NIST Cybersecurity Framework 2.0 — Core + Tiers + Profiles · v2.0 (February 2024)
88% covered.
130 requirements · 105 enforced · 10 designed · 15 advisory · 0 deferred.
Source: NIST CSF 2.0 Core (NIST CSWP 29, February 2024) — 6 functions, 22 categories, 106 subcategories — plus Implementation Tiers (§3.1) and Profiles (§4). Deep-mapping extended 2026-05-29 (Wave-Ralph-B) to cover Implementation Tiers across all three dimensions (Risk Governance, Risk Management Process, External Engagement) and Profile creation lifecycle. · License: NIST publications are US-Government works in the public domain.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| DE Detect | 11 | 10 | 0 | 1 | 0 | 93% |
| GV Govern | 31 | 23 | 2 | 6 | 0 | 82% |
| ID Identify | 21 | 19 | 2 | 0 | 0 | 95% |
| Implementation Tiers — Risk Governance | 4 | 3 | 0 | 1 | 0 | 81% |
| Implementation Tiers — Risk Management Process | 4 | 3 | 0 | 1 | 0 | 81% |
| Implementation Tiers — External Engagement | 4 | 3 | 0 | 1 | 0 | 81% |
| Profiles & Tiers (§4) | 12 | 10 | 2 | 0 | 0 | 92% |
| PR Protect | 22 | 13 | 4 | 5 | 0 | 74% |
| RC Recover | 8 | 8 | 0 | 0 | 0 | 100% |
| RS Respond | 13 | 13 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| nist-csf.DE.CM-01 | Networks and network services are monitored to find potentially adverse events | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1 · engines: internal, internal · workers: kye-gateway, kye-edge-arbiter · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| nist-csf.DE.CM-02 | The physical environment is monitored to find potentially adverse events | advisory | constitution_refs: constitution/00-INDEX.md |
| nist-csf.DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.DE.AE-03 | Information is correlated from multiple sources | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.DE.AE-04 | The estimated impact and scope of adverse events are understood | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.DE.AE-06 | Information on adverse events is provided to authorized staff and tools | enforced | audit_events: kye.comms.dispatch.v1 · engines: internal · workers: kye-comms-engine-worker · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-csf.DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | advisory | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | advisory | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md |
| nist-csf.GV.OC-04 | Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | designed | audit_events: kye.spof.path_to_full.v1 · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks | enforced | audit_events: kye.comms.dispatch.v1 · engines: internal · workers: kye-comms-engine-worker · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-csf.GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and included in organizational cybersecurity risk discussions | advisory | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | advisory | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.GV.RR-04 | Cybersecurity is included in human resources practices | advisory | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md |
| nist-csf.GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md |
| nist-csf.GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/00-INDEX.md |
| nist-csf.GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-04 | Suppliers are known and prioritized by criticality | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | advisory | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | designed | audit_events: kye.spof.path_to_full.v1 · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | enforced | audit_events: kye.revocation.event.v1, kye.signal.revocation.cascaded.v1 · engines: internal · workers: kye-authority-revocation-orchestrator · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.ID.AM-01 | Inventories of hardware managed by the organization are maintained | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.ID.AM-03 | Representations of the organization's authorized network communication and internal and external network data flows are maintained | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1 · engines: internal, internal · workers: kye-gateway, kye-edge-arbiter · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| nist-csf.ID.AM-04 | Inventories of services provided by suppliers are maintained | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained | enforced | audit_events: kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| nist-csf.ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-03 | Internal and external threats to the organization are identified and recorded | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | enforced | audit_events: kye.risk.score.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | enforced | audit_events: kye.governedui.approval.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-csf.ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | designed | audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1 · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| nist-csf.ID.RA-10 | Critical suppliers are assessed prior to acquisition | enforced | audit_events: kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.ID.IM-01 | Improvements are identified from evaluations | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | designed | audit_events: kye.signal.drift.detected.v1 · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md |
| nist-csf.ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · workers: kye-incident-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.IT.RG-T1 | Implementation Tier 1 (Partial) — Risk Governance: cybersecurity risk-management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. | advisory | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.IT.RG-T2 | Implementation Tier 2 (Risk-Informed) — Risk Governance: risk-management practices are approved by management but may not be established as organisation-wide policy. | enforced | audit_events: kye.governedui.approval.v1, kye.compliance.attestation.v1 · governedui_modules: kye.governedui.module.action_approval.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-csf.IT.RG-T3 | Implementation Tier 3 (Repeatable) — Risk Governance: risk-management practices are formally approved and expressed as policy; cybersecurity practices are regularly updated based on the application of risk-management processes to changes in business / mission requirements and a changing threat landscape. | enforced | audit_events: kye.compliance.attestation.v1, kye.reconciliation.verdict.v1 · engines: internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.IT.RG-T4 | Implementation Tier 4 (Adaptive) — Risk Governance: the organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learnt and predictive indicators. | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/41-ERROR-HORIZONS.md |
| nist-csf.IT.RM-T1 | Implementation Tier 1 (Partial) — Risk Management Process: there is limited awareness of cybersecurity risk at the organisational level, and risk management is implemented case-by-case. | advisory | audit_events: kye.risk.score.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.IT.RM-T2 | Implementation Tier 2 (Risk-Informed) — Risk Management Process: risk-informed, management-approved processes and procedures are defined and implemented; staff has adequate resources. | enforced | audit_events: kye.risk_assessment.v1, kye.risk.score.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.IT.RM-T3 | Implementation Tier 3 (Repeatable) — Risk Management Process: the organisation's risk-management practices are formally approved and expressed as policy; methods to respond effectively to changes in risk are in place. | enforced | audit_events: kye.risk.score.v1, kye.reconciliation.verdict.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal, internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md |
| nist-csf.IT.RM-T4 | Implementation Tier 4 (Adaptive) — Risk Management Process: the organisation uses real-time or near-real-time information to understand and consistently act upon cybersecurity risk associated with the products and services it provides and uses. | enforced | audit_events: kye.risk.score.v1, kye.signal.drift.detected.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/35-STREAMING-LOGS.md |
| nist-csf.IT.EE-T1 | Implementation Tier 1 (Partial) — External Engagement: the organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependants. | advisory | audit_events: kye.subprocessor.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-csf.IT.EE-T2 | Implementation Tier 2 (Risk-Informed) — External Engagement: the organisation collaborates with and receives some information from external parties, generates some of its own, but may not share information externally. | enforced | audit_events: kye.subprocessor.v1, kye.federation.cross_org_delegation.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| nist-csf.IT.EE-T3 | Implementation Tier 3 (Repeatable) — External Engagement: the organisation collaborates with and receives information from partners on a regular basis, and contributes its own information; the organisation is aware of risks associated with its products and services and its place in the larger ecosystem. | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.subprocessor.v1, kye.comms.dispatch.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| nist-csf.IT.EE-T4 | Implementation Tier 4 (Adaptive) — External Engagement: the organisation receives, generates and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscape evolves; the organisation shares information through formal and informal mechanisms. | enforced | audit_events: kye.federation.cross_org_delegation.v1, kye.signal.drift.detected.v1, kye.evidence.pack.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/38-COMMS-RAIL.md |
| nist-csf.PF.Current | Current Profile — describes the cybersecurity outcomes that the organisation is currently achieving (or attempting to achieve) and the extent to which each outcome is being achieved. | enforced | audit_events: kye.compliance.attestation.v1, kye.reconciliation.verdict.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.PF.Target | Target Profile — describes the desired cybersecurity outcomes the organisation has selected and prioritised for achieving its risk-management objectives. | designed | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md, constitution/53-COHESION-CASCADE.md |
| nist-csf.PF.Community | Community Profile — a sectoral, technology- or threat-specific baseline of CSF outcomes for use as a starting point by similar organisations. | enforced | audit_events: kye.compliance.attestation.v1 · sector_packs: kye:sector-pack:financial-services, kye:sector-pack:healthcare · constitution_refs: constitution/29-PROFILES-LITE.md, constitution/49-UNIVERSAL-ENGAGEMENT-RAIL.md |
| nist-csf.PF.Org | Organisational Profile — describes a specific organisation's current and / or target cybersecurity posture in terms of Core outcomes. | designed | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.PF.Scope | Scope the Organisational Profile — define the boundaries of the Organisational Profile (entire enterprise, subsidiary, system or service) so the cybersecurity outcomes are clearly bounded. | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.PF.Gather | Gather information needed to prepare the Organisational Profile — collect information about the organisation's risks, priorities, dependencies, resources, threats and previous incidents. | enforced | audit_events: kye.audit.event.v1, kye.signal.incident.opened.v1, kye.subprocessor.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.PF.Create | Create the Organisational Profile — for each selected Core element, document the current and / or target state along with the rationale, considerations and applicability. | enforced | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.PF.Analyse | Analyse gaps and create an action plan — compare the current and target Profiles, identify gaps, prioritise actions, and assign owners and timeframes. | enforced | audit_events: kye.signal.drift.detected.v1, kye.spof.path_to_full.v1 · engines: internal · registries: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.PF.Implement | Implement the action plan and update the Organisational Profile — execute identified actions, track progress, and update the Profile to reflect the new state. | enforced | audit_events: kye.reconciliation.verdict.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md, constitution/53-COHESION-CASCADE.md |
| nist-csf.PF.Tiers | Implementation Tiers — characterise the rigour of an organisation's cybersecurity risk-governance and risk-management practices along the Partial / Risk-Informed / Repeatable / Adaptive scale. | enforced | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-csf.PF.Update | Maintain and continually improve the Organisational Profile — update the Profile on an ongoing basis to reflect the current and target cybersecurity posture, adjusting priorities and actions as needed. | enforced | audit_events: kye.compliance.attestation.v1, kye.signal.compliance_card.refreshed.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.PF.Cybersecurity | Cybersecurity Supply Chain Risk Management profile — a specialised Community Profile for supply-chain risk that organisations can adopt or adapt. | enforced | audit_events: kye.subprocessor.v1, kye.compliance.attestation.v1, kye.federation.cross_org_delegation.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md, constitution/52-DELEGATED-AGENT-BINDING.md |
| nist-csf.PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.PR.AA-03 | Users, services, and hardware are authenticated | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.PR.AA-04 | Identity assertions are protected, conveyed, and verified | enforced | audit_events: kye.signing.multisig_envelope.v1 · engines: internal, internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-csf.PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | enforced | audit_events: kye.authority.grant.v1, kye.evidence.decision_map.v1, kye.purpose.permission.v1 · engines: internal, internal · workers: kye-pdp · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-csf.PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk | advisory | constitution_refs: constitution/00-INDEX.md |
| nist-csf.PR.AT-01 | Personnel are provided with awareness and training so they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | advisory | audit_events: kye.comms.dispatch.v1 · engines: internal · workers: kye-comms-engine-worker · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-csf.PR.AT-02 | Individuals in specialized roles are provided with awareness and training so they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | advisory | audit_events: kye.comms.dispatch.v1 · engines: internal · workers: kye-comms-engine-worker · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-csf.PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | enforced | audit_events: kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| nist-csf.PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected | enforced | audit_events: kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| nist-csf.PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected | enforced | audit_events: kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| nist-csf.PR.DS-11 | Backups of data are created, protected, maintained, and tested | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal, internal · workers: kye-audit-archiver, kye-d1-backup-worker · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.PR.PS-01 | Configuration management practices are established and applied | designed | audit_events: kye.signal.drift.detected.v1 · constitution_refs: constitution/34-RECONCILIATION-ENGINE.md |
| nist-csf.PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1 · engines: internal · workers: kye-drift-detector · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-csf.PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | advisory | constitution_refs: constitution/00-INDEX.md |
| nist-csf.PR.PS-04 | Log records are generated and made available for continuous monitoring | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.PR.PS-05 | Installation and execution of unauthorized software are prevented | designed | audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1 · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| nist-csf.PR.PS-06 | Secure software development practices are integrated and their performance is monitored throughout the software development life cycle | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1 · engines: internal, internal · workers: kye-audit-archiver · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-csf.PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | enforced | audit_events: kye.evidence.decision_map.v1, kye.signal.decision.admitted.v1 · engines: internal, internal · workers: kye-gateway, kye-edge-arbiter · constitution_refs: constitution/25-EDGE-GOVERNANCE.md |
| nist-csf.PR.IR-02 | The organization's technology assets are protected from environmental threats | advisory | constitution_refs: constitution/00-INDEX.md |
| nist-csf.PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | designed | audit_events: kye.spof.path_to_full.v1 · constitution_refs: constitution/51-NO-SPOF.md |
nist-csf.PR.IR-04 |
Adequate resource capacity to ensure availability is maintained | designed | audit_events: kye.spof.path_to_full.v1constitution_refs: constitution/51-NO-SPOF.md |
nist-csf.RC.RP-01 |
The recovery portion of the incident response plan is executed once initiated from the incident response process | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RC.RP-02 |
Recovery actions are selected, scoped, prioritized, and performed | enforced | audit_events: kye.assurance.audit_replay_report.v1engines: internalworkers: kye-audit-replay-orchestratorconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
nist-csf.RC.RP-03 |
The integrity of backups and other restoration assets is verified before using them for restoration | enforced | audit_events: kye.compliance.attestation.v1engines: internal, internalworkers: kye-audit-archiver, kye-d1-backup-workerconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
nist-csf.RC.RP-04 |
Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms | enforced | audit_events: kye.compliance.attestation.v1engines: internalconstitution_refs: constitution/00-INDEX.md |
nist-csf.RC.RP-05 |
The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | enforced | audit_events: kye.assurance.audit_replay_report.v1engines: internalworkers: kye-audit-replay-orchestratorconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
nist-csf.RC.RP-06 |
The end of incident recovery is declared based on criteria, and incident-related documentation is completed | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RC.CO-03 |
Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | enforced | audit_events: kye.comms.dispatch.v1engines: internalworkers: kye-comms-engine-workerconstitution_refs: constitution/38-COMMS-RAIL.md |
nist-csf.RC.CO-04 |
Public updates on incident recovery are shared using approved methods and messaging | enforced | audit_events: kye.comms.dispatch.v1engines: internalworkers: kye-comms-engine-workerconstitution_refs: constitution/38-COMMS-RAIL.md |
nist-csf.RS.MA-01 |
The incident response plan is executed in coordination with relevant third parties once an incident is declared | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RS.MA-02 |
Incident reports are triaged and validated | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RS.MA-03 |
Incidents are categorized and prioritized | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RS.MA-04 |
Incidents are escalated or elevated as needed | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RS.MA-05 |
The criteria for initiating incident recovery are applied | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RS.AN-03 |
Analysis is performed to establish what has taken place during an incident and the root cause | enforced | audit_events: kye.assurance.audit_replay_report.v1engines: internalworkers: kye-audit-replay-orchestratorconstitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
nist-csf.RS.AN-06 |
Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1engines: internal, internalworkers: kye-audit-archiverconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
nist-csf.RS.AN-07 |
Incident data and metadata are collected, and their integrity and provenance are preserved | enforced | audit_events: kye.audit.event.appended.v1, kye.evidence.pack.v1engines: internal, internalworkers: kye-audit-archiverconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
nist-csf.RS.AN-08 |
An incident's magnitude is estimated and validated | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1engines: internalworkers: kye-incident-detectorconstitution_refs: constitution/13-RESILIENCE-LOOP.md |
nist-csf.RS.CO-02 |
Internal and external stakeholders are notified of incidents | enforced | audit_events: kye.comms.dispatch.v1engines: internalworkers: kye-comms-engine-workerconstitution_refs: constitution/38-COMMS-RAIL.md |
nist-csf.RS.CO-03 |
Information is shared with designated internal and external stakeholders | enforced | audit_events: kye.comms.dispatch.v1engines: internalworkers: kye-comms-engine-workerconstitution_refs: constitution/38-COMMS-RAIL.md |
nist-csf.RS.MI-01 |
Incidents are contained | enforced | audit_events: kye.revocation.event.v1, kye.signal.revocation.cascaded.v1engines: internalworkers: kye-authority-revocation-orchestratorconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
nist-csf.RS.MI-02 |
Incidents are eradicated | enforced | audit_events: kye.revocation.event.v1, kye.signal.revocation.cascaded.v1engines: internalworkers: kye-authority-revocation-orchestratorconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |