NIST 800-53 Rev 5 — the canonical control taxonomy.
Every regulatory framework that KYE Protocol™ maps to crosswalks into this hub. When a procurement form asks "do you map to PCI DSS 4.0?" or "Annex III of the EU AI Act?", the answer is deterministic: follow the crosswalk to the NIST control(s), then to the KYE™ artefact that binds it. One hop, machine-readable, no N×M explosion.
JSON: /.well-known/nist-800-53-hub.json. Schema: kye.nist_800_53_hub.v1.
The pattern — N + M, not N × M
Without a hub, every framework-to-framework crosswalk is N × M (170 frameworks ⇒ 380 directed pairs). With NIST 800-53 as the hub, it is N + M — one hop per side.
EU AI Act Art 6 → NIST 800-53 RA-3 + PM-9 → KYE Risk Engine + canonical Implementation Registry entry
GDPR Art 30 → NIST 800-53 PT-3 + AU-2 → data_use_manifest.v1 + audit-chain emission
SOC 2 CC6 → NIST 800-53 AC-2/3/6, IA-2/5 → Entity Engine + Authority Engine + PDP
HIPAA §164.312 → NIST 800-53 AC-2/3, AU-2, SC-8/12 → per-tenant signing-kid registry + TLS 1.3 floor
20 control families
Each family maps to one or more KYE™ engines.
| Family | Name | Controls | KYE™ engines |
|---|---|---|---|
| AC | Access Control | 25 | purpose-scope · decision · authority |
| AT | Awareness and Training | 6 | state |
| AU | Audit and Accountability | 16 | evidence · replay |
| CA | Assessment, Authorization, and Monitoring | 9 | decision · evidence |
| CM | Configuration Management | 14 | rules · state |
| CP | Contingency Planning | 13 | state |
| IA | Identification and Authentication | 12 | entity · authority |
| IR | Incident Response | 10 | evidence · ecosystem |
| MA | Maintenance | 7 | state |
| MP | Media Protection | 8 | evidence |
| PE | Physical and Environmental Protection | 23 | — |
| PL | Planning | 11 | rules |
| PM | Program Management | 32 | rules · state |
| PS | Personnel Security | 9 | entity |
| PT | PII Processing and Transparency | 8 | purpose-scope · evidence |
| RA | Risk Assessment | 10 | decision · rules |
| SA | System and Services Acquisition | 23 | ecosystem |
| SC | System and Communications Protection | 51 | evidence · replay |
| SI | System and Information Integrity | 23 | evidence · rules |
| SR | Supply Chain Risk Management | 12 | ecosystem · entity |
25 headline controls — artefact bindings
The 25 controls cited by the largest share of frameworks. Each binds to a specific KYE™ artefact.
| Control | Name | KYE™ artefact that binds it |
|---|---|---|
| AC-2 | Account management | Entity Engine + Authority Engine: per-tenant entity records with signed grant chain. |
| AC-3 | Access enforcement | PDP per-call admissibility; deny-by-default. |
| AC-4 | Information flow enforcement | data_flow_graph.v1 + signed cross-border envelope. |
| AC-6 | Least privilege | Scoped delegation; Purpose Permission™ admissibility. |
| AU-2 | Event logging | Audit-chain append-only triggers; per-event signed Evidence Pack™. |
| AU-9 | Protection of audit information | WORM triggers; object-store immutability; per-tenant signing-kid registry. |
| AU-10 | Non-repudiation | Cryptographically signed Decision Map™; public-key offline verification. Algorithm internals in patent track. |
| AU-12 | Audit record generation | Every privileged action emits the governance event family. |
| CA-7 | Continuous monitoring | 6-hour heartbeat liveness + readiness probes. |
| CM-2 | Baseline configuration | Compiled control bundle with integrity seal. |
| IA-2 | Identification & authentication | Content-addressed hash of the per-tenant API key; service-binding mTLS. Hashing algorithm internals in patent track. |
| IA-5 | Authenticator management | Quarterly rotation; HSM-backed signing kids. |
| IR-4 | Incident handling | Event correlator + signed incident_evidence_pack. |
| IR-5 | Incident monitoring | Audit-chain queryable by event class; incident detector. |
| PT-2 | Authority to process PII | Purpose Permission™ admissibility; signed lawful-basis envelope. |
| PT-3 | PII processing purposes | data_use_manifest.v1 with bounded-purpose declaration. |
| RA-3 | Risk assessment | Risk Engine 5-tier + per-framework floor map. |
| RA-5 | Vulnerability monitoring | Drift detector + Reality Coupling™. |
| SA-15 | Development process | Constitution Kit + reference gates; CI-enforced. |
| SC-7 | Boundary protection | Gateway worker withSecurity + Bearer auth on /v1/*. |
| SC-8 | Transmission confidentiality | TLS 1.3 floor; HSTS preload; per-tenant region binding. |
| SC-12 | Cryptographic key establishment | Per-tenant signing-kid registry; quarterly rotation. |
| SI-4 | System monitoring | Event classifier + audit-chain emission coverage. |
| SI-12 | Information management & retention | WORM audit + object-store immutability with framework-justified retention years. |
| SR-3 | Supply chain controls | subprocessors/manifest.json + signed sub-processor register. |
170 frameworks — all crosswalked one-hop
Pick a framework; every clause resolves to NIST control IDs in the JSON. Auditors get a deterministic answer; procurement gets a one-page table.
| Framework | Example clause | NIST 800-53 anchor |
|---|---|---|
| EU AI Act | Art 6 (high-risk classification) | RA-3 · PM-9 |
| DORA | Art 28 (critical third party) | SR-3 · SA-4 · SA-15 |
| GDPR | Art 30 (RoPA) | PT-3 · AU-2 · PM-5 |
| SOC 2 | CC6 (logical access) | AC-2 · AC-3 · AC-6 · IA-2 · IA-5 |
| ISO/IEC 27001 | Annex A.9 (access control) | AC-2 · AC-3 · AC-6 · IA-2 |
| ISO/IEC 42001 | Annex A.4 (lifecycle) | SA-15 · CM-3 · PM-9 |
| NIST AI RMF | GOVERN-1.2 (traceability) | AU-10 · AU-12 · PT-3 |
| NIST 800-207 (Zero Trust) | Tenet 1 (every request auth'd) | AC-3 · IA-2 |
| FCA OpRes | IBS designation | CP-2 · CA-7 · PM-9 |
| SR 11-7 | §V (model risk management) | RA-3 · AU-10 · PM-9 |
| BCBS 239 | §6 (maker-checker) | AC-3 · AC-5 · AC-6 |
| PCI DSS 4.0 | 6.4.1 (segregated envs) | SC-7 · SC-32 |
| PSD2 / PSD3 | SCA | IA-2 · AC-3 |
| HIPAA | §164.312 (technical safeguards) | AC-2 · AC-3 · AU-2 · SC-8 · SC-12 |
| HAARF | §4.2 (verifiable-by-3rd-party) | AU-10 · AU-9 |
| MHRA SaMD | SaMD AI Change Program | CM-3 · CA-7 |
| FedRAMP Mod | Baseline | AC-2 · AC-3 · AU-2 · AU-9 · AU-12 · SC-7 · SC-8 · SC-12 · SI-4 |
| SEC 17a-4 / FINRA 4511 | Records preservation | AU-9 · SI-12 |
| UK NCSC CAF | Principle B6 (training) | AT-2 · AT-3 |
| NIST CSF 2.0 | GOVERN · IDENTIFY · PROTECT · DETECT · RESPOND · RECOVER | PM-1 · PM-9 · RA-3 · CM-8 · AC-3 · IA-2 · SC-8 · AU-2 · SI-4 · IR-4 · IR-5 · CP-2 |
Full crosswalk in the JSON: /.well-known/nist-800-53-hub.json. The KYE™ Claude Code plugin's /kye:framework-map command consumes this same file and prints the per-clause binding inline in your IDE.
Use the hub from your IDE
The Claude Code plugin's /kye:framework-map command answers procurement & auditor questions deterministically — same bytes every time.
$ /kye:framework-map dora:Art\ 28
DORA Art 28 (critical third party) → NIST 800-53 [SR-3 · SA-4 · SA-15] → KYE Ecosystem Engine + Implementation Registry
$ /kye:framework-map AU-9
AU-9 (Protection of audit information) → KYE: WORM triggers · object-store immutability · per-tenant signing-kid registry
Crosswalks IN: GDPR Art 32 · HAARF §4.2 · HIPAA §164.312 · SEC 17a-4 · FedRAMP Mod baseline
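An added example (not KYE Protocol™ code, and not the real kye.nist_800_53_hub.v1 schema) of the two-hop resolution that the N + M pattern above and the /kye:framework-map lookups rely on: clause to NIST control to artefact, the reverse "Crosswalks IN" lookup, a canonical digest so two parties can confirm they got the same bytes, and an integrity check for controls a spoke cites but the hub never binds. The hub document below is a constructed sample with an assumed shape.

```python
import hashlib
import json

# Constructed sample hub, assumed shape (not the real kye.nist_800_53_hub.v1 schema):
# spokes are framework clause -> NIST control IDs; the hub is control -> artefacts.
HUB = {
    "frameworks": {
        "DORA":  {"Art 28": ["SR-3", "SA-4", "SA-15"]},
        "GDPR":  {"Art 30": ["PT-3", "AU-2", "PM-5"]},
        "HIPAA": {"§164.312": ["AC-2", "AC-3", "AU-2", "SC-8", "SC-12"]},
    },
    "controls": {
        "AC-2":  ["Entity Engine + Authority Engine"],
        "AC-3":  ["PDP per-call admissibility; deny-by-default"],
        "AU-2":  ["Audit-chain append-only triggers", "per-event signed Evidence Pack"],
        "PT-3":  ["data_use_manifest.v1"],
        "SC-8":  ["TLS 1.3 floor; HSTS preload"],
        "SC-12": ["Per-tenant signing-kid registry"],
        "SR-3":  ["subprocessors/manifest.json + signed sub-processor register"],
        # SA-4, SA-15 and PM-5 are deliberately left unbound to exercise the gap check.
    },
}

def resolve(hub, framework, clause):
    # One hop out (clause -> controls), one hop in (each control -> its artefacts).
    controls = hub["frameworks"][framework][clause]
    artefacts = {c: hub["controls"].get(c, []) for c in controls}
    return {"framework": framework, "clause": clause, "controls": controls, "artefacts": artefacts}

def canonical_digest(answer):
    # "Same bytes every time": canonical JSON, then SHA-256, so two parties running
    # the lookup independently can compare one digest instead of the whole table.
    raw = json.dumps(answer, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()

def crosswalks_in(hub, control):
    # Reverse lookup behind the "Crosswalks IN" line: clauses that land on one control.
    return sorted(f"{fw} {cl}" for fw, clauses in hub["frameworks"].items()
                  for cl, ctrls in clauses.items() if control in ctrls)

def unbound_controls(hub):
    # Integrity check: a control cited by a spoke but with no artefact binding dangles.
    cited = {c for clauses in hub["frameworks"].values() for ctrls in clauses.values() for c in ctrls}
    return sorted(cited - set(hub["controls"]))

def edge_counts(hub):
    # Hub edges (N clause spokes + M control bindings) versus N*(N-1) directed pairwise crosswalks.
    n = sum(len(clauses) for clauses in hub["frameworks"].values())
    return n + len(hub["controls"]), n * (n - 1)
```

A non-empty result from unbound_controls is the check to run before publishing a hub file: every spoke then resolves to at least one artefact, so an auditor never receives a control ID with nothing behind it.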