication-standard

Workplace

OSHA (Work Safety)

"An evaluation of current occupational safety and health compliance reveals substantial adherence to certain regulatory mandates while also exposing critical deficiencies requiring immediate remediation. The organization maintains a written safety program, has an implemented Hazard Communication plan with accessible Safety Data Sheets, and confirms employee training is documented. An active recordkeeping system is in place, which has captured three recordable incidents within the last 12 months. Additionally, an emergency action plan is established, machine guarding is present, and the requisite whistleblower policy is displayed according to federal standards. However, two significant gaps in compliance exist: a failure to conduct a formal personal protective equipment (PPE) assessment to determine workplace needs, and the absence of periodic General Duty Clause assessments to proactively identify recognized hazards. The last formal workplace inspection was conducted 180 days prior, a time frame which, when combined with the lack of hazard assessments and recorded incidents, presents an elevated risk profile. Prioritizing the implementation of both PPE and general duty assessments is imperative for mitigating liability and ensuring conformity with foundational workplace safety statutes."

Technical ID

osha-work-safety-us

Cybersecurity

OWASP Top 10 for LLMs & Agents

"Operationalizing the security framework delineated by the Open Web Application Security Project's Top 10 for Large Language Model Applications, this compliance control set establishes stringent policies for mitigating critical vulnerabilities. The configuration mandates a proactive defense against Prompt Injection by enabling rules to block_direct_prompt_injection and filter_indirect_prompt_injection_from_web_sources, neutralizing both direct and embedded threats. To counter Insecure Output Handling, the policy to require_strict_output_parsing_for_downstream_plugins becomes mandatory, ensuring model-generated content is rigorously validated before interacting with subordinate systems or APIs. Furthermore, addressing risks of Excessive Agency and Supply Chain Vulnerabilities, the node enforces a directive to mandate_least_privilege_for_agent_roles. This constrains autonomous systems and their integrated tools to only their narrowest required operational scope. Lastly, safeguarding against Sensitive Information Disclosure, the framework institutes a control to prevent_training_data_extraction_attacks, which protects proprietary or confidential data within a model's training set from adversarial exfiltration. These combined measures constitute a robust security posture for artificial intelligence application development and deployment aligned with leading industry guidance."

Technical ID

owasp-agentic-top10

Cloud & SaaS

OWASP ASVS L1 (App Sec)

"The OWASP Application Security Verification Standard (ASVS) Level 1 (Opportunistic) is the baseline requirement for all web applications. It focuses on vulnerabilities that are easy to find and that automated scanning can detect. Level 1 ensures the most common security flaws are remediated, providing a 'Defensible' standard for lower-risk software."

Technical ID

owasp-asvs-l1

Cloud & SaaS

OWASP ASVS L2 (Standard)

"Conformance with the OWASP ASVS L2 (Standard) establishes a requisite security posture for applications verified to handle sensitive data. This framework mandates a comprehensive, defense-in-depth strategy, commencing with proactive threat modeling performed as a foundational security activity. Verification controls stipulate that manual code review coverage must achieve a minimum threshold of 90 percent, augmented by annual penetration testing to validate security efficacy. Remediation protocols are stringent, demanding that all critical and high-severity vulnerabilities be resolved within prescribed service-level agreements. Access control measures are robust, enforcing multi-factor authentication for sensitive functions and adhering strictly to the principle of least privilege throughout the system architecture. To mitigate prevalent attack vectors, the standard requires utilization of a centralized input validation framework and confirms business logic flaws are systematically tested. Data protection is paramount, necessitating strong cryptography for all information both in transit and at rest. Moreover, supply chain integrity is addressed through a mandate for 100 percent dependency vulnerability scan coverage. Continuous oversight is maintained via a requirement that all pertinent security events are logged and actively monitored, ensuring a resilient and defensible application environment."

Technical ID

owasp-asvs-l2

Cloud & SaaS

OWASP ASVS L3 (Advanced)

"OWASP Application Security Verification Standard (ASVS) Level 3 establishes the highest assurance benchmark, designed for applications processing high-value transactions, containing sensitive data, or performing critical functions where failure could precipitate significant operational or financial impact. Adherence to this rigorous standard necessitates a comprehensive, defense-in-depth security posture, verified through multiple independent modalities. Compliance explicitly requires an architectural threat model to preempt design flaws and further mandates both manual penetration testing alongside manual code review for uncovering complex vulnerabilities. The validation process is extensive, obligating business logic abuse testing plus targeted fuzz testing to probe for unexpected weaknesses. A quantitative threshold for automated testing is established, demanding a minimum code coverage by tests of 95 percent. The supply chain integrity is paramount, requiring a secure build pipeline attestation and stipulating that third-party components must not exceed a maximum dependency age of 180 days. Access control standards are stringent, enforcing multi-factor authentication for all users universally and dictating a credential rotation policy of 60 days. Foundational security practices include the mandatory use of a memory-safe language or comparable tooling to eliminate entire classes of vulnerabilities. Ultimately, the framework operates on a zero-tolerance basis for severe risks, setting the max acceptable critical vulns at 0."

Technical ID

owasp-asvs-l3

Cybersecurity

Prompt Injection Prevention (OWASP LLM01)

"Prompt Injection (LLM01) occurs when an attacker manipulates an LLM via crafted inputs to override system instructions. Prevention requires strict input sanitization, separation of data from instructions, and least-privilege tool access."

Technical ID

owasp-llm-1

Cybersecurity

Insecure Output Handling (OWASP LLM02)

"Insecure Output Handling (LLM02) occurs when an application trustingly processes LLM-generated output without validation, potentially leading to XSS, CSRF, or SSRF in downstream systems."

Technical ID

owasp-llm-2

Cloud & SaaS

OWASP SAMM (Governance)

"The OWASP Software Assurance Maturity Model (SAMM) v2.0 is the premier framework for analyzing and improving software security posture. It provides a measurable way for organizations to design, develop, and deploy highly secure software by partitioning the process into the 'Five Business Functions' (Governance, Design, Implementation, Verification, Operations)."

Technical ID

owasp-samm-governance

Legal & IP Sovereignty

Paris Convention (IP)

"The Paris Convention for the Protection of Industrial Property (1883) is the foundational international treaty for IP rights. It introduced the 'Right of Priority' and 'National Treatment', ensuring that inventors can claim the original filing date across member states and that foreign innovators receive the same protection as local nationals."

Technical ID

paris-convention-industrial-property

Legal & IP Sovereignty

PCAOB Auditing Standards

"Adherence to Public Company Accounting Oversight Board (PCAOB) auditing standards is substantiated through a meticulous review of engagement criteria. Foundational requirements are met, as the firm’s registration with the PCAOB is confirmed and auditor independence is maintained, consistent with the principles in AS 1001. The audit process involved a completed risk assessment procedure under AS 2110, which encompassed a specific evaluation of cybersecurity risk disclosures. Sufficient appropriate evidence was properly obtained to form a basis for the auditor's opinion. An integrated audit of internal control over financial reporting has been performed as directed by AS 2201, yielding a critical outcome where zero material weaknesses were identified. In accordance with AS 1215, all engagement documentation is subject to a mandatory retention period of seven years. The engagement also underwent a successful engagement quality review. Reporting and communication obligations were rigorously fulfilled; critical audit matters were communicated to stakeholders as stipulated in AS 3101, and audit committee communication has been verified, fulfilling the mandates of AS 1301. The lead auditor's tenure of ten years is noted for contextual purposes. This comprehensive performance demonstrates full compliance with prevailing PCAOB professional standards."

Technical ID

pcaob-audit-standards

Food & Hospitality

PCI-DSS (Hospitality Payment)

"Adherence to the Payment Card Industry Data Security Standard (PCI-DSS) within hospitality environments necessitates a comprehensive framework of technical and operational controls to protect cardholder data (CHD). Critical security validations mandate that all CHD is encrypted using strong cryptography during transmission across open, public networks and that stored Primary Account Numbers (PANs) are rendered unreadable. A significant compliance failure is triggered if any Sensitive Authentication Data (SAD) is retained post-authorization. Furthermore, the standard requires that displayed PANs are always masked, showing at most the first six and last four digits. Foundational security posture is assessed through proper segmentation of the Cardholder Data Environment (CDE) from other corporate or guest networks, along with confirmation that all vendor-supplied default passwords have been changed. Strict access controls are verified, demanding unique user IDs for every individual with CDE access and the enforcement of Multi-Factor Authentication (MFA) for all remote and non-console administrative connections. System integrity is monitored by ensuring anti-malware software is deployed and active on all commonly affected systems within the CDE. Compliance also depends on successful quarterly external vulnerability scans passed without any failing items, as conducted by an Approved Scanning Vendor (ASV), and the maintenance of a formal security incident response plan which is tested at least annually."

Technical ID

pci-dss-hospitality

Banking & Global Finance

PCI DSS v4.0 — Payment Card Data Security

"PCI DSS v4.0, published March 2022 by the PCI Security Standards Council (PCI SSC), is the mandatory security standard for all entities that store, process, or transmit payment card data (cardholder data / CHD) or sensitive authentication data (SAD). The standard contains 12 requirements organized across 6 core goals. Version 4.0 introduced a Customized Approach allowing organizations to use alternative controls with documented risk analysis, and added 64 new requirements versus v3.2.1. Key additions: MFA for all access to the cardholder data environment (Req. 8.4.2, effective March 2025), 12-character minimum passwords (Req. 8.3.6), and targeted risk analysis for customized controls. PCI v3.2.1 was retired March 31, 2024. Compliance is validated annually via Report on Compliance (ROC) for Level 1 merchants (>6M Visa/Mastercard transactions/year) by a Qualified Security Assessor (QSA), or Self-Assessment Questionnaire (SAQ) for lower levels. Non-compliance penalties include fines of $5,000–$100,000/month from card brands, increased transaction fees, and loss of card acceptance privileges."

Technical ID

pci-dss-v4

Cloud & SaaS

PCI DSS v4 Req 1 (NSC)

"PCI DSS v4 Requirement 1 (Install and Maintain Network Security Controls) mandates the use of 'Network Security Controls' (NSCs), historically firewalls, to protect the Cardholder Data Environment (CDE). It requires strict logical and physical isolation of credit card processing from unauthorized networks through formalized 'Rule' and 'Configuration' management."

Technical ID

pci-dss-v4-requirement-1

Cloud & SaaS

PCI DSS v4 Req 2 (Hardening)

"Requirement 2 mandates the application of secure configuration standards across all system components within the Cardholder Data Environment, explicitly prohibiting reliance on vendor-supplied defaults. Governing guidance stipulates that a formal, documented system hardening standard, based on established frameworks such as NIST or CIS, must exist and be consistently applied to all in-scope systems. Compliance necessitates the proactive removal or modification of all vendor-supplied default credentials, including specific confirmation that wireless environment vendor defaults were changed at installation. Furthermore, the operational state must reflect that all insecure protocols such as Telnet, FTP, HTTP, and early TLS versions are disabled, and any unnecessary services, daemons, or functions not directly required for a component's purpose are deactivated to minimize the attack surface. Authoritative controls enforce a strict policy of one primary function per server to prevent security-level conflicts, a mandate supported by a continuously maintained inventory of all system components. Comprehensive security policies and operational procedures for managing configurations must be documented and known by affected parties, with hardening integrity confirmed through timely automated verification scans. For entities utilizing shared hosting, it is imperative that documented confirmation from the provider defines their specific responsibility for protecting merchant environments."

Technical ID

pci-dss-v4-requirement-2

Cloud & SaaS

PCI DSS v4 Req 3 (Stored Data)

"PCI DSS v4 Requirement 3 (Protect Stored Account Data) focuses on the security of cardholder information residing on persistent storage. It prohibits the storage of 'Sensitive Authentication Data' (SAD) post-authorization and requires the 'Primary Account Number' (PAN) to be rendered unreadable through strong encryption, truncation, or hashing."

Technical ID

pci-dss-v4-requirement-3

Cloud & SaaS

PCI DSS v4 Req 4 (Transmission)

"PCI DSS v4 Requirement 4 (Protect Cardholder Data with Strong Cryptography During Transmission) addresses the security of clear-text card data as it travels across any 'Open, Public' networks (e.g., the Internet, cellular, wireless). It mandates the use of 'Strong Cryptography' (TLS 1.2+, IPsec, SSH) to ensure that card data is not intercepted or tampered with in transit."

Technical ID

pci-dss-v4-requirement-4

Cloud & SaaS

PCI DSS v4 Req 5 (Malware)

"PCI DSS v4 Requirement 5 (Protect All Systems and Networks from Malicious Software) mandates the implementation of active malware protection across all system components. It focuses on continuous monitoring, detection, and remediation of 'Malicious Code' (viruses, worms, Trojans) and 'Phishing' risks, ensuring CDE integrity."

Technical ID

pci-dss-v4-requirement-5

Cloud & SaaS

PCI DSS v4 Req 6 (Software)

"PCI DSS v4 Requirement 6 (Develop and Maintain Secure Systems and Software) specifies the requirements for the secure software development lifecycle (SDLC) and vulnerability management. It mandates the protection of public-facing web applications from specific attacks (e.g., the OWASP Top 10) and the 'Timely Patching' of all critical vulnerabilities within 30 days."

Technical ID

pci-dss-v4-requirement-6

Cloud & SaaS

PCI DSS v4 Req 7 (Access Control)

"Payment Card Industry Data Security Standard v4 Requirement 7 mandates a stringent framework for restricting access to system components and cardholder data based on an explicit business need-to-know. Compliance necessitates that a formal access control policy is defined and actively maintained. Pursuant to governing standards, system access must be structured upon an implemented role-based access control methodology, ensuring that permissions are assigned based on job classification and function. A foundational 'default deny-all' configuration is required, meaning access is prohibited unless specifically permitted. This enforces the least privilege principle, where personnel receive only the minimum permissions necessary to perform their duties. The process for granting access must follow a documented approval workflow, with all subsequent privilege assignments being formally recorded. Furthermore, these access rights are subject to periodic validation, requiring a comprehensive review at a minimum frequency of every 6 months. A defined termination revocation process must ensure immediate removal of access for departing personnel. Authoritative guidance also stipulates that both system account access and user access to security functions must be rigorously restricted. Critically, all user interactions within the Cardholder Data Environment (CDE) are to be logged, creating an auditable trail of data access and system activities to prevent unauthorized exposure."

Technical ID

pci-dss-v4-requirement-7

Cloud & SaaS

PCI DSS v4 Req 8 (Identity)

"PCI DSS v4 Requirement 8 (Identify Users and Authenticate Access to System Components) specifies the authentication standards for payment environments. It mandates a 'Unique ID' per individual and 'Multifactor Authentication' (MFA) for all access to the Cardholder Data Environment (CDE), ensuring absolute accountability and protection against credential-based attacks."

Technical ID

pci-dss-v4-requirement-8

Sustainability & ESG

PEFC Forest Management Standard

"Compliance with the PEFC Forest Management Standard necessitates a holistic and verifiable approach to sustainable forestry operations. A core requirement is the existence of a comprehensive, up-to-date forest management plan that is actively used. Sustainable harvesting practices are mandatory, stipulating the rate of harvest must not exceed the long-term calculated Mean Annual Increment (MAI), thereby ensuring forest regeneration. Environmental stewardship is further demonstrated through a documented plan to maintain, conserve, and enhance biodiversity, alongside operational measures protecting soil and water from erosion or pollution. The standard mandates a verifiable chain of custody system, compliant with PEFC ST 2002, to track certified material from forest to final sale. Social responsibilities are paramount, requiring a documented occupational health and safety program that adheres to local laws plus relevant ILO conventions, with a performance objective of maintaining an annual rate of recordable safety incidents below industry or national benchmarks. Furthermore, a formal policy recognizing and respecting the legal and customary rights of Indigenous Peoples is obligatory, complemented by a documented process for engaging with local communities and other stakeholders. Operational integrity demands chemical pesticide and herbicide use be minimized, justified, and meticulously recorded, while the use of genetically modified trees is explicitly prohibited within the certified area. Each criterion represents a non-negotiable component for achieving PEFC certification."

Technical ID

pefc-forest-mgt

Banking & Global Finance

Implementation monitoring of PFMI: Assessment report for Switzerland

"In April 2012, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) issued the Principles for financial market infrastructures (PFMI). The Principles set expectations for the design and operation of key financial market infrastructures (FMIs) to enhance their safety and efficiency, limit systemic risk, and foster transparency and financial stability. This report presents the CPMI and IOSCO conclusions from a Level 2 assessment of whether the content of the legal, regulatory and oversight frameworks applied to systemically important payment systems, CSDs/SSSs, CCPs and TRs in Switzerland are complete and consistent with the Principles. The Principles apply to all systemically important payment systems (PSs), central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs) and trade repositories (TRs). The authorities responsible for regulation, supervision and oversight of FMIs in Switzerland are the Federal Financial Markets Authority (FINMA) and the Swiss National Bank (SNB). FINMA has responsibility for all CCPs, CSDs/SSSs, TRs and wholesale payment systems (unless operated by or on behalf of the SNB). The SNB has responsibility for all CCPs, CSDs/SSSs and payment systems that it designates systemically important. This assessment reflects the status of Switzerland’s legal, regulatory and oversight framework as of 30 June 2017."

Technical ID

pfmi-assessment-report-switzerland

Workplace

PMBOK 7 (Project Guide)

"Compliance with the PMBOK 7 (Project Guide) node mandates a principles-based approach to project management, focusing on value delivery and adaptable governance. This framework requires the formal establishment of several key artifacts and processes to ensure project success and stakeholder alignment. A defined governance structure must be in place, complemented by an established team charter that clarifies roles and responsibilities. The project's tailoring approach needs to be thoroughly documented, demonstrating conscious adaptation of methodologies to fit the specific context. A complete stakeholder register is mandatory, ensuring all relevant parties are identified and managed. Central to this standard is a maintained risk register, which must undergo formal review at a frequency no less than every three months. To manage project evolution, a defined change control process is also required. Value realization is paramount, necessitating a defined value delivery plan and the continuous tracking of associated value metrics. Furthermore, comprehensive reporting that covers all performance domains is stipulated. To quantify progress against objectives, the framework sets a clear threshold: a minimum of 95 percent of all milestones must be associated with specific, measurable metrics. Adherence to these stipulations demonstrates a robust, adaptable, and value-focused project management capability consistent with modern standards."

Technical ID

pmbok-7-guide-pm

Legal & IP Sovereignty

PMI Code of Ethics

"Compliance with the Project Management Institute Code of Ethics necessitates a rigorous adherence to four foundational values: Responsibility, Respect, Fairness, and Honesty, as mandated by governing professional conduct standards. This framework requires that the designated project manager is certified and upholds a duty of ownership, which is verified through a completed project impact assessment and strict adherence to the established confidentiality protocol; furthermore, all intellectual property rights must be formally acknowledged. The principle of Respect is substantiated once every team member has acknowledged the anti-harassment policy, thereby fostering a safe and professional environment. Fairness is demonstrated through procurement criteria that are objective and the implementation of a clear conflict of interest policy, under which all conflict of interest disclosures are complete. To further ensure equity, an impartial dispute resolution mechanism must be available. The value of Honesty is upheld by ensuring project communications are truthful and that status reporting is transparent, providing an accurate understanding of performance. An accessible ethics escalation protocol must also be in place to address any violations, ensuring project activities are conducted with integrity and professionalism per the highest ethical obligations."

Technical ID

pmi-code-ethics

Logistics & Supply Chain

ISPS Code: Port Facility Security

"Compliance with International Ship and Port Facility Security (ISPS) Code requirements for a port facility mandates a comprehensive security framework. A qualified Port Facility Security Officer (PFSO) must be designated and in place. A current Port Facility Security Assessment (PFSA) is foundational and must have been thoroughly reviewed within the last five years. Based on this assessment, a Port Facility Security Plan (PFSP) approved by the Contracting Government must be fully implemented. The facility must operate in accordance with its current operational security level, designated as 1, 2, or 3. Physical security measures are critical, including an established access control system for persons, vehicles, and vessels, alongside clearly identified and secured restricted areas to prevent unauthorized entry. Procedures to check cargo integrity and prevent tampering before and during handling are non-negotiable. Continuous oversight is achieved through an effective security monitoring system, such as adequate lighting and surveillance equipment. To maintain operational readiness, all personnel with security duties must have current training records, with security drills occurring at a frequency not exceeding three months and comprehensive security exercises conducted within an eighteen-month interval. Finally, a formal process must exist for completing a Declaration of Security with a ship when required to effectively manage ship-port interface security risks."

Technical ID

port-facility-security-isps

Aviation, Defense & Quantum

PQC Migration Workflow

"The PQC Migration Workflow (based on NSA CNSA 2.0 and NIST PQC timelines) provides the strategic five-step transition from 'Classical' cryptography to 'Post-Quantum' (PQC) standards. It focuses on mitigating the 'Store-Now-Decrypt-Later' (SNDL) risk for high-longevity data and ensuring quantum-secure authenticated software updates (ASU)."

Technical ID

pqc-migration-logic

Banking & Global Finance

PRA SS1/21 (Resilience)

"PRA SS1/21 (Operational Resilience: Impact tolerances for important business services) is the UK's cornerstone standard for bank and insurer resilience. It shifts focus from traditional disaster recovery to ensuring that 'Important Business Services' (IBS) remain within set 'Impact Tolerances' during severe but plausible disruptions."

Technical ID

pra-ss1-21-resilience

Workplace

PRINCE2 7 (Framework)

"Compliance with the PRINCE2 7 framework necessitates rigorous adherence to its integrated elements of principles, themes, processes, and the project environment. Governance requires that project board roles are explicitly defined and that the Project Initiation Documentation receives formal approval before proceeding. As detailed in the seventh edition manual, a project's structure must encompass a minimum of two management stages, ensuring controlled progression. A foundational requirement is the mandatory review of the business case at every stage boundary to validate continued viability. Project control mechanisms demand that tolerances are clearly defined for all primary objectives, and official guidance confirms that product descriptions must be available for all major products to ensure clarity of scope. The framework's adaptability is contingent upon a documented tailoring approach, demonstrating deliberate modification for the specific project context. Furthermore, formalized management approaches for both change and sustainability must be established and documented from the outset. Continuous improvement and risk management are evidenced by maintaining an active lessons log throughout the project lifecycle and a risk register containing at least one entry. Finally, to ensure outputs meet stakeholder expectations, a consistently maintained quality register is obligatory, tracking all planned quality management activities."

Technical ID

prince2-7-framework-pm

Banking & Global Finance

Principles for effective risk data aggregation and risk reporting

"One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities. This had severe consequences to the banks themselves and to the stability of the financial system as a whole. In response, the Basel Committee presents a set of principles to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices. Initially addressed to global systemically important banks (G-SIBs), these Principles are expected to support a bank’s efforts to enhance the infrastructure for reporting key information used by the board and senior management, improve the decision-making process, facilitate a comprehensive assessment of risk exposures at the global consolidated level, and reduce the probability and severity of losses. The document covers four closely related topics: Overarching governance and infrastructure, Risk data aggregation capabilities, Risk reporting practices, and Supervisory review. The long-term benefits of improved risk data aggregation capabilities and risk reporting practices are expected to outweigh the investment costs incurred by banks."

Technical ID

principles-effective-risk-data-aggregation

Banking & Global Finance

Principles for financial market infrastructures

"These principles establish international standards for financial market infrastructures (FMIs) that facilitate the clearing, settlement, and recording of monetary and other financial transactions. The standards apply to systemically important payment systems (PSs), central securities depositories (CSDs), securities settlement systems (SSSs), central counterparties (CCPs), and trade repositories (TRs). The presumption is that all CSDs, SSSs, CCPs, and TRs are systemically important. If not properly managed, FMIs can be sources of financial shocks, such as liquidity dislocations and credit losses, or a major channel through which these shocks are transmitted across financial markets. The core obligation for FMIs is to enhance safety and efficiency, limit systemic risk, and foster transparency and financial stability. FMIs must have a well-founded, clear, transparent, and enforceable legal basis; clear governance arrangements; and a sound risk-management framework for comprehensively managing legal, credit, liquidity, operational, and other risks. The principles address specific minimum requirements for managing these risks, such as maintaining sufficient financial resources to cover credit exposures from participant defaults under extreme but plausible market conditions. The report outlines 24 principles covering general organization, credit and liquidity risk management, settlement, default management, business and operational risk, access, efficiency, and transparency, which are designed to be applied holistically as a set."

Technical ID

principles-financial-market-infrastructures

Banking & Global Finance

Principles for Operational Resilience

"This document promotes a principles-based approach to improving operational resilience for banks, building upon the Basel Committee's Principles for the Sound Management of Operational Risk (PSMOR). It defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact. The principles apply to banks and aim to strengthen their ability to absorb operational risk-related events such as pandemics, cyber incidents, technology failures, and natural disasters, which could cause significant operational failures or wide-scale disruptions. The core obligation is for banks to establish an effective operational resilience approach that assumes disruptions will occur and takes into account the bank's overall risk appetite and tolerance for disruption. A bank's tolerance for disruption is defined as the level of disruption from any type of operational risk a bank is willing to accept given a range of severe but plausible scenarios. The principles are organized across seven categories: governance, operational risk management, business continuity planning and testing, mapping interconnections and interdependencies, third-party dependency management, incident management, and resilient information and communication technology (ICT) including cyber security. These practices are intended to be integral parts of a bank's forward-looking operational resilience approach."

Technical ID

principles-for-operational-resilience

Banking & Global Finance

Private Fund Advisers; Documentation of Registered Investment Adviser Compliance Reviews

"The Securities and Exchange Commission is adopting new rules under the Investment Advisers Act of 1940 designed to protect investors who directly or indirectly invest in private funds. The rules aim to increase visibility into practices involving compensation schemes, sales practices, and conflicts of interest through disclosure; establish requirements to address such practices that have the potential to lead to investor harm; and restrict practices that are contrary to the public interest and the protection of investors. These rules apply to private fund advisers, with certain amendments affecting all registered investment advisers, and are intended to prevent fraud, deception, or manipulation. The core obligations include: a Quarterly Statement Rule requiring periodic information about fees, expenses, and performance; a Mandatory Audit Rule requiring an annual audit for each private fund; an Adviser-led Secondaries Rule requiring a fairness or valuation opinion for such transactions; a Restricted Activities Rule that limits certain expense charges and other activities without appropriate disclosure and consent; and a Preferential Treatment Rule that prohibits certain types of preferential terms and requires disclosure of others. The rules also amend the Advisers Act compliance rule to require all registered investment advisers to document their annual compliance reviews in writing."

Technical ID

private-fund-advisers-compliance-reviews

Crypto & Sovereign Finance

Project Aurum A Prototype for Two-tier Central Bank Digital Currency (CBDC)

"Project Aurum, a joint project by the Bank for International Settlements (BIS) Innovation Hub Hong Kong Centre and the Hong Kong Monetary Authority (HKMA), details the creation of a full-stack central bank digital currency (CBDC) system prototype. The system is built on the premise that a digital currency issued by a central bank must be as robust and trustworthy as gold. It features a two-tier technology stack comprising a wholesale interbank system, where wholesale CBDC (wCBDC) is issued to banks, and a retail e-wallet system, where retail CBDC (rCBDC) circulates among users. The project's goal was to bring to life two different types of retail tokens: intermediated CBDC (referred to as CBDC-tokens) and CBDC-backed stablecoins. The system's design is guided by principles of safety, flexibility, and privacy. A key architectural feature is the separation of the wholesale and retail systems, which ensures the central bank does not access retail users' personal data, preserving privacy. The prototype utilizes an unspent transaction output (UTXO) model and a validator mechanism to prevent risks like over-issuance and double-spending. The Aurum system, along with its source code and technical manuals, is made accessible to all BIS central bank members to serve as a public good and further the global study of rCBDC architectures."

Technical ID

project-aurum-cbdc-prototype

Cybersecurity

Protecting Subscriber Identifiers with Subscription Concealed Identifier (SUCI)

"This white paper describes how Subscription Concealed Identifier (SUCI) protection can be enabled in 5G networks as an optional security capability defined by 5G standards. It addresses the problem of the Subscription Permanent Identifier (SUPI) being sent in the clear over the air, which allows eavesdroppers to intercept it, track a subscriber's location, and pose cybersecurity and privacy risks. The SUCI capability addresses this by encrypting the SUPI with the public key of the home operator. The resulting ciphered identity is always unique and cannot be correlated to the subscriber by an attacker. The guidance applies to technology, cybersecurity, and privacy professionals involved in 5G-enabled services, including private 5G network operators, commercial mobile network operators, and end-user organizations. The core obligation for network operators is to enable SUCI on their 5G networks and subscriber SIMs, and crucially, to configure SUCI to use a non-null encryption cipher scheme. If a null scheme is used, the SUPI is not actually encrypted. 5G devices and network functions compliant with 3GPP release 15 or later are required to support the SUCI capability, but enabling it is optional for network operators, who should evaluate the risks of not enabling this critical capability."

Technical ID

protecting-subscriber-identifiers-suci

Sales, Marketing & PR

PRSA (Code of Ethics)

"The PRSA Code of Ethics identifies the foundational standards for Public Relations (PR) professionals. It specifies the '6 Core Values' (Advocacy, Honesty, Expertise, Independence, Loyalty, Fairness) and the '6 Code Provisions' (Free Flow of Information, Disclosure of Information, Confidences, Conflict of Interest, etc.), ensuring that PR activities maintain high trust and organizational integrity."

Technical ID

prsa-code-of-ethics

Banking & Global Finance

Prudential treatment of cryptoasset exposures

"This consultative document from the Basel Committee on Banking Supervision proposes a prudential framework for banks' exposures to cryptoassets, addressing potential financial stability concerns and increased risks. The framework is guided by the principles of 'same risk, same activity, same treatment,' simplicity, and the establishment of minimum standards for internationally active banks. The core of the proposal is a classification system that divides cryptoassets into two groups. Group 1 cryptoassets, which meet a series of strict classification conditions, include tokenised traditional assets (Group 1a) and cryptoassets with effective stabilisation mechanisms (Group 1b). These are subject to capital requirements at least equivalent to those of traditional assets. Group 2 cryptoassets, such as Bitcoin, fail to meet these conditions and are consequently subject to a new, conservative prudential treatment, notably a 1250% risk weight. The document outlines banks' responsibilities for assessing and monitoring compliance with classification conditions, subject to supervisory review and approval. It also details the application of capital requirements for credit and market risk for both groups, as well as the treatment of cryptoasset exposures under the leverage ratio, large exposures, and liquidity ratio frameworks. It establishes that cryptoassets are not eligible as high-quality liquid assets (HQLA). Finally, it sets out expectations for the supervisory review process, where banks must manage risks not captured by minimum requirements, and supervisors may impose adjustments, including additional capital charges."

Technical ID

prudential-treatment-cryptoasset-exposures

Banking & Global Finance

PSD2 SCA (Payments)

"PSD2 Strong Customer Authentication (SCA) (Directive 2015/2366) is the mandatory security standard for electronic payments in Europe. It requires a multifactor authentication process based on 'Knowledge' (something only the user knows), 'Possession' (something only the user has), and 'Inherence' (something the user is), with the specific requirement of 'Dynamic Linking' to prevent tampering during payment initiation."

Technical ID

psd2-sc-authentication

Aviation, Defense & Quantum

Quantum Readiness Checklist

"The Quantum Readiness Checklist is based on OMB M-23-02, CISA's Quantum Strategy, and NIST PQC migration guidance. It provides an actionable framework for organizations to identify cryptographic assets vulnerable to attack by a Cryptographically Relevant Quantum Computer (CRQC) and begin the transition to FIPS 203-205 standards to ensure long-term data confidentiality and integrity."

Technical ID

quantum-readiness-checklist

Cybersecurity

Quantum Readiness Triage

"A quantum readiness assessment is the systematic process of identifying all cryptographic assets in an organization that are vulnerable to attack by a Cryptographically Relevant Quantum Computer (CRQC) and producing a prioritized migration roadmap to post-quantum cryptography (PQC). NIST finalized the first PQC standards (FIPS 203, 204, 205) in August 2024. NSA CNSA 2.0 mandates migration timelines with new systems adopting PQC by 2025 and legacy systems fully migrated by 2030. The 'harvest now, decrypt later' (HNDL) threat means adversaries are already collecting encrypted data today to decrypt once quantum computers mature — organizations with long-lived sensitive data (classified, health, financial, legal) must begin migration immediately regardless of when CRQCs become available."

Technical ID

quantum-risk-audit

Sustainability & ESG

RE100 Renewable Energy Criteria

"Corporate adherence to RE100 renewable energy criteria mandates a verifiable framework for achieving 100% renewable electricity sourcing. Foundational requirements demand a public commitment to reach this target by the year 2050, supported by aggressive interim milestones stipulating a minimum of 60 percent renewable electricity by 2030 and 90 percent by 2040. Per established leadership principles, the operational boundary for these commitments must comprehensively include all group operations worldwide. Credible electricity sourcing, as defined by the technical criteria, is paramount and restricts procurement to generation facilities with a maximum commissioning age of 15 years. Furthermore, accountability mechanisms necessitate that all Scope 2 emissions accounting utilize the market-based method. The validity of Energy Attribute Certificates (EACs) is contingent upon strict adherence to geographic and temporal rules, demanding the EAC market boundary match the consumption location and its vintage align with the consumption period. To ensure integrity and prevent double counting, official reporting guidance mandates the transparent retirement of all EACs on a recognized registry. Compliance culminates in a complete annual disclosure submitted via CDP, substantiating the organization's progress and claims toward its goal."

Technical ID

re100-renewable-req

Sustainability & ESG

REACH Chemical Compliance

"Regulation (EC) No 1907/2006 (REACH) mandates a comprehensive framework for chemical management to protect human health and the environment. Compliance hinges on several core obligations for manufacturers, importers, and downstream users. A primary duty is substance registration with the European Chemicals Agency if an entity manufactures or imports a substance into the EU in quantities over 1 metric tonne annually, requiring a valid registration number for market access. For articles, the presence of a Substance of Very High Concern (SVHC) from the Candidate List triggers stringent rules. If the SVHC concentration is greater than the 0.1% weight by weight threshold, communication duties to recipients are activated and a notification submitted to the ECHA SCIP database becomes obligatory. Furthermore, should the total amount of a specific SVHC in all articles produced or imported exceed 1 metric tonne per year, a separate registration may be necessary. The regulatory scope also includes substances subject to Authorization and Restriction. If an entity uses a substance listed on Annex XIV, it must hold a specific authorization for that particular use. Likewise, if a substance or its specific use is restricted under the conditions of Annex XVII, its application must conform to the specified limitations. Effective supply chain communication, verified through a formal process, is critical, particularly for entities identified as downstream users, and includes the mandatory provision of Safety Data Sheets for hazardous substances. Verifying ongoing adherence through an annual compliance audit remains a crucial element of a robust governance program."

Technical ID

reach-chemical-comp

Cybersecurity

Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography

"This Recommendation specifies key-establishment schemes based on the discrete logarithm problem over finite fields and elliptic curves, including several variations of Diffie-Hellman (DH) and Menezes-Qu-Vanstone (MQV) key establishment schemes. The specifications are appropriate for use by the U.S. Federal Government and are intended to provide sufficient information for a vendor to implement secure key establishment using asymmetric algorithms in FIPS 140-validated modules. The publication was developed by the National Institute of Standards and Technology (NIST) in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014. A key-establishment scheme can be characterized as either a key-agreement scheme or a key-transport scheme. During a pair-wise key-agreement scheme, the secret keying material to be established is not sent directly from one entity to another. Instead, the two parties exchange information from which they each compute a shared secret that is used to derive the secret keying material. This recommendation specifies the processes associated with key establishment, including procedures for generating domain parameters, generating static and ephemeral key pairs, providing assurance of public key validity, deriving secret keying material from a shared secret, and optionally performing key confirmation."

Technical ID

recommendation-for-pair-wise-key-establishment

AI Governance & Law

Reducing Risks Posed by Synthetic Content: An Overview of Technical Approaches to Digital Content Transparency

"This report examines the existing standards, tools, methods, and practices for authenticating content, tracking its provenance, labeling synthetic content through techniques like watermarking, and detecting synthetic content. It also addresses methods for preventing generative AI (GAI) from producing harmful content such as child sexual abuse material or non-consensual intimate imagery of real individuals. The focus is on digital content transparency, which refers to the process of documenting and accessing information about the origins and history of digital content. The goal is to manage and reduce risks related to synthetic content by recording and revealing provenance, providing tools to identify AI-generated content, and mitigating the production of specific illegal and harmful materials. The document provides an overview of technical approaches for provenance data tracking and synthetic content detection, alongside a review of current testing and evaluation techniques. It emphasizes that no single technique offers a comprehensive solution; their value is use-case and context-specific, relying on effective implementation and oversight. While the report focuses on technical approaches, it acknowledges the importance of normative, educational, regulatory, and market-based approaches. The technical methods described serve as building blocks to improve trust in digital content by indicating where AI has been used to generate or modify content."

Technical ID

reducing-risks-posed-by-synthetic-content

Aviation, Defense & Quantum

NISTIR 8105 Report on Post-Quantum Cryptography

"If large-scale quantum computers are ever built, they will be able to break many of the public-key cryptosystems currently in use, seriously compromising the confidentiality and integrity of digital communications on the Internet and elsewhere. The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. Many of our most crucial communication protocols rely on public key encryption, digital signatures, and key exchange, primarily implemented using Diffie-Hellman, RSA, and elliptic curve cryptosystems. A sufficiently powerful quantum computer will put these forms of modern communication in peril. This report shares the National Institute of Standards and Technology (NIST)’s current understanding about the status of quantum computing and post-quantum cryptography, and outlines NIST’s initial plan to move forward. The report also recognizes the challenge of moving to new cryptographic infrastructures and therefore emphasizes the need for agencies to focus on crypto agility. It has taken almost 20 years to deploy our modern public key cryptography infrastructure, and it will take significant effort to ensure a smooth and secure migration to quantum-resistant counterparts. Therefore, regardless of the exact time of the arrival of the quantum computing era, we must begin now to prepare our information security systems."

Technical ID

report-post-quantum-cryptography

Logistics & Supply Chain

Reverse Logistics & Circularity

"Compliance for returned asset disposition is governed by a multi-stage evaluation process to ensure regulatory adherence and maximize value recovery. Initial triage assesses an item’s physical state using a `product_condition_score` from one to ten. Products achieving a score of 9 or 10 are determined `is_eligible_for_resale_as_is`, while an item scoring between 6 and 8 may qualify for refurbishment, provided that `is_repair_cost_effective` evaluates to true because estimated repair costs are less than 40% of its new market value. For assets where `requires_data_sanitization` is flagged, a mandatory `data_sanitization_level_required` from Level 1 (Clear) to Level 3 (Destroy) must be executed to mitigate data privacy risks; such items also mandate a `requires_secure_chain_of_custody` for auditable tracking. Furthermore, any product identified as `contains_regulated_materials` must be handled according to strict protocols aligned with environmental directives like WEEE and RoHS. The node also validates if an `epr_scheme_applicable` governs the item's jurisdiction, enforcing producer obligations. If refurbishment is not viable, a final check determines if `is_component_harvesting_viable` for salvaging valuable parts before responsible recycling or disposal."

Technical ID

reverse-logistics-circular

Legal & IP Sovereignty

RICS Valuation - Global

"Compliance with the RICS Valuation - Global standards mandates a comprehensive set of procedural and documentary requirements for all valuation assignments. This framework verifies that the individual signing any valuation report is a current RICS Registered Valuer and confirms the firm maintains adequate Professional Indemnity Insurance coverage. Crucially, a formal conflict of interest check must be performed and documented for each instruction, aligning with RICS Professional Standard 1. Before issuing a valuation, a written Terms of Engagement compliant with PS1 and PS2 must be agreed upon and signed by the client. The final report itself is subject to rigorous standards; it must explicitly define a basis of value, such as Market Value, that is compliant with IVS and VPS 4, and contain all minimum content stipulated by VPS 3. Furthermore, the report has to declare the extent of any property inspection conducted, detailing resultant limitations. Operationally, firms are required to make a documented Complaints Handling Procedure available to clients. For data governance, the platform confirms that all valuation files, associated working papers, and client data are stored in an encrypted state at rest. Finally, complete valuation files must be archived for a minimum period of 6 years after the valuation date to satisfy regulatory record-keeping obligations."

Technical ID

rics-valuation-global

Cybersecurity

Risk Management for Replication Devices

"This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on replication devices (RDs), which include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines. The guidance is applicable to all RDs, including software applications for using tablets or cell phones as copiers/scanners, but only pertains to the copy/print/scan functions. As RDs are often connected to organizational networks, run commercial operating systems, and store information on nonvolatile media, they may be vulnerable to numerous exploits if risks are not mitigated. The document discusses vulnerabilities and exploits associated with RDs and provides a set of security practices and controls that can be implemented to mitigate risks. It suggests appropriate countermeasures in the context of the System Development Life Cycle (SDLC) — from initiation and acquisition to disposal. The target audience includes individuals responsible for the purchase, installation, configuration, maintenance, disposition, and security of RDs. The core obligation is for organizations to manage the risks associated with RDs by understanding threats, vulnerabilities, potential impact, and implementing appropriate security controls to protect information."

Technical ID

risk-management-for-replication-devices

AI Governance & Law

RLHF Transparency Protocol

"Reinforcement Learning from Human Feedback (RLHF) is the dominant alignment technique used to train large language models (LLMs) to follow instructions, avoid harmful outputs, and produce outputs preferred by human evaluators — combining supervised fine-tuning (SFT) on demonstration data with a reward model trained on human preference comparisons, then optimizing the policy model using Proximal Policy Optimization (PPO) or Direct Preference Optimization (DPO) with a KL-divergence penalty preventing excessive drift from the base model. RLHF audit requirements arise from the opacity of the human feedback process: reward hacking (the policy exploiting reward model weaknesses rather than genuinely improving), annotator bias (systematic preferences of the labeler population distorting the reward signal), and reward model overfitting create alignment failures that are difficult to detect without structured auditing. The EU AI Act Article 10 data governance requirements, NIST AI RMF Govern 1.7 (human oversight of AI), and ISO/IEC 42001 performance monitoring obligations collectively require that RLHF processes be documented, monitored for reward hacking, and periodically audited for labeler quality and preference consistency. AI systems trained with RLHF that lack documented audit trails for the feedback loop cannot be considered to have met their alignment validation obligations."

Technical ID

rlhf-loop-audit

Sustainability & ESG

RoHS Hazardous Substances

"Compliance with the Restriction of Hazardous Substances (RoHS) directive mandates that Electrical and Electronic Equipment (EEE) placed on the market does not contain specific restricted substances above defined maximum concentration values. This assessment applies to any product falling within one of the 11 categories specified in Annex I of Directive 2011/65/EU. The core principle requires that all analysis is conducted at the homogeneous material level, meaning any single, uniform material cannot exceed the established thresholds. Specifically, the maximum concentration for Cadmium (Cd) is strictly limited to 100 parts per million (ppm). For a broader list of substances, including Lead (Pb), Mercury (Hg), Hexavalent Chromium (Cr VI), Polybrominated Biphenyls (PBB), and Polybrominated Diphenyl Ethers (PBDE), the permissible limit is 1000 ppm. An amendment added four phthalates—DEHP, BBP, DBP, and DIBP—whose combined concentration must also not exceed 1000 ppm. Should any substance concentration surpass these limits, a valid, documented, and unexpired exemption from Annex III or Annex IV must be applied to maintain compliance. Furthermore, manufacturers are obligated to create and maintain comprehensive technical documentation in accordance with the EN IEC 63000:2018 standard, demonstrating conformity and providing the necessary evidence for market surveillance authorities."

Technical ID

rohs-hazardous-sub

Logistics & Supply Chain

Rotterdam Rules (UN Convention)

"The Rotterdam Rules (2008) constitute the United Nations Convention on Contracts for the International Carriage of Goods Wholly or Partly by Sea. They modernize the maritime liability regime by covering 'door-to-door' transport involving maritime legs, and accommodating electronic commerce and paperless bills of lading."

Technical ID

rotterdam-rules-maritime

Sustainability & ESG

RSPO Palm Oil Certification

"RSPO Palm Oil Certification compliance mandates verifiable adherence to a multifaceted set of criteria established under governing principles and procedural rules. An entity must demonstrate its commitment through active RSPO membership, requiring that `is_rspo_member`:true, and by maintaining an `active_certification_body_contract`:true for independent verification, validated by a record showing the `last_audit_passed`:true. Supply chain integrity, per certification standards, is paramount, requiring that a `supply_chain_model_declared`:true is supported by a fully implemented traceability system where `percent_certified_material_tracked` equals 100. Environmentally, operations must prove `no_primary_forest_clearing_since_2005`:true and possess a documented plan where `ghg_emissions_monitoring_plan_exists`:true. Social obligations are equally stringent, demanding that `free_prior_informed_consent_records_maintained`:true, `fair_labor_practices_verified`:true, and a `grievance_mechanism_operational`:true for stakeholders. Consistent with audit protocols and reporting frameworks, transparency is confirmed when an `annual_communication_of_progress_submitted`:true, substantiating ongoing conformity with all stipulated requirements for sustainable palm oil production and sourcing."

Technical ID

rspo-palm-oil

Workplace

SA8000 (Social Account)

"SA8000 establishes a comprehensive, auditable framework for ensuring decent workplace conditions and upholding fundamental worker rights. Compliance mandates the implementation of an explicit child labor policy, which enforces a minimum worker age of 15 years, alongside a formal policy against forced labor, ensuring all worker contracts are fully voluntary. The standard sets a stringent limit on working hours, capping the regular workweek at a maximum of 60 hours. Furthermore, all overtime must be voluntary and compensated at a premium rate. A robust occupational health and safety program is non-negotiable, requiring the formation of a health and safety committee, the maintenance of documented risk assessments, and the existence of a viable emergency preparedness plan. To ensure systemic adherence and continuous improvement, the framework necessitates a formal management system policy. This system must be supported by regular social performance audits to verify ongoing compliance and a demonstrable corrective action plan that is actively implemented to address any identified non-conformities. These integrated elements form a verifiable system for managing social performance and promoting ethical treatment of labor."

Technical ID

sa8000-social-account

Food & Hospitality

Safe Stays (Hotel Hygiene)

"Compliance with the Safe Stays (Hotel Hygiene) node mandates a comprehensive framework of verifiable sanitation and operational protocols to mitigate public health risks. The standard requires documented evidence that all staff have completed certified hygiene training (`isStaffHygieneTrainingDocumented`) and makes appropriate Personal Protective Equipment mandatory for all cleaning personnel (`isPpeMandatoryForCleaningStaff`). Public area sanitation is strictly governed, stipulating the maximum number of hours permitted between disinfection of high-touch surfaces (`publicAreaHighTouchDisinfectionFrequencyHours`) and mandating the minimum quantity of touchless hand sanitizer stations within lobby areas (`minHandSanitizerStationsInLobby`). For guest accommodations, a detailed, room-specific disinfection checklist must be utilized between every stay (`isGuestRoomDisinfectionChecklistUsed`), and verification of this process must be communicated via a physical sanitization seal on the door (`isRoomSanitizationSealUsed`). Operational adjustments are also required, including visible physical distancing measures throughout common spaces (`arePhysicalDistancingMeasuresInPlace`) and the provision of a contactless check-in option for guests (`isContactlessCheckInOffered`). Building systems are addressed through a maximum allowable number of days for HVAC filter change frequency (`hvacFilterChangeFrequencyDays`) to ensure air quality. Furthermore, all food and beverage services must operate under an active enhanced food safety protocol (`isEnhancedFoodSafetyProtocolActive`). Finally, any collection of health data must be governed by a clearly disclosed privacy policy to maintain regulatory compliance (`isHealthDataPrivacyPolicyDisclosed`)."

Technical ID

safe-stays-hotel-audit

Banking & Global Finance

Safeguarding Advisory Client Assets

"The Securities and Exchange Commission (SEC) is proposing a new rule, designated as rule 223-1 under the Investment Advisers Act of 1940, to strengthen how investment advisers safeguard client assets. This proposed safeguarding rule redesignates and amends the current custody rule (rule 206(4)-2) to modernize its scope and enhance investor protections in light of changes in technology, advisory services, and custodial practices. The rule applies to investment advisers registered, or required to be registered, with the Commission that have custody of client assets. The core obligations of the proposal expand the rule's applicability from 'funds and securities' to a broader definition of 'assets,' meaning 'funds, securities, or other positions held in a client’s account,' explicitly including crypto assets and other investment types. It also clarifies that 'custody' includes an adviser's discretionary authority to trade client assets. A central requirement is that advisers must maintain client assets with a 'qualified custodian' under a new, mandatory written agreement that specifies certain protections, such as requiring the custodian to obtain an annual internal control report. The proposal also modifies the exception for privately offered securities to include certain physical assets, but imposes stricter conditions for its use, including notifying an independent public accountant of asset transfers within one business day."

Technical ID

safeguarding-advisory-client-assets

Sales, Marketing & PR

Sales CRM Best Practices

"Adherence to established Sales CRM best practices mandates stringent data governance and operational protocols to ensure integrity, security, and regulatory compliance. Pursuant to governing data standards, contact record integrity must be paramount, requiring a minimum contact completeness percentage of 90 and a maximum duplicate contact percentage not to exceed 3 percent. Data formatting is strictly enforced, with mandatory email format validation and a requirement for all phone numbers to conform to the E.164 standard, a directive from our primary sales handbook. In alignment with corporate sales protocol, operational cadence dictates that stale leads undergo reassignment after 60 days of inactivity, while opportunity stages must receive an update within 30 days to maintain pipeline accuracy. Accountability is reinforced through the core principle that all records must have an assigned owner. System-level controls, as defined by internal audit requirements, include enabled automated deduplication and third-party enrichment services. Furthermore, any data import operation requires validation before integration. For security and traceability, as outlined in applicable privacy frameworks, field change auditing must remain enabled, and role-based access control must be strictly enforced across the platform, a final stipulation from the data handling policy."

Technical ID

sales-crm-best-practices

Sales, Marketing & PR

Lead Gen Compliance

"Lead generation outreach activities are governed by a complex framework of federal and international regulations. Compliance necessitates rigorous validation of consent and adherence to do-not-call mandates under the Telephone Consumer Protection Act and the Telemarketing Sales Rule. Specifically, any outreach utilizing an Automatic Telephone Dialing System, particularly where `is_wireless_number` is true, requires an auditable Prior Express Written Consent. This consent's validity hinges upon a verifiable timestamp (`pewc_timestamp_valid_ms`), confirmation that its `pewc_scope_matches_outreach`, and verification that consent `is_not_condition_of_purchase`. Telemarketing operations must also honor prohibitions against contacting numbers where `is_on_national_dnc_registry` or `is_on_internal_dnc_list` is true, with registry scrubs performed at a maximum interval of 31 days as measured by `dnc_check_recency_days`. An exemption may apply if an `established_business_relationship_exists`, defined by a consumer inquiry within the last 3 months or a transaction within the last 18 months. Furthermore, all calls must occur when `is_within_calling_hours`, restricted to between 8:00 AM and 9:00 PM in the recipient’s local time. The principles of clear affirmative consent also align with the lawful basis for data processing required by privacy regulations like GDPR and the California Consumer Privacy Act, while overarching rules for commercial messaging are informed by standards in the CAN-SPAM Act, ensuring a comprehensive approach to lawful prospect engagement."

Technical ID

sales-lead-gen-compliance

Sales, Marketing & PR

Deterministic Lead Scoring Logic

"Deterministic Lead Scoring Logic establishes a compliant framework for evaluating individuals by mandating auditable, rule-based processing in alignment with key data protection regulations. The system's architecture requires explicit consent for any profiling activities, a direct implementation of the lawfulness principle under General Data Protection Regulation Article 6(1)(a), and respects the consumer right to opt-out of automated decision-making technology as defined by California Privacy Rights Act Section 1798.140(z). Furthermore, the node's prohibition on automated sole decision-making provides a critical safeguard against producing legal or similarly significant effects without human intervention, consistent with GDPR Article 22. Score composition is transparently weighted with a 0.4 allocation for demographic data and a 0.6 allocation for behavioral signals, which themselves require prior consent for tracking technologies pursuant to the ePrivacy Directive. An individual must achieve a minimum score of 75 before becoming eligible for sales outreach. Data integrity is maintained through a maximum retention period of 365 days and a score decay of up to 10 points per inactivity month. Crucially, an opt-out flag always overrides any calculated score. The configuration also enforces suppression against Do-Not-Contact lists, satisfying requirements from the CAN-SPAM Act and the Telephone Consumer Protection Act, while enabling algorithmic bias audits and setting a minimum age of 18 years for processing."

Technical ID

sales-lead-scoring

Legal & IP Sovereignty

Sarbanes-Oxley Act (SOX)

"The Sarbanes-Oxley Act of 2002 (SOX) is a U.S. federal law that set new or expanded requirements for all U.S. public company boards, management, and public accounting firms. It was enacted in response to major corporate financial scandals (e.g., Enron, WorldCom) to restore investor confidence through enhanced disclosure and internal control mandates."

Technical ID

sarbanes-oxley-act-sox

Legal & IP Sovereignty

SOX 404 (Controls Audit)

"Sarbanes-Oxley Section 404 compliance centers on a robust framework for Internal Control over Financial Reporting (ICFR). Effective adherence is demonstrated when management's annual ICFR assessment is complete and published in the Form 10-K, corroborated by the external auditor's attestation report. The primary objective is securing an unqualified opinion from auditors on ICFR effectiveness, which necessitates having zero identified material weaknesses. Should any control deficiencies emerge, a formal, tracked remediation plan must be active for all findings. Essential control activities include conducting quarterly user access reviews for financial systems and enforcing Segregation of Duties (SoD) within IT change management. Additionally, all privileged user activities on financial systems require logging and active monitoring to detect anomalous behavior. Technical controls are verified through successful annual testing of data backup and recovery procedures. The compliance posture is further supported by formally documented entity-level controls, such as the control environment, and the execution of a formal fraud risk assessment at a frequency not exceeding 12 months to maintain vigilance against financial misstatement."

Technical ID

sarbannes-oxley-404

Sustainability & ESG

SASB Conceptual Framework

"This Conceptual Framework sets out the basic concepts, principles, definitions, and objectives that guide the Sustainability Accounting Standards Board (SASB) in its approach to setting standards for sustainability accounting. SASB’s mission is to develop and disseminate sustainability accounting standards that help public corporations disclose material, decision-useful information to investors. The standards are designed for voluntary use in disclosures required by existing U.S. regulation in filings with the Securities and Exchange Commission (SEC), such as Forms 10-K and 20-F. For the purposes of SASB standards, sustainability refers to corporate activities that maintain or enhance the ability of the company to create value over the long term. Sustainability accounting refers to the measurement, management, and reporting of such corporate activities. SASB standards identify information that is likely to be material, yield decision-useful information, and are cost-effective for corporate issuers. The SASB approach to standards-setting is Evidence-Based, Market-Informed, and Industry-Specific. By focusing on the subset of sustainability factors that are material to investment decision making, SASB standards yield information that may be useful to a company’s management while also providing a cost-effective solution for disclosure to investors. The standards address sustainability topics organized under five broad dimensions: Environment, Social Capital, Human Capital, Business Model and Innovation, and Leadership and Governance. SASB standards help issuers identify and report on sustainability topics that, substantiated by evidence, constitute known trends, events, and uncertainties that are reasonably likely to have material impacts on companies in an industry."

Technical ID

sasb-conceptual-framework

Sustainability & ESG

SASB Materiality Standard

"The Sustainability Accounting Standards Board (SASB) provides industry-specific disclosure standards covering 77 industries. It focuses on 'Financial Materiality'—identifying the subset of environmental, social, and governance (ESG) factors most likely to impact the financial performance or condition of a typical company in a given industry."

Technical ID

sasb-materiality-standard

Sustainability & ESG

SBTi Carbon Target Validation

"Validating corporate greenhouse gas emissions reduction targets against the Science Based Targets initiative's rigorous framework necessitates a comprehensive assessment of inventory completeness, target ambition, and transparency. A foundational requirement is that `is_scope1_inventory_complete` and `is_scope2_inventory_complete` are both affirmative, establishing a robust emissions baseline. Furthermore, corporate climate accountability principles stipulate that if the `scope3_emissions_percentage` constitutes 40 percent or more of total emissions, then `is_scope3_target_required` becomes mandatory, compelling a thorough inventory and a separate reduction commitment for that category. The validation process also confirms that `is_base_year_defined` with precision, and the `near_term_target_year_horizon` is set for a period of 5 to 10 years from the point of submission. Central to this compliance check, as outlined in the Corporate Net-Zero Standard, is whether `is_target_aligned_1_5c`, ensuring the reduction pathway supports limiting global warming to 1.5°C above pre-industrial levels. For long-range planning, `has_long_term_net_zero_target` must be confirmed, with a specified `net_zero_target_year` of 2050 at the latest. Procedural integrity is maintained through verification that the entity `has_base_year_recalculation_policy` to address significant changes, and that `is_emissions_data_publicly_disclosed`, fulfilling key stakeholder transparency demands established by global best practices."

Technical ID

sbti-carbon-target

Industrial IoT & Energy

SCADA Threat Detection Algorithm

"Specialized anomaly detection for Industrial Control System (ICS) protocols (DNP3, Modbus, IEC 61850), essential for securing critical infrastructure."

Technical ID

scada-threat-detect

Logistics & Supply Chain

SCOR DS: Fulfillment

"SCOR DS (Supply Chain Operations Reference — Digital Standard) Fulfill covers all processes involved in executing customer orders from receipt through delivery and returns. Maintained by ASCM (Association for Supply Chain Management), SCOR DS defines a hierarchical process framework with standardized metrics at each level — enabling supply chain professionals and AI agents to benchmark performance, identify bottlenecks, and redesign fulfillment processes against best-in-class KPIs. The Fulfill process includes order management, warehouse operations, transportation, and last-mile delivery. Organizations with immature Fulfill processes exhibit frequent perfect order failures, elevated OTIF (On Time In Full) misses, and customer satisfaction scores below industry benchmarks."

Technical ID

scor-fulfill

Logistics & Supply Chain

SCOR DS: Orchestration

"SCOR DS Orchestrate is the meta-level planning process in the Supply Chain Operations Reference Digital Standard that coordinates strategy, governance, data flows, and performance management across all other SCOR processes (Plan, Source, Make, Deliver, Return, Enable). Unlike Plan, which is tactical, Orchestrate defines the rules, policies, and digital architecture that govern how a supply chain operates. ASCM introduced Orchestrate in SCOR DS to reflect the reality of digitally integrated supply chains where AI, IoT, and real-time data streams require explicit governance of how information is collected, interpreted, shared, and acted upon across supply chain partners."

Technical ID

scor-orchestrate

Sustainability & ESG

SEC Climate Disclosure Rule

"The SEC Climate Disclosure Rule (Final Rule 33-11275) mandates that U.S. public companies and foreign private issuers disclose climate-related risks, their financial impacts, and greenhouse gas (GHG) emissions (Scope 1 and 2 for large accelerated filers). It aims to provide investors with consistent, comparable, and reliable climate-related information."

Technical ID

sec-climate-disclosure

Operations & CX

Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

"The Securities and Exchange Commission is adopting new rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies subject to the reporting requirements of the Securities Exchange Act of 1934. These amendments require current disclosure about material cybersecurity incidents via Form 8-K within four business days of determining an incident was material. The rules also mandate periodic disclosures in annual reports (Form 10-K) detailing a registrant’s processes to assess, identify, and manage material cybersecurity risks. This includes describing the board of directors’ oversight of cybersecurity risks and management’s role in assessing and managing such risks. The final rules aim to address varied and inconsistent disclosure practices observed after prior Commission guidance. As the economic dependence on electronic systems grows, along with a substantial rise in the prevalence and costs of cybersecurity incidents, investors need more timely and reliable information. The rules are designed to ensure that investors receive consistent, comparable, and decision-useful information to assess the potential effects of a material cybersecurity incident on a registrant, including financial, operational, and reputational impacts. Disclosures are required to be presented in Inline eXtensible Business Reporting Language (Inline XBRL) to improve accessibility and analysis."

Technical ID

sec-cybersecurity-risk-incident-disclosure

Banking & Global Finance

SEC Regulation S-K Item 106 (Cybersecurity)

"Regulation S-K Item 106 mandates a comprehensive framework for cybersecurity disclosure, encompassing both incident reporting and governance oversight. Registrants must report material cybersecurity incidents on Form 8-K Item 1.05 within a maximum of four business days from determining an incident's materiality. This determination process itself must be defined, and it requires that related incidents are aggregated for materiality assessment. While a disclosure delay for national security is allowed under specific circumstances, the core obligation emphasizes timely public awareness. Annually, companies are compelled to provide extensive disclosures via Form 10-K Item 1C regarding their cybersecurity risk management and strategy. This annual filing must detail the processes for identifying and managing material risks from cybersecurity threats and describe how such threats are likely to affect the business, operations, and financial condition. Furthermore, the regulation requires transparent reporting on governance structures. Companies must describe the board's oversight process for cyber risks and also detail management's role in this area. A key component of this governance disclosure is identifying and describing management’s relevant cybersecurity expertise, ensuring investors have a clear view of the leadership's capability to handle these pervasive threats."

Technical ID

sec-reg-s-k-106

Banking & Global Finance

Regulation Best Interest: The Broker-Dealer Standard of Conduct

"The Securities and Exchange Commission (SEC) is adopting Regulation Best Interest, a new rule under the Securities Exchange Act of 1934 that establishes a standard of conduct for broker-dealers and their associated persons when they make a recommendation to a retail customer of any securities transaction or investment strategy involving securities. This regulation enhances the broker-dealer standard of conduct beyond existing suitability obligations and aligns the standard with retail customers’ reasonable expectations. The core obligation requires broker-dealers to act in the best interest of the retail customer at the time the recommendation is made, without placing the financial or other interest of the broker-dealer ahead of the interests of the retail customer. The General Obligation is satisfied only if the broker-dealer complies with four specified component obligations: (1) a Disclosure Obligation, requiring written disclosure of material facts about the relationship and recommendation; (2) a Care Obligation, requiring the exercise of reasonable diligence, care, and skill; (3) a Conflict of Interest Obligation, requiring the establishment of policies and procedures to address, and in some cases mitigate or eliminate, conflicts of interest; and (4) a Compliance Obligation, requiring policies and procedures to achieve compliance with the regulation as a whole. The standard of conduct established by Regulation Best Interest cannot be satisfied through disclosure alone and draws from key principles underlying fiduciary obligations."

Technical ID

sec-regulation-best-interest

Legal & IP Sovereignty

Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

"The Securities and Exchange Commission is adopting rule amendments to Regulation S-P that are designed to modernize and enhance the protections that Regulation S-P provides by addressing the expanded use of technology and corresponding risks that have emerged since its original adoption. The amendments apply to brokers and dealers, investment companies, registered investment advisers, funding portals, and transfer agents registered with the Commission. These institutions are required to adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information. The core of the amendments requires these covered institutions' incident response programs to be reasonably designed to detect, respond to, and recover from such incidents. This includes procedures for providing timely notification to individuals affected by an incident involving sensitive customer information. Notice must be provided as soon as practicable, but not later than 30 days after becoming aware that an incident occurred or is reasonably likely to have occurred. Notification is not required if the institution determines, after a reasonable investigation, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The amendments also extend the scope of the safeguards and disposal rules to cover all transfer agents and broaden the scope of information protected."

Technical ID

sec-regulation-s-p-safeguarding

Cybersecurity

Secure Hash Standard (SHS)

"This Standard specifies secure hash algorithms - SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256 - for computing a condensed representation of electronic data (message) called a message digest. The digests are used to detect whether messages have been changed since the digests were generated. The hash algorithms specified are called secure because, for a given algorithm, it is computationally infeasible to find a message that corresponds to a given message digest, or to find two different messages that produce the same message digest. Any change to a message will, with a very high probability, result in a different message digest. This Standard is applicable to all Federal departments and agencies for the protection of sensitive unclassified information. Either this Standard or Federal Information Processing Standard (FIPS) 202 must be implemented wherever a secure hash algorithm is required for Federal applications, including as a component within other cryptographic algorithms and protocols. The secure hash algorithms may be implemented in software, firmware, hardware or any combination thereof, but only algorithm implementations that are validated by NIST will be considered as complying with this standard."

Technical ID

secure-hash-standard-fips-180-4

Cybersecurity

Securing Property Management Systems

"In recent years criminals and other attackers have compromised the networks of several major hotel chains, exposing the information of hundreds of millions of guests. Hospitality organizations can reduce the likelihood of a hotel data breach by strengthening the cybersecurity of their property management system (PMS). This cybersecurity practice guide shows an approach to securing a PMS and the system of guest services it supports. It offers how-to guidance for building a reference design using commercially available products within a zero trust architecture to mitigate cybersecurity risk. The PMS is an attractive target for attackers because it serves as the information technology (IT) operations and data management hub of a hotel, interfacing with services like point-of-sale (POS) systems, physical access control, and Wi-Fi networks. An unsecured or poorly secured PMS could expose a hotel to a significant and costly data breach, which may result in financial penalties for violating state, federal, and international privacy and other regulatory regimes. This guide provides a reference design that uses technologies and security capabilities to protect data and limit user access. The principal recommendations include implementing cybersecurity concepts such as zero trust architecture, moving target defense, tokenization of credit card data, and role-based authentication. The solution supports security standards from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Hospitality Technology Next Generation, and the Payment Card Industry (PCI) Security Standards Council. The core objective is to prevent unauthorized access via role-based authentication, protect from unauthorized lateral movement, prevent theft of credit card data via tokenization, increase situational awareness through logging, and prevent unauthorized use of personal information."

Technical ID

securing-property-management-systems

Cybersecurity

Security Considerations in the System Development Life Cycle

"The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-64, Security Considerations in the System Development Life Cycle, was developed to assist federal government agencies in integrating essential information technology (IT) security steps into their established IT system development life cycle (SDLC). This guideline applies to all federal IT systems other than national security systems and is intended for an audience of information system and information security professionals, including system owners, developers, and program managers. To be most effective, information security must be integrated into the SDLC from system inception. Early integration of security enables agencies to maximize return on investment in their security programs through the early identification and mitigation of security vulnerabilities, resulting in a lower cost of security control implementation. The core obligation is to incorporate security considerations into each phase of the SDLC—initiation, development/acquisition, implementation/assessment, operations/maintenance, and disposal—to facilitate informed executive decision-making through comprehensive risk management in a timely manner."

Technical ID

security-considerations-system-development-lifecycle

Cybersecurity

Guide for Security-Focused Configuration Management of Information Systems

"This guide provides guidelines for organizations responsible for managing and administering the security of federal information systems. It assumes that information security is an integral part of an organization’s overall configuration management, with a focus on implementing the security aspects of configuration management, termed security-focused configuration management (SecCM). SecCM is defined as the management and control of configurations for information systems to enable security, facilitate the management of information security risk, and minimize organizational risk while supporting desired business functionality and services. Implementing system changes almost always results in adjustments to the system configuration; therefore, a well-defined configuration management process that integrates information security is needed to ensure these adjustments do not adversely affect the security of the system. The process of applying SecCM practices involves managing and monitoring system configurations to achieve adequate security. This publication is applicable to all federal information systems, excluding national security systems, and is intended for a diverse audience, including individuals with system security management, development, implementation, and assessment responsibilities. The core obligation is to establish and maintain the integrity of systems through control of the processes for initializing, changing, and monitoring their configurations."

Technical ID

security-focused-configuration-management

AI Governance & Law

Security Segmentation in a Small Manufacturing Environment

"Manufacturers are increasingly targeted in cyber-attacks. Small manufacturers are particularly vulnerable due to limitations in staff and resources to operate facilities and manage cybersecurity. This paper introduces security segmentation as a cost-effective and efficient approach to mitigate cyber vulnerabilities for small manufacturing environments. Security segmentation is the grouping of assets into security zones according to the cyber protection they need and placing appropriate safeguards around these security zones. It is an approach for protecting assets by grouping them based on both their communication and security requirements. The intended audience is managers of information technology and operational technology (IT/OT) systems at small manufacturing organizations, including roles like company owner, operations manager, and technical resources such as network and security architects. The core obligation is to follow a six-step approach: 1) identify a list of assets, 2) assess risk and create security zones, 3) determine the risk level for the security zones, 4) map communications between the security zones, 5) determine security controls for the security zones, and 6) create a logical security architecture diagram. The security architecture resulting from these activities serves as a foundational preparation step for additional security strategies like Zero Trust."

Technical ID

security-segmentation-small-manufacturing

AI Governance & Law

Singapore IMDA Agentic AI Framework

"Execution rules for the world's first framework specifically targeting Agentic AI, focusing on bounding autonomous actions, financial limits, and verifiable intent."

Technical ID

sg-imda-agentic-ai

Cloud & SaaS

Shared Responsibility Model

"A clearly articulated Shared Responsibility Model delineates the distinct security and compliance obligations between the service provider and the customer, a principle established by foundational cloud computing standards. This framework confirms the provider manages security *of* the cloud, encompassing the integrity of physical infrastructure and security of the hypervisor. Conversely, the customer retains full accountability for security *in* the cloud. Customer-managed obligations explicitly include identity and access management, implementation of robust data encryption, and application-level security fortifications. Per the defined model, responsibility for data residency and configuration hardening is assigned to the customer, as indicated by their respective control values of 1. The operational maturity of this model is substantiated by a documented compliance matrix mapping controls to each party. Further evidence of a robust framework includes the clear delineation of log management duties and predefined roles for incident response, ensuring coordinated action and maintaining auditable trails consistent with regulatory expectations outlined in authoritative industry guidance. This documented SRM, with a defined service model, creates an unambiguous and defensible compliance posture."

Technical ID

shared-responsibility-model

Workplace

SHRM (HR Competency)

"Organizational conformity with established SHRM competency standards is evaluated through a multi-faceted set of controls governing professional conduct, strategic integration, and data governance. Successful validation requires a formally documented competency model and stipulates that no less than 30 percent of human resources staff hold relevant professional certifications. The framework further compels the completion of annual ethics training and attested acknowledgment of a specific HR personnel conduct code. Strategic alignment is confirmed by verifying HR leadership's inclusion in strategic planning processes, the direct linkage of HR metrics to business KPIs, and a required evaluation of program return on investment. On the operational front, compliance mandates the execution of quarterly HRIS access reviews and the maintenance of a published employee data privacy policy. As outlined in modern data protection guidance, the entity must also possess a formal data retention policy for personnel records and ensure its incident response plan explicitly provides for breaches involving personally identifiable information, thereby satisfying key risk management criteria."

Technical ID

shrm-hr-competency

Logistics & Supply Chain

Smart Container IoT Tracking

"Smart Container IoT Tracking systems must adhere to stringent security and data privacy standards for ensuring regulatory compliance across global supply chains. As mandated by leading frameworks like NIST and ISO/IEC, all communications require robust encryption; data in transit necessitates TLS 1.3, while information at rest must utilize AES-256 encryption. Mutual TLS authentication is mandatory for establishing trusted device-to-server connections. Device integrity is paramount, with secure boot enabled and all firmware updates being cryptographically signed to prevent unauthorized modifications. Fortification of administrative access over platform controls requires mandatory multi-factor authentication. Network security follows a principle of least privilege, wherein inbound ports operate under a default-deny policy. In alignment with C-TPAT security criteria, physical integrity gets monitored via tamper detection mechanisms calibrated to a sensitivity level of 4. Data governance must align with privacy regulations like GDPR, applying the data minimization principle. Geolocation information retention is strictly limited to a 180-day period, after which it requires purging. Security event logs, however, demand maintenance for one full 365-day term for audit and forensic purposes. To sustain a secure posture, systems will undergo comprehensive vulnerability scanning at a frequency not exceeding 30 days, consistent with FIPS cryptographic standards."

Technical ID

smart-container-iot

Legal & IP Sovereignty

Smart Contract Audit (SWC)

"The Smart Contract Weakness Classification (SWC) Registry is the authoritative taxonomy of smart contract security vulnerabilities, maintained by the Ethereum security community and analogous to the CVE/CWE system for traditional software. It defines 37 weakness classes (SWC-100 through SWC-136) covering Solidity and EVM-specific vulnerabilities. Any smart contract deployed to a public blockchain handling real value must undergo a formal security audit mapping findings to SWC entries before deployment. The consequences of unaudited smart contracts include irreversible fund loss — the DAO hack ($60M, 2016), Parity multisig freeze ($150M, 2017), and Poly Network bridge exploit ($611M, 2021) all resulted from vulnerabilities catalogued in the SWC registry."

Technical ID

smart-contract-audit-swc

Creative, Content & Media IP

SMPTE ST 2110

"Compliance with the SMPTE ST 2110 suite of standards for professional media over managed IP networks mandates a stringent set of technical and operational configurations. Foundational specifications dictate that all network devices and endpoints must adhere to precise timing protocols, necessitating mandatory PTPv2 synchronization with a PTP domain number not exceeding 127 and a maximum allowed PTP jitter of 1000 nanoseconds. To ensure proper traffic management and discovery, the framework requires IGMPv3 support for multicast stream subscriptions alongside enforced NMOS discovery and registration for all endpoints. Performance criteria are rigorously defined; total end-to-end latency across the signal chain is capped at 10 milliseconds. Core architectural principles demand that video, audio, and ancillary data travel as separate essence flows, and the system must maintain a minimum video compliance level of 1. For system resilience and reliability, the enforcement of network redundancy through SMPTE ST 2022-7 for seamless protection switching is obligatory. Furthermore, robust network configuration is paramount, requiring QoS via DSCP marking on all packets, enabled LLDP for device discovery, and the strict enforcement of control plane segmentation to isolate management traffic from media essence flows, thereby securing the operational integrity of the broadcast environment."

Technical ID

smpte-st-2110-media

Legal & IP Sovereignty

SOA Code of Conduct

"Compliance with the Society of Actuaries (SOA) Code of Conduct necessitates a multifaceted verification process. An actuary must be qualified for an assignment and demonstrate complete adherence to all applicable Actuarial Standards of Practice (ASOPs). Full transparency is mandatory; any potential conflicts of interest must have been disclosed, and all communications are required to include appropriate disclosures. Strict confidentiality for all client information must be maintained. Furthermore, adequate work product control mechanisms need to be in place, supported by a mandatory peer review process. Every assumption utilized within actuarial services must be justified and properly disclosed, while all data sources require comprehensive documentation. Professionalism extends to external representations, mandating that all advertising is factual and not misleading. To maintain competency, practitioners must satisfy an annual continuing professional development requirement of at least 30 hours. Finally, the system confirms that no material violations have been reported against the professional, ensuring a high standard of ethical conduct. This framework ensures that actuarial services are rendered with integrity, competence, and professionalism."

Technical ID

soa-code-conduct

Workplace

SOC 1 Type II (Finance)

"A Service Organization Control (SOC) 1 Type II attestation provides assurance regarding the operational effectiveness of controls relevant to user entities' internal control over financial reporting (ICFR) over a specified examination period. Governing attestation standards mandate the establishment of a robust control environment, underpinned by systematic risk management and monitoring activities. This framework requires that a comprehensive financial risk assessment be conducted at least every 12 months. Key operational controls stipulate that user access reviews are completed quarterly and that terminated user accounts are deactivated within a 24-hour timeframe. Furthermore, all system changes must undergo a formal change management approval process, while data processing integrity checks are executed daily to ensure accuracy and completeness. Continuous oversight is evidenced through quarterly control monitoring and a formal management review of those controls. The organization's resilience posture necessitates an incident response plan be tested annually. Vendor risk management programs must specifically assess third-party ICFR risks. To foster an ethical culture, a minimum 95 percent completion rate for ethics training is enforced across the organization. All audit evidence and related documentation supporting these control activities must be preserved for a 7-year evidence retention period."

Technical ID

soc-1-type-2-finance

Cloud & SaaS

SOC 2 (Availability)

"Compliance with governing availability principles is demonstrated through a comprehensive framework of controls and procedural enforcement. The entity maintains robust system performance monitoring capabilities, configured to generate alerts when CPU usage exceeds an 85 percent threshold or when memory utilization surpasses a 90 percent benchmark. These measures are integral for proactive incident response and maintaining operational integrity. A formalized capacity management plan underpins the organization's ability to meet its defined availability Service Level Agreement, which stipulates a stringent 99.9 percent uptime target. Business continuity is further assured by a complete disaster recovery plan containing documented Recovery Time Objectives and Recovery Point Objectives. The efficacy of this plan is validated through drill tests conducted annually. Supporting these recovery strategies, an automated data backup process executes every 24 hours, safeguarding critical information against loss. To confirm functional restorability and data integrity, backup recovery procedures are also tested on an annual basis. These combined controls, derived from established trust services criteria, provide verifiable assurance that the system is protected against events that could impair its availability and is able to meet the entity's objectives."

Technical ID

soc2-availability-criteria

Cloud & SaaS

SOC 2 (Confidentiality)

"System and Organization Controls (SOC) 2 criteria for Confidentiality mandate the protection of information designated as confidential to meet organizational objectives. Compliance necessitates a comprehensive control framework addressing the complete data lifecycle, from creation to final disposition. A foundational element is having a formal data classification policy under which all confidential data is identified and tagged. Access to this information must be strictly governed by the principle of least privilege, enforced via a robust role-based access control (RBAC) implementation for confidential data, with its continued appropriateness validated by ensuring quarterly access reviews are completed. Human and third-party commitments are solidified by requiring non-disclosure agreements for sensitive access and confirming that vendor confidentiality agreements are in place. Technical safeguards are non-negotiable, requiring data to be encrypted in transit using TLS 1.2+ and also encrypted at rest with AES-256 standards. Furthermore, exfiltration risks are mitigated when Data Loss Prevention (DLP) is enabled for egress points. Continuous oversight is maintained through enabled access monitoring and alerting systems to detect potential policy violations. The framework concludes with a secure data disposal policy, ensuring information is rendered unrecoverable, thereby demonstrating a commitment to safeguarding sensitive assets against unauthorized disclosure."

Technical ID

soc2-confidentiality-crit

Cloud & SaaS

SOC 2 (Privacy Criteria)

"The SOC 2 Trust Services Criteria (TSC) for Privacy is the specialized audit framework for assessing how personal information is collected, used, retained, disclosed, and disposed of to meet the system's objectives. Based on the Generally Accepted Privacy Principles (GAPP), it provides a high-assurance baseline for the protection of Personally Identifiable Information (PII) in cloud and SaaS platforms."

Technical ID

soc2-privacy-criteria

Cloud & SaaS

SOC 2 (Processing Integrity)

"Compliance with SOC 2 Processing Integrity criteria necessitates system processing that is complete, valid, accurate, timely, and authorized. This configuration enforces these principles through a comprehensive suite of controls derived from established trust services standards. To affirm data correctness, stringent input validation rules are required alongside mandatory input-output reconciliation procedures. Authorization is systematically enforced for all transactions. Timeliness is governed by a strict maximum batch processing delay of 60 minutes. System accuracy is actively managed through an automated error detection capability and a formal calculation verification process, holding operations to a maximum data processing error rate of 0.05 percent. Pursuant to internal policy, any detected processing errors must be corrected within a 24-hour service level agreement. To prevent unauthorized alteration and support forensic analysis, the system requires complete data lineage tracking and maintains immutable transaction logs. Operational risk is mitigated as the platform enforces segregation of duties for processing tasks. Furthermore, a critical pre-deployment review of all processing logic is required to validate its integrity and intended function before it enters the production environment."

Technical ID

soc2-processing-integrity

Operations & CX

SOC 2 Trust Services Criteria for AI Environments

"SOC 2 (System and Organization Controls) Trust Services Criteria (TSC) for AI environments require rigorous mapping of security, availability, processing integrity, confidentiality, and privacy to the entire Machine Learning lifecycle."

Technical ID

soc2-security-criterion

AI Governance & Law

100-Node Sovereignty Audit

"The Bidda Sovereign Audit Protocol defines the ongoing integrity verification process for the 100-node intelligence registry. It specifies the procedures for batch hash verification, canonical source URL validation, registry-to-file synchronization checks, SDK compatibility testing, and the issuance of the Sovereign Seal — the attestation that all 100 nodes have been verified against their authoritative source standards, their integrity hashes are current, and the discovery layer (index.json, llms-full.txt, openapi.json) accurately reflects the registry state. This protocol must be executed before any new registry version is deployed to production and after any batch node update. AI agents querying the registry can use this node to understand the audit cycle and assess the freshness and integrity of the registry they are consuming."

Technical ID

sovereign-final-audit

Banking & Global Finance

SOX IT Controls — Sarbanes-Oxley IT Compliance

"The Sarbanes-Oxley Act of 2002 (SOX) — enacted in response to Enron, WorldCom, and other financial scandals — imposes mandatory internal controls over financial reporting (ICFR) requirements on all US public companies (SEC registrants) and foreign private issuers listed on US exchanges. Section 302 requires the CEO and CFO to personally certify in each quarterly and annual filing that they have reviewed the report, it contains no material misstatements, and they have disclosed all significant deficiencies and material weaknesses in internal controls. Section 404(a) requires management's annual assessment of ICFR effectiveness as of fiscal year-end, with disclosure of any material weaknesses. Section 404(b) requires external auditor attestation for accelerated filers (>$75M public float). IT General Controls (ITGCs) are the foundational IT controls that support the reliability of financially significant systems and are subject to SOX testing. The four ITGC domains: (1) Logical Access Controls — who can access financially significant systems; (2) Change Management — how changes to financial systems are authorized and tested; (3) Computer Operations — batch job monitoring, backup, incident management; (4) System Development — SDLC controls for new implementations. The COSO Internal Control — Integrated Framework (2013) and COSO ERM framework are the primary control assessment frameworks referenced by external auditors. Material weaknesses are the highest severity — the auditor must issue an adverse opinion on ICFR effectiveness, severely damaging share price and regulatory standing."

Technical ID

sox-it-controls

Food & Hospitality

SQF Edition 9 (Safe Quality Food)

"Compliance with Safe Quality Food (SQF) Edition 9 necessitates a robust, fully documented food safety management system, underpinned by senior management commitment as evidenced by a signed policy statement. The foundational Food Safety Plan requires a comprehensive review at a maximum interval of 12 months to ensure its continued relevance. Critical Control Points demand complete oversight, with a mandatory 100 percent monitoring coverage to control identified hazards. Similarly, supply chain integrity is paramount, demanding that an equivalent 100 percent of raw materials originate from entities on the approved supplier list. Systemic continuous improvement is measured through a Corrective and Preventive Action program, which must achieve a minimum 95 percent on-time closure rate. Verification activities are stringent, involving internal audits conducted at least every 12 months and mock recall exercises completed within a four-hour timeframe. Personnel competency is enforced via a comprehensive training program, requiring a 98 percent completion rate for all mandated modules. Furthermore, proactive risk mitigation is essential, requiring both an implemented Food Defense Plan and a conducted Food Fraud Vulnerability Assessment. An active environmental monitoring program must be maintained, and data integrity is secured through controlled access for all electronic records."

Technical ID

sqf-edition-9-safety

Banking & Global Finance

Guidance on Model Risk Management

"This supervisory guidance, issued by the Federal Reserve and the Office of the Comptroller of the Currency (OCC), is intended for use by all banking organizations supervised by the Federal Reserve. It should be applied as appropriate, taking into account each organization’s size, nature, complexity, and the extent of its use of models. The guidance mandates that banking organizations should be attentive to the possible adverse consequences of decisions based on models that are incorrect or misused, a concept termed model risk. Model risk is the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports, which can lead to financial loss, poor business decision-making, or reputational damage. The core obligation is for banking organizations to address these consequences through active model risk management. An effective model risk management framework includes robust model development, implementation, and use; effective validation; and sound governance, policies, and controls. A guiding principle is the 'effective challenge' of models through critical analysis by objective, informed parties. Where models and model output have a material impact on business decisions, including risk management and capital planning, a bank’s model risk management framework should be more extensive and rigorous. The framework should address both types of model risk (fundamental errors and incorrect use) for individual models and in the aggregate."

Technical ID

sr-11-7-model-risk-management

Legal & IP Sovereignty

SRA Code of Conduct (UK)

"Compliance with the Solicitors Regulation Authority (SRA) Code of Conduct for Firms mandates a comprehensive operational framework to uphold the rule of law and the proper administration of justice. Firms must act with integrity, which requires that client funds be systemically segregated from office money (`clientFundsSystemicallySegregated`) to safeguard client assets as per the SRA Accounts Rules. Providing a competent level of service requires a systematic conflict-of-interest check system (`hasConflictOfInterestCheckSystem`) prior to onboarding any new matter, alongside maintaining transparency through a published complaints procedure (`hasPublishedComplaintsProcedure`) and verifying that each client has been informed of data processing (`clientInformedOfDataProcessing`). Central to protecting client interests is a robust information security posture. This security footing begins with a formal information security policy (`hasFormalInformationSecurityPolicy`) and is executed through critical technical controls, including ensuring that client data is encrypted at rest (`clientDataEncryptedAtRest`) and in transit (`clientDataEncryptedInTransit`). Access to all critical systems must be protected via mandatory multi-factor authentication (`multiFactorAuthEnabledOnAllSystems`). A firm's resilience is continuously tested by performing vulnerability scans with a `vulnerabilityScanFrequencyDays` parameter not exceeding 90. Furthermore, organizations must cultivate a security-conscious culture through mandatory annual cybersecurity training for all staff (`isAnnualCybersecurityTrainingMandatory`) and maintain a documented incident response plan (`hasDocumentedIncidentResponsePlan`) to effectively manage potential breaches. These integrated controls ensure firms meet their professional obligations and maintain public trust."

Technical ID

sra-code-conduct-uk

Cloud & SaaS

StateRAMP Authorization

"The cloud service offering's compliance posture demonstrates substantial progress toward full StateRAMP Authorization but currently fails to meet the final requirement for listing on the Authorized Product List. As a Cloud Service Provider specifically targeting state and local government entities, the organization has successfully achieved StateRAMP Ready status, supported by a state sponsor. This attests to the completion of foundational security documentation, including a comprehensive System Security Plan and a formal Continuous Monitoring Plan. An accredited Third-Party Assessment Organization (3PAO) has validated the implementation of security controls aligned with NIST SP 800-53 Rev. 5, appropriate for a system categorized at a Moderate Impact level. The resulting Security Assessment Report confirms a robust security posture, further evidenced by the critical achievement of maintaining zero open high-risk items on the Plan of Actions and Milestones (POAM). Despite fulfilling these significant prerequisites, the service's absence from the official Authorized Product List signifies it has not yet obtained a Provisional or Full Authority to Operate (ATO). Consequently, government agencies cannot procure this offering as a fully vetted StateRAMP Authorized solution, impeding market access until the final authorization process is completed with the governing board."

Technical ID

state-ramp-authorization

Banking & Global Finance

Supervisory Guidance on Model Risk Management

"This guidance describes the key aspects of effective model risk management for banks, which rely heavily on quantitative analysis and models in most aspects of financial decision making. It applies to national banks, bank holding companies, state member banks, and all other institutions for which the Office of the Comptroller of the Currency or the Federal Reserve Board is the primary supervisor. The use of models invariably presents model risk, which is the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports. Model risk can lead to financial loss, poor business and strategic decision making, or damage to a bank's reputation. The core obligation is for banks to establish a strong model risk management framework that fits into the broader risk management of the organization. This framework must encompass robust model development, implementation, and use; a sound model validation process; and strong governance, policies, and controls. A guiding principle for managing model risk is 'effective challenge' of models, which is critical analysis by objective, informed parties. The practical application of this guidance should be customized to be commensurate with a bank's risk exposures, its business activities, and the complexity and extent of its model use."

Technical ID

supervisory-guidance-model-risk-management

Logistics & Supply Chain

Bullwhip Effect Mitigation

"The Bullwhip Effect (Lee, Padmanabhan & Whang, 1997 — Sloan Management Review) describes the amplification of demand variability as orders propagate upstream in a supply chain — small fluctuations in retail demand become large oscillations in manufacturer and raw material orders. The four primary causes are demand signal processing (over-ordering based on forecasts), rationing game behavior (ordering more than needed when supply is scarce), order batching (periodic ordering creates demand spikes), and price variation (forward buying during promotions). Organizations with unmanaged bullwhip effects experience excess inventory, stockouts, poor customer service, and inflated supply chain costs. Mitigation requires demand signal transparency, collaborative forecasting, and ordering policy discipline across the entire supply chain."

Technical ID

supply-chain-bullwhip

Logistics & Supply Chain

Incoterms 2020 Risk Allocation Matrix

"Standardized international trade terms defining the responsibilities, costs, and transfer of risk between sellers and buyers for the distribution of goods."

Technical ID

supply-chain-incoterms

Logistics & Supply Chain

Supply Chain Risk Triage Protocol

"The Supply Chain Risk Triage Protocol mandates an immediate escalation and review process upon detection of specific high-risk conditions within the procurement and component lifecycle. This automated governance mechanism is triggered by a confluence of factors indicating severe potential disruption or compromise. An alert is generated if a supplier's security posture degrades significantly, evidenced by a security score delta of -15 or more points, or upon formal confirmation of a data breach (`supplier_breach_confirmed`). Physical integrity alerts, such as any positive indication of `tampering_evidence_detected`, also require instant intervention. From a cybersecurity perspective, the protocol activates when a component accumulates 3 or more critical Common Vulnerabilities and Exposures (`component_cve_count_critical`), especially when there is `threat_intel_correlation` suggesting active exploitation. The business continuity risk is a primary driver; an `estimated_business_impact_score` reaching 4 or higher necessitates a formal assessment. This is particularly acute for any `is_critical_supplier` or providers of a `is_sole_source_component`, especially when inventory levels drop below a critical threshold of 7 `inventory_days_of_supply`. Geopolitical factors are also evaluated, with suppliers located in a `is_high_risk_geo` automatically flagged. The absence of a pre-vetted alternative (`has_vetted_alternate`) for a compromised supply line compounds the risk severity and accelerates the required response timeline, ensuring that vulnerabilities are addressed with requisite urgency and according to established corporate policy and regulatory standards."

Technical ID

supply-chain-risk-triage

Logistics & Supply Chain

Supply Chain Digital Twin Audit

"Compliance with supply chain digital twin operations mandates stringent adherence to data integrity, security protocols, and model fidelity benchmarks as established by governing industry standards. The audit function verifies that all data sources maintain mandatory authentication, pursuant to the `data_source_authentication_required` rule, and that communications utilize required encryption where `data_encryption_in_transit_enabled` is true. System vigilance requires a zero-tolerance policy for `unauthorized_api_access_attempts_per_hour`. Temporal and spatial accuracy are critical; time synchronization drift must not exceed 500 milliseconds, while any physical asset geo-discrepancy is impermissible beyond 10 meters. Operational integrity of the digital representation depends upon a data freshness threshold of 60 seconds and a sensor data completeness percentage of at least 99.9 percent. Furthermore, synchronization processes must sustain an error rate below 0.1 percent, with changelog integrity verified throughout the system's lifecycle. Model performance itself is subject to rigorous evaluation, demanding a simulation model fidelity score of 0.95 or higher and a predictive maintenance alert accuracy percentage no less than 98 percent. Finally, alignment between virtual and physical stock is paramount, with an inventory level variance percentage capped at 1.5 percent to meet regulatory and operational expectations."

Technical ID

supply-chain-twin-fidelity

Operations & CX

Support Hallucination Detection

"LLM hallucination in customer support contexts — where AI agents generate plausible but factually incorrect answers about products, policies, pricing, or procedures — creates direct legal liability, customer trust erosion, and regulatory exposure under FTC advertising truthfulness standards and GDPR Article 22 (automated decision-making). Unlike general-purpose LLM hallucination, support hallucinations are particularly harmful because customers make financial and behavioral decisions based on them. A structured hallucination detection pipeline combining real-time Knowledge Base (KB) grounding, confidence scoring, cross-reference verification, and human escalation gates is required before any LLM-powered support agent is deployed in production for consequential interactions."

Technical ID

support-hallucination-check

Operations & CX

Sentiment-Based Escalation

"Sentiment-based escalation is an AI support workflow control that monitors customer emotional state throughout an interaction and triggers escalation to a human agent when negative sentiment, frustration indicators, or distress signals exceed defined thresholds. Failure to escalate at the right moment is a primary driver of customer churn — Salesforce research (State of the Connected Customer 2023) reports that 71% of customers who had poor service experiences with AI bots did not receive timely human escalation. Escalation must be implemented not just as a binary trigger but as a tiered response protocol that transfers full interaction context, sentiment history, and urgency classification to the receiving human agent."

Technical ID

support-sentiment-escalation

Banking & Global Finance

SWIFT CSP (Quality)

"The SWIFT Customer Security Programme (CSP) is the mandatory security framework for all SWIFT users. It consists of the Customer Security Controls Framework (CSCF) with 32 controls (25 mandatory, 7 advisory) designed to secure the local infrastructure of SWIFT users and combat cyber-fraud in the global financial messaging community."

Technical ID

swift-csp-quality

Logistics & Supply Chain

TAPA Trucking Security (TSR)

"The TAPA Trucking Security Requirements (TSR) is the leading global security standard for the transportation of high-value assets by road. It defines three levels of security (Level 1, 2, and 3) for vehicles and trailers, focusing on theft prevention, asset tracking, and driver security protocols."

Technical ID

tapa-tsr-2023

Sustainability & ESG

TCFD Climate Disclosure

"The Task Force on Climate-related Financial Disclosures (TCFD) provides a framework for companies to disclose climate-related risks and opportunities. It is built on four thematic areas: Governance, Strategy, Risk Management, and Metrics & Targets, ensuring transparent communication to investors about climate impact on financial value."

Technical ID

tcfd-climate-disclosure

Sustainability & ESG

Recommendations of the Task Force on Climate-related Financial Disclosures

"The Task Force on Climate-related Financial Disclosures report establishes recommendations for disclosing clear, comparable and consistent information about the risks and opportunities presented by climate change. Widespread adoption of these recommendations aims to ensure that the effects of climate change become routinely considered in business and investment decisions, leading to a more efficient allocation of capital and helping to smooth the transition to a more sustainable, low-carbon economy. The recommendations are designed to be widely adoptable and applicable to organizations across sectors and jurisdictions, including financial-sector organizations like banks, insurance companies, asset managers, and asset owners. The core obligation for organizations is to provide climate-related financial disclosures in their mainstream public annual financial filings. These disclosures are structured around four thematic areas that represent core elements of how organizations operate: governance, strategy, risk management, and metrics and targets. This framework is intended to solicit decision-useful, forward-looking information on the financial impacts of climate-related issues, with a strong focus on risks and opportunities related to the transition to a lower-carbon economy. A key recommended disclosure focuses on the resilience of an organization's strategy, taking into consideration different climate-related scenarios, including a 2° Celsius or lower scenario."

Technical ID

tcfd-climate-related-financial-disclosures

Sustainability & ESG

TCFD Climate Disclosure

"The Task Force on Climate-related Financial Disclosures (TCFD) framework, published in 2017 and now consolidated into IFRS S2 (effective January 2024), defines the global standard for corporate disclosure of climate-related financial risks and opportunities. TCFD organizes disclosures across four pillars: Governance, Strategy, Risk Management, and Metrics & Targets. TCFD-aligned disclosure is now mandatory or expected by the SEC Climate Disclosure Rule (US), CSRD (EU), IFRS S2 (global ISSB adopters), and the FCA (UK). Investors managing over $150 trillion in assets have committed to TCFD-aligned reporting. Organizations that do not disclose face regulatory penalties, investor divestment, and credit rating downgrades as climate risk becomes a standard financial materiality assessment criterion."

Technical ID

tcfd-climate-risk

Operations & CX

Task Force on Climate-related Financial Disclosures: 2022 Status Report

"This fifth annual status report from the Task Force on Climate-related Financial Disclosures (TCFD) reflects on the implementation of its recommendations since their release in 2017. The TCFD framework provides a structure for companies and other organizations to develop more effective climate-related financial disclosures through their existing reporting processes. These voluntary disclosures are designed to be useful to investors, lenders, insurance underwriters, and others in understanding material risks and supporting informed, efficient capital-allocation decisions. The framework applies to entities with public debt or equity, as well as asset managers and asset owners, including pension plans, endowments, and foundations. The core obligation for these organizations is to disclose information aligned with the TCFD's 11 recommended disclosures, which are organized around four thematic areas: Governance, Strategy, Risk Management, and Metrics and Targets. The TCFD's goal is that through widespread adoption, the financial risks and opportunities related to climate change will become a natural part of companies’ risk management and strategic planning processes. While the report notes that the percentage of companies disclosing TCFD-aligned information continues to grow, it also finds that more urgent progress is needed, as not enough companies are disclosing decision-useful climate-related financial information."

Technical ID

tcfd-status-report-2022

Sales, Marketing & PR

TikTok Ads (Policies)

"BIDDA's TikTok Ads (Policies) node programmatically assesses advertising creatives and their associated landing pages against a comprehensive set of platform integrity standards to mitigate non-compliance risk. The evaluation strictly prohibits content promoting illegal products or services, weapons, tobacco, and graphic violence. It also flags age-restricted content, such as promotions for alcohol or gambling, that require specific targeting. Any ad containing hate speech that demeans protected groups based on race, religion, or sexual orientation will be flagged. Furthermore, creatives are analyzed for sexually suggestive content, including non-artistic nudity and explicit imagery, alongside any promotion of harmful acts like dangerous challenges. A critical compliance checkpoint validates against misleading claims, such as unsubstantiated outcomes or fabricated testimonials. The system verifies the presence of required disclosures for regulated industries; for example, financial services advertisements must have risk warnings, and branded content necessitates clear markers like '#Ad'. Landing page integrity is paramount, requiring that destination URL content directly corresponds to the advertised product, and any collection of Personally Identifiable Information must be conducted over a secure HTTPS connection with a valid privacy policy. Unauthorized use of copyrighted music or trademarks constitutes a violation of intellectual property rights. Finally, a quantitative content_quality_score measures creative execution, with any score falling below the 0.5 threshold resulting in an automatic compliance failure."

Technical ID

tiktok-ads-policy-std

Cloud & SaaS

TISAX (Automotive Cyber)

"TISAX (Trusted Information Security Assessment Exchange) is the definitive maturity-based security standard for the global automotive industry. Based on the VDA Information Security Assessment (ISA), it provides a unified mechanism for the mutual recognition of security assessments across the automotive value chain, specifically covering 'Information Security', 'Prototype Protection', and 'Data Protection'."

Technical ID

tisaq-auto-cyber

Sustainability & ESG

TNFD Nature Disclosure

"Corporate reporting indicates substantive alignment with the procedural components of the nature-related disclosure framework, though significant deficiencies persist regarding quantitative financial analysis. The entity meets foundational governance requirements, providing a comprehensive disclosure wherein board-level oversight mechanisms are clearly described. Strategic and risk management processes appear well-documented, with confirmation that scenario analysis has been performed, the risk management process is disclosed, and the recommended LEAP approach was applied for assessment. Integration across the value chain, however, is documented at a moderate level two, indicating incomplete assimilation of nature-related considerations. A formal disclosure of metrics and targets is present, with the organization reporting on five distinct nature-related metrics. A critical finding is that while these metrics exist, the associated objectives are not established as science-based targets, suggesting a potential lack of validation against recognized ecological thresholds. The most significant gap remains the failure to quantify financial impacts; this omission represents a material deviation from the final recommendations, which explicitly call for connecting nature-related dependencies to financial outcomes. While stakeholder engagement is disclosed and underlying data sources are validated, the absence of financial quantification severely limits the report's utility for investors and requires immediate remediation."

Technical ID

tnfd-nature-disclosure

Food & Hospitality

Tourism Disaster Resilience

"Compliance with tourism disaster resilience protocols mandates a comprehensive and actively managed framework for mitigating operational disruptions. A documented risk assessment is a foundational requirement, subject to review and update at least every 12 months. Organizations must maintain a current emergency response plan that explicitly incorporates a detailed communication strategy and clear evacuation procedures. To ensure operational continuity, the framework necessitates redundant communication channels. Proactive preparedness measures are enforced through the execution of at least one disaster drill conducted annually, supplemented by no fewer than four annual staff training hours per employee. Asset and personnel protection standards stipulate that emergency supplies must be stocked to sustain operations for a 72-hour period. Digital resilience is equally critical, demanding a formal cyber incident response plan alongside a data backup frequency of no more than 24 hours between cycles. Finally, enterprise resilience is extended through formalized mutual aid agreements with partners, establishing a network for support during significant incidents. Adherence to these specific thresholds is non-negotiable for maintaining certified compliance."

Technical ID

tourism-disaster-resilience

Food & Hospitality

CHARTER Tri-Agency Task Force for Emergency Diagnostics

"The Tri-Agency Task Force for Emergency Diagnostics (TTFED), with members from Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), and Centers for Medicare and Medicaid Services (CMS), is established to develop a process to collaborate on future emergency diagnostic response needs. During emergencies, the TTFED will convene quickly to provide timely recommendations to laboratories for rapid implementation of in vitro diagnostic (IVD) assays authorized for use under FDA’s Emergency Use Authorization (EUA) authority. During public health emergencies, it is critical for IVD assays to be implemented quickly into clinical and public health laboratories for rapid patient care, and laboratories need clear guidance on the application of Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations for these assays. Through the TTFED, the agencies intend to coordinate the implementation of EUA IVD assays in laboratories within the U.S. healthcare system, with the ultimate goal of improving responses to public health emergencies. The TTFED was created to facilitate the use of any authorized EUA IVD assay and provide a platform to coordinate efforts to identify, establish and implement approaches to effectively and efficiently communicate. This work will occur through biannual meetings at a minimum, with the task force providing a forum for discussion of agent- or response-specific EUA IVD assays to help facilitate rapid implementation during an emergency."

Technical ID

tri-agency-task-force-diagnostics

Food & Hospitality

CHARTER Tri-Agency Task Force for Emergency Diagnostics

"The Tri-Agency Task Force for Emergency Diagnostics (TTFED), with members from Centers for Disease Control and Prevention (CDC), Food and Drug Administration (FDA), and Centers for Medicare and Medicaid Services (CMS), is established to develop a process to collaborate on future emergency diagnostic response needs. During emergencies, the TTFED will convene quickly to provide timely recommendations to laboratories for rapid implementation of in vitro diagnostic (IVD) assays authorized for use under FDA’s Emergency Use Authorization (EUA) authority. The TTFED's objective is to coordinate the implementation of EUA IVD assays in laboratories within the U.S. healthcare system, with the ultimate goal of improving responses to public health emergencies. This applies to the member agencies (CDC, FDA, CMS) and provides guidance affecting clinical and public health laboratories implementing EUA IVD assays. The core obligation is for the task force to coordinate efforts to identify, establish, and implement approaches to effectively and efficiently communicate, formalize interagency processes, and provide timely recommendations during emergencies to ensure appropriate implementation of these diagnostic assays. The TTFED will meet biannually at a minimum and will convene at the beginning of any public health situation expected to involve a declaration of an emergency by the Secretary of HHS."

Technical ID

tri-agency-task-force-emergency-diagnostics

Cybersecurity

Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management: Enhancing Internet Protocol-Based IoT Device and Network Security

"This practice guide from the National Cybersecurity Center of Excellence (NCCoE) demonstrates various mechanisms for trusted network-layer onboarding of IoT devices in Internet Protocol-based environments. Establishing trust between a network and an Internet of Things (IoT) device prior to providing the device with the credentials it needs to join the network is crucial for mitigating the risk of potential attacks, which can occur when a device is convinced to join an unauthorized network or when a malicious device infiltrates a network. Trust is achieved by attesting and verifying the identity and posture of the device and the network before providing the device with its network credentials. The guide shows how to provide network credentials to IoT devices in a trusted manner and maintain a secure device posture throughout the device lifecycle, thereby enhancing IoT security. The guidance applies to IoT device users, manufacturers, and vendors of semiconductors, secure storage components, IoT devices, and network onboarding equipment. The core obligation is to use scalable, automated mechanisms to securely manage IoT devices, particularly through a trusted mechanism for providing IoT devices with unique network credentials and access policies at the time of deployment. This approach aims to safeguard IoT devices from being taken over by unauthorized networks, ensure networks are not put at risk as new IoT devices are added, and provide ongoing protection of IoT devices throughout their lifecycles."

Technical ID

trusted-iot-device-onboarding

Legal & IP Sovereignty

UK Bribery Act 2010

"The UK Bribery Act 2010 is one of the strictest anti-corruption laws in the world. It prohibits bribing, being bribed, and bribing foreign officials. Critically, it introduces a strict liability offense for commercial organizations that fail to prevent bribery (Section 7), with a defense available if 'Adequate Procedures' are in place."

Technical ID

uk-bribery-act-2010

Aviation, Defense & Quantum

UK Strategic Export Control

"The UK Strategic Export Control regime (Export Control Act 2002) is the primary regulation for the export of military and dual-use technology from the United Kingdom. It is managed by the Export Control Joint Unit (ECJU) and utilizes the Consolidated List to determine licensing requirements for international trade and defense cooperation."

Technical ID

uk-strategic-export-control

AI Governance & Law

UN Global Digital Compact (Data Governance)

"Enterprises must align their governance frameworks with principles articulated in the United Nations Global Digital Compact under Objective 4, which champions a people-centric approach to data emphasizing trust, accountability, and protection of fundamental human rights. Compliance requires implementing robust mechanisms for international data stewardship. A key operational control is to `require_cross_border_data_transfer_agreement` for all such exchanges, safeguarding information as it moves globally. Furthermore, organizations are obligated to `mandate_human_rights_impact_assessment_hria` for data processing activities, proactively identifying and mitigating potential risks to individual freedoms and privacy. The Compact's principles necessitate a firm commitment to `ensure_data_minimization_across_jurisdictions`, limiting collection and processing activities to what is strictly necessary for specified purposes, thereby reducing systemic risk exposure. To empower individuals and foster genuine trust, transparency is paramount; therefore, policies must `require_multilingual_transparency_notices` ensuring clear, accessible communication about data practices for all stakeholders, irrespective of their language or location. Adherence to these measures demonstrates a commitment to ethical data handling and supports the GDC's vision for a safe, secure, and equitable digital future."

Technical ID

un-global-digital-compact

Legal & IP Sovereignty

UN Guiding Principles (BHR)

"The United Nations Guiding Principles on Business and Human Rights (UNGP or 'Ruggie Principles') are the authoritative global standard for preventing and addressing the risk of adverse human rights impacts linked to business activity. Built on the 'Protect, Respect, and Remedy' framework, they provide actionable principles for both States and corporations."

Technical ID

un-guiding-principles-business-hr

Sustainability & ESG

UN Principles for Responsible Invest

"Adherence to the United Nations-supported Principles for Responsible Investment framework delineates an investment manager's commitment to integrating environmental, social, and governance (ESG) considerations into investment analysis and decision-making processes. Compliance verification commences by confirming an entity's status as a signatory. The framework mandates establishing and publishing a formal responsible investment policy, which must explicitly cover ESG integration while articulating a clear active ownership policy. Operational transparency is a key tenet, assessed by verifying if proxy voting records are made public and whether a formal engagement process is documented. Annual reporting obligations are critical, requiring confirmation that an annual PRI report was submitted. Performance is quantitatively measured through the investment strategy's PRI assessment score. The principles also encourage broader ecosystem influence; therefore, the node ascertains if the entity promotes PRI principles externally and participates in collaborative ESG initiatives. Implementation effectiveness is further evidenced by procedures that request ESG disclosure from investees and ensure relevant personnel receive ESG training. This comprehensive evaluation ensures signatories are not just nominally committed but are actively operationalizing all six core tenets across their investment lifecycle."

Technical ID

un-pri-investment

Sustainability & ESG

UN SDG Strategic Alignment

"The UN Sustainable Development Goals (SDGs) are a set of 17 interconnected global goals adopted by all 193 UN member states in 2015 as part of the 2030 Agenda for Sustainable Development. Each goal contains specific targets (169 total) measured by 231 unique indicators. For organizations, SDG alignment is not mandatory but is increasingly required by institutional investors (PRI signatories managing >$120 trillion in AUM), procurement frameworks (EU public procurement), and supply chain ESG due diligence requirements (CSDDD). The critical distinction is between SDG washing (claiming alignment without evidence) and genuine SDG integration (mapping business activities to specific SDG targets with quantified impact metrics, verified by GRI, SASB, or SDGD Recommendations)."

Technical ID

un-sdg-alignment

Legal & IP Sovereignty

UN SDG Corporate Mapping

"The UN SDG Corporate Mapping framework aligns corporate activities and ESG reporting with the 17 United Nations Sustainable Development Goals (SDGs). It focuses on SDGs 8 (Decent Work), 12 (Responsible Consumption & Production), and 16 (Peace, Justice and Strong Institutions) as the primary pillars for ethical governance and sustainable business practice."

Technical ID

un-sdg-corporate-mapping

Legal & IP Sovereignty

UNCITRAL Model Law (Arbitration)

"The UNCITRAL Model Law on International Commercial Arbitration (1985, amended 2006) is the global standard for the legislative framework of international arbitration. It is designed to assist States in reforming and modernizing their laws on arbitral procedure so as to take into account the particular features and needs of international commercial arbitration."

Technical ID

uncitral-model-law-arbitration

Workplace

UNESCO (AI Ethics - Work)

"Adherence to UNESCO's ethical recommendations for artificial intelligence in the workplace requires a proactive, human-rights-based governance framework. Organizations must systematically evaluate and mitigate AI's impact on labor through a mandatory labor impact assessment, which is subject to a recurring audit with a frequency of at least every 12 months. This assessment informs a required worker transition plan, developed through the implementation of genuine worker consultation. The framework establishes a clear quantitative limit, capping the annual displacement rate by AI at 10 percent. To manage this transition equitably, the provision of funded reskilling programs is obligatory, with a targeted minimum reskilling uptake by affected staff of 75 percent. Furthermore, the framework mandates that an organization ensures social safety net contributions for displaced workers. Key operational controls include a strict prohibition on illegitimate surveillance and a requirement to maintain human oversight on decisions impacting employment. A comprehensive worker data protection policy must exist, supported by a fair grievance mechanism to adjudicate disputes. These integrated measures are designed to ensure AI systems augment human capabilities and promote decent work."

Technical ID

unesco-ai-ethics-work

Creative, Content & Media IP

UNESCO Cultural Diversity

"Adherence to the UNESCO framework for cultural diversity mandates a multifaceted compliance posture for all digital platforms. This requires the establishment and public disclosure of a formal cultural diversity policy alongside verifiable mechanisms for fair remuneration that benefit local creators. Operational requirements stipulate that systems must provide local language support within signatory states and actively promote indigenous cultural content, maintaining a minimum visibility threshold of twenty percent. Governance protocols must be implemented for conducting cultural impact assessments, ensuring algorithmic transparency for content recommendation engines, and developing culturally localized content moderation policies. Additionally, platforms must provide users with granular controls to manage content diversity. The compliance scope extends to respecting national laws through a robust data sovereignty policy, actively supporting the digitization of local cultural heritage, and maintaining systematic engagement with designated national cultural authorities to ensure ongoing alignment. Failure to satisfy these interconnected obligations constitutes a material deviation from the convention's core principles for protecting and promoting the diversity of cultural expressions."

Technical ID

unesco-cultural-diversity

AI Governance & Law

UNESCO Ethics of AI

"Compliance with the UNESCO Recommendation on the Ethics of Artificial Intelligence demands a comprehensive governance framework ensuring AI systems uphold human rights, dignity, and environmental sustainability. The foundational principles mandate that `humanOversightRequired` is perpetually maintained for meaningful control over system determinations. Prior to any deployment, verification is necessary that both an `ethicalImpactAssessmentCompleted` and a `dataPrivacyImpactAssessmentCompleted` have been executed to prospectively evaluate risks and safeguard personal information. To promote fairness, a `biasDetectionMechanismActive` must be operational, complemented by a specific `vulnerableGroupProtectionMechanism` to prevent disparate negative outcomes. Transparency and responsibility are enforced by confirming an `explainabilityMethodImplemented` exists, alongside a clearly articulated `accountabilityFrameworkDefined` that assigns liability for system outcomes. The `proportionalityPrincipleVerified` ensures AI methods are appropriate and necessary for a given legitimate aim. Broader ecosystem health requires that the `environmentalImpactAssessed` is thoroughly documented. Inclusive governance is contingent upon proof that `stakeholderConsultationConducted` activities have meaningfully informed the AI lifecycle. Finally, system resilience and user trust are contingent upon a successful `securityRiskAssessmentCompleted` and the establishment of a `redressMechanismAvailable` for any individuals adversely affected, thereby aligning technological development with internationally recognized ethical standards."

Technical ID

unesco-ethics-ai

AI Governance & Law

California SB 53 (Transparency in Frontier AI Act)

"The nation's first comprehensive safety and transparency requirement for frontier AI developers, mandating catastrophic risk frameworks, 15-day incident reporting, and whistleblower protections for models trained above 10^26 FLOPs."

Technical ID

us-ca-sb53-frontier-ai

AI Governance & Law

Colorado AI Act (SB 205) - High-Risk Systems

"US state-level regulatory requirements for developers and deployers of high-risk AI systems making consequential decisions, mandating algorithmic discrimination audits and consumer opt-out rights."

Technical ID

us-co-sb205-high-risk-ai

Food & Hospitality

USTOA Tour Operator Integrity

"USTOA Tour Operator Integrity compliance validates an operator’s adherence to stringent standards for financial stability, consumer protection, and ethical conduct. Verification requires active USTOA membership and confirmed participation within the USTOA $1 Million Travellers Assistance Program. The framework stipulates a minimum operational history of 3 years under consistent ownership. Furthermore, operators must demonstrate financial responsibility by maintaining a valid professional liability insurance policy with coverage meeting a minimum threshold of $1,000,000 USD. Consumer transparency is a critical component, assessed through the clear and conspicuous disclosure of cancellation and refund policies prior to booking. All advertisements and marketing materials are evaluated to ensure they are truthful and accurate, free of any deceptive information regarding services or pricing. Operators must provide clients with comprehensive pre-tour documentation, including detailed itineraries, inclusions, and exclusions. Digital operations are also scrutinized, requiring the use of secure payment processing systems, such as those that are PCI DSS compliant. A publicly accessible data privacy policy governing customer information is mandatory, alongside a formal data breach notification plan to inform affected customers in the event of a security incident."

Technical ID

ustoa-tour-integrity

Cybersecurity

NIST SPECIAL PUBLICATION 1800-34 Validating the Integrity of Computing Devices

"The supply chains of information and communications technologies are increasingly at risk of compromise from counterfeiting, unauthorized production, tampering, theft, and insertion of unexpected software and hardware. This practice guide demonstrates how organizations can verify that the internal components and system firmware of the computing devices they acquire are genuine and have not been unexpectedly altered during manufacturing, distribution, or operational use. The approach relies on device vendors creating a verifiable artifact within each device that securely binds the device’s attributes to the device’s identity. The customer who acquires the device can then validate the artifact’s source and authenticity, and check the attributes stored in the artifact against the device’s actual attributes to ensure they match. This process, a critical foundation of cyber supply chain risk management (C-SCRM), helps organizations avoid using untrustworthy technology components, enables customers to verify product authenticity, and prevents system compromises caused by acquiring compromised technology. It leverages hardware roots of trust as a foundation to maintain trust in a computing device throughout its operational lifecycle. The guide addresses the creation of verifiable descriptions by manufacturers, the verification of devices during acceptance testing, and the continuous verification of components during subsequent stages in the operational environment."

Technical ID

validating-integrity-of-computing-devices

Sustainability & ESG

Verra VCS Carbon Verification

"Verra VCS project verification mandates strict adherence to a comprehensive set of protocols, as stipulated within core VCS Program governance documents, to ensure the integrity of issued Verified Carbon Units (VCUs). Foundational compliance requires that a project possesses a complete description document and exclusively utilizes an approved VCS methodology for quantifying greenhouse gas (GHG) reductions or removals. Procedurally, a mandatory 30-day public comment period is required, affording stakeholders opportunity for review. Projects must substantiate their claims by demonstrating additionality via a Verra-approved tool while also establishing a clearly defined baseline scenario against which performance is measured. All validation and verification activities must be conducted by an independently accredited Validation/Verification Body (VVB) to guarantee impartiality and technical competence. Furthermore, project design must properly account for all relevant GHG scopes and potential leakage emissions, consistent with VCS Standard requirements. A robust monitoring plan must be in place for systematic data collection, and for relevant project types like Agriculture, Forestry, and Other Land Use (AFOLU), a non-permanence risk analysis is obligatory. The project start date must be valid under program rules to be eligible. Successful verification ultimately culminates in VCU issuance directly onto the official Verra Registry, providing a transparent, immutable, and auditable record of generated carbon credits."

Technical ID

verra-vcs-verification

Sales, Marketing & PR

W3C Topics API

"The W3C Topics API establishes a privacy-centric framework for interest-based advertising by replacing persistent cross-site tracking mechanisms. Its implementation is mandated within a secure context and expressly prohibits persistent cross-site identifiers. User interests are algorithmically inferred based on a minimum of seven days of browsing history, which is then segmented into seven-day epochs. For each epoch, a maximum of five topics are calculated to represent user interests. A calling party may query data from only the three most recent historical epochs, and crucially, can only receive topics it has previously observed for a given user. To further mitigate fingerprinting, the API restricts shared data to a maximum of three topics per request. Privacy is enhanced through a mandatory noise injection mechanism, which introduces a five percent probability of a random topic being returned in place of an authentic one. All potential interests are sourced from a public, human-curated taxonomy, precluding use of sensitive or overly granular categories. The entire mechanism is subject to end-user control, as the specification allows for a complete user opt-out, ensuring data subject autonomy."

Technical ID

w3c-ads-topics-api

Sales, Marketing & PR

W3C Attribution (Ad-Tech)

"Adherence to the W3C's Attribution Reporting API framework necessitates a stringent, privacy-preserving approach for measuring ad conversions without relying on cross-site tracking mechanisms. This compliance posture, informed by specifications like the W3C's Conversion Measurement Proposal and Private Click Measurement, mandates operation exclusively within a secure context where an appropriate API feature policy is required. Source registration is contingent upon direct user activation, a critical control, and the framework fundamentally disallows third-party cookies for attribution purposes. Attribution source data has a maximum lifetime, as its source expiry cannot exceed 30 days. Furthermore, trigger data cardinality is strictly limited to 3 bits, while a maximum of three event-level reports per source may be generated for a single destination, since the max destinations per source event is one. For implementation, the attributionsrc_attribute_mandatory parameter ensures explicit source declaration. To mitigate risks of individual re-identification, a minimum reporting delay of 2 hours is enforced. All summary reporting requires that report aggregation is mandatory, coupled with a requisite noise application, reflecting privacy principles also found in the Privacy Community Group's Reporting API. These combined controls, echoing the direction of IETF's Privacy Pass and the W3C's Trust Token API, ensure that performance measurement is balanced with robust user privacy protections."

Technical ID

w3c-attribution-reporting

Sales, Marketing & PR

W3C Private Aggregation

"Adherence to the W3C Private Aggregation API standard mandates a strict set of privacy-preserving controls for processing cross-site data into summary reports. Conformance requires mandatory integration with either the Shared Storage or Protected Audience APIs, ensuring data is properly gated before collection. All generated reports must be handled by an approved aggregation service which leverages an organizationally independent coordinator for impartial processing. The protocol explicitly prohibits cross-site identifier transmission to prevent user re-identification across origins. Security controls are stringent, dictating that the report endpoint must use HTTPS and all report data undergo encryption prior to being sent. To further protect individual privacy, a differential noise mechanism is required, and any system debug mode must be disabled within production environments. The governing specifications impose hard quantitative limits: contribution values per event cannot exceed a maximum of 65536, while the total privacy budget consumed per origin is capped at 1048576 daily. Furthermore, aggregation bucket keys are constrained to a fixed 128-bit length to maintain structural uniformity. These collective obligations create a robust framework for measurement without compromising individual user anonymity."

Technical ID

w3c-private-aggregation

Logistics & Supply Chain

Warehouse Management (WMS) Logic

"Warehouse Management (WMS) logic must be configured to enforce stringent controls over inventory, operational processes, and system integrity, aligning with governing supply chain regulations and industry best practices. The system mandates First-In, First-Out (FIFO) handling for perishables and First-Expiring, First-Out (FEFO) for goods with expiration dates to prevent spoilage and ensure product safety. Foundational to this control framework is the requirement for complete lot traceability upon receipt, which is further protected by a system-level block on commingling different lots within a single bin location. Physical storage constraints are systematically enforced, validating that location type and dimension matches are correct for stowed goods and that shelf loads do not exceed the 1500 kilogram maximum weight threshold. For operational optimization, velocity codes are subject to a mandatory recalculation every 168 hours, and items must meet a minimum threshold of 50 picks to qualify for a forward picking location. To maintain system governance and auditability, any update to these core logic parameters necessitates a formal change control process. All transactional and configuration changes are captured in immutable audit logs, which must be retained for a period of 3650 days. Access controls are strictly defined, enforcing a separation of duties for inventory adjustments and requiring two-factor authentication for any system override, thereby preserving data integrity and accountability across all warehouse operations."

Technical ID

warehouse-wms-optimization

Logistics & Supply Chain

WCO SAFE Framework

"The SAFE Framework of Standards to Secure and Facilitate Global Trade (SAFE Framework) provides a global standard for supply chain security and trade facilitation, built on three pillars: Customs-to-Customs, Customs-to-Business, and Customs-to-other-Government-Agencies. It is the foundation for the Authorized Economic Operator (AEO) concept."

Technical ID

wco-safe-framework

Logistics & Supply Chain

SAFE Framework of Standards

"The SAFE Framework of Standards to Secure and Facilitate Global Trade, adopted by World Customs Organization (WCO) Members, establishes principles and standards as a minimal threshold for Customs administrations. It aims to secure the movement of global trade in a way that facilitates, rather than impedes, the movement of that trade. This instrument applies to WCO Member Customs administrations, who are in a unique position to provide increased security to the global supply chain and contribute to socio-economic development through revenue collection and trade facilitation. The core obligations are built on five elements: harmonizing advance electronic cargo information requirements for inbound, outbound, and transit shipments; employing a consistent risk management approach to address security threats; performing outbound inspections of high-risk cargo at the request of a receiving nation; providing benefits to businesses that meet minimal supply chain security standards (Authorized Economic Operators); and promoting close cooperation with other government agencies. The SAFE Framework rests on three pillars: Customs-to-Customs network arrangements, Customs-to-Business partnerships, and Customs-to-other Government Agencies co-operation. It is designed to enhance world trade, ensure better security against terrorism and other transnational crime, and increase the contribution of Customs and trade partners to the economic and social well-being of nations. By standardizing practices, the Framework improves the ability of Customs to detect high-risk consignments and increases efficiencies, thereby expediting the clearance and release of legitimate goods."

Technical ID

wco-safe-framework-standards

Sustainability & ESG

WEEE: Electronic Waste Recovery

"An entity’s adherence to the Waste Electrical and Electronic Equipment Directive is substantially confirmed, though a critical deficiency exists regarding cross-border commerce obligations. The producer is correctly registered within the relevant EU member state for products falling under WEEE categories and maintains active membership in an approved compliance scheme. Pursuant to producer responsibility requirements, a sufficient financial guarantee is in place, and products display the mandatory WEEE labeling. Comprehensive user information, alongside necessary details for treatment facilities, is provided to end-users and recyclers per statutory instrument. The organization fulfills its reporting duties by submitting annual sales volume data, has documented its data sanitization process, and operates a retail take-back system. A key performance indicator shows the recovery rate target is met at an 85 percent threshold. However, a significant compliance gap is identified through the producer’s failure to appoint an authorized representative for distance selling activities. This absence contravenes specific legal frameworks governing producers selling directly into member states where they do not have a physical establishment, posing a considerable regulatory risk."

Technical ID

weee-electronic-waste

Creative, Content & Media IP

WIPO Copyright Treaty

"Organizational alignment with the WIPO Copyright Treaty is achieved through a comprehensive framework addressing digital works, technological safeguards, and rights management integrity. The governing policy affirms that computer programs are protected as literary works, and that the structure of databases qualifies for protection when it constitutes an original intellectual creation. Exclusive control over on-demand digital access is vested in rightholders, necessitating that an explicit license is required for any communication to the public. To enforce these prerogatives, the platform employs effective technical protection measures (TPMs). A stringent internal policy prohibits circumvention of these TPMs and explicitly forbids any trafficking in circumvention-enabling tools or services. In parallel, the system embeds essential digital rights management information (RMI) within protected content. Corporate policy mandates a strict prohibition against the unauthorized removal or alteration of this RMI. Consequently, any distribution of works with modified or stripped RMI is forbidden. Furthermore, all proprietary source code has a registered copyright status, and copyright notice visibility is maintained at a 100 percent level, ensuring full compliance with international digital copyright obligations."

Technical ID

wipo-copyright-treaty

Creative, Content & Media IP

WIPO Domain (UDRP)

"This compliance assessment evaluates disputes under the Uniform Domain Name Dispute Resolution Policy (UDRP), which mandates a complainant satisfy a conjunctive three-part test for a successful domain transfer or cancellation. The initial element requires verifying that the `complainant_has_valid_trademark_rights` and subsequently establishing the `domain_is_identical_or_confusingly_similar` to that protected mark. Second, the complainant must prove the respondent has no legitimate interests in the domain name. A respondent may rebut this by affirmatively showing `respondent_has_demonstrable_legitimate_interest`, which can be evidenced if the domain `is_used_for_bona_fide_offering` of goods or services, if the `is_respondent_commonly_known_by_domain` name, or if it `is_used_for_legitimate_noncommercial_or_fair_use`. The final element necessitates proof that the `domain_registered_in_bad_faith` and also that the `domain_is_being_used_in_bad_faith`. Circumstantial evidence supports a finding of bad faith, including `evidence_intent_to_sell_to_trademark_owner` for profit, `evidence_pattern_of_cybersquatting` to prevent a mark's use, `evidence_intent_to_disrupt_competitor` operations, or `evidence_lure_by_confusion_for_gain` through user misdirection. A complainant's failure to prove any single element results in denial of the remedy."

Technical ID

wipo-domain-dispute-udrp

Legal & IP Sovereignty

WIPO Hague System (Designs)

"The Hague System (administered by WIPO) allows for the international registration of industrial designs through a single application. It covers up to 100 industrial design-active countries, providing a cost-effective and simplified process for designers to protect their visual innovation across multiple jurisdictions simultaneously."

Technical ID

wipo-hague-design-system

Creative, Content & Media IP

WIPO Industrial Designs

"Compliance with international regulations for industrial designs requires strict adherence to procedural and data formatting standards established under governing treaties and administrative instructions. Each application must provide a valid product indication and present creator identification to be considered complete. Per established data standards, submissions must incorporate a minimum INID code count of five distinct bibliographic data points, all of which require ST.80 INID codes for proper identification. A core component is the mandatory visual representation of the design; applicants must furnish at least one but may not exceed a maximum visual representation count of ten. Crucially, representation format conformance is non-negotiable for all submitted images or drawings. Classification protocols also mandate the use of the Locarno classification system. All designations must specify a Locarno class format valid under the 14th edition, which is the current Locarno edition for all new filings. The entire application package is evaluated to determine if it is data exchange standard compliant, a fundamental prerequisite for successful international registration and publication according to WIPO procedural guidelines. Failure to satisfy these cumulative requirements will result in processing deficiencies and potential rejection of the design application by the International Bureau."

Technical ID

wipo-industrial-designs

Legal & IP Sovereignty

WIPO Madrid System (Trademarks)

"The Madrid System (administered by WIPO) is a centrally-managed international trademark registration system. It allows trademark owners to protect their brand in up to 130 countries through a single application, in one language, and by paying a single set of fees, simplifying the process of obtaining and managing international trademark rights."

Technical ID

wipo-madrid-trademark-system

Creative, Content & Media IP

WIPO Patent (PCT)

"This international patent application's compliance posture indicates successful completion of initial filing requirements pursuant to the governing legal framework. The application has secured an international filing date, confirmed by its status as Article 11 compliant with a valid receiving office. Administrative prerequisites are satisfied, given that all required fees are paid, the priority claim is valid, and the necessary agent power of attorney has been properly filed. The application has not yet progressed to key intermediate stages. Critically, the international search report is not received, which logically forestalls any opportunity for Article 19 amendment filing. Concurrently, a Chapter II demand for preliminary examination has not been filed, and consequently, the application has not been published. The primary upcoming deadline is national phase entry, for which 900 days remain. To date, national phase entry has not been initiated in any of the 5 designated states. Diligent oversight is imperative for managing forthcoming actions upon receipt of the search report and for making strategic decisions regarding amendments, examination, and the eventual transition into the national stage across all designated jurisdictions."

Technical ID

wipo-patent-cooperation-pct

Legal & IP Sovereignty

WIPO PCT (International Patents)

"The Patent Cooperation Treaty (PCT) is an international treaty administered by WIPO. It provides a unified procedure for filing patent applications to protect inventions in each of its contracting states. A single 'international' patent application has the same effect as national applications filed in the designated countries."

Technical ID

wipo-pct-international-patent

Legal & IP Sovereignty

WIPO PCT (Patent Rules)

"Compliance with the Patent Cooperation Treaty (PCT) framework mandates strict adherence to procedural and formal requirements for securing an international filing date and facilitating subsequent national phase entry. Governing regulations stipulate that any applicant must be a resident or national of a PCT Contracting State, and the international application must be filed with a competent Receiving Office. A valid priority claim, as per treaty articles, necessitates filing within 12 months of the earliest application date. The submission itself is subject to rigorous content validation; it absolutely must include a formal request, a detailed description of the invention, one or more claims, plus an abstract. Furthermore, if drawings are referenced within the description, then such drawings must be included. The application language also needs to be one accepted by the chosen Receiving Office. Financial obligations are critical; all required fees must be paid on time to avoid negative consequences. Following a successful filing, the process advances toward generating an International Search Report, a key document for assessing patentability. Ultimately, applicants must observe the standard 30-month deadline from the priority date for initiating national phase entry in designated jurisdictions, making procedural precision essential throughout the entire international stage."

Technical ID

wipo-pct-patent-rules

Creative, Content & Media IP

WIPO WPPT (Performances)

"Compliance with the WIPO Performances and Phonograms Treaty necessitates stringent verification of fundamental rights and obligations concerning performers and phonogram producers. The framework confirms that performers' moral rights are upheld, requiring clear performer attribution and the existence of an integrity protection mechanism to prevent prejudicial distortion of their work. A central compliance vector involves economic rights, demanding confirmation that a valid reproduction license has been secured from both the performer and the phonogram producer. Similarly, separate authorizations for making works available to the public must be validated for each rights holder. A crucial check verifies that equitable remuneration for broadcasting or any communication to the public has been paid. Furthermore, the platform ensures the asset is within its protection term, which must last for a minimum of fifty years from the date of fixation. The node also enforces modern digital safeguards by validating that the circumvention of technological protection measures is prohibited and that any unauthorized removal or alteration of rights management information is strictly forbidden, thereby protecting the entire rights ecosystem established under the international agreement."

Technical ID

wipo-performances-phonograms

Creative, Content & Media IP

WIPO Trade Secrets

"An organizational asset qualifies for robust protection as a trade secret under governing international intellectual property conventions. The information satisfies the fundamental criteria for secrecy, as it is confirmed that the material is not publicly disclosed and is not readily ascertainable by others through legitimate means. Crucially, the asset provides a demonstrable economic advantage, a core component of its value, with its potential compromise presenting a significant financial impact, as indicated by a risk score of 4. The enterprise meets its duty of care by taking reasonable steps to maintain confidentiality, a mandate central to guidance from the World Intellectual Property Organization. This is substantiated through a comprehensive control framework where an implemented confidentiality policy governs conduct, non-disclosure agreements are systematically executed with all third parties, and regular employee training is conducted. A formal data classification scheme underpins the security architecture, ensuring that effective technical access controls are in place and that internal access is restricted based on role-specific necessity. Furthermore, physical security is actively enforced across all relevant facilities. The organization's systematic inventory of this sensitive information establishes a defensible and compliant posture against misappropriation or unfair competition."

Technical ID

wipo-trade-secret-stds

Creative, Content & Media IP

WIPO Trademark Stds

"Compliance with World Intellectual Property Organization trademark standards mandates strict adherence to data formatting and content protocols for international filings. All transactional data must be structured as valid ST.66 XML, for which `is_st66_xml_valid` is a primary validation checkpoint, with `xml_encoding_is_utf8` as a mandatory specification. The schema enforces that `inid_code_usage_mandatory` for identifying bibliographic data elements is non-negotiable. Specifically, submissions must always contain `has_mandatory_inid_210_application_number` and `has_mandatory_inid_220_filing_date`. Furthermore, comprehensive `has_applicant_information` is required for proper party identification. The framework also `requires_nice_classification` for all goods and services associated with the mark. Critically, the `nice_class_version_specified` must be explicitly declared to ensure contextual accuracy. Each application must designate a `nice_class_count_min` of at least one classification, and the selected class value must conform to the `nice_class_is_numeric_range_1_45`. Submissions lacking `has_mark_representation_data` will be deemed incomplete. Finally, all temporal data points, such as filing or registration dates, must strictly follow the `transaction_date_format_iso8601` standard to guarantee interoperability and prevent ambiguity in official records as established by governing international agreements."

Technical ID

wipo-trademark-stds

Creative, Content & Media IP

WIPO Traditional Knowledge

"A `usage_compliance_score` of `0` reflects a complete failure to meet established international norms for the use of traditional knowledge, as articulated within frameworks deliberated by the World Intellectual Property Organization. The subject matter mandates obtaining prior informed consent, a condition registered as `true`, yet no documented PIC from an appropriate authority has been secured; consequently, both the granting authority's verification status and the scope match with intended use are `false`. Furthermore, a critical deficiency exists in the absence of a fair and equitable benefit-sharing agreement, indicated by a `false` status for `has_benefit_sharing_agreement`. While the schema correctly identifies that `is_attribution_to_source_community_required` is `true`, the required attribution is not present. Compounding these fundamental gaps, no `misappropriation_risk_assessment_conducted` has been performed, leaving the organization exposed to significant legal and reputational liabilities. Data governance controls are nonexistent, with the `data_provenance_chain_maintained` and `data_access_restricted_to_authorized_use` parameters both evaluating to `false`. These failures represent a severe deviation from the principles of protecting traditional knowledge from unauthorized appropriation and use, demanding immediate and comprehensive remediation to align with global standards and mitigate potential infringement claims from the source community."

Technical ID

wipo-traditional-knowledge

Banking & Global Finance

Wolfsberg Principles (KYC)

"The Wolfsberg Anti-Money Laundering (AML) Principles for Correspondent Banking (2022) provide a global standard for the risk-based identification and assessment of correspondent banking clients. It is designed to prevent the misuse of the international financial system by ensuring that banks implement robust due diligence on their respondent institutions."

Technical ID

wolfsberg-corresp-bank

Operations & CX

King V Corporate Governance: Autonomous Systems

"Board-level accountability and oversight frameworks for the deployment, ethical monitoring, and risk management of autonomous AI agents within corporate environments."

Technical ID

za-king-v-tech-gov

AI Governance

SA National AI Policy (2026 Draft) - Accountability & Skills

"Operationalizing the April 2026 South African Cabinet mandates for AI accountability, localized data processing, and algorithmic transparency for enterprise and government contracts."

Technical ID

za-national-ai-policy-2026


Technical Registry Export


This utility allows developers and AI architects to instantly extract technical identifiers for the current filtered view. Use these IDs to programmatically call the Bidda Sovereign Forest API. All exports respect the global Triple-Verification Pipeline.