Framework Key Registry
Draft v0.1
This page is in draft. Content may change before v1.0.
This is the authoritative ACES registry of framework identifiers. All ACES-compliant implementations must use these keys exactly when referencing frameworks in evidence objects, control mappings, and metric data.
Naming Convention
ACES framework keys follow four rules:
- All lowercase: `cis-v8`, not `CIS-V8`
- Dash-separated words: `nist-csf`, not `nist_csf`
- Version included when ambiguity exists: `cis-v8`, not `cis`; `nist-csf-2` for CSF 2.0 specifically
- Level included for tiered frameworks: `cmmc-level1`, `cmmc-level2`, not bare `cmmc`
These rules make keys URL-safe, JSON-friendly, and consistent with connector slug conventions.
Registry
| Key | Full Name | Category | Version | Notes |
|---|---|---|---|---|
| cis-v8 | CIS Controls | Cybersecurity Controls | v8 | Use cis-v8 to avoid ambiguity with v7 |
| cmmc-level1 | CMMC Level 1 | Defense/Federal | 2.0 | 17 practices, FAR clause 52.204-21 |
| cmmc-level2 | CMMC Level 2 | Defense/Federal | 2.0 | 110 practices, NIST 800-171 aligned; includes SPRS scoring |
| cmmc-level3 | CMMC Level 3 | Defense/Federal | 2.0 | 110+ practices, NIST 800-172 overlay |
| nist-csf | NIST Cybersecurity Framework | Risk Management | 2.0 | Generic key for CSF without version pin |
| nist-csf-2 | NIST Cybersecurity Framework 2.0 | Risk Management | 2.0 | Use when pinning to CSF 2.0 specifically |
| nist-800-171 | NIST SP 800-171 | Defense/Federal | r2 | Protecting CUI; basis for CMMC Level 2 |
| nist-800-53 | NIST SP 800-53 | Federal/General | r5 | Federal information systems; also used by FedRAMP |
| nist-800-82 | NIST SP 800-82 | OT/ICS | r3 | Industrial control systems |
| soc-2 | SOC 2 | Audit/Trust Services | 2017 TSC | AICPA Trust Services Criteria |
| iso-27001 | ISO/IEC 27001 | International | 2022 | Information security management system |
| iso-27002 | ISO/IEC 27002 | International | 2022 | Information security controls (companion to 27001) |
| pci-dss | PCI DSS | Payment | v4.0 | Payment card industry data security standard |
| hipaa | HIPAA Security Rule | Healthcare | 2013 | Protected health information |
| gdpr | GDPR | Privacy | 2018 | EU General Data Protection Regulation |
| ccpa | CCPA | Privacy | 2020 | California Consumer Privacy Act |
| glba | GLBA Safeguards Rule | Financial | 2023 | Gramm-Leach-Bliley / FTC Safeguards |
| ftc-safeguards | FTC Safeguards Rule | Financial | 2023 | Alias for glba where FTC framing is preferred |
| fisma | FISMA | Federal | 2014 | Federal Information Security Modernization Act |
| fedramp | FedRAMP | Federal Cloud | rev5 | Federal Risk and Authorization Management Program |
| ferpa | FERPA | Education | 1974/amended | Family Educational Rights and Privacy Act |
| dfars | DFARS 252.204-7012 | Defense/Federal | current | Defense Federal Acquisition Regulation clause |
| cobit | COBIT | IT Governance | 2019 | Control Objectives for Information Technologies |
| hitrust | HITRUST CSF | Healthcare | e1/i1/r2 | Health Information Trust Alliance |
| csa-ccm | CSA Cloud Controls Matrix | Cloud | v4 | Cloud Security Alliance |
| soc-1 | SOC 1 | Audit | SSAE 18 | Financial reporting controls |
| soc-3 | SOC 3 | Audit | 2017 TSC | Public-facing SOC 2 summary report |
Legacy Keys (Production — Do Not Use in New Implementations)
The following keys are observed in production CSC deployments but do not conform to ACES naming conventions. Implementations consuming data from legacy systems should map these to canonical keys.
| Legacy Key | Canonical ACES Key | Notes |
|---|---|---|
| nist_csf | nist-csf | Underscore → dash |
| nist_800_171 | nist-800-171 | Underscore → dash |
| nist_800_53 | nist-800-53 | Underscore → dash |
| iso_27001 | iso-27001 | Underscore → dash |
| iso_27002 | iso-27002 | Underscore → dash |
| pci_dss | pci-dss | Underscore → dash |
| soc2 | soc-2 | No separator → dash-separated |
| cmmc | cmmc-level2 | Level must be explicit |
Adding a Framework
To propose a new framework key:
- Verify the key follows all four naming convention rules
- Check it does not conflict with an existing key
- Open a GitHub Issue tagged `framework-key` with: key, full name, category, version, canonical reference URL
- Community review period (minimum 7 days)
- Maintainer adds to this registry and the schema validator
Validator Behavior
ACES-compliant validators MUST:
- Accept all keys in the Registry table
- Accept legacy keys with a deprecation warning
- Reject unknown keys with a validation error (configurable to warning for permissive mode)
- Be case-insensitive on input but normalize to lowercase on output
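As an added example (not code from the ACES project or this registry), a Python normalizer that implements the four validator rules above together with the legacy-to-canonical mapping from the Legacy Keys table; the function and exception names are assumptions, and the syntactic check covers only the rules a regex can express.

```python
import re
import warnings

# Canonical keys, copied from the Registry table above.
REGISTRY = {
    "cis-v8", "cmmc-level1", "cmmc-level2", "cmmc-level3", "nist-csf", "nist-csf-2",
    "nist-800-171", "nist-800-53", "nist-800-82", "soc-2", "iso-27001", "iso-27002",
    "pci-dss", "hipaa", "gdpr", "ccpa", "glba", "ftc-safeguards", "fisma", "fedramp",
    "ferpa", "dfars", "cobit", "hitrust", "csa-ccm", "soc-1", "soc-3",
}

# Legacy -> canonical mapping, copied from the Legacy Keys table above.
LEGACY = {
    "nist_csf": "nist-csf", "nist_800_171": "nist-800-171", "nist_800_53": "nist-800-53",
    "iso_27001": "iso-27001", "iso_27002": "iso-27002", "pci_dss": "pci-dss",
    "soc2": "soc-2", "cmmc": "cmmc-level2",
}

# Syntactic shape of a conforming key: lowercase alphanumeric words joined by single dashes.
KEY_SYNTAX = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")


class FrameworkKeyError(ValueError):
    """Unknown framework key rejected in strict mode (hypothetical name)."""


def normalize_key(raw: str, permissive: bool = False) -> str:
    """Apply the Validator Behavior rules: case-insensitive input, lowercase output,
    registry keys accepted, legacy keys mapped with a deprecation warning, unknown keys
    rejected (or passed through with a warning when permissive=True)."""
    key = raw.strip().lower()
    if key in REGISTRY:
        return key
    if key in LEGACY:
        canonical = LEGACY[key]
        warnings.warn(f"legacy framework key {key!r}; use {canonical!r}",
                      DeprecationWarning, stacklevel=2)
        return canonical
    if permissive:
        warnings.warn(f"unknown framework key {key!r}", UserWarning, stacklevel=2)
        return key
    raise FrameworkKeyError(f"unknown framework key {raw!r}")


def conforms_to_naming(key: str) -> bool:
    """Pre-submission check for a proposed key: rules 1 and 2 (lowercase, dash-separated)
    via the regex; rules 3 and 4 are partly enforced by rejecting any key listed as legacy
    (e.g. bare 'cmmc'), the rest is left to community review."""
    return KEY_SYNTAX.fullmatch(key) is not None and key not in LEGACY
```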