|
49 | 49 | "control_name": "Policies for data privacy", |
50 | 50 | "tier": "Foundational", |
51 | 51 | "scope": "Both", |
52 | | - "notes": "Supply chain governance policy — approved sources for agent tools, MCP servers, and model components" |
| 52 | + "notes": "Supply chain governance policy � approved sources for agent tools, MCP servers, and model components" |
53 | 53 | }, |
54 | 54 | { |
55 | 55 | "framework": "NIST AI RMF 1.0", |
56 | 56 | "control_id": "MP-5.1", |
57 | 57 | "control_name": "Interdependencies", |
58 | 58 | "tier": "Foundational", |
59 | 59 | "scope": "Both", |
60 | | - "notes": "All agent supply chain components mapped — dynamic tool loading inventoried, approved before use" |
| 60 | + "notes": "All agent supply chain components mapped � dynamic tool loading inventoried, approved before use" |
61 | 61 | }, |
62 | 62 | { |
63 | 63 | "framework": "NIST AI RMF 1.0", |
64 | 64 | "control_id": "MS-2.5", |
65 | | - "control_name": "Testing — adversarial", |
| 65 | + "control_name": "Testing � adversarial", |
66 | 66 | "tier": "Foundational", |
67 | 67 | "scope": "Both", |
68 | | - "notes": "Supply chain integrity testing — signature verification, descriptor review, backdoor scanning" |
| 68 | + "notes": "Supply chain integrity testing � signature verification, descriptor review, backdoor scanning" |
69 | 69 | }, |
70 | 70 | { |
71 | 71 | "framework": "NIST AI RMF 1.0", |
72 | 72 | "control_id": "MG-3.2", |
73 | 73 | "control_name": "Residual risk", |
74 | 74 | "tier": "Foundational", |
75 | 75 | "scope": "Both", |
76 | | - "notes": "Residual supply chain risk documented and treated — third-party component risks in AI risk register" |
| 76 | + "notes": "Residual supply chain risk documented and treated � third-party component risks in AI risk register" |
77 | 77 | }, |
78 | 78 | { |
79 | 79 | "framework": "EU AI Act", |
80 | 80 | "control_id": "Supply chain risks identified and mitigated", |
81 | | - "control_name": "Art. 9 — Risk management", |
| 81 | + "control_name": "Art. 9 � Risk management", |
82 | 82 | "tier": "Foundational", |
83 | 83 | "scope": "Both", |
84 | | - "notes": "All agent components in Art. 9 risk management — dynamic runtime components explicitly in scope" |
| 84 | + "notes": "All agent components in Art. 9 risk management � dynamic runtime components explicitly in scope" |
85 | 85 | }, |
86 | 86 | { |
87 | 87 | "framework": "EU AI Act", |
88 | 88 | "control_id": "Quality management includes supply chain controls", |
89 | | - "control_name": "Art. 17 — Quality management", |
| 89 | + "control_name": "Art. 17 � Quality management", |
90 | 90 | "tier": "Foundational", |
91 | 91 | "scope": "Both", |
92 | | - "notes": "Documented supply chain security procedures — component verification, change management" |
| 92 | + "notes": "Documented supply chain security procedures � component verification, change management" |
93 | 93 | }, |
94 | 94 | { |
95 | 95 | "framework": "EU AI Act", |
96 | 96 | "control_id": "Providers document obligations; deployers verify", |
97 | | - "control_name": "Art. 25 — Value chain responsibilities", |
| 97 | + "control_name": "Art. 25 � Value chain responsibilities", |
98 | 98 | "tier": "Foundational", |
99 | 99 | "scope": "Both", |
100 | 100 | "notes": "Agent tool and MCP server supply chain obligations distributed along value chain" |
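Review bot: Every added line in this hunk (new-side 52, 60, 65, 68, 76, 81, 84, 89, 92 and 97) swaps the em dash for a replacement character `�`, which looks like a wrong-codepage save/round-trip rather than an intended wording change; the same substitution appears in all the later hunks of this file. If the bytes on disk are a literal U+FFFD the text is silently lossy; if they are an undecodable byte sequence, RFC 8259 requires UTF-8 and strict parsers and I-JSON consumers will reject or mangle these `notes` and `control_name` values, so a control-mapping file that is read by tooling becomes unreliable. Restore the original text by re-saving the file as UTF-8 with the literal `—`, or use the encoding-neutral escape, e.g. `"control_name": "Testing \u2014 adversarial"`. A pre-commit check that parses the file with a strict UTF-8 JSON decoder would have caught this before merge.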
|
105 | 105 | "control_name": "Supplier relationships", |
106 | 106 | "tier": "Foundational", |
107 | 107 | "scope": "Both", |
108 | | - "notes": "Security requirements applied to all agent tool and MCP server providers — provenance, integrity, disclosure obligations" |
| 108 | + "notes": "Security requirements applied to all agent tool and MCP server providers � provenance, integrity, disclosure obligations" |
109 | 109 | }, |
110 | 110 | { |
111 | 111 | "framework": "ISO/IEC 27001:2022", |
112 | 112 | "control_id": "A.5.20", |
113 | 113 | "control_name": "Supplier agreements", |
114 | 114 | "tier": "Foundational", |
115 | 115 | "scope": "Both", |
116 | | - "notes": "Contractual security requirements for all agent component suppliers — integrity guarantees, vulnerability notification SLA" |
| 116 | + "notes": "Contractual security requirements for all agent component suppliers � integrity guarantees, vulnerability notification SLA" |
117 | 117 | }, |
118 | 118 | { |
119 | 119 | "framework": "ISO/IEC 27001:2022", |
120 | 120 | "control_id": "A.5.21", |
121 | 121 | "control_name": "Supply chain security", |
122 | 122 | "tier": "Foundational", |
123 | 123 | "scope": "Both", |
124 | | - "notes": "Managing ICT supply chain risks — agent tool and MCP server ecosystem explicitly in scope" |
| 124 | + "notes": "Managing ICT supply chain risks � agent tool and MCP server ecosystem explicitly in scope" |
125 | 125 | }, |
126 | 126 | { |
127 | 127 | "framework": "ISO/IEC 27001:2022", |
128 | 128 | "control_id": "A.8.8", |
129 | 129 | "control_name": "Management of technical vulnerabilities", |
130 | 130 | "tier": "Foundational", |
131 | 131 | "scope": "Both", |
132 | | - "notes": "Agent component CVEs in vulnerability management — ML libraries, inference runtime, MCP server dependencies" |
| 132 | + "notes": "Agent component CVEs in vulnerability management � ML libraries, inference runtime, MCP server dependencies" |
133 | 133 | }, |
134 | 134 | { |
135 | 135 | "framework": "ISO/IEC 42001:2023", |
136 | 136 | "control_id": "A.10.1", |
137 | 137 | "control_name": "Third-party AI system acquisition", |
138 | 138 | "tier": "Foundational", |
139 | 139 | "scope": "Both", |
140 | | - "notes": "All agent tool and MCP server providers assessed — security obligations, integrity guarantees, disclosure SLA in contracts" |
| 140 | + "notes": "All agent tool and MCP server providers assessed � security obligations, integrity guarantees, disclosure SLA in contracts" |
141 | 141 | }, |
142 | 142 | { |
143 | 143 | "framework": "ISO/IEC 42001:2023", |
144 | 144 | "control_id": "A.10.2", |
145 | 145 | "control_name": "Customer relationships", |
146 | 146 | "tier": "Foundational", |
147 | 147 | "scope": "Both", |
148 | | - "notes": "Obligations to downstream consumers of agentic systems — what supply chain security is guaranteed" |
| 148 | + "notes": "Obligations to downstream consumers of agentic systems � what supply chain security is guaranteed" |
149 | 149 | }, |
150 | 150 | { |
151 | 151 | "framework": "ISO/IEC 42001:2023", |
152 | 152 | "control_id": "A.6.2.3", |
153 | 153 | "control_name": "AI system security", |
154 | 154 | "tier": "Foundational", |
155 | 155 | "scope": "Both", |
156 | | - "notes": "Component integrity verification as AIMS security design requirement — cryptographic signatures before loading" |
| 156 | + "notes": "Component integrity verification as AIMS security design requirement � cryptographic signatures before loading" |
157 | 157 | }, |
158 | 158 | { |
159 | 159 | "framework": "ISO/IEC 42001:2023", |
160 | 160 | "control_id": "A.7.2", |
161 | 161 | "control_name": "Data quality", |
162 | 162 | "tier": "Foundational", |
163 | 163 | "scope": "Both", |
164 | | - "notes": "Training data from third-party sources assessed — same data quality criteria as internal data" |
| 164 | + "notes": "Training data from third-party sources assessed � same data quality criteria as internal data" |
165 | 165 | }, |
166 | 166 | { |
167 | 167 | "framework": "CIS Controls v8.1", |
168 | 168 | "control_id": "2.1 Establish and maintain software inventory", |
169 | | - "control_name": "CIS 2 — Inventory and Control of Software Assets", |
| 169 | + "control_name": "CIS 2 � Inventory and Control of Software Assets", |
170 | 170 | "tier": "Foundational", |
171 | 171 | "scope": "Both", |
172 | | - "notes": "ML SBOM as software asset inventory — all agent components (tools, MCP servers, models, libraries)" |
| 172 | + "notes": "ML SBOM as software asset inventory � all agent components (tools, MCP servers, models, libraries)" |
173 | 173 | }, |
174 | 174 | { |
175 | 175 | "framework": "CIS Controls v8.1", |
176 | 176 | "control_id": "7.1 Establish vulnerability management process", |
177 | | - "control_name": "CIS 7 — Continuous Vulnerability Management", |
| 177 | + "control_name": "CIS 7 � Continuous Vulnerability Management", |
178 | 178 | "tier": "Foundational", |
179 | 179 | "scope": "Both", |
180 | | - "notes": "Agent component CVEs in vulnerability management — urgent patching for code execution risks" |
| 180 | + "notes": "Agent component CVEs in vulnerability management � urgent patching for code execution risks" |
181 | 181 | }, |
182 | 182 | { |
183 | 183 | "framework": "CIS Controls v8.1", |
184 | 184 | "control_id": "16.6 Use only up-to-date and trusted third-party components", |
185 | | - "control_name": "CIS 16 — Application Software Security", |
| 185 | + "control_name": "CIS 16 � Application Software Security", |
186 | 186 | "tier": "Foundational", |
187 | 187 | "scope": "Both", |
188 | | - "notes": "Approved component list — only sourced from approved vendors, signatures verified" |
| 188 | + "notes": "Approved component list � only sourced from approved vendors, signatures verified" |
189 | 189 | }, |
190 | 190 | { |
191 | 191 | "framework": "CIS Controls v8.1", |
192 | 192 | "control_id": "15.1 Establish service provider management process", |
193 | | - "control_name": "CIS 15 — Service Provider Management", |
| 193 | + "control_name": "CIS 15 � Service Provider Management", |
194 | 194 | "tier": "Foundational", |
195 | 195 | "scope": "Both", |
196 | | - "notes": "Agent tool and MCP providers managed as service providers — security assessment before onboarding" |
| 196 | + "notes": "Agent tool and MCP providers managed as service providers � security assessment before onboarding" |
197 | 197 | }, |
198 | 198 | { |
199 | 199 | "framework": "OWASP ASVS 4.0.3", |
200 | 200 | "control_id": "V10.2.1", |
201 | 201 | "control_name": "Verify third-party components current and free of vulnerabilities", |
202 | 202 | "tier": "Foundational", |
203 | 203 | "scope": "Both", |
204 | | - "notes": "All agent component libraries scanned for CVEs — ML SBOM maintained and monitored" |
| 204 | + "notes": "All agent component libraries scanned for CVEs � ML SBOM maintained and monitored" |
205 | 205 | }, |
206 | 206 | { |
207 | 207 | "framework": "OWASP ASVS 4.0.3", |
208 | 208 | "control_id": "V10.2.2", |
209 | 209 | "control_name": "Verify only minimal approved external libraries", |
210 | 210 | "tier": "Foundational", |
211 | 211 | "scope": "Both", |
212 | | - "notes": "Approved component list — unsigned or unverified agent components rejected" |
| 212 | + "notes": "Approved component list � unsigned or unverified agent components rejected" |
213 | 213 | }, |
214 | 214 | { |
215 | 215 | "framework": "OWASP ASVS 4.0.3", |
|
241 | 241 | "control_name": "Use control", |
242 | 242 | "tier": "Foundational", |
243 | 243 | "scope": "Both", |
244 | | - "notes": "Only approved, verified agent components permitted in OT zones — no runtime loading of unapproved tools" |
| 244 | + "notes": "Only approved, verified agent components permitted in OT zones � no runtime loading of unapproved tools" |
245 | 245 | }, |
246 | 246 | { |
247 | 247 | "framework": "ISA/IEC 62443", |
|
257 | 257 | "control_name": "Software and information integrity (change)", |
258 | 258 | "tier": "Foundational", |
259 | 259 | "scope": "Both", |
260 | | - "notes": "Agent component updates subject to OT change management — no automatic updates in production" |
| 260 | + "notes": "Agent component updates subject to OT change management � no automatic updates in production" |
261 | 261 | }, |
262 | 262 | { |
263 | 263 | "framework": "NIST SP 800-82 Rev 3", |
|
289 | 289 | "control_name": "Supply Chain Risk Management", |
290 | 290 | "tier": "Foundational", |
291 | 291 | "scope": "Both", |
292 | | - "notes": "Cybersecurity supply chain risk management programme — all agent component vendors in scope" |
| 292 | + "notes": "Cybersecurity supply chain risk management programme � all agent component vendors in scope" |
293 | 293 | }, |
294 | 294 | { |
295 | 295 | "framework": "NIST CSF 2.0", |
296 | 296 | "control_id": "GV.SC-06", |
297 | 297 | "control_name": "Supply Chain Risk Management", |
298 | 298 | "tier": "Foundational", |
299 | 299 | "scope": "Both", |
300 | | - "notes": "Cybersecurity requirements in supplier contracts — integrity guarantees, vulnerability disclosure SLA" |
| 300 | + "notes": "Cybersecurity requirements in supplier contracts � integrity guarantees, vulnerability disclosure SLA" |
301 | 301 | }, |
302 | 302 | { |
303 | 303 | "framework": "NIST CSF 2.0", |
304 | 304 | "control_id": "ID.AM-08", |
305 | 305 | "control_name": "Asset Management", |
306 | 306 | "tier": "Foundational", |
307 | 307 | "scope": "Both", |
308 | | - "notes": "Agent components inventoried — ML SBOM for all tools, MCP servers, model weights, libraries" |
| 308 | + "notes": "Agent components inventoried � ML SBOM for all tools, MCP servers, model weights, libraries" |
309 | 309 | }, |
310 | 310 | { |
311 | 311 | "framework": "NIST CSF 2.0", |
312 | 312 | "control_id": "PR.PS-02", |
313 | 313 | "control_name": "Platform Security", |
314 | 314 | "tier": "Foundational", |
315 | 315 | "scope": "Both", |
316 | | - "notes": "Software managed to reduce risk — component integrity verification, change management" |
| 316 | + "notes": "Software managed to reduce risk � component integrity verification, change management" |
317 | 317 | }, |
318 | 318 | { |
319 | 319 | "framework": "SOC 2", |
|
494 | 494 | { |
495 | 495 | "framework": "OWASP AI Testing Guide", |
496 | 496 | "control_id": "Component integrity verification", |
497 | | - "control_name": "SCT — Supply Chain", |
| 497 | + "control_name": "SCT � Supply Chain", |
498 | 498 | "tier": "Foundational", |
499 | 499 | "scope": "Both", |
500 | 500 | "notes": "Verify cryptographic signatures of all agent components; scan for hidden instructions in descriptors" |
501 | 501 | }, |
502 | 502 | { |
503 | 503 | "framework": "OWASP AI Testing Guide", |
504 | 504 | "control_id": "Behavioural change detection post-update", |
505 | | - "control_name": "MBT — Model Behaviour", |
| 505 | + "control_name": "MBT � Model Behaviour", |
506 | 506 | "tier": "Foundational", |
507 | 507 | "scope": "Both", |
508 | 508 | "notes": "Establish behavioural baseline before component update; verify no unexpected behaviour change after update" |
509 | 509 | }, |
510 | 510 | { |
511 | 511 | "framework": "OWASP AI Testing Guide", |
512 | 512 | "control_id": "Runtime component monitoring", |
513 | | - "control_name": "AST — Agent-Specific", |
| 513 | + "control_name": "AST � Agent-Specific", |
514 | 514 | "tier": "Foundational", |
515 | 515 | "scope": "Both", |
516 | 516 | "notes": "Verify that component modification at runtime is detected and triggers agent suspension" |
|
570 | 570 | "control_name": "NHI-3 Vulnerable Third-Party NHI", |
571 | 571 | "tier": "Foundational", |
572 | 572 | "scope": "Both", |
573 | | - "notes": "Validate all third-party NHIs at connection — revoke tokens from unverified sources" |
| 573 | + "notes": "Validate all third-party NHIs at connection � revoke tokens from unverified sources" |
574 | 574 | }, |
575 | 575 | { |
576 | 576 | "framework": "OWASP NHI Top 10", |
577 | 577 | "control_id": "Malicious components extract credentials from agent memory or config", |
578 | 578 | "control_name": "NHI-6 Insecure Credential Storage", |
579 | 579 | "tier": "Foundational", |
580 | 580 | "scope": "Both", |
581 | | - "notes": "Credential isolation — components cannot access other components' credentials" |
| 581 | + "notes": "Credential isolation � components cannot access other components' credentials" |
582 | 582 | }, |
583 | 583 | { |
584 | 584 | "framework": "OWASP NHI Top 10", |
|