Conversation

@f0r7y f0r7y commented Jan 4, 2026

Summary by CodeRabbit

Release Notes

  • Updates
    • Updated framework version and publication date to align with latest standards
    • Modified assessability status for multiple security controls across governance, identity, and protection domains
    • Refined control descriptions and policy references for improved clarity and alignment
    • Restructured control relationships and dependencies to reflect updated governance hierarchy

coderabbitai bot commented Jan 4, 2026

📝 Walkthrough

A security framework configuration file for the Italian national cybersecurity program has been updated with version increments, metadata changes, and extensive modifications to requirement nodes including assessable flag adjustments, description rewording, and removal of implementation group blocks.

Changes

Cohort / File(s): Framework Nationale Configuration (backend/library/libraries/framework-nazionale-cs-dp.yaml)

Summary: Added library version compatibility marker; updated metadata (version 1→3, publication_date 2025-04-20→2025-12-10); toggled assessable flags from true to false across numerous requirement nodes (GV.OC-, GV.RM-, GV.RR-, GV.SC-, ID.AM-, ID.RA-, PR., DE., RC.* series); rewrote and adjusted description strings throughout with escaping/formatting changes; removed or trimmed implementation_groups blocks across multiple nodes; updated policy references and parent-child relationships; adjusted capitalization and phrasing in textual content.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A framework hops through version three,
With flags now false—assessable spree!
Descriptions refined, groups trimmed with care,
Italian security strengthened everywhere!

Pre-merge checks

❌ Failed checks (1 inconclusive)

Title check: ❓ Inconclusive. Explanation: The title 'updated ACN framework' is vague and generic, failing to convey specific meaningful information about the substantial changes made to the framework-nazionale-cs-dp.yaml file. Resolution: Use a more descriptive title that captures the main change, such as 'Update ACN framework library version and assessable flags' or 'Revise framework-nazionale-cs-dp.yaml metadata and control assessability'.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.

Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 89cd80f and 09760fe.

⛔ Files ignored due to path filters (2)
  • tools/ACN/Framework-Nazionale-CS-DP.xlsx is excluded by !**/*.xlsx
  • tools/ACN/Framework-Nazionale-CS-DP_new.xlsx is excluded by !**/*.xlsx
📒 Files selected for processing (2)
  • backend/library/libraries/framework-nazionale-cs-dp.yaml
  • tools/framework-nazionale-cs-dp.yaml
🔇 Additional comments (4)
backend/library/libraries/framework-nazionale-cs-dp.yaml (4)

1-14: LGTM - Metadata updates are appropriate.

Version bump to 3 and updated publication date align with the framework refresh. The convert_library_version directive with Compat Mode: [False] correctly indicates this is a non-backward-compatible update.


52-98: Assessable flag changes follow a consistent pattern.

The changes switching parent requirement nodes (e.g., GV.OC-01 through GV.OC-05) from assessable: true to assessable: false while keeping their child nodes (e.g., GV.OC-04.1) as assessable: true is a valid design pattern. This ensures that only the specific, actionable sub-requirements are assessed rather than the higher-level category descriptions.


343-353: Description reformatting is consistent.

The multi-line description for GV.PO-01.1 listing policy areas (a through p) is well-structured and maintains proper YAML escaping. The enumerated list format improves readability.


1894-1896: Verify the removal of PR.IR-01.1 from the procedure reference.

The procedure documentation requirement PR.IR-01.4 now references only PR.IR-01.2 e PR.IR-01.3, removing the previous reference to PR.IR-01.1. Please confirm this change is intentional and that procedures for PR.IR-01.1 (remote access activities) are documented elsewhere or no longer require explicit documentation procedures.

Comment on lines +2387 to +2395
- urn: urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co-03.1
assessable: true
depth: 3
parent_urn: urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co
ref_id: RC.CO-04
description: "Gli aggiornamenti pubblici sul ripristino dagli incidenti sono\
\ condivisi utilizzando modalit\xE0 e messaggi approvati."
ref_id: RC.CO-03.1
description: "Sono adottate e documentate procedure per comunicare alle parti\
\ interne interessate, ivi incluse le articolazioni competenti del soggetto\
\ NIS, le attivit\xE0 di ripristino a seguito di un incidente."
implementation_groups:
⚠️ Potential issue | 🟠 Major

Incorrect depth and parent_urn for RC.CO-03.1.

This node breaks the established hierarchy pattern used throughout the framework. Comparing to similar nodes:

  • GV.OC-04.1 has depth: 4 with parent_urn: ...gv.oc-04
  • GV.RM-03.1 has depth: 4 with parent_urn: ...gv.rm-03
  • ID.AM-01.1 has depth: 4 with parent_urn: ...id.am-01

RC.CO-03.1 should follow the same pattern as a child of RC.CO-03.

🔎 Proposed fix
     - urn: urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co-03.1
       assessable: true
-      depth: 3
-      parent_urn: urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co
+      depth: 4
+      parent_urn: urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co-03
       ref_id: RC.CO-03.1
       description: "Sono adottate e documentate procedure per comunicare alle parti\
         \ interne interessate, ivi incluse le articolazioni competenti del soggetto\
         \ NIS, le attivit\xE0 di ripristino a seguito di un incidente."
       implementation_groups:
       - E
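Review bot: the proposed `parent_urn: urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co-03` only resolves if a node with exactly that urn (ref_id RC.CO-03) exists; the excerpt above shows the entry at urn `rc.co-03.1` carrying `ref_id: RC.CO-04` before `ref_id: RC.CO-03.1`, so the urn/ref_id pairing of the neighbouring RC.CO-03 and RC.CO-04 entries should be verified in the same change, otherwise the corrected parent_urn can end up pointing at nothing.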
🤖 Prompt for AI Agents
In backend/library/libraries/framework-nazionale-cs-dp.yaml around lines 2387 to
2395, the node for RC.CO-03.1 has an incorrect hierarchy: change depth from 3 to
4 and update parent_urn to the RC.CO-03 node (set parent_urn:
urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:rc.co-03) so it matches the
established child pattern for similar nodes; keep the rest of the fields (urn,
assessable, ref_id, description, implementation_groups) unchanged.
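The convention the comment relies on (ref_id encodes the tree, depth equals the nesting level, parent_urn names the immediate ancestor) can be checked mechanically over the whole library. This is an added example, not code from the project or from CodeRabbit; the checker, the node() helper and the sample nodes are constructed, and it operates on the dicts yaml.safe_load would yield rather than reading the YAML file.

```python
import re

# Added hierarchy checker (hypothetical; not the project's code) for the req_node
# entries of a library such as framework-nazionale-cs-dp.yaml. Nodes are the dicts
# yaml.safe_load yields per entry; loading is left out so this runs without PyYAML.
URN_PREFIX = "urn:intuitem:risk:req_node:Framework-Nazionale-C-DP:"
SUFFIX = re.compile(r"^(.*)(\.\d+|-\d+|\.[A-Z]+)$")  # strips a trailing .1, -03 or .CO

def ancestors(ref_id: str) -> list[str]:
    """RC.CO-03.1 -> ['RC.CO-03', 'RC.CO', 'RC']: the ref_id naming encodes the tree."""
    out = []
    while (m := SUFFIX.match(ref_id)):
        ref_id = m.group(1)
        out.append(ref_id)
    return out

def check_hierarchy(nodes: list[dict]) -> list[tuple[str, str]]:
    """Return (ref_id, problem) pairs where urn, depth or parent_urn break the convention."""
    by_urn = {n["urn"]: n for n in nodes}
    problems = []
    for n in nodes:
        ref, chain = n["ref_id"], ancestors(n["ref_id"])
        if n["urn"] != URN_PREFIX + ref.lower():  # urn tail must be the lower-cased ref_id
            problems.append((ref, f"urn {n['urn']!r} does not match ref_id"))
        if n["depth"] != len(chain) + 1:  # depth is the nesting level implied by ref_id
            problems.append((ref, f"depth {n['depth']}, expected {len(chain) + 1}"))
        if not chain:  # top-level domain such as RC has no parent
            if n.get("parent_urn"):
                problems.append((ref, "top-level node must not have parent_urn"))
            continue
        parent = by_urn.get(n.get("parent_urn"))
        if parent is None:
            problems.append((ref, f"parent_urn {n.get('parent_urn')!r} not found"))
        elif parent["ref_id"] != chain[0]:  # must point at the immediate ancestor
            problems.append((ref, f"parent is {parent['ref_id']}, expected {chain[0]}"))
    return problems

def node(ref: str, depth: int, parent_ref: str = "", assessable: bool = False) -> dict:
    # builds one constructed req_node dict in the library's shape
    d = {"urn": URN_PREFIX + ref.lower(), "ref_id": ref, "depth": depth, "assessable": assessable}
    if parent_ref:
        d["parent_urn"] = URN_PREFIX + parent_ref.lower()
    return d

# Constructed sample: the RC.CO branch with RC.CO-03.1 attached to rc.co at depth 3,
# the defect the review flags; fixed_sample() applies the proposed depth/parent fix.
SAMPLE = [node("RC", 1), node("RC.CO", 2, "RC"), node("RC.CO-03", 3, "RC.CO"),
          node("RC.CO-03.1", 3, "RC.CO", assessable=True)]

def fixed_sample() -> list[dict]:
    return SAMPLE[:3] + [node("RC.CO-03.1", 4, "RC.CO-03", assessable=True)]
```

Running check_hierarchy(SAMPLE) reports the two findings from the review for RC.CO-03.1 (depth 3 instead of 4, parent RC.CO instead of RC.CO-03), and the same call on fixed_sample() reports nothing.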

@eric-intuitem
Collaborator

Thanks for the contribution!
As many nodes go from assessable=true to assessable=false, updating the version is not the best option. It seems more relevant to create a new framework, with a different URN, and to provide a mapping between the two frameworks.
With the current approach, assessments done with the current version will be lost after update.

f0r7y commented Jan 5, 2026

Hi
This version, in addition to including the updates released a few days ago by ACN, contains the exact number of requirements. In the previous version, the requirements were split by individual request, but the count was incorrect.

I understand what you're saying, but this is the correct version of the framework. The old one doesn't make sense.
