Description
We have created a Compliance Crosswalk Matrix (1) to help see where our baseline criteria align with global frameworks, standards, and regulations. I started us off with looking at the EU CRA, NIST's SSDF, NIST's CSF, Security Insights, and I'm working through BP Badges. Eventually we'll need to do things like NIST 800-53, EU DORA, EU NIS/NIS2, ISO 2700x, etc.
I'd like feedback on the initial alignments from the community to ensure or correct my perspective. Did I account for and align things appropriately?
- The "Crosswalk" tab is where everything ultimately is aggregated and will be displayed (until we debate the best ways to show our data... a future conversation). This is where the meat of what I am looking for feedback on is. Here I am keying off the OSPS criteria and showing "If you fulfill OSPS-AC-01, then you also get credit for SSDF requirement PO3.2 or CRA Annex 1.2d, etc."
- Each framework/standard/reg has its own tab where I key off that standard to the OSPS. As we pull in more regs/frameworks, a tab such as this is where the mapping will start, and ultimately it will get added back into the "Crosswalk" tab. The data should be identical to the alignments in the first tab.
I'd love it if folks could look at this and ponder it, and then we can coordinate a live working session to work through the feedback together. I propose doing this in early January '25.
Thanks for your time, expertise, and collaboration on this!