SIEM-R1.1 · SIEM · P7 · Log forwarding from cloud workloads to central aggregation
SIEM-R1.2 · SIEM · P7 · Cloud control-plane audit log ingest
SIEM-R1.3 · SIEM · P7 · Network flow data ingest (cloud)
SIEM-R1.4 · SIEM · P7 · Telemetry storage retention compliance
SIEM-R1.5 · SIEM · P7 · Egress cost envelope (analyst-derived strategic constraint) · AD
SIEM-R2.1 · SIEM · P7 · Unified analytical store spanning on-prem and cloud enclaves
SIEM-R2.2 · SIEM · P7 · Schema normalization across heterogeneous log sources
SIEM-R2.3 · SIEM · P7 · Cross-enclave detection rule and analytic coverage
SIEM-R2.4 · SIEM · P7 · Cross-enclave alert latency budget (DOD-IR reuse-from-SOAR-R1.2 at SIEM-alert-delivery-latency scope)
SIEM-R3.1 · SIEM · P7 · Single-pane investigation console spanning on-prem and cloud data
SIEM-R3.2 · SIEM · P7 · Tier-1/2/3 SOC workflow continuity for cloud-origin incidents
SIEM-R3.3 · SIEM · P7 · Cloud-aware investigation pivot capability
SIEM-R3.4 · SIEM · P7 · SOC re-skill and tooling readiness for cloud investigation
SIEM-R4.1 · SIEM · P7 · Ingest throughput scalability for cloud-native telemetry volumes
SIEM-R4.2 · SIEM · P7 · Data pipeline elastic capacity for ephemeral cloud workload bursts
SIEM-R4.3 · SIEM · P7 · Structured and unstructured log analytics capability
SIEM-R4.4 · SIEM · P7 · Cost governance for big-data telemetry storage (NIST-80053 § AU-11 reuse-from-VULNMGMT-R6.5 at SIEM-big-data-telemetry-lifecycle scope)
SIEM-R5.1 · SIEM · P7 · Continuous monitoring strategy alignment with shared-responsibility partition
SIEM-R5.2 · SIEM · P7 · Cloud security posture findings ingestion into SIEM alert pipeline
SIEM-R5.3 · SIEM · P7 · Change-monitoring and configuration-drift alert ingestion
SIEM-R5.4 · SIEM · P7 · Posture-source correlation across CSPM, CWPP, and EDR feeds
SIEM-R5.5 · SIEM · P7 · Mission-Owner vs. CSP-inherited control partition visibility in SIEM dashboards
SIEM-R6.1 · SIEM · P7 · Audit log completeness across on-prem and cloud planes
SIEM-R6.2 · SIEM · P7 · Audit log immutability and chain-of-custody integrity
SIEM-R6.3 · SIEM · P7 · Audit log retention period compliance
SIEM-R6.4 · SIEM · P7 · Privileged user activity auditing (CSP console and TCCM)
SIEM-R6.5 · SIEM · P7 · SOC access to cloud audit log query interface
SIEM-R7.1 · SIEM · P7 · Unified security dashboard spanning on-prem and cloud
SIEM-R7.2 · SIEM · P7 · Compliance reporting coverage for cloud-hosted assets
SIEM-R7.3 · SIEM · P7 · Reporting data refresh rate for near-real-time posture visibility
SIEM-R7.4 · SIEM · P7 · Executive and mission-owner reporting layer
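Worked example for SIEM-R2.2 (schema normalization), added here and not part of the register: three constructed log events from different enclaves (a cloud control-plane audit record in JSON, a Windows Security logon-failure event flattened to key=value, and a Linux sshd syslog line) are mapped onto one assumed common field set, after which a single cross-enclave analytic can count failed logons per actor without per-source rules. The target field names, the sample events and SYSLOG_YEAR are assumptions made for the example.

```python
"""Normalize three log formats into one schema and correlate across them.

Added example for SIEM-R2.2 (not from the register). The target field set
(ts, src_ip, user, action, outcome, source), the sample events and SYSLOG_YEAR
are constructed assumptions.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed samples: a cloud control-plane audit record (JSON), a Windows
# Security logon-failure event flattened to key=value, and a Linux sshd line.
CLOUD_AUDIT = json.dumps({
    "eventTime": "2024-03-01T12:00:05Z", "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
})
WINDOWS_EVENT = ("TimeCreated=2024-03-01T12:00:07Z EventID=4625 "
                 "TargetUserName=alice IpAddress=203.0.113.10 Status=0xC000006D")
SYSLOG_LINE = ("Mar  1 12:00:09 host1 sshd[2211]: Failed password for alice "
               "from 203.0.113.10 port 51515 ssh2")
SYSLOG_YEAR = 2024  # assumption: classic syslog timestamps carry no year


def normalize_cloud_audit(raw: str) -> dict:
    ev = json.loads(raw)
    name = ev["eventName"]
    # Console logon failures are reported inside responseElements.
    outcome = ev.get("responseElements", {}).get(name, "Success").lower()
    return {"ts": ev["eventTime"], "src_ip": ev["sourceIPAddress"],
            "user": ev["userIdentity"]["userName"], "action": "logon",
            "outcome": outcome, "source": "cloud-audit"}


def normalize_windows(raw: str) -> dict:
    kv = dict(tok.split("=", 1) for tok in raw.split())
    # 4624 = successful logon, 4625 = failed logon.
    outcome = {"4624": "success", "4625": "failure"}.get(kv["EventID"], "unknown")
    return {"ts": kv["TimeCreated"], "src_ip": kv["IpAddress"],
            "user": kv["TargetUserName"], "action": "logon",
            "outcome": outcome, "source": "windows-security"}


SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (\S+) from (\S+)")


def normalize_syslog(raw: str) -> dict:
    m = SYSLOG_RE.match(raw)
    if not m:
        raise ValueError("unrecognised sshd line: " + raw)
    mon, day, clock, verdict, user, ip = m.groups()
    ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {clock}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "src_ip": ip,
            "user": user, "action": "logon",
            "outcome": "failure" if verdict == "Failed" else "success",
            "source": "linux-sshd"}


def normalize(raw: str) -> dict:
    """Route a raw event to its parser by cheap format sniffing."""
    if raw.lstrip().startswith("{"):
        return normalize_cloud_audit(raw)
    if "EventID=" in raw:
        return normalize_windows(raw)
    return normalize_syslog(raw)


def failed_logons_by_actor(raw_events) -> Counter:
    """Count failed logons per (user, src_ip) regardless of originating enclave.

    Without the common schema each source would need its own rule; with it
    one cross-enclave analytic sees alice failing from one IP three times.
    """
    counts = Counter()
    for raw in raw_events:
        ev = normalize(raw)
        if ev["action"] == "logon" and ev["outcome"] == "failure":
            counts[(ev["user"], ev["src_ip"])] += 1
    return counts


if __name__ == "__main__":
    print(failed_logons_by_actor([CLOUD_AUDIT, WINDOWS_EVENT, SYSLOG_LINE]))
```

The timestamp handling is where most normalization pipelines silently break: the syslog line carries no year and no zone, so the parser has to pin both explicitly, and an unpinned year will mis-order events across a year boundary.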
UEBA-R1.1 · UEBA · P7 · Cloud IAM activity log ingest as behavioral input source
UEBA-R1.2 · UEBA · P7 · Cross-CSP IAM stream coverage parity
UEBA-R1.3 · UEBA · P7 · Ingest throughput scalability for UEBA ML pipeline (duplicated from SIEM-R4.1)
UEBA-R1.4 · UEBA · P7 · Structured and unstructured log analytics for UEBA ML feature extraction (duplicated from SIEM-R4.3)
UEBA-R2.1 · UEBA · P7 · Behavioral baseline completeness across hybrid telemetry sources
UEBA-R2.2 · UEBA · P7 · Cold-start baseline period management during cloud onboarding (CA-7 reuse-from-EDR-R5.3)
UEBA-R2.3 · UEBA · P7 · Per-CSP versus unified baselining architecture tradeoff (SI-4(16) first-primary)
UEBA-R2.4 · UEBA · P7 · ML model retraining cadence as cloud surface grows
UEBA-R3.1 · UEBA · P7 · Cloud-native anomaly detection content coverage
UEBA-R3.2 · UEBA · P7 · Content-pack readiness and custom model lifecycle (CA-7 reuse-from-EDR-R5.3)
UEBA-R3.3 · UEBA · P7 · Insider threat overlay per DODIN UAM program requirements
UEBA-R3.4 · UEBA · P7 · CSP-specific MITRE ATT&CK cloud technique coverage assessment (RA-3 reuse-from-CAASM-R3.4)
UEBA-R3.5 · UEBA · P7 · UEBA anomaly visualization integration with SOC console
UEBA-R4.1 · UEBA · P7 · UEBA confidence score integration path to ZT policy engine
UEBA-R4.2 · UEBA · P7 · Enforcement decision latency budget (SI-4(2) first-primary)
UEBA-R4.3 · UEBA · P7 · UEBA signal trust calibration for policy engine consumption (SI-4(13) first-primary)
UEBA-R4.4 · UEBA · P7 · Cross-CSP enforcement reach for UEBA-triggered policy responses
PB-R1.1 · Packet Broker · P7 · Log forwarding from cloud workloads to central aggregation (duplicated from SIEM-R1.1)
PB-R1.2 · Packet Broker · P7 · CSP traffic-mirroring API coverage parity with on-prem physical taps
PB-R1.3 · Packet Broker · P7 · IL5/6 traffic-mirroring availability and FPC equivalence at boundary
PB-R1.4 · Packet Broker · P7 · Physical tap aggregation continuity for on-prem segments during hybrid transition
PB-R2.1 · Packet Broker · P7 · Traffic steering policy continuity from on-prem to cloud
PB-R2.2 · Packet Broker · P7 · Inline tool insertion via gateway load balancer in cloud (SC-7 reuse-from-NAC-R4.2)
PB-R2.3 · Packet Broker · P7 · Dynamic load balancing of mirrored flows across analytical tools
PB-R2.4 · Packet Broker · P7 · Tool-bypass policy for high-volume traffic classes (CM-7 reuse)
PB-R3.1 · Packet Broker · P7 · Content filtering parity between on-prem broker and CSP mirroring
PB-R3.2 · Packet Broker · P7 · Selective mirroring policy per information impact level (IL)
PB-R3.3 · Packet Broker · P7 · Encryption-aware traffic selection for mirroring
PB-R3.4 · Packet Broker · P7 · Protocol-class filtering policy continuity across on-prem and cloud (CM-7 reuse)
PB-R4.1 · Packet Broker · P7 · Egress cost envelope for mirror bandwidth (duplicated from SIEM-R1.5) · AD
PB-R4.2 · Packet Broker · P7 · CSP per-flow API charges for traffic mirroring · AD
PB-R4.3 · Packet Broker · P7 · Sustained mirror bandwidth headroom under production traffic growth (SI-4 reuse)
PB-R4.4 · Packet Broker · P7 · Capex-to-opex profile shift for packet broker function · AD
PB-R5.1 · Packet Broker · P7 · PaaS/serverless visibility gap where no traffic mirror exists (RA-3 reuse-from-CAASM-R3.4)
PB-R5.2 · Packet Broker · P7 · Control-plane vs. data-plane mirror separation
PB-R5.3 · Packet Broker · P7 · Coverage gap inventory manageability across multiple CSPs (RA-3 reuse)
PB-R5.4 · Packet Broker · P7 · Managed-service east-west blind spots (RA-3 reuse)
PCAP-R1.1 · PCAP · P7 · BCAP boundary FPC for all traversing communications
PCAP-R1.2 · PCAP · P7 · VDSS FPC or cloud service equivalent for traversing communications
PCAP-R1.3 · PCAP · P7 · Encrypted traffic segment treatment and M-21-31 PCAP scope boundary
PCAP-R1.4 · PCAP · P7 · FPC coverage parity between on-prem and cloud-resident traffic strata (RA-3 reuse-from-CAASM-R3.4)
PCAP-R2.1 · PCAP · P7 · M-21-31 72-hour PCAP retention for cleartext and decrypted-plaintext traffic (duplicated from SIEM-R1.4)
PCAP-R2.2 · PCAP · P7 · PCAP data not archived except for forensic investigations (SCCA policy alignment)
PCAP-R2.3 · PCAP · P7 · Tier-shift to cloud object storage for PCAP retention capacity (AU-4 first-primary)
PCAP-R2.4 · PCAP · P7 · Cross-cloud PCAP archive replication for multi-CSP COAs (SCCA § 2.3.5.7)
PCAP-R3.1 · PCAP · P7 · PCAP-to-SIEM pivot for incident reconstruction (duplicated from SIEM-R3.3)
PCAP-R3.2 · PCAP · P7 · Chain-of-custody for cloud-acquired PCAP
PCAP-R3.3 · PCAP · P7 · PCAP query interface accessible from DISN management network (duplicated from SIEM-R6.5)
PCAP-R3.4 · PCAP · P7 · SOC analyst training and workflow readiness for cloud PCAP investigation
PCAP-R4.1 · PCAP · P7 · Egress cost for cross-cloud PCAP retrieval at investigation time (duplicated from SIEM-R1.5) · AD
PCAP-R4.2 · PCAP · P7 · PCAP capture-buffer overrun risk during cloud workload bursts (duplicated from SIEM-R4.2)
PCAP-R4.3 · PCAP · P7 · Capture-appliance cloud deployment cost vs. on-prem capex · AD
PCAP-R4.4 · PCAP · P7 · Bandwidth provisioning for PCAP mirror traffic at cloud capture points · AD
PCAP-R5.1 · PCAP · P7 · Cloud-native flow logs as PCAP substitute: fidelity comparison
PCAP-R5.2 · PCAP · P7 · Sample-sovereignty and IL constraints on PCAP placement (SRG § 5.1)
PCAP-R5.3 · PCAP · P7 · Loss-of-fidelity acceptance per COA and formal risk documentation (CA-5 first-primary)
PCAP-R5.4 · PCAP · P7 · SCCA "cloud service equivalent FPC" interpretation per COA
FW-R1.1 · Firewall (perimeter) · P5 · Default-deny ingress/egress rule base at all perimeter boundaries
FW-R1.2 · Firewall (perimeter) · P5 · PPSM CAL compliance for permitted ports, protocols, and services
FW-R1.3 · Firewall (perimeter) · P5 · Security attribute-based information flow control
FW-R1.4 · Firewall (perimeter) · P5 · Immediate rule-base update propagation upon policy change
FW-R2.1 · Firewall (perimeter) · P5 · Ingress filter enforcement at all external-facing interfaces
FW-R2.2 · Firewall (perimeter) · P5 · Egress filter enforcement including anti-spoofing (uRPF)
FW-R2.3 · Firewall (perimeter) · P5 · Management traffic egress blocking
FW-R2.4 · Firewall (perimeter) · P5 · VPN tunnel ingress filtering for management network traffic
FW-R3.1 · Firewall (perimeter) · P5 · Application-layer traffic inspection (deep packet inspection / NGFW function)
FW-R3.2 · Firewall (perimeter) · P5 · IPv6 extension header inspection and filtering
FW-R3.3 · Firewall (perimeter) · P5 · Packet header and attribute-based filtering for unauthorized flows
FW-R3.4 · Firewall (perimeter) · P5 · BCAP/VDSS application-layer block and inspection for unauthorized application traffic
FW-R4.1 · Firewall (perimeter) · P5 · DoS attack filtering and rate-limiting rules in firewall rule base
FW-R4.2 · Firewall (perimeter) · P5 · Excess bandwidth / packet flood rate-management
FW-R4.3 · Firewall (perimeter) · P5 · DoS alert generation to ISSO/ISSM
FW-R4.4 · Firewall (perimeter) · P5 · BCAP/ICAP advanced persistent threat detection and correlation at boundary
FW-R5.1 · Firewall (perimeter) · P5 · Traffic log generation with required content fields
FW-R5.2 · Firewall (perimeter) · P5 · Traffic log forwarding to central audit server via reliable transport
FW-R5.3 · Firewall (perimeter) · P5 · Traffic log immutability and protection from unauthorized modification/deletion
FW-R5.4 · Firewall (perimeter) · P5 · Firewall log record completeness — zone transition events
FW-R6.1 · Firewall (perimeter) · P5 · Fail-secure state upon system initialization, shutdown, or abort
FW-R6.2 · Firewall (perimeter) · P5 · Alternate communications path for command and control during firewall failure
FW-R6.3 · Firewall (perimeter) · P5 · Unnecessary services and functions disabled (attack surface reduction)
FW-R6.4 · Firewall (perimeter) · P5 · BCAP unauthorized data exfiltration prevention
FW-R7.1 · Firewall (perimeter) · P5 · BCAP boundary firewall for off-premises IL4/5 DISN connections
FW-R7.2 · Firewall (perimeter) · P5 · VDSS virtual enclave boundary firewall for Mission Owner cloud enclaves
FW-R7.3 · Firewall (perimeter) · P5 · BCAP IP spoofing and route hijacking prevention
FW-R7.4 · Firewall (perimeter) · P5 · VDSS traffic plane separation (management, user, data)
FW-R8.1 · Firewall (perimeter) · P5 · Centralized firewall rule-base authoring and change management process (CM-3 reuse-from-WAF-R3.3 at firewall-rule-base-change-management-authority scope)
FW-R8.2 · Firewall (perimeter) · P5 · Rule-base consistency verification across hybrid boundaries (configuration baseline) (CM-3 reuse-from-WAF-R3.3 at firewall-rule-base-drift-detection scope)
FW-R8.3 · Firewall (perimeter) · P5 · Segmentation policy isolation of critical system components
FW-R9.1 · Firewall (perimeter) · P5 · Cross-zone unauthorized communication attempt logging for SOC investigation
FW-R9.2 · Firewall (perimeter) · P5 · Firewall egress cost envelope for SIEM log forwarding (analyst-derived) · AD
FW-R9.3 · Firewall (perimeter) · P5 · BCAP/VDSS network enumeration scanning prevention
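Worked example for FW-R1.1, FW-R1.2 and FW-R8.2, added here and not part of the register: a self-check that walks an exported rule base and reports the three things an assessor asks for first, namely whether the base ends in an explicit deny-all, whether every allow rule's protocol/port is on the PPSM-approved list, and how the cloud-side copy of the policy has drifted from the on-prem reference. The rule representation, the PPSM_ALLOWLIST contents and both sample rule bases are constructed assumptions; in practice the rules come from the firewall's policy export and the allowlist from the current PPSM CAL.

```python
"""Self-check a perimeter rule base for default-deny, PPSM allowlist conformance
and cross-boundary drift (FW-R1.1, FW-R1.2, FW-R8.2).

Added example, not from the register. The rule representation, the
PPSM_ALLOWLIST contents and both sample rule bases are constructed assumptions.
"""
from ipaddress import ip_network

ANY = "0.0.0.0/0"
# Assumed PPSM-approved (protocol, port) pairs for this boundary.
PPSM_ALLOWLIST = {("tcp", 443), ("tcp", 22), ("udp", 53)}


def rule(name, action, src, dst, proto, port=None):
    return {"name": name, "action": action, "src": src, "dst": dst,
            "proto": proto, "port": port}


ONPREM_RULES = [
    rule("web-in", "allow", ANY, "10.10.0.0/24", "tcp", 443),
    rule("dns-out", "allow", "10.10.0.0/24", "10.0.53.0/24", "udp", 53),
    rule("mgmt-ssh", "allow", "10.255.0.0/24", "10.10.0.0/24", "tcp", 22),
    rule("deny-all", "deny", ANY, ANY, "any"),
]
# Cloud-side copy that has drifted: RDP opened to the world, terminal deny dropped.
CLOUD_RULES = [
    rule("web-in", "allow", ANY, "10.20.0.0/24", "tcp", 443),
    rule("dns-out", "allow", "10.20.0.0/24", "10.0.53.0/24", "udp", 53),
    rule("rdp-in", "allow", ANY, "10.20.0.0/24", "tcp", 3389),
]


def _is_catch_all(r):
    return (ip_network(r["src"]).prefixlen == 0
            and ip_network(r["dst"]).prefixlen == 0 and r["proto"] == "any")


def audit_rule_base(label, rules, allowlist=PPSM_ALLOWLIST):
    """Return a list of findings; an empty list means the base passes."""
    findings = []
    if not rules or rules[-1]["action"] != "deny" or not _is_catch_all(rules[-1]):
        findings.append(f"{label}: no explicit terminal deny-all rule (FW-R1.1)")
    for r in rules:
        if r["action"] != "allow":
            continue
        if _is_catch_all(r):
            findings.append(f"{label}: rule '{r['name']}' is an any/any allow (FW-R1.1)")
        elif (r["proto"], r["port"]) not in allowlist:
            findings.append(f"{label}: rule '{r['name']}' permits {r['proto']}/{r['port']} "
                            "which is not on the PPSM allowlist (FW-R1.2)")
        if ip_network(r["src"]).prefixlen == 0 and r["port"] == 22:
            findings.append(f"{label}: rule '{r['name']}' exposes management SSH to any source")
    return findings


def _intent(r):
    # Drift is compared on intent (name, action, proto, port): on-prem and cloud
    # enclaves legitimately use different address ranges for the same rule.
    return (r["name"], r["action"], r["proto"], r["port"])


def drift(reference, candidate):
    """Return (rule names missing from candidate, rule names only in candidate)."""
    ref = {_intent(r) for r in reference}
    cand = {_intent(r) for r in candidate}
    return (sorted(k[0] for k in ref - cand), sorted(k[0] for k in cand - ref))


if __name__ == "__main__":
    for label, base in (("onprem", ONPREM_RULES), ("cloud", CLOUD_RULES)):
        print(label, audit_rule_base(label, base))
    print("drift", drift(ONPREM_RULES, CLOUD_RULES))
```

The terminal deny-all is checked explicitly rather than relying on the platform's implicit default because cloud security-group semantics differ from appliance semantics, and a missing explicit deny is exactly the kind of difference FW-R8.2 exists to catch.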
PB-R6.1 · Packet Broker · P5 · Tap aggregation tier hierarchy and port-density design
PB-R6.2 · Packet Broker · P5 · Optical tap and regeneration tap placement for high-availability physical capture
PB-R6.3 · Packet Broker · P5 · Tap aggregation capacity planning and headroom for traffic growth (CP-2 reuse-from-PAM-R7.2)
PB-R6.4 · Packet Broker · P5 · Broker lifecycle management, hardware refresh, and end-of-support planning
PB-R7.1 · Packet Broker · P5 · Broker-tier HA design (active-active or active-standby failover)
PB-R7.2 · Packet Broker · P5 · Broker control-plane HA and state synchronization
PB-R7.3 · Packet Broker · P5 · Broker-to-BCAP/boundary failover path continuity
PB-R8.1 · Packet Broker · P5 · Broker management plane isolation on out-of-band management network
PB-R8.2 · Packet Broker · P5 · Broker configuration change control and authorization discipline
PB-R8.3 · Packet Broker · P5 · Broker configuration backup and restoration
PB-R8.4 · Packet Broker · P5 · Broker log offload to SIEM (broker health and audit telemetry)
PB-R9.1 · Packet Broker · P5 · Broker-to-tool link aggregation and redundant interconnect design
PB-R9.2 · Packet Broker · P5 · Broker fan-out replication design (single mirror source to multiple tool consumers)
PB-R9.3 · Packet Broker · P5 · Broker packet-slicing and header-stripping for tool-specific traffic preparation (CM-7 reuse)
PB-R10.1 · Packet Broker · P5 · Multi-site broker peering architecture for distributed enclave coverage
PB-R10.2 · Packet Broker · P5 · ERSPAN/tunnel-based remote mirror aggregation on management network
PB-R11.1 · Packet Broker · P5 · Tunnel decapsulation at broker tier for encapsulated overlay traffic (SI-4(4) reuse-from-EDR-R5.x)
PB-R11.2 · Packet Broker · P5 · Broker-tier metadata extraction and tagging for tool correlation
PB-R12.1 · Packet Broker · P5 · Broker-tier operational continuity during hybrid-transition re-architecture (CP-2 reuse-from-PAM-R7.2)
PB-R12.2 · Packet Broker · P5 · SOC familiarity with broker topology and steering policy documentation (AT-3 first-primary project-wide)
PB-R12.3 · Packet Broker · P5 · Broker-tier health monitoring integration with SOC alert pipeline
IDS-R1.1 · IDS (absorbs NDR) · P5 · Signature-based intrusion detection at all north-south boundaries
IDS-R1.2 · IDS (absorbs NDR) · P5 · Signature feed currency and update automation
IDS-R1.3 · IDS (absorbs NDR) · P5 · IAVA/CTO-driven signature implementation compliance
IDS-R1.4 · IDS (absorbs NDR) · P5 · Signature set cross-environment normalization (CA-7 reuse-from-EDR-R5.3)
IDS-R1.5 · IDS (absorbs NDR) · P5 · Fail-secure / fail-safe behavior at boundary sensor on failure
IDS-R2.1 · IDS (absorbs NDR) · P5 · Behavioral baseline establishment for east-west cloud workload traffic
IDS-R2.2 · IDS (absorbs NDR) · P5 · Cold-start behavioral baseline period for cloud-onboarded workloads (CA-7 reuse-from-EDR-R5.3)
IDS-R2.3 · IDS (absorbs NDR) · P5 · North-south anomaly detection for cloud egress traffic
IDS-R2.4 · IDS (absorbs NDR) · P5 · Lateral movement detection across cloud micro-segment boundaries
IDS-R3.1 · IDS (absorbs NDR) · P5 · On-prem inline sensor placement continuity during hybrid transition
IDS-R3.2 · IDS (absorbs NDR) · P5 · Cloud-resident virtual sensor deployment and lifecycle management
IDS-R3.3 · IDS (absorbs NDR) · P5 · IL5/6 sensor placement constraints and boundary-layer fallback
IDS-R3.4 · IDS (absorbs NDR) · P5 · Network architecture sensor placement documentation
IDS-R4.1 · IDS (absorbs NDR) · P5 · Centralized detection content authority across hybrid sensor estate
IDS-R4.2 · IDS (absorbs NDR) · P5 · ML model retraining cadence and accuracy governance for NDR-mode detection (CA-7 reuse-from-EDR-R5.3)
IDS-R4.3 · IDS (absorbs NDR) · P5 · Unauthorized service and port detection content alignment with PPSM
IDS-R4.4 · IDS (absorbs NDR) · P5 · Code injection and application-layer detection content coverage
IDS-R5.1 · IDS (absorbs NDR) · P5 · Real-time alert offload to centralized log server / SIEM
IDS-R5.2 · IDS (absorbs NDR) · P5 · Alert content completeness per audit record requirements
IDS-R5.3 · IDS (absorbs NDR) · P5 · Alert severity classification and escalation
IDS-R5.4 · IDS (absorbs NDR) · P5 · Alert format normalization for cross-environment SIEM correlation
IDS-R6.1 · IDS (absorbs NDR) · P5 · SOC IDS tuning workflow continuity for cloud-origin alerts (CA-7 reuse-from-EDR-R5.3)
IDS-R6.2 · IDS (absorbs NDR) · P5 · Audit failure alerting and detection system health monitoring
IDS-R6.3 · IDS (absorbs NDR) · P5 · Detection coverage gap acknowledgment — PaaS/serverless blind spots (RA-3 reuse-from-CAASM-R3.4)
IDS-R6.4 · IDS (absorbs NDR) · P5 · Cross-environment behavioral-baseline parity validation (CA-7 reuse-from-EDR-R5.3)
IDS-R7.1 · IDS (absorbs NDR) · P5 · IDS sensor throughput headroom for cloud workload traffic bursts
IDS-R7.2 · IDS (absorbs NDR) · P5 · Egress cost envelope for alert and flow data from cloud-resident sensors · AD
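Worked example for the cold-start baseline items UEBA-R2.1/R2.2 and IDS-R2.1/R2.2, added here and not part of the register: a per-entity egress baseline that refuses to score an entity until it has a minimum number of observations, then scores new samples with a median/MAD robust z-score and folds only non-anomalous samples back into the history so an attacker cannot walk the baseline upward. The warm-up length, the z cutoff, the entity names and the daily-egress sample series are constructed assumptions.

```python
"""Per-entity egress baseline with an explicit cold-start period.

Added example for UEBA-R2.1/R2.2 and IDS-R2.1/R2.2 (not from the register).
The warm-up length, the robust-z cutoff, the daily-egress sample series and
the entity names are constructed assumptions.
"""
from statistics import median

WARMUP_SAMPLES = 7      # assumption: days observed before an entity is scored
ROBUST_Z_CUTOFF = 6.0   # assumption: deviations above this are anomalous
MAD_TO_SIGMA = 1.4826   # scales MAD to a standard deviation for normal data


def robust_z(history, value):
    """Median/MAD z-score: resistant to the outliers we are trying to catch."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # flat-history guard
    return (value - med) / (MAD_TO_SIGMA * mad)


class EgressBaseliner:
    """Holds one history per entity (workload, user, ...) and scores new samples."""

    def __init__(self):
        self.history = {}

    def observe(self, entity, mbytes_out):
        hist = self.history.setdefault(entity, [])
        if len(hist) < WARMUP_SAMPLES:
            # Cold start: learn, never alert. A freshly onboarded cloud workload
            # would otherwise page the SOC on its first normal day.
            hist.append(mbytes_out)
            return {"entity": entity, "state": "warming", "samples": len(hist)}
        z = robust_z(hist, mbytes_out)
        anomalous = z > ROBUST_Z_CUTOFF
        if not anomalous:
            hist.append(mbytes_out)  # only normal samples move the baseline
        return {"entity": entity, "state": "anomalous" if anomalous else "normal",
                "z": round(z, 2)}


# Constructed sample: seven quiet days, one more quiet day, then a 2 GB spike
# from the established workload, while a new workload is still warming up.
SAMPLE_STREAM = (
    [("app-vm-01", v) for v in (100, 110, 95, 105, 120, 90, 100)]
    + [("app-vm-01", 98), ("app-vm-01", 2000)]
    + [("new-vm-07", v) for v in (50, 55, 48)]
)


def replay(stream):
    baseliner = EgressBaseliner()
    return [baseliner.observe(entity, value) for entity, value in stream]


if __name__ == "__main__":
    for verdict in replay(SAMPLE_STREAM):
        print(verdict)
```

The "warming" verdict is a first-class output rather than a silent skip so the SOC console can show how many onboarded workloads are still unscored; that count is the measurable side of the cold-start requirement.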
DNS-R1.1 · DNS Security / Filtering · P5 · Cloud workload DNS resolution path with policy enforcement
DNS-R1.2 · DNS Security / Filtering · P5 · VDMS-provided DNS service continuity for cloud enclaves
DNS-R1.3 · DNS Security / Filtering · P5 · DNS resolver fault tolerance and internal/external role separation
DNS-R1.4 · DNS Security / Filtering · P5 · Recursion source restriction on cloud-resident resolvers
DNS-R2.1 · DNS Security / Filtering · P5 · RPZ feed authority and consistency across hybrid resolver chain (NIST-80053 § SI-3 reuse-from-EDR-R1.1)
DNS-R2.2 · DNS Security / Filtering · P5 · RPZ feed currency and update latency SLA (NIST-80053 § SI-3 reuse-from-EDR-R1.1)
DNS-R2.3 · DNS Security / Filtering · P5 · RPZ integration operational cost in cloud environments (analyst-derived strategic constraint) · AD
DNS-R3.1 · DNS Security / Filtering · P5 · DNSSEC validation on recursive resolvers serving cloud workloads
DNS-R3.2 · DNS Security / Filtering · P5 · DNSSEC signing and key management for authoritative zones
DNS-R3.3 · DNS Security / Filtering · P5 · DNSSEC trust anchor management across hybrid
DNS-R4.1 · DNS Security / Filtering · P5 · DNS audit record generation and event type coverage
DNS-R4.2 · DNS Security / Filtering · P5 · DNS log aggregation into central SIEM for SOC investigation
DNS-R4.3 · DNS Security / Filtering · P5 · DNS log volume and SIEM ingest cost (analyst-derived strategic constraint) · AD
DNS-R5.1 · DNS Security / Filtering · P5 · Split-horizon zone data segregation (internal vs. external)
DNS-R5.2 · DNS Security / Filtering · P5 · Zone transfer authentication between on-prem and cloud-hosted name servers
DNS-R5.3 · DNS Security / Filtering · P5 · Zone file integrity across hybrid authoritative name servers
DNS-R6.1 · DNS Security / Filtering · P5 · Response rate limiting and amplification attack mitigation
DNS-R6.2 · DNS Security / Filtering · P5 · Resolver hardening and minimal functionality configuration
DNS-R6.3 · DNS Security / Filtering · P5 · DNS server software currency and patch cadence
DNS-R7.1 · DNS Security / Filtering · P5 · DNS-tunneling detection coverage for cloud workload traffic
DNS-R7.2 · DNS Security / Filtering · P5 · DNS anomaly event forwarding to SIEM for SOC correlation
DNS-R8.1 · DNS Security / Filtering · P5 · .mil DNS record authority maintained on DoD name servers for cloud-hosted applications
DNS-R8.2 · DNS Security / Filtering · P5 · BCAP optional DNS proxy for cloud-hosted URL resolution
DNS-R8.3 · DNS Security / Filtering · P5 · DNS architecture risk assessment for CSP-managed DNS services
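Worked example for DNS-R7.1 (DNS-tunneling detection), added here and not part of the register: the three signals most tunnelling tools cannot avoid producing, many distinct subdomains under one zone from one client, high-entropy leading labels, and long query names, computed from a constructed resolver query log and combined into a per-client, per-zone verdict. The log line layout, the thresholds, the two-label zone approximation and the generated sample queries are assumptions; a production check should cut zones with the public suffix list and tune thresholds against the enclave's own traffic.

```python
"""Flag DNS-tunnelling candidates from resolver query logs (DNS-R7.1).

Added example, not from the register. The log line layout, the thresholds,
the two-label zone approximation and the generated query sample are constructed
assumptions; real deployments should use the public suffix list for the zone cut.
"""
import hashlib
import math
from collections import defaultdict

MIN_UNIQUE_NAMES = 20    # assumption: distinct subdomains per client per zone
MIN_LABEL_ENTROPY = 3.0  # assumption: bits/char; hex payloads sit around 3.5-4.0
MIN_QNAME_LENGTH = 40    # assumption: characters


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def zone_of(qname):
    """Approximate the registered zone as the last two labels (assumption)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def build_sample_log():
    """Constructed log: 'ts client qname qtype'. 30 ordinary lookups from one
    client plus 25 hex-encoded subdomain queries from another."""
    lines = []
    for i in range(30):
        name = ("www", "mail", "api")[i % 3] + ".example.mil"
        lines.append(f"1709294400.{i:02d} 10.1.1.5 {name} A")
    for i in range(25):
        chunk = hashlib.sha256(f"exfil-chunk-{i}".encode()).hexdigest()[:32]
        lines.append(f"1709294500.{i:02d} 10.1.1.7 {chunk}.exfil.example.net TXT")
    return lines


def detect_tunnelling(lines):
    """Return {(client, zone): stats} for pairs exceeding every threshold."""
    per_pair = defaultdict(lambda: {"names": set(), "entropy": [], "length": []})
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        s = per_pair[(client, zone_of(qname))]
        s["names"].add(qname)
        s["length"].append(len(qname))
        # The leading label is where encoded payload lands in most tunnelling tools.
        s["entropy"].append(shannon_entropy(qname.split(".")[0]))
    flagged = {}
    for pair, s in per_pair.items():
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        mean_length = sum(s["length"]) / len(s["length"])
        if (len(s["names"]) >= MIN_UNIQUE_NAMES
                and mean_entropy >= MIN_LABEL_ENTROPY
                and mean_length >= MIN_QNAME_LENGTH):
            flagged[pair] = {"unique": len(s["names"]),
                             "entropy": round(mean_entropy, 2),
                             "length": round(mean_length, 1)}
    return flagged


if __name__ == "__main__":
    print(detect_tunnelling(build_sample_log()))
```

Requiring all three signals together is what keeps content-delivery and anti-virus vendor zones, which also generate many unique names, from being flagged: their labels are long but low-entropy dictionary words.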
SOAR-R1.1 · SOAR · P6 · Cloud-native response action library for CAT 1 and CAT 2 incidents
SOAR-R1.2 · SOAR · P6 · Playbook coverage for CAT 4 (Denial of Service) cloud-edge events
SOAR-R1.3 · SOAR · P6 · Playbook coverage for CAT 7 (Malicious Logic) and cloud workload containment
SOAR-R1.4 · SOAR · P6 · Playbook lifecycle and coverage-gap tracking for hybrid surface (IR-8 first-primary)
SOAR-R1.5 · SOAR · P6 · SOC playbook re-skilling and authoring readiness for cloud-native actions
SOAR-R2.1 · SOAR · P6 · Automated alert triage and playbook matching within CAT 1 notification window
SOAR-R2.2 · SOAR · P6 · Response action execution time for containment-class actions
SOAR-R2.3 · SOAR · P6 · CJCSM 6510.01B CAT 1-9 report generation integration with JIMS
SOAR-R2.4 · SOAR · P6 · Follow-on report automation and CJCSM 6510.01B update cadence
SOAR-R3.1 · SOAR · P6 · Privileged credential scope and lifecycle management for SOAR cloud action accounts
SOAR-R3.2 · SOAR · P6 · Human-in-the-loop approval gate for high-impact SOAR actions
SOAR-R3.3 · SOAR · P6 · SOAR action audit log completeness and integrity for cloud-executed actions
SOAR-R3.4 · SOAR · P6 · SOAR action authorization revocation and emergency stop capability
SOAR-R4.1 · SOAR · P6 · SOAR alert ingestion from central SIEM across hybrid enclave sources
SOAR-R4.2 · SOAR · P6 · Bi-directional SOAR-SIEM integration for action status and case updates
SOAR-R4.3 · SOAR · P6 · SOAR throughput and concurrency for multi-vector incidents (IR-4(3) first-primary)
SOAR-R4.4 · SOAR · P6 · Alert enrichment and threat intelligence correlation before playbook matching
SOAR-R5.1 · SOAR · P6 · SOAR action log retention period compliance
SOAR-R5.2 · SOAR · P6 · SOAR action records as input to CJCSM 6510.01B incident reports
SOAR-R5.3 · SOAR · P6 · SOAR action log immutability and tamper protection
SOAR-R6.1 · SOAR · P6 · Cross-CSP playbook coordination architecture for multi-surface incidents (ZT-RA reuse)
SOAR-R6.2 · SOAR · P6 · Cross-CSP incident case federation and deduplication (IR-4(4) reuse)
SOAR-R6.3 · SOAR · P6 · Cross-CSP response action sequencing and dependency management (IR-4(2) first-primary)
SOAR-R7.1 · SOAR · P6 · Evidence preservation protocol before SOAR containment actions
SOAR-R7.2 · SOAR · P6 · SOAR-to-ForIR case handoff protocol and data transfer
SOAR-R7.3 · SOAR · P6 · SOAR escalation trigger criteria for forensic engagement
SOAR-R8.1 · SOAR · P6 · Playbook testing and validation in non-production cloud environments
SOAR-R8.2 · SOAR · P6 · SOAR platform configuration and credential security posture
SOAR-R8.3 · SOAR · P6 · SOAR action cost governance for cloud API-driven response actions · AD
TIP-R1.1 · Threat Intel Platform · P6 · Warning intelligence ingestion from approved government sources
TIP-R1.2 · Threat Intel Platform · P6 · CSP-native threat signal feed integration as additional feed source
TIP-R1.3 · Threat Intel Platform · P6 · Feed schema normalization across heterogeneous source formats
TIP-R1.4 · Threat Intel Platform · P6 · Feed deduplication and quality scoring for high-volume hybrid feed environment (PM-16(1) first-primary)
TIP-R1.5 · Threat Intel Platform · P6 · Commercial threat feed subscription continuity and coverage governance (SI-5 reuse-from-EDR-R7.2)
TIP-R2.1 · Threat Intel Platform · P6 · IOC distribution to cloud-native detection services per CSP
TIP-R2.2 · Threat Intel Platform · P6 · IOC distribution to on-prem detection tools — continuity during transition
TIP-R2.3 · Threat Intel Platform · P6 · IOC freshness and propagation latency budget across hybrid distribution targets · AD
TIP-R2.4 · Threat Intel Platform · P6 · Cross-CSP IOC distribution consistency for distributed enforcement · AD
TIP-R2.5 · Threat Intel Platform · P6 · IOC distribution pipeline audit trail and delivery confirmation
TIP-R3.1 · Threat Intel Platform · P6 · Exchange of threat intel, AS&W information, and countermeasures with USCYBERCOM
TIP-R3.2 · Threat Intel Platform · P6 · Cloud-environment threat content contribution to outbound sharing
TIP-R3.3 · Threat Intel Platform · P6 · Outbound sharing authorization and classification handling
TIP-R4.1 · Threat Intel Platform · P6 · SOC analyst portal access from cloud-managed endpoints
TIP-R4.2 · Threat Intel Platform · P6 · Threat hunt integration — IOC search across cloud telemetry
TIP-R4.3 · Threat Intel Platform · P6 · Analyst re-skill for cloud-native threat source interpretation
TIP-R5.1 · Threat Intel Platform · P6 · Threat awareness program documentation and update cadence
TIP-R5.2 · Threat Intel Platform · P6 · IOC expiry and lifecycle policy for time-bounded threat indicators · AD
TIP-R5.3 · Threat Intel Platform · P6 · CSSP community participation — threat intel sharing community enrollment
TIP-R6.1 · Threat Intel Platform · P6 · Feed subscription cost governance for hybrid feed portfolio · AD
TIP-R6.2 · Threat Intel Platform · P6 · IOC distribution egress cost for on-prem TIP to cloud enforcement tools (COA 1) · AD
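Worked example for TIP-R1.4 (deduplication and quality scoring) and TIP-R5.2 (IOC expiry), added here and not part of the register: indicators from several feeds are canonicalised so that defanged and case-variant copies collide, merged into one record per indicator with a corroboration-boosted score, and then filtered by a per-type time-to-live before they are handed to the distribution pipeline. The feed records, the TTL table, the corroboration bonus and the defanging conventions handled are constructed assumptions.

```python
"""Dedupe, score and expire indicators arriving from several feeds
(TIP-R1.4, TIP-R5.2).

Added example, not from the register. The feed records, the per-type TTLs,
the corroboration bonus and the defanging conventions handled are constructed
assumptions.
"""
from datetime import date, timedelta

# Assumed time-to-live per indicator type, in days (None = never expires).
IOC_TTL_DAYS = {"ipv4": 30, "domain": 90, "sha256": None}
CORROBORATION_BONUS = 10  # assumption: score added per extra independent feed

FEED_RECORDS = [  # constructed input; note the defanged and case-variant duplicates
    {"value": "evil[.]example", "type": "domain", "source": "feed-a",
     "confidence": 60, "last_seen": "2024-02-01"},
    {"value": "EVIL.example.", "type": "domain", "source": "feed-b",
     "confidence": 70, "last_seen": "2024-02-20"},
    {"value": "198.51.100.7", "type": "ipv4", "source": "feed-a",
     "confidence": 80, "last_seen": "2024-01-01"},
    {"value": "AB" * 32, "type": "sha256", "source": "feed-a",
     "confidence": 90, "last_seen": "2023-06-01"},
    {"value": "ab" * 32, "type": "sha256", "source": "feed-c",
     "confidence": 50, "last_seen": "2023-09-01"},
]


def canonical_value(value, ioc_type):
    """Undo common defanging and normalise case so duplicates collide."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    if ioc_type in ("domain", "sha256"):
        v = v.rstrip(".").lower()
    return v


def merge_feeds(records):
    """One record per (type, canonical value); score rises with corroboration."""
    merged = {}
    for r in records:
        key = (r["type"], canonical_value(r["value"], r["type"]))
        m = merged.setdefault(key, {"sources": set(), "confidence": 0,
                                    "last_seen": date.min})
        m["sources"].add(r["source"])
        m["confidence"] = max(m["confidence"], r["confidence"])
        m["last_seen"] = max(m["last_seen"], date.fromisoformat(r["last_seen"]))
    for m in merged.values():
        extra_feeds = len(m["sources"]) - 1
        m["score"] = min(100, m["confidence"] + CORROBORATION_BONUS * extra_feeds)
    return merged


def is_active(ioc_type, last_seen, today):
    ttl = IOC_TTL_DAYS[ioc_type]
    return ttl is None or last_seen + timedelta(days=ttl) >= today


def distribution_set(records, today_iso):
    """Indicators that should be pushed to enforcement points on the given day."""
    today = date.fromisoformat(today_iso)
    return {key: m for key, m in merge_feeds(records).items()
            if is_active(key[0], m["last_seen"], today)}


if __name__ == "__main__":
    for key, m in distribution_set(FEED_RECORDS, "2024-03-01").items():
        print(key, m["score"], sorted(m["sources"]))
```

Expiring on last_seen rather than first_seen is deliberate: an IP that two feeds keep re-reporting stays in the distribution set, while one that went quiet in January is withdrawn before it starts blocking a re-assigned address.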
PAM-R1.1 · PAM (absorbs CIEM) · P1 · On-prem privileged credential vault continuity during hybrid transition
PAM-R1.2 · PAM (absorbs CIEM) · P1 · Cloud privileged credential storage mechanism integration
PAM-R1.3 · PAM (absorbs CIEM) · P1 · Privileged credential rotation cadence and elimination of long-lived static credentials
PAM-R1.4 · PAM (absorbs CIEM) · P1 · Privileged-account namespace consistency and unique-attribution naming across hybrid surface
PAM-R1.5 · PAM (absorbs CIEM) · P1 · Privileged-credential trust-anchor mastership architectural decision (duplicated from IdP-R1.5 — privileged-access scoring context) · AD
PAM-R2.1 · PAM (absorbs CIEM) · P1 · On-prem privileged session capture continuity (session proxy / jump-host with session recording, keystroke and command logging)
PAM-R2.2 · PAM (absorbs CIEM) · P1 · Cloud-side privileged session capture mechanism (CSP-native session manager logs, control-plane API call logs, structural reach-back gap for full screen capture)
PAM-R2.3 · PAM (absorbs CIEM) · P1 · Command logging granularity and session replay coverage parity across hybrid surface (NIST-80053 § AU-14 reuse-from-PAM-R7.4)
PAM-R2.4 · PAM (absorbs CIEM) · P1 · Privileged session audit log integrity and out-of-reach storage from privileged users
PAM-R2.5 · PAM (absorbs CIEM) · P1 · Privileged session audit forwarding to SIEM (duplicated from SIEM-R6.4 — privileged-session-mechanism scoring context)
PAM-R3.1 · PAM (absorbs CIEM) · P1 · On-prem JIT elevation continuity (time-bounded admin group membership, vault-orchestrated elevation workflow with justification capture)
PAM-R3.2 · PAM (absorbs CIEM) · P1 · Cloud-native JIT IAM role elevation mechanism (CSP-native PIM-style time-bounded role assumption, justification-required activation, approval workflow integration)
PAM-R3.3 · PAM (absorbs CIEM) · P1 · JIT elevation justification capture and approval workflow (auditable approval chain, time-bounded approval validity, role-based approver assignment)
PAM-R3.4 · PAM (absorbs CIEM) · P1 · JIT elevation time-bounding policy and TTL alignment across hybrid surface (mid-session expiration handling, TTL alignment between on-prem and cloud elevation, automatic deprovisioning at TTL expiry)
PAM-R3.5 · PAM (absorbs CIEM) · P1 · Privileged-session-lifetime architectural decision (duplicated from IdP-R3.2 — privileged-session-lifetime scoring context) · AD
PAM-R4.1 · PAM (absorbs CIEM) · P1 · Cloud entitlement landscape inventory and visibility across hybrid surface
PAM-R4.2 · PAM (absorbs CIEM) · P1 · Over-privileged role detection and toxic-combination analytics (NIST-80053 § AC-6(7) reuse-from-PAM-R4.3)
PAM-R4.3 · PAM (absorbs CIEM) · P1 · Entitlement right-sizing recommendation and approval workflow
PAM-R4.4 · PAM (absorbs CIEM) · P1 · Cross-CSP entitlement consistency and normalization · AD
PAM-R4.5 · PAM (absorbs CIEM) · P1 · CIEM tooling deployment model and cost (architectural strategic decision) · AD
PAM-R5.1 · PAM (absorbs CIEM) · P1 · Structural prevention of privileged-function execution by non-privileged users across hybrid surface
PAM-R5.2 · PAM (absorbs CIEM) · P1 · Separation-of-duties enforcement for privileged operations across hybrid surface
PAM-R5.3 · PAM (absorbs CIEM) · P1 · Network-restricted privileged command execution and privilege-level controls for code execution
PAM-R5.4 · PAM (absorbs CIEM) · P1 · Privileged-account enumeration and quarterly review across hybrid surface
PAM-R5.5 · PAM (absorbs CIEM) · P1 · Cross-CSP privileged-role consistency and least-privilege application to cloud workload identities (NIST-80053 § AC-6(5) first-primary)
PAM-R6.1 · PAM (absorbs CIEM) · P1 · Privileged-account MFA enforcement coverage on cloud console, cloud control-plane API, and privileged-administration paths across hybrid surface
PAM-R6.2 · PAM (absorbs CIEM) · P1 · Phishing-resistant MFA factor strength for privileged accounts (CAC/PIV smart card, FIDO2/WebAuthn hardware security key; elimination of phishing-susceptible factors for privileged accounts)
PAM-R6.3 · PAM (absorbs CIEM) · P1 · Privileged session re-authentication on elevated-risk events (PIM step-up, JIT activation, time-based re-prompt)
PAM-R6.4 · PAM (absorbs CIEM) · P1 · Privileged MFA enrollment lifecycle (initial issuance, lost-factor recovery, factor revocation on departure / role-change / suspected-compromise)
PAM-R6.5 · PAM (absorbs CIEM) · P1 · Privileged MFA bypass-exception governance (duplicated from IdP-R5.3 — privileged-MFA-bypass scoring context)
PAM-R7.1 · PAM (absorbs CIEM) · P1 · Emergency / break-glass privileged-account provisioning and storage across hybrid surface
PAM-R7.2 · PAM (absorbs CIEM) · P1 · Privileged-access continuity / vault-unavailable contingency path across hybrid surface
PAM-R7.3 · PAM (absorbs CIEM) · P1 · Cross-CSP break-glass coordination during multi-edge / multi-cloud privileged-access incidents (NIST-80053 § CP-2 reuse-from-PAM-R7.2)
PAM-R7.4 · PAM (absorbs CIEM) · P1 · Post-emergency privileged-access audit reconstruction across hybrid surface
PAM-R7.5 · PAM (absorbs CIEM) · P1 · Break-glass procedure governance and exercise / testing across hybrid surface
PAM-R8.1 · PAM (absorbs CIEM) · P1 · SOC analyst training for cloud privileged-access tooling familiarity (CIEM consoles, cloud IAM role-management UIs, cloud session-manager log navigation)
PAM-R8.2 · PAM (absorbs CIEM) · P1 · Privileged-account JIT-workflow and elevation-decision training (privileged-user training for JIT activation procedures, justification requirements, approval-chain navigation, and elevation-time-bounded operational discipline)
PAM-R8.3 · PAM (absorbs CIEM) · P1 · Cross-CSP privileged-event correlation training (heterogeneous CSP IAM audit log schemas, cross-CSP entitlement mapping for CIEM analytics, cloud-native session manager log interpretation)
PAM-R8.4 · PAM (absorbs CIEM) · P1 · Privileged-credential incident-handling training (vault-compromise response, JIT-system-down break-glass procedures per PAM-R7, suspected-privileged-credential-misuse investigation, help-desk privileged-account-reset social-engineering resistance)
PAM-R8.5 · PAM (absorbs CIEM) · P1 · Hybrid privileged-access attack pattern training (cross-tenant privilege escalation, cloud IAM toxic-combination exploitation, privileged-credential federation abuse, CIEM-bypass / over-privileged-role exploitation)
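Worked example for PAM-R4.2 (toxic-combination analytics) and PAM-R4.3 (right-sizing input), added here and not part of the register: each role's permission set, wildcards included, is tested against a list of permission combinations that together allow privilege escalation, and separately against the actions the role was actually observed using, to produce both a toxic-combination finding and a list of idle grants to remove. The role inventory and the observed-usage sample are constructed; the TOXIC_COMBINATIONS entries use illustrative AWS-style action names drawn from public privilege-escalation research and stand in for whatever content the programme's own CIEM analytics carry.

```python
"""Detect toxic permission combinations and unused grants in cloud roles
(PAM-R4.2, PAM-R4.3).

Added example, not from the register. The role inventory and the observed-usage
sample are constructed; the TOXIC_COMBINATIONS entries are illustrative
AWS-style action names from public privilege-escalation research and stand in
for the programme's own analytics content.
"""
from fnmatch import fnmatchcase

TOXIC_COMBINATIONS = [
    ({"iam:PassRole", "ec2:RunInstances"},
     "launch an instance under any instance profile, including admin"),
    ({"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
     "run arbitrary code under a privileged execution role"),
    ({"iam:CreateAccessKey"}, "mint long-lived keys for other principals"),
    ({"iam:AttachUserPolicy"}, "self-attach an administrator policy"),
]

# Constructed role inventory; permissions may carry wildcards as in real policies.
ROLES = {
    "ci-deployer": {"ec2:RunInstances", "ec2:Describe*", "iam:PassRole"},
    "log-reader": {"logs:GetLogEvents", "logs:Describe*"},
    "lambda-ops": {"lambda:*", "iam:PassRole"},
    "break-glass-admin": {"*"},
}
# Constructed 90-day usage as reconstructed from the cloud audit log.
OBSERVED_ACTIONS = {
    "ci-deployer": {"ec2:RunInstances", "ec2:DescribeInstances"},
    "log-reader": {"logs:GetLogEvents"},
    "lambda-ops": {"lambda:UpdateFunctionCode"},
    "break-glass-admin": set(),
}


def grants(permissions, action):
    """True if any (possibly wildcard) permission covers the concrete action."""
    return any(fnmatchcase(action, p) for p in permissions)


def toxic_findings(roles):
    """Map role -> reasons for every toxic combination the role fully holds."""
    findings = {}
    for role, perms in roles.items():
        hits = [why for combo, why in TOXIC_COMBINATIONS
                if all(grants(perms, a) for a in combo)]
        if hits:
            findings[role] = hits
    return findings


def unused_grants(roles, observed):
    """Grants not exercised in the observation window: right-sizing candidates.

    A wildcard counts as used only if some observed action matched it."""
    out = {}
    for role, perms in roles.items():
        used = observed.get(role, set())
        idle = sorted(p for p in perms if not any(fnmatchcase(a, p) for a in used))
        if idle:
            out[role] = idle
    return out


if __name__ == "__main__":
    print(toxic_findings(ROLES))
    print(unused_grants(ROLES, OBSERVED_ACTIONS))
```

Matching is done with fnmatchcase rather than string equality because the dangerous grants are almost never written out literally; "lambda:*" satisfies two of the three actions in the second combination without naming either.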
EDR-R1.1EDR · P2
On-prem EDR agent coverage continuity (managed Windows / Linux endpoints, server endpoints, virtual workstations)
EDR-R1.2EDR · P2
Cloud-hosted VM EDR agent coverage and deployment via CSP-native mechanisms
EDR-R1.3EDR · P2
Cloud-managed workstation EDR agent coverage and CSP-native deployment integration
EDR-R1.4EDR · P2
Ephemeral cloud workload EDR coverage gap acknowledgment (auto-scaling groups, container instances pre-CWPP scope, serverless functions)
AD
EDR-R1.5EDR · P2
EDR agent-management-server-to-endpoint communication continuity across hybrid network paths (BCAP / VPN / direct cloud connectivity)
EDR-R2.1EDR · P2
Signature-based malicious-code detection on managed endpoints across hybrid surface
EDR-R2.2EDR · P2
Behavioral / non-signature endpoint detection (process-behavior anomaly, command-line argument analysis, parent-child process tree analysis)
EDR-R2.3 · EDR · P2
Endpoint detection content lifecycle (signature/rule deployment, behavioral content updates, detection coverage cadence aligned with threat landscape)
EDR-R2.4 · EDR · P2
Cloud-workload-specific endpoint detection content (cloud-native attack patterns, IAM credential exfiltration patterns, cloud-VM lateral movement)
AD
EDR-R2.5 · EDR · P2
Endpoint detection alert forwarding to SIEM (duplicated from SIEM-R5.4 — EDR-source-side scoring context)
EDR-R3.1 · EDR · P2
On-prem endpoint response actions — host isolation, process kill, file quarantine, registry remediation
EDR-R3.2 · EDR · P2
Cloud-VM endpoint response actions — network isolation via CSP security group, instance quarantine, snapshot for forensics, IAM credential revocation
EDR-R3.3 · EDR · P2
Automated containment workflow integration — SOAR-orchestrated response, playbook-driven action chains across hybrid surface
EDR-R3.4 · EDR · P2
Response action audit trail and reversibility — action logging, post-action audit, undo capability for false-positive response
EDR-R3.5 · EDR · P2
Cross-CSP response action coordination and authorization — privileged-credential bounds for response actions across CSP enclaves
AD
EDR-R4.1 · EDR · P2
Process-tree, file-modification, registry, and on-host execution-event telemetry collection on managed endpoints (foundational EDR event-type coverage)
EDR-R4.2 · EDR · P2
Host-level network-connection and network-flow telemetry from the EDR agent (inbound/outbound connection metadata at the host, distinct from network-side IDS/PCAP)
EDR-R4.3 · EDR · P2
Authentication, privileged-action, and on-host-identity event telemetry (logon/logoff, privilege elevation, credential-usage events collected by EDR agent)
EDR-R4.4 · EDR · P2
Telemetry forwarding architecture from EDR agent to SIEM across hybrid network paths (the COA-discriminator for cloud-resident endpoint telemetry reachability)
AD
EDR-R4.5 · EDR · P2
EDR telemetry retention scope and OMB M-21-31 EDR-specific compliance (12-month active / 18-month cold retention obligations on endpoint telemetry)
EDR-R5.1 · EDR · P2
STIG/CIS/hardening-baseline compliance assessment on managed Windows and Linux endpoints (foundational configuration-posture coverage)
EDR-R5.2 · EDR · P2
Software inventory and unauthorized-software detection on managed endpoints (component inventory parity with ground truth and detection of unauthorized installations)
EDR-R5.3 · EDR · P2
Continuous posture drift detection and re-assessment cadence (EDR agent ongoing measurement of baseline conformance and drift alerting)
EDR-R5.4 · EDR · P2
Endpoint posture attestation feed to ZT policy engine for access-decision input (device-trust signal from EDR posture producing conditional-authorization input) (NIST-80053 § AC-2(11) reuse-from-MDM-R3.3 at EDR-posture-attestation-feed-to-ZT-policy-engine scope)
EDR-R5.5 · EDR · P2
Continuous compliance scoring and remediation tracking across hybrid endpoint estate (dashboard, reporting, and scoring function aggregating per-endpoint posture into hybrid-estate compliance posture)
EDR-R6.1 · EDR · P2
Endpoint memory acquisition support — EDR-agent-initiated volatile data capture at incident time
EDR-R6.2 · EDR · P2
Endpoint disk and filesystem artifact acquisition — MFT, registry, persistence artifacts, evidence integrity
EDR-R6.3 · EDR · P2
Process-context and lateral-movement evidence preservation at incident time
EDR-R6.4 · EDR · P2
Cross-CSP forensic acquisition reachability and cloud-resident endpoint forensic workflow
AD
EDR-R6.5 · EDR · P2
Evidence chain-of-custody and integrity preservation through hybrid acquisition path
EDR-R7.1 · EDR · P2
IOC ingestion and real-time matching on managed endpoints (file-hash, IP, domain, URL, registry-key IOCs distributed to EDR agent for matching against host events)
EDR-R7.2 · EDR · P2
Threat-feed-driven detection content distribution and signature update (custom YARA / sigma / behavioral detection rule distribution from TIP-curated source to EDR agent fleet)
EDR-R7.3 · EDR · P2
Hunt-query distribution and TIP-driven proactive threat hunting on managed endpoints (EDR agent execution of TIP-curated hunt hypotheses across endpoint telemetry)
EDR-R7.4 · EDR · P2
Threat-attribution context enrichment of EDR detections (enriching EDR alerts with threat-actor / campaign / TTP attribution from TIP before SIEM correlation)
EDR-R7.5 · EDR · P2
Cross-CSP IOC feed reachability and per-enclave IOC consistency for EDR agent fleet across hybrid surface
AD
EDR-R8.1 · EDR · P2
SOC analyst re-skill for hybrid endpoint alert triage (Tier 1/2 analyst training on EDR alert triage across on-prem + cloud endpoint surfaces, EDR product-family platform proficiency, alert-context interpretation across hybrid telemetry sources)
EDR-R8.2 · EDR · P2
IR team re-skill for hybrid endpoint response (Tier 3 IR analyst training on cross-CSP endpoint isolation workflows, hybrid lateral-movement reconstruction, cloud-resident endpoint forensic-acquisition workflow execution)
EDR-R8.3 · EDR · P2
Threat-hunt analyst re-skill for hybrid hunt operations (proactive hunt query authoring across hybrid endpoint estate, hunt-result triage including cloud-hosted endpoint context, cross-surface hunt campaign management)
EDR-R8.4 · EDR · P2
EDR platform administration re-skill — EDR management-server, agent deployment workflows, signature distribution, and response-action authorization for hybrid environment
EDR-R8.5 · EDR · P2
Cross-CSP investigation skill development and continuous-improvement loop (periodic re-training on CSP-specific investigation patterns, lessons-learned integration into analyst training, hybrid-IR tabletop exercises, and EDR-specific adversarial-technique training for hybrid endpoint attack patterns)
MDM-R1.1 · Device Management (MDM/UEM) · P2
On-prem managed workstation and server endpoint enrollment into the on-prem MDM/UEM management plane
MDM-R1.2 · Device Management (MDM/UEM) · P2
Cloud-managed UEM enrollment for cloud-hosted and cloud-managed workstation compute (cloud-PC, VDI, cloud-managed laptop fleet)
MDM-R1.3 · Device Management (MDM/UEM) · P2
Corporate-issued mobile device enrollment (iOS/Android smartphones and tablets) into the UEM mobile management plane
MDM-R1.4 · Device Management (MDM/UEM) · P2
BYOD scope definition — personally owned device enrollment constraints (permitted / restricted container-only / excluded)
MDM-R1.5 · Device Management (MDM/UEM) · P2
Device enrollment trust-anchor mastership decision — on-prem MDM authoritative for all enrollment vs. cloud-managed UEM authoritative vs. hybrid split
AD
MDM-R2.1 · Device Management (MDM/UEM) · P2
Workstation configuration baseline distribution (Windows/Linux configuration profiles and Group-Policy-equivalent settings via UEM platform)
MDM-R2.2 · Device Management (MDM/UEM) · P2
Mobile device configuration baseline distribution (iOS/Android configuration profiles, restrictions payloads, and certificate/VPN/Wi-Fi configuration distribution via UEM mobile management plane)
MDM-R2.3 · Device Management (MDM/UEM) · P2
Cloud-managed UEM integration with CSP-native policy distribution (NIST-80053 § CM-2(2) first-primary)
MDM-R2.4 · Device Management (MDM/UEM) · P2
Configuration baseline mapping to STIG/CIS hardening requirements at the UEM policy layer (hardening baseline overlay applied as UEM configuration profiles — distinct from EDR-agent-side STIG compliance assessment)
MDM-R2.5 · Device Management (MDM/UEM) · P2
Configuration drift detection and remediation at the UEM platform layer (platform-enforced change control and profile-deviation remediation — distinct from EDR-agent-side posture drift detection)
MDM-R3.1 · Device Management (MDM/UEM) · P2
Continuous compliance evaluation at the UEM platform layer — devices measured against distributed compliance policies
MDM-R3.2 · Device Management (MDM/UEM) · P2
Compliance state reporting and dashboard surfaces — admin console compliance posture visibility per device class
MDM-R3.3 · Device Management (MDM/UEM) · P2
Non-compliant device handling — remediation triggers, conditional-access integration, and access-restriction enforcement
MDM-R3.4 · Device Management (MDM/UEM) · P2
Compliance policy update lifecycle and version control — CCB-equivalent governance for compliance policy evolution
MDM-R3.5 · Device Management (MDM/UEM) · P2
Cross-platform compliance scoring consistency — comparable scoring across Windows, Linux, iOS, Android on-prem-managed and cloud-managed UEM populations
MDM-R4.1 · Device Management (MDM/UEM) · P2
Remote wipe capability on managed devices — full device wipe and selective/container wipe
MDM-R4.2 · Device Management (MDM/UEM) · P2
Remote lock and password reset capability on enrolled devices
MDM-R4.3 · Device Management (MDM/UEM) · P2
Device locate and geolocation tracking capability (lost-device recovery support)
MDM-R4.4 · Device Management (MDM/UEM) · P2
Device retire and decommission workflow — data sanitization, enrollment record removal, and asset disposition
MDM-R4.5 · Device Management (MDM/UEM) · P2
Cross-CSP remote-action reachability (NIST-80053 § MP-6(8) reuse-from-MDM-R4.1)
MDM-R5.1 · Device Management (MDM/UEM) · P2
Managed app push and provisioning — mandatory app installation, app catalog, and managed-app distribution to enrolled devices
MDM-R5.2 · Device Management (MDM/UEM) · P2
App configuration management — per-app configuration, managed-app data control settings, and MAM container configuration
MDM-R5.3 · Device Management (MDM/UEM) · P2
User-installed software policy enforcement at the UEM platform layer — side-loading prevention, prohibited-app blocking, and compliance monitoring
MDM-R5.4 · Device Management (MDM/UEM) · P2
App allowlisting and app reputation enforcement at the UEM management-plane layer
MDM-R5.5 · Device Management (MDM/UEM) · P2
Mobile-specific app sandboxing and data protection — managed-app container, data-loss prevention at the mobile layer, and managed/personal data separation on BYOD
MDM-R6.1 · Device Management (MDM/UEM) · P2
Device-management posture data publication mechanism (UEM platform's mechanism for emitting compliance-state telemetry)
MDM-R6.2 · Device Management (MDM/UEM) · P2
Posture-feed integration with ZT policy engine (PEP/PDP) — UEM platform compliance data as a ZT access-decision input
MDM-R6.3 · Device Management (MDM/UEM) · P2
Posture-feed integration with C2C compliance gating — MDM management-agent compliance check as C2C interrogation-category input
MDM-R6.4 · Device Management (MDM/UEM) · P2
Posture-data freshness and staleness handling — assessment cadence floor for ZT and C2C consumption
MDM-R6.5 · Device Management (MDM/UEM) · P2
Posture-feed reliability and fault tolerance for hybrid topology — fail behavior when UEM management plane is unavailable (NIST-80053 § SI-17 reuse-from-CWPP-R6.4)
MDM-R7.1 · Device Management (MDM/UEM) · P2
UEM platform consolidation strategy — on-prem MDM single platform vs. cloud-managed UEM single platform vs. multi-CSP per-enclave UEM
AD
MDM-R7.2 · Device Management (MDM/UEM) · P2
Per-platform integration parity and cross-platform device coverage — feature parity and inventory completeness across UEM platforms when multi-platform architecture is adopted
MDM-R7.3 · Device Management (MDM/UEM) · P2
Management-plane availability requirements — UEM SaaS uptime, on-prem MDM HA, and cross-platform availability planning
MDM-R7.4 · Device Management (MDM/UEM) · P2
Hybrid network reachability between UEM management plane and managed devices — management channel path design across DISN-CSP boundary and per-enclave management path
MDM-R7.5 · Device Management (MDM/UEM) · P2
Cross-CSP credential and policy synchronization in multi-UEM-platform architectures — policy-consistency and management-credential architecture across per-CSP-enclave UEM instances (NIST-80053 § CM-6 reuse-from-EDR-R5.1)
MDM-R8.1 · Device Management (MDM/UEM) · P2
UEM platform admin training for hybrid environments (UEM management console proficiency, policy authoring workflows, compliance configuration, cloud-managed enrollment procedure administration)
MDM-R8.2 · Device Management (MDM/UEM) · P2
Mobile policy and compliance admin training (mobile-specific policy configuration, MAM/MDM container governance, BYOD policy administration, app protection policy lifecycle)
MDM-R8.3 · Device Management (MDM/UEM) · P2
Cross-platform device-management plane training (multi-CSP UEM console proficiency, per-platform enrollment and compliance differences, cross-platform policy-consistency verification procedures)
MDM-R8.4 · Device Management (MDM/UEM) · P2
IR training for device-management platform incidents (lost-device IR workflow execution, mass-wipe scenario IR, UEM platform-compromise IR response, mobile-specific incident containment)
MDM-R8.5 · Device Management (MDM/UEM) · P2
Continuous-improvement training loop for device-management operations (lessons-learned curriculum updates, hybrid device-management tabletop exercises, mobile threat landscape updates, cross-CSP UEM attack pattern awareness)
NAC-R1.1 · Network Access Control (NAC) · P2
On-prem 802.1X port-based network admission continuity — physical LAN admission for managed wired and wireless endpoints
NAC-R1.2 · Network Access Control (NAC) · P2
AAA / RADIUS authentication infrastructure continuity — the on-prem AAA backbone serving 802.1X authenticators
NAC-R1.3 · Network Access Control (NAC) · P2
Cloud workload network-admission mechanism (concept-transform) — identity-and-posture-verified admission replacing 802.1X port-based admission for cloud-resident compute
NAC-R1.4 · Network Access Control (NAC) · P2
BYOD / contractor / guest network admission scope — unmanaged-device admission policy and enforcement
NAC-R1.5 · Network Access Control (NAC) · P2
Device-network identity trust-anchor mastership architectural decision — where does the device-trust anchor for cloud-side network admission live?
AD
NAC-R2.1 · Network Access Control (NAC) · P2
On-prem posture check at 802.1X admission — RADIUS posture-attribute exchange and posture-evaluation-result-driven admission decision
NAC-R2.2 · Network Access Control (NAC) · P2
Cloud-side posture verification at admission — ZT policy engine evaluates posture attributes before issuing admission decision
NAC-R2.3 · Network Access Control (NAC) · P2
Posture-attribute schema and content — the compliance attribute vocabulary that flows into the NAC admission decision
NAC-R2.4 · Network Access Control (NAC) · P2
Posture-fail handling at admission — admission-time decision branch when posture check fails (quarantine VLAN, restricted-access network, remediation portal redirect)
NAC-R2.5 · Network Access Control (NAC) · P2
Posture-evaluation freshness and continuous re-verification — managing posture-state drift after admission (NIST-80053 § CA-7 reuse-from-EDR-R5.3)
NAC-R3.1 · Network Access Control (NAC) · P2
Role-and-attribute-based authorization decision content — RBAC + ABAC fusion at NAC admission
NAC-R3.2 · Network Access Control (NAC) · P2
On-prem dynamic VLAN/SGT/ACL assignment at 802.1X admission — RADIUS attribute-driven enforcement instructions to the authenticator
NAC-R3.3 · Network Access Control (NAC) · P2
Cloud-side authorization decision content — ZT policy engine outputs for network admission (identity-tagged segment assignment, conditional-access policy class, ZT access-control policy outputs)
NAC-R3.4 · Network Access Control (NAC) · P2
Identity-and-posture combined policy decision — authorization-policy-engine combined identity+device-hygiene decision
NAC-R3.5 · Network Access Control (NAC) · P2
Authorization decision auditability and decision-record retention — admission decisions logged per AU-2, decision rationale captured for after-the-fact review
NAC-R4.1 · Network Access Control (NAC) · P2
On-prem VLAN/SGT assignment as 802.1X admission enforcement — the L2 switch / wireless controller applies dynamic VLAN or SGT as instructed by the AAA decision
NAC-R4.2 · Network Access Control (NAC) · P2
Identity-based micro-segmentation enforcement cloud-side — ZT-aligned micro-segmentation policy applied to cloud workloads at the SDN policy plane
NAC-R4.3 · Network Access Control (NAC) · P2
SDN policy enforcement integration — the cloud admission mechanism integrates with the underlying SDN policy plane to enforce segmentation decisions at admission time
NAC-R4.4 · Network Access Control (NAC) · P2
Post-admission segmentation policy continuity — segmentation decisions persist across session lifetimes; re-authentication and re-enforcement on policy change
NAC-R4.5 · Network Access Control (NAC) · P2
Cross-management-plane segmentation consistency — on-prem VLAN/SGT plane and cloud-side micro-segmentation plane must produce coherent end-to-end segmentation; identity-tagged segments must be recognizable across the boundary
AD
NAC-R5.1 · Network Access Control (NAC) · P2
Quarantine VLAN / isolation segment assignment for posture-fail and policy-fail admissions
NAC-R5.2 · Network Access Control (NAC) · P2
Remediation portal / captive portal redirect for non-compliant devices in quarantine segment
NAC-R5.3 · Network Access Control (NAC) · P2
MDM-driven remediation trigger — NAC non-compliance event notification to MDM management plane for corrective action dispatch
NAC-R5.4 · Network Access Control (NAC) · P2
Cloud-side quarantine and remediation flow (concept-transform) — cloud analog to VLAN quarantine and captive portal
AD
NAC-R5.5 · Network Access Control (NAC) · P2
Quarantine event logging and audit trail — quarantine assignment, release, and remediation actions as security-significant audit events
NAC-R6.1 · Network Access Control (NAC) · P2
MDM compliance posture feed integration — NAC ingests UEM platform compliance evaluation as admission-decision input (consumer-side)
NAC-R6.2 · Network Access Control (NAC) · P2
EDR posture-attestation feed integration — NAC ingests EDR-agent host-attestation as admission-decision input (consumer-side)
NAC-R6.3 · Network Access Control (NAC) · P2
CAASM and VulnMgmt feed integration — NAC ingests cyber-asset inventory and vulnerability findings as posture inputs to admission decisions
NAC-R6.4 · Network Access Control (NAC) · P2
Posture-aggregation architecture — multi-source posture inputs into a single admission decision context, precedence rules, and C2C-boundary blur in cloud
NAC-R6.5 · Network Access Control (NAC) · P2
NAC-side posture-feed publisher to upstream consumers — NAC admission-decision telemetry to SIEM, ZT policy engine, and C2C
NAC-R7.1 · Network Access Control (NAC) · P2
NAC platform consolidation strategy — single NAC platform vs. per-CSP-enclave NAC-equivalent platforms vs. hybrid admission architecture
AD
NAC-R7.2 · Network Access Control (NAC) · P2
Per-platform integration parity — consistent admission-decision coverage across device classes and cross-platform inventory completeness for NAC enforcement components
NAC-R7.3 · Network Access Control (NAC) · P2
NAC enforcement layer availability requirements — continuity-plan obligations for the admission-enforcement infrastructure and fail-open/fail-closed posture during outage
NAC-R7.4 · Network Access Control (NAC) · P2
Hybrid network reachability between NAC enforcement points and policy/identity authorities — RADIUS/IdP/posture-data source connectivity across hybrid network paths
NAC-R7.5 · Network Access Control (NAC) · P2
Cross-CSP credential and policy synchronization architecture — multi-enclave admission consistency, identity-tagged segment recognition, and per-CSP-enclave NAC policy governance
AD
NAC-R8.1 · Network Access Control (NAC) · P2
NAC platform admin training for hybrid environments (RADIUS/AAA admin proficiency, 802.1X authenticator configuration, ZT policy engine administration, and micro-segmentation policy authoring for the concept-transform cloud-side admission mechanism)
NAC-R8.2 · Network Access Control (NAC) · P2
Posture-policy admin training (admin proficiency on posture-evaluation policy — posture attribute schema, posture-fail handling rules, MDM/EDR/CAASM/VulnMgmt feed integration configuration)
NAC-R8.3 · Network Access Control (NAC) · P2
Cross-platform NAC plane training (admin proficiency across hybrid admission surface — on-prem 802.1X, cloud-side ZT policy engine, per-CSP NAC-equivalent platform; concept-transform pattern proficiency)
NAC-R8.4 · Network Access Control (NAC) · P2
IR training for NAC platform incidents (NAC platform compromise, AAA-server compromise, ZT policy engine compromise, mass-quarantine scenarios, cross-pillar IR coordination with MDM/EDR teams)
NAC-R8.5 · Network Access Control (NAC) · P2
Continuous-improvement training loop for hybrid network-admission operations (post-incident lessons-learned, NAC-policy-effectiveness retrospectives, periodic re-training cadence, and AT-3(2) Practical Exercises cross-cite)
CWPP-R1.1 · Cloud Workload Protection Platform (CWPP) · P3
Cloud-VM workload-runtime agent deployment — primary cloud-VM scope
CWPP-R1.2 · Cloud Workload Protection Platform (CWPP) · P3
Serverless function runtime instrumentation — uniquely CWPP scope
CWPP-R1.3 · Cloud Workload Protection Platform (CWPP) · P3
PaaS workload runtime evaluation — PaaS-opacity coverage architectural decision
CWPP-R1.4 · Cloud Workload Protection Platform (CWPP) · P3
Agentless cloud-workload scanning service — architectural alternative to agent-based runtime protection
CWPP-R1.5 · Cloud Workload Protection Platform (CWPP) · P3
Workload-runtime identity trust-anchor mastership architectural decision — where workload-identity attestation anchors live across COAs
AD
CWPP-R2.1 · Cloud Workload Protection Platform (CWPP) · P3
Per-workload-type baseline configuration policy — STIG-equivalent for cloud workloads
CWPP-R2.2 · Cloud Workload Protection Platform (CWPP) · P3
Configuration drift detection at runtime — continuous evaluation of workload configuration state against baseline
CWPP-R2.3 · Cloud Workload Protection Platform (CWPP) · P3
CSP-native workload-config-evaluation service integration — cloud-side primitives for configuration assessment
CWPP-R2.4 · Cloud Workload Protection Platform (CWPP) · P3
Configuration exception/exemption handling — governed exception process for workload baseline deviations (NIST-80053 § CM-6(c) first-primary at exception-authority scope)
CWPP-R2.5 · Cloud Workload Protection Platform (CWPP) · P3
Config-evaluation telemetry to SIEM/CAASM — downstream feed for configuration drift findings
CWPP-R3.1 · Cloud Workload Protection Platform (CWPP) · P3
Process-behavior anomaly detection — in-workload behavioral evaluation via host-based monitoring device
CWPP-R3.2 · Cloud Workload Protection Platform (CWPP) · P3
Workload-network-behavior anomaly detection — egress, lateral, and C2 pattern detection via multi-source event correlation
CWPP-R3.3 · Cloud Workload Protection Platform (CWPP) · P3
Credential-misuse detection at workload — workload-identity-misuse and cloud-credential-anomaly detection
CWPP-R3.4 · Cloud Workload Protection Platform (CWPP) · P3
Cross-workload lateral-movement detection — workload-traversal-pattern identification via multi-workload behavioral correlation
CWPP-R3.5 · Cloud Workload Protection Platform (CWPP) · P3
Behavioral-finding routing to SIEM/SOAR — downstream detection-feed integration and finding-source registration
CWPP-R4.1 · Cloud Workload Protection Platform (CWPP) · P3
Process-kill / quarantine / isolation enforcement at workload runtime — CWPP-triggered enforcement of behavioral detections at the workload execution layer
CWPP-R4.2 · Cloud Workload Protection Platform (CWPP) · P3
Workload-network-isolation actions — cloud-side micro-segmentation enforcement triggered by CWPP detection, producing network-level isolation of compromised workloads
CWPP-R4.3 · Cloud Workload Protection Platform (CWPP) · P3
CSP-native enforcement-action integration — CWPP calls CSP control-plane APIs to execute enforcement actions (workload stop, snapshot, security-group update) as CWPP-orchestrated operations
CWPP-R4.4 · Cloud Workload Protection Platform (CWPP) · P3
Enforcement-action audit trail — event integrity, cryptographic signing where applicable, enforcement-action log completeness
CWPP-R4.5 · Cloud Workload Protection Platform (CWPP) · P3
Cross-CSP enforcement-action consistency — per-CSP-enclave enforcement primitive parity and behavioral equivalence across cloud-hosted workload enforcement
AD
CWPP-R5.1 · Cloud Workload Protection Platform (CWPP) · P3
VulnMgmt feed integration (consumer-side — CWPP ingestion of vulnerability scan findings)
CWPP-R5.2 · Cloud Workload Protection Platform (CWPP) · P3
CSPM/CAASM configuration-posture feed integration (consumer-side — CWPP ingestion of cloud misconfiguration findings)
CWPP-R5.3 · Cloud Workload Protection Platform (CWPP) · P3
Runtime CVE-exploitation detection (CWPP-side correlation of static vulnerability finding with active exploitation behavior) (NIST-80053 § RA-5(10) reuse-from-VULNMGMT-R3.5)
CWPP-R5.4 · Cloud Workload Protection Platform (CWPP) · P3
Prioritization via runtime-context (CWPP enrichment of static vulnerability findings with workload runtime-context for risk-ranked remediation)
CWPP-R5.5 · Cloud Workload Protection Platform (CWPP) · P3
Finding-routing to ticketing and SOAR (downstream consumer-feed for CWPP-integrated vulnerability and configuration findings)
CWPP-R6.1 · Cloud Workload Protection Platform (CWPP) · P3
Workload-posture telemetry feed publishing — CWPP platform emits cloud-VM/serverless/PaaS posture findings as a continuous producer-side feed
CWPP-R6.2 · Cloud Workload Protection Platform (CWPP) · P3
Feed schema and content — workload-posture-attribute taxonomy for downstream consumer interoperability
CWPP-R6.3 · Cloud Workload Protection Platform (CWPP) · P3
Feed-consumer integration — NAC, C2C, and CAASM consumer integration for CWPP workload-posture feed
CWPP-R6.4 · Cloud Workload Protection Platform (CWPP) · P3
Workload-posture staleness handling — TTL, freshness obligations, and ephemeral-workload lifecycle management
CWPP-R6.5 · Cloud Workload Protection Platform (CWPP) · P3
Feed-publishing audit trail — workload-posture-publication event log retention and OMB-LOG floor compliance
CWPP-R7.1 · Cloud Workload Protection Platform (CWPP) · P3
CWPP platform consolidation strategy — single CWPP across hybrid vs. CSP-native CWPP per cloud vs. dual-platform with normalization
AD
CWPP-R7.2 · Cloud Workload Protection Platform (CWPP) · P3
Per-platform integration parity — consistent workload-protection coverage scope and feature-floor across CWPP platform deployments and cloud enclaves
CWPP-R7.3 · Cloud Workload Protection Platform (CWPP) · P3
CWPP management-plane availability and fail-mode — continuity-plan obligations for the CWPP platform management infrastructure and workload-protection posture during platform unavailability
CWPP-R7.4 · Cloud Workload Protection Platform (CWPP) · P3
CWPP management-plane network reachability — management channel between per-CSP-enclave CWPP components and the central CWPP policy authority across hybrid network paths
CWPP-R7.5 · Cloud Workload Protection Platform (CWPP) · P3
Cross-CSP CWPP synchronization architectural decision — policy normalization across CSPs and the per-CSP-enclave CWPP platform governance model
AD
CWPP-R8.1 · Cloud Workload Protection Platform (CWPP) · P3
CWPP platform admin training (cloud-workload-runtime-protection administration — agent-management-server administration, behavioral-detection-engine configuration, and workload-runtime-agent deployment automation)
CWPP-R8.2 · Cloud Workload Protection Platform (CWPP) · P3
Workload-runtime-detection-and-protection-policy admin training (behavioral detection rule authoring, exception handling, and policy lifecycle management for cloud workload populations)
CWPP-R8.3 · Cloud Workload Protection Platform (CWPP) · P3
Cross-platform CWPP plane training (multi-CSP CWPP operational fluency — per-CSP CWPP deployment model differences, cross-CSP behavioral-telemetry normalization, and concept-transform pattern proficiency)
CWPP-R8.4 · Cloud Workload Protection Platform (CWPP) · P3
IR training for CWPP-platform incidents and cross-pillar coordination (CWPP-platform-compromise, workload-runtime-agent mass-deletion, CSP-native-CWPP-service outage, serverless-function-instrumentation failure, cross-pillar IR coordination with Container/K8s, EDR, and MDM teams)
CWPP-R8.5 · Cloud Workload Protection Platform (CWPP) · P3
Continuous-improvement training loop for hybrid CWPP operations (post-incident lessons-learned integration, new-CSP-CWPP-feature uplift, AT-3(b)/(c) curriculum updates, and training audit for CWPP operational readiness)
K8S-R1.1 · Container / Kubernetes Security · P3
Registry-integrated image scanning at build time — vulnerability discovery before image publication
K8S-R1.2 · Container / Kubernetes Security · P3
Image-signing trust-anchor architecture and provenance verification at admission — 6th trust-anchor mastership instance
K8S-R1.3 · Container / Kubernetes Security · P3
Pull-time scanning gate — cluster pull enforcement with registry-whitelist policy
K8S-R1.4 · Container / Kubernetes Security · P3
Exception/exemption authority for image-policy bypass — governed process for approved deviations (NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4)
K8S-R1.5 · Container / Kubernetes Security · P3
Cross-CSP image-registry consistency — image artifacts, signing keys, and registry trust anchored across CSPs (NIST-80053 § SC-12 reuse-from-PKI-R1.4)
K8S-R2.1 · Container / Kubernetes Security · P3
Admission webhook deployment and activation — fail-closed posture, webhook timeout, and ValidatingAdmissionWebhook lifecycle
K8S-R2.2 · Container / Kubernetes Security · P3
Policy-as-code definition for admission rules — image-source allowlist, privileged-pod prohibition, and root-user prohibition
K8S-R2.3 · Container / Kubernetes Security · P3
CSP-managed admission webhook integration — CSP-native admission services and managed policy engine integration
K8S-R2.4 · Container / Kubernetes Security · P3
Exception and exemption authority for admission-policy bypass — governed deviation process for approved admission-policy exceptions (NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4; 2nd exception-authority instance)
K8S-R2.5 · Container / Kubernetes Security · P3
Admission-decision audit trail — admission outcomes logged for forensic and compliance review
K8S-R3.1 · Container / Kubernetes Security · P3
Pod-process-behavior anomaly detection — kubelet and pod-runtime agent telemetry at the pod-execution layer
K8S-R3.2 · Container / Kubernetes Security · P3
Pod-network-behavior anomaly detection — egress, lateral, and C2 pattern detection at the Kubernetes network layer
K8S-R3.3 · Container / Kubernetes Security · P3
Credential-misuse-at-pod detection — service-account abuse, pod-to-API-server suspicious calls, and RBAC role-abuse monitoring (CSSP-ESM § DE.CM-7 reuse-from-CWPP-R3.3)
K8S-R3.4 · Container / Kubernetes Security · P3
Kubelet and control-plane API-anomaly detection — control-plane component telemetry and etcd/kubelet API-call audit monitoring
K8S-R3.5 · Container / Kubernetes Security · P3
Behavioral-finding routing to SIEM/SOAR — pod and node telemetry feed integration and finding-source registration
K8S-R4.1 · Container / Kubernetes Security · P3
Kubernetes NetworkPolicy enforcement — default-deny ingress and egress with explicit pod-to-pod and namespace-to-namespace permit rules at the CNI layer
K8S-R4.2 · Container / Kubernetes Security · P3
Namespace-level segmentation — namespace as security boundary for multi-tenancy isolation and workload tier separation
K8S-R4.3 · Container / Kubernetes Security · P3
Service-mesh sidecar L7 policy enforcement — mTLS at workload-to-workload communications and identity-based L7 policy at the pod-sidecar layer
AD
K8S-R4.4 · Container / Kubernetes Security · P3
Egress policy enforcement — pod-to-CSP-API and pod-to-internet egress filtering via NetworkPolicy egress rules and cluster egress gateway controls
K8S-R4.5 · Container / Kubernetes Security · P3
Cross-CSP NetworkPolicy consistency — CNI NetworkPolicy semantics and enforcement posture across managed Kubernetes services per CSP enclave
AD
K8S-R5.1 · Container / Kubernetes Security · P3
Cluster RBAC authorization-mode baseline evaluation — API Server, kubelet, and control-plane authorization configuration
K8S-R5.2 · Container / Kubernetes Security · P3
Cluster-configuration drift detection — continuous monitoring of control-plane component parameters against STIG-derived baseline
K8S-R5.3 · Container / Kubernetes Security · P3
etcd and control-plane manifest hardening evaluation (file ownership, permissions, and component isolation) — CIS K8s benchmark-equivalent via STIG/SRG
K8S-R5.4 · Container / Kubernetes Security · P3
Cluster-configuration exception/exemption authority — governance for STIG deviation from cluster baseline (NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4)
K8S-R5.5 · Container / Kubernetes Security · P3
Cluster-configuration evaluation telemetry to SIEM — forwarding cluster STIG finding records for continuous monitoring and audit trail
K8S-R6.1 · Container / Kubernetes Security · P3
Cluster-posture telemetry feed — managed-K8s platform emits cluster-scope posture findings as a continuous producer-side feed
K8S-R6.2 · Container / Kubernetes Security · P3
Feed schema and content — cluster-posture attribute taxonomy for downstream consumer interoperability
K8S-R6.3 · Container / Kubernetes Security · P3
Feed-consumer integration — NAC and C2C posture-aggregation consumers integrate cluster-posture feed (partial-duplication awaiting C2C authoring)
K8S-R6.4 · Container / Kubernetes Security · P3
Posture-staleness handling — when cluster-posture telemetry goes stale and how expired findings affect downstream admission and C2C decisions
K8S-R6.5 · Container / Kubernetes Security · P3
Feed-publishing audit trail — cluster-posture feed publication events captured and retained in a tamper-resistant audit trail
K8S-R7.1 · Container / Kubernetes Security · P3
Per-CSP managed-K8s platform inventory — system component inventory for Kubernetes service components across CSP enclaves
K8S-R7.2 · Container / Kubernetes Security · P3
Cross-CSP managed-K8s policy normalization — admission-webhook, NetworkPolicy, and RBAC configuration consistency across CSP enclaves
AD
K8S-R7.3 · Container / Kubernetes Security · P3
Kubernetes management-plane availability and fail-mode — contingency-plan obligations for managed-K8s control-plane unavailability and admission-enforcement posture during outage
K8S-R7.4 · Container / Kubernetes Security · P3
Kubernetes API server management-plane reachability — management channel from administrative tooling and CI-CD automation to the per-CSP managed-K8s API server across hybrid network paths
K8S-R7.5 · Container / Kubernetes Security · P3
Cross-CSP K8s synchronization architectural decision — signing-key federation, image-registry replication, admission-policy distribution, and NetworkPolicy normalization synchronization across CSP enclaves
AD
K8S-R8.1 · Container / Kubernetes Security · P3
K8s cluster-security platform admin training (K8s cluster-security administration — admission webhook policy authoring, kubelet-RBAC administration, pod-security policy lifecycle, and cluster-control-plane configuration management)
K8S-R8.2 · Container / Kubernetes Security · P3
K8s pod-runtime detection and admission-policy admin training (pod-runtime behavioral telemetry triage, admission-control policy rule authoring, image-pipeline security training, and policy lifecycle management for K8s cluster populations)
K8S-R8.3 · Container / Kubernetes Security · P3
Cross-platform K8s plane training (multi-CSP K8s operational fluency — per-CSP managed-K8s service differences, cross-CSP cluster-posture normalization, and concept-transform pattern proficiency)
K8S-R8.4 · Container / Kubernetes Security · P3
IR training for K8s-platform incidents and cross-pillar coordination (admission-webhook-compromise, pod-runtime-agent mass-removal, cluster-control-plane compromise, etcd data exfiltration, pod-level IR playbook execution, cross-pillar IR coordination with CWPP and EDR teams)
K8S-R8.5 · Container / Kubernetes Security · P3
Continuous-improvement training loop for hybrid K8s operations (post-incident lessons-learned integration, new-CSP-K8s-feature uplift, AT-3(b)/(c) curriculum updates, and training audit for K8s cluster-security operational readiness)
CAASM-R1.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
On-prem CMDB extension to cloud — asset-discovery scope and inventory continuity across hybrid surface
CAASM-R1.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Asset-attribution authority architectural decision — which upstream source wins per asset class (7th trust-anchor mastership family instance)
AD
CAASM-R1.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Per-CSP asset-discovery API integration depth — event-driven vs. scheduled ingestion architectural decision
CAASM-R1.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Asset-discovery telemetry routing to attribution model — criticality tagging and feed prioritization
CAASM-R1.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Cross-CSP asset-inventory consistency — normalization and deduplication across CSP-specific resource taxonomies (NIST-80053 § CM-8 first-primary at cross-CSP deduplication normalization scope)
CAASM-R2.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Per-CSP misconfiguration detection — CSPM-absorbed primary scope and posture-rollup producer architecture (closes CWPP-R2.x cluster partial-dup)
CAASM-R2.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Compliance scoring against vendor-/regulator-defined baselines — CIS, NIST, FedRAMP, and DoD-equivalent baseline scoring architecture
CAASM-R2.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Drift detection at cloud-resource configuration level — posture-rollup layer drift detection (closes K8S-R5.x partial-dup; extends CWPP-R2.2 posture-rollup perspective)
CAASM-R2.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Exception/exemption handling for posture-finding bypass — governed deviation process for approved CSPM-finding suppression (NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4; 3rd exception-authority instance)
CAASM-R2.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Configuration-finding routing to ticketing/SOAR — downstream dispatch of posture findings for remediation tracking
CAASM-R3.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Exposure scoring algorithm — quantitative attack-surface risk scoring across asset inventory (NIST-80053 § RA-3 reuse-from-CAASM-R3.4)
CAASM-R3.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Vulnerability and configuration-finding correlation against asset-inventory model
CAASM-R3.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
External-attack-surface tracking — internet-exposed assets and per-CSP API-driven public-resource discovery
CAASM-R3.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Prioritization weighting per asset criticality — risk-adjusted attack-surface scoring consuming R1.4 criticality tagging
CAASM-R3.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Attack-path / attack-graph analysis — multi-asset relationship traversal for exposure-path identification
CAASM-R4.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Asset-criticality scoring — mission and business value classification for attack-surface prioritization
CAASM-R4.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Data-classification labeling — asset-level classification labels within the SSOT inventory (NIST-80053 § AC-16 reuse-from-NETDLP-R3.5; forward-pointer: partial-dup with NetDLP/HostDLP at classification-taxonomy layer) (intentional-open: forward-pointer to NetDLP/HostDLP classification-enforcement planted at CAASM-R4.2; both NetDLP and HostDLP were subsequently authored in Phase J; the enforcement-layer partial-dup was addressed at NETDLP-R3.x and HOSTDLP-R3.x; pointer is considered closed by those authoring events.)
CAASM-R4.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Ownership attribution for IR routing — per-asset owner and CSSP assignment for incident-response handoff
CAASM-R4.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
IT-service-mapping integration — asset-to-business-service linkage for business-impact-aware attack-surface management (NIST-80053 § CP-2 reuse-from-PAM-R7.2)
CAASM-R4.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Supply-chain-asset-attribution — contracted-vendor and SAM-compliance tracking for supply-chain-sourced hardware and software in the SSOT inventory
CAASM-R5.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
VulnMgmt feed integration (consumer-side — CAASM ingestion of vulnerability scan findings into attack-surface inventory model)
CAASM-R5.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
CWPP feed integration (consumer-side — closes CWPP-R5.2 partial-dup; CAASM posture rollup of workload-runtime configuration findings)
CAASM-R5.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
K8s cluster-config-drift feed integration (consumer-side — closes K8S-R5.x partial-dups; CAASM posture rollup of K8S cluster-configuration evaluation findings)
CAASM-R5.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Runtime-finding correlation across VulnMgmt + CWPP + K8S feeds — multi-source posture correlation at the CAASM layer
CAASM-R5.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Configuration-finding routing to ticketing/SOAR — downstream consumer-feed for CAASM-aggregated configuration and vulnerability posture findings
CAASM-R6.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Asset-inventory and attack-surface scoring feed — CAASM SSOT model emits posture-rollup as a continuous producer-side feed (ZT-RA § 9.6 Capability 2.2.1 fifth-use)
CAASM-R6.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Feed schema and content — CAASM SSOT posture-rollup export schema and per-record field taxonomy
CAASM-R6.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Feed-consumer integration — SIEM and C2C posture-aggregation consumers integrate CAASM posture-rollup feed (C2C 5th-instance C2C-boundary partial-duplication awaiting C2C authoring)
CAASM-R6.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Posture-staleness handling — CAASM SSOT posture-rollup TTL design and expired-findings disposition
CAASM-R6.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Feed-publishing audit trail — CAASM posture-rollup publication events captured and retained in a tamper-resistant audit trail
CAASM-R7.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Per-CSP CAASM platform inventory — system component inventory for CAASM discovery-service and CSPM-scanner components across CSP enclaves
CAASM-R7.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
On-prem-CMDB-to-cloud-CAASM normalization architectural decision — bridging the partial-transform on-prem CMDB schema to the cloud CAASM platform's asset-data model (NIST-80053 § CM-8 reuse-from-CAASM-R1.5; on-prem-to-cloud schema bridging scope)
CAASM-R7.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
CAASM management-plane availability and fail-mode — contingency-plan obligations for CAASM platform infrastructure unavailability and asset-inventory currency during outage
CAASM-R7.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
CAASM management-plane network reachability — management channel between per-CSP CAASM discovery components and the central CAASM platform authority across hybrid network paths
CAASM-R7.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Cross-CSP CAASM synchronization architectural decision — posture-data synchronization, asset-discovery state replication, and per-CSP-enclave CAASM governance model across CSP enclaves (NIST-80053 § CM-8(2) FIRST-primary)
CAASM-R8.1 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
CAASM platform admin training (asset-discovery platform administration — CMDB-extension configuration, per-CSP discovery API integration management, and asset-attribution pipeline administration)
CAASM-R8.2 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
CAASM tooling familiarization training (cloud-configuration-posture-management tooling operation, asset-attribution platform UI/API proficiency, and CSPM-absorbed posture-evaluation tooling)
CAASM-R8.3 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
IR playbook training for asset-attribution incidents and cross-pillar CAASM coordination (asset-inventory-gap IR, attribution-conflict resolution escalation, CMDB-extension-feed-compromise, and attack-surface-data quality incidents)
CAASM-R8.4 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Cross-pillar IR coordination training for CAASM-related incidents (joint IR workflows with CWPP, K8S, EDR, MDM, NAC, VulnMgmt, and SIEM teams for asset-discovery-impact incidents and posture-gap response)
CAASM-R8.5 · Cyber Asset Attack Surface Management (CAASM, with CSPM absorbed) · P3
Continuous-improvement training loop for hybrid CAASM operations (post-incident lessons-learned integration, new-CSP-CAASM-feature uplift, AT-3(b)/(c) curriculum updates, and training audit for CAASM operational readiness)
VULNMGMT-R1.1 · Vulnerability Management · P3
Scan-target enumeration from CAASM SSOT — vulnerability scanner authoritative target list anchored to asset inventory
VULNMGMT-R1.2 · Vulnerability Management · P3
Agent deployment scope on-prem and cloud — host-based scanner agent coverage decision across asset classes
VULNMGMT-R1.3 · Vulnerability Management · P3
Agentless cloud-VM scanning architecture — CSP-native vulnerability assessment service consumption for workloads where agent deployment is infeasible
VULNMGMT-R1.4 · Vulnerability Management · P3
Scan-cadence policy and ephemeral-asset reconciliation — scheduled vs. event-driven scan triggering architectural decision (NIST-80053 § RA-5 reuse-from-VULNMGMT-R1.2 at scan-cadence-policy / ephemeral-asset-reconciliation-architecture scope)
VULNMGMT-R1.5 · Vulnerability Management · P3
Scanner-credential handling — authenticated-scan service-account PAM vault integration and JIT issuance
VULNMGMT-R2.1 · Vulnerability Management · P3
CVE database currency and scan-engine versioning — vulnerability database update cadence and scan-engine plugin version management
VULNMGMT-R2.2 · Vulnerability Management · P3
Scan-coverage breadth — OS, application, container-image, network-device, and cloud-config vulnerability coverage architecture
VULNMGMT-R2.3 · Vulnerability Management · P3
Authenticated vs. unauthenticated scanning strategy — depth tradeoff architecture and credential integration with scanner service accounts
VULNMGMT-R2.4 · Vulnerability Management · P3
Plugin/check architecture — modular vulnerability check repository design, SCAP/OVAL standards adoption, and check-content governance (NIST-80053 § RA-5(b) first-primary project-wide at SCAP/OVAL interoperability-standards implementation scope)
VULNMGMT-R2.5 · Vulnerability Management · P3
Container image vulnerability scanning at registry build/pull time — producer-side scope and output routing to CAASM/SIEM/C2C (closes K8S-R1.1 partial-dup producer-side)
VULNMGMT-R3.1 · Vulnerability Management · P3
CVSS-based severity classification — CVSS base, temporal, and environmental scoring for vulnerability findings
VULNMGMT-R3.2 · Vulnerability Management · P3
EPSS integration — exploit prediction scoring supplement to CVSS base for probabilistic active-exploitation prioritization
AD
VULNMGMT-R3.3 · Vulnerability Management · P3
Asset-criticality weighting — CAASM-R1.4 asset-classification tags applied to vulnerability finding priority scoring
VULNMGMT-R3.4 · Vulnerability Management · P3
Threat-intel-driven prioritization — TIP feed consumption elevating findings with active-exploitation-in-wild context
VULNMGMT-R3.5 · Vulnerability Management · P3
CAASM-R3.2 forward-pointer producer-side closure — vulnerability-finding correlation against asset-inventory model before export to CAASM consumer
VULNMGMT-R4.1 · Vulnerability Management · P3
Ticketing and SOAR integration — finding-to-ticket lifecycle and automated response actions
VULNMGMT-R4.2 · Vulnerability Management · P3
SLA enforcement — remediation timeframes by severity and cloud-side SRG obligations
VULNMGMT-R4.3 · Vulnerability Management · P3
Exception and exemption authority — risk-acceptance for remediation-SLA exceptions with documented compensating controls (NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4; 4th exception-authority instance at vulnerability-remediation-SLA exception scope)
VULNMGMT-R4.4 · Vulnerability Management · P3
Closure verification scanning — rescan after patch to confirm remediation effectiveness
VULNMGMT-R4.5 · Vulnerability Management · P3
False-positive handling — finding-disposition workflow and baseline establishment
VULNMGMT-R5.1 · Vulnerability Management · P3
CAASM feed integration producer-side — VulnMgmt scan-finding export to CAASM for asset-correlated attack-surface input (closes CAASM-R5.1 forward-pointer)
VULNMGMT-R5.2 · Vulnerability Management · P3
Finding-export schema design — interoperability standards adoption for CVE-ID, asset-ID, severity fields, and lifecycle-status in exported findings
VULNMGMT-R5.3 · Vulnerability Management · P3
Deduplication-key design — finding-deduplication across scan runs to prevent alert fatigue; primary-key composition (CVE + asset + plugin-version)
AD
VULNMGMT-R5.4 · Vulnerability Management · P3
CWPP feed integration producer-side — VulnMgmt broader-scope findings feeding CWPP workload-runtime context-enrichment (closes CWPP-R5.1 + R5.2 forward-pointers)
VULNMGMT-R5.5 · Vulnerability Management · P3
Retention policy and audit trail — scan-output retention windows and feed-publishing event audit trail
VULNMGMT-R6.1 · Vulnerability Management · P3
Vulnerability-finding publishing for cross-pillar consumers — VulnMgmt scanner emits a continuous producer-side finding feed to SIEM, CAASM, and C2C (ZT-RA § 9.6 Capability 2.2.1 sixth-use)
VULNMGMT-R6.2 · Vulnerability Management · P3
Aggregate vulnerability metrics publishing — vulnerability-density, exposure-trend, and remediation-velocity dashboards (NIST-80053 § RA-5(6) first-project-primary)
VULNMGMT-R6.3 · Vulnerability Management · P3
C2C-boundary backlog — VulnMgmt posture publishing partial-duplicates with C2C orchestration scope; forward-pointer to C2C P5/7 (6th instance; DOD-CYBER C2C Step 2 sixth-use) (intentional-open: forward-pointer to C2C P5/7 planted at VULNMGMT-R6.3; C2C was subsequently authored at Phase J5; VulnMgmt-to-C2C posture integration is addressed at C2C-R6.3 orchestration-completion ratification; pointer is considered closed by C2C authoring.)
VULNMGMT-R6.4 · Vulnerability Management · P3
Posture-staleness handling — last-scan-time threshold architecture and staleness signaling to downstream consumers (NIST-80053 § CA-7 reuse-from-EDR-R5.3 at per-asset-class monitoring-frequency / scan-finding-staleness-threshold scope)
VULNMGMT-R6.5 · Vulnerability Management · P3
Feed-publishing audit trail — log-and-retention for VulnMgmt finding-publication events
VULNMGMT-R7.1 · Vulnerability Management · P3
Per-CSP VulnMgmt platform inventory — system component inventory for VulnMgmt scanner components, agent deployments, and scan-output pipeline components across CSP enclaves
VULNMGMT-R7.2 · Vulnerability Management · P3
On-prem-scanner-to-cloud-vulnerability-service finding-normalization — architectural decision for bridging on-prem scanner CVE finding schema to per-CSP native vulnerability assessment service output format (NIST-80053 § RA-5(b) reuse-from-VULNMGMT-R2.4 at cross-platform finding-schema interoperability / normalization-architecture scope)
VULNMGMT-R7.3 · Vulnerability Management · P3
VulnMgmt management-plane availability and fail-mode — contingency-plan obligations for VulnMgmt scan-management platform unavailability and scan-finding currency during outage
VULNMGMT-R7.4 · Vulnerability Management · P3
VulnMgmt management-plane network reachability — management channel between per-CSP scanner components and the centralized VulnMgmt scan-management authority across hybrid network paths
VULNMGMT-R7.5 · Vulnerability Management · P3
Cross-CSP VulnMgmt synchronization architectural decision — scan-task orchestration state and scan-finding synchronization model across CSP enclaves (NIST-80053 § CA-7 reuse-from-EDR-R5.3 at cross-CSP continuous-monitoring-strategy / scan-finding-synchronization scope)
VULNMGMT-R8.1 · Vulnerability Management · P3
VulnMgmt operator training program — scanner-engineer and vuln-analyst training curriculum for hybrid-cloud vulnerability management operations
VULNMGMT-R8.2 · Vulnerability Management · P3
VulnMgmt tooling familiarization — scanner-platform admin training and CVE database curation training for hybrid-cloud deployment
VULNMGMT-R8.3 · Vulnerability Management · P3
Vulnerability-finding triage training — finding interpretation, false-positive identification, severity-context training, and vulnerability-exploitation-incident IR playbook coverage
VULNMGMT-R8.4 · Vulnerability Management · P3
Cross-pillar IR coordination training for VulnMgmt-related incidents — joint IR workflows with SIEM, EDR, CWPP, K8S, and CAASM teams for vulnerability-exploitation-incident response and VulnMgmt-platform outage coordination
VULNMGMT-R8.5 · Vulnerability Management · P3
VulnMgmt training audit and lifecycle — training-completion tracking, periodic re-certification, and continuous-improvement loop for VulnMgmt operations readiness
WAF-R1.1 · Web Application Firewall (absorbs API Security Gateway) · P3
On-prem reverse-proxy WAF deployment topology — DMZ positioning, centralized policy manager + distributed enforcement nodes, OWASP-class rule-set baseline, backend re-encryption pattern
WAF-R1.2 · Web Application Firewall (absorbs API Security Gateway) · P3
Per-CSP-native WAF service consumption + cloud-distributed WAF with edge presence — deployment topology for cloud-published applications
WAF-R1.3 · Web Application Firewall (absorbs API Security Gateway) · P3
TLS-termination-vs-passthrough mode selection — trust-anchor 8th-instance; PKI cert-provisioning architecture for WAF TLS inspection
WAF-R1.4 · Web Application Firewall (absorbs API Security Gateway) · P3
CDN-integrated WAF deployment + traffic-flow architecture per published-app class — private/internal vs. public-facing; throughput and latency considerations
WAF-R1.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Deployment-mode selection per published-application risk profile — risk-tiering policy authority for on-prem WAF vs. CSP-native WAF vs. cloud-distributed WAF per app (NIST-80053 § RA-2 first-primary)
WAF-R2.1 · Web Application Firewall (absorbs API Security Gateway) · P3
OWASP-class rule-set baseline coverage — OWASP CRS-class engine pattern, OWASP Top 10 coverage, web-payload signature inspection
WAF-R2.2 · Web Application Firewall (absorbs API Security Gateway) · P3
Anomaly-based detection coverage breadth — non-signature behavioral attack detection beyond OWASP rule-set signature matching
WAF-R2.3 · Web Application Firewall (absorbs API Security Gateway) · P3
API-shape policy + schema validation — API-security-gateway-absorption surface; OpenAPI schema enforcement, JSON Schema validation, parameter typing, OWASP API Top 10 coverage
WAF-R2.4 · Web Application Firewall (absorbs API Security Gateway) · P3
API-specific rate limiting + abuse prevention — absorbed API security gateway-absorption surface; per-API-endpoint rate limiting, per-client request quotas, sliding-window enforcement, abuse-pattern detection
AD
WAF-R2.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Rule-set versioning + currency — rule-set update cadence, community-feed and vendor-rule-feed integration, virtual-patching readiness for newly-disclosed CVEs
WAF-R3.1 · Web Application Firewall (absorbs API Security Gateway) · P3
Policy baseline consistency across on-prem WAF + per-CSP-native WAF instances — common OWASP-CRS-class rule-set baseline maintained across all WAF instances with centralized policy authority
WAF-R3.2 · Web Application Firewall (absorbs API Security Gateway) · P3
Per-instance tuning policy — local rule tuning at each WAF instance for application-specific false-positive remediation with governance boundaries
WAF-R3.3 · Web Application Firewall (absorbs API Security Gateway) · P3
Drift-detection workflow — automated detection of rule-set drift between WAF instances; alert and reconciliation process
WAF-R3.4 · Web Application Firewall (absorbs API Security Gateway) · P3
Change-control + audit trail for rule-set updates — change management process for OWASP-CRS-class baseline updates; per-instance tuning approval workflow; audit log of rule changes
WAF-R3.5 · Web Application Firewall (absorbs API Security Gateway) · P3
On-prem-master-vs-per-instance-tuned architectural decision — COA-discriminating policy authority model for WAF rule-set governance across hybrid surface
AD
WAF-R4.1 · Web Application Firewall (absorbs API Security Gateway) · P3
Block-mode vs. log-only-mode selection per rule — initial deployment in log-only, promotion to block after FP analysis (NIST-80053 § SI-4 reuse-from-SIEM)
WAF-R4.2 · Web Application Firewall (absorbs API Security Gateway) · P3
False-positive remediation cadence — FP triage workflow, tuning iteration cycle, and FP-rate reporting metrics per rule (NIST-80053 § CA-7 reuse-from-EDR-R5.3)
WAF-R4.3 · Web Application Firewall (absorbs API Security Gateway) · P3
Virtual-patching-rule-deployment authority during incident response — SOAR-orchestrated rapid rule push for newly-disclosed CVEs against unpatched backend applications
WAF-R4.4 · Web Application Firewall (absorbs API Security Gateway) · P3
Exception/exemption authority — applications or rule classes where blocking is suspended for legacy-app-incompatible rules (NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4 fifth-instance)
WAF-R4.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Closure-verification workflow — verify FP remediation effective and virtual-patching rule blocks target attack pattern
WAF-R5.1 · Web Application Firewall (absorbs API Security Gateway) · P3
Inspection-event log schema — per-event WAF log record format; structured logging schema per WAF capability class including API gateway inspection events
WAF-R5.2 · Web Application Firewall (absorbs API Security Gateway) · P3
Deduplication-key design — deduplicate inspection events across distributed WAF nodes (CDN-edge, per-CSP-native, on-prem appliance); event-correlation-key strategy for downstream consumers (NIST-80053 § AU-12(1) first-primary)
WAF-R5.3 · Web Application Firewall (absorbs API Security Gateway) · P3
Integration to SIEM (Row 1) — WAF inspection-event stream to SIEM for correlation, alerting, and detection of web-application attack patterns
WAF-R5.4 · Web Application Firewall (absorbs API Security Gateway) · P3
Integration to SOAR (Row 24) + Forensic/IR (Row 28) — WAF alert events to SOAR for automated block-rule push and investigation context to ForIR for post-incident HTTP/S-layer reconstruction
WAF-R5.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Retention policy + audit trail — WAF inspection-event log retention duration, immutability requirements, and feed-publishing audit trail; OMB M-21-31 federal retention floor
WAF-R6.1 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF posture feed publishing — rule-set currency, TLS-inspection-coverage, signing-cert validity, and block-rate metrics published for cross-pillar consumers (ZT-RA Pillar 7 + Capability 2.2.1 seventh-use)
WAF-R6.2 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF posture-staleness handling — degraded-mode policy for cross-pillar consumers when WAF posture stream is stale or unavailable (NIST-80053 § SI-17 reuse-from-CWPP-R6.4)
WAF-R6.4 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF posture feed-publishing audit trail — audit log of posture-feed-publishing events; cross-cite to R5 inspection-event logging (AU-12 reuse from R5)
WAF-R6.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Cross-pillar consumer integration — SIEM and CAASM consume WAF posture feed for detection enrichment and attack-surface analysis (ZT-RA Pillar 7 reuse) (intentional-open: "CAASM-R3.2 and R5.1 forward-pointers from prior capabilities anticipated this" refers to CAASM's outbound forward-pointers to WAF producer integration; CAASM was authored before WAF; this WAF-R6.5 sub-element IS the producer-side closure of those CAASM-planted forward-pointers, not an open forward-pointer itself.)
WAF-R7.1 · Web Application Firewall (absorbs API Security Gateway) · P3
Per-CSP WAF instance inventory — system component inventory for WAF enforcement nodes, API-gateway service instances, and policy-manager components across the hybrid surface
WAF-R7.2 · Web Application Firewall (absorbs API Security Gateway) · P3
On-prem-WAF-to-cloud-native-WAF rule-set normalization — architectural decision for translating on-prem WAF rule format to per-CSP-native WAF rule format across the hybrid inspection surface
AD
WAF-R7.3 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF management-plane availability and fail-mode — contingency-plan obligations for WAF policy-manager unavailability and enforcement-plane posture during outage
WAF-R7.4 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF management-plane network reachability — secure remote access to WAF management interfaces across CSPs and the on-prem-to-cloud management channel architecture
WAF-R7.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Cross-CSP WAF synchronization architectural decision — rule-set synchronization cadence and conflict-resolution policy when on-prem and per-CSP WAF rule sets diverge
AD
WAF-R8.1 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF tooling familiarization training — admin training on WAF rule-set authoring, tuning, deployment workflows; per-CSP-native WAF service training
WAF-R8.2 · Web Application Firewall (absorbs API Security Gateway) · P3
WAF IR playbook coverage — IR playbooks for web-app-attack incidents (SQL injection, XSS, RCE, API abuse); virtual-patching workflow training
WAF-R8.3 · Web Application Firewall (absorbs API Security Gateway) · P3
OWASP-class rule-set authoring training — admins authoring custom rules atop OWASP CRS-class baseline; signature/anomaly rule design
WAF-R8.4 · Web Application Firewall (absorbs API Security Gateway) · P3
Cross-pillar coordination training — coordination with VulnMgmt (DAST findings → virtual patching), SIEM (inspection event correlation), SOAR (automated rule push), PKI (TLS cert lifecycle)
WAF-R8.5 · Web Application Firewall (absorbs API Security Gateway) · P3
Training audit and currency tracking — annual training requirement; certification currency tracking; gap remediation
MALWARELAB-R1.1 · Malware Analysis Lab · P3
On-prem segregated-detonation-enclave deployment topology — DMZ-class isolation, sandbox-host network segregation, and NIST SC-44 detonation-chambers baseline architecture
MALWARELAB-R1.2 · Malware Analysis Lab · P3
Per-CSP-native sandbox/detonation service consumption — cloud-detonation enclave deployment and IL-class-aware boundary discipline
MALWARELAB-R1.3 · Malware Analysis Lab · P3
Dedicated-cloud detonation environments + government-cloud detonation environments per IL class — IL5/IL6 sample-class routing and cloud-detonation environment class selection
AD
MALWARELAB-R1.4 · Malware Analysis Lab · P3
Hypervisor-introspection-vs-guest-agent-instrumented engine selection — sandbox isolation enforcement and process-isolation discipline per NIST SC-39
MALWARELAB-R1.5 · Malware Analysis Lab · P3
Cloud-detonation-environment-class selection per sample classification — recurring-AD pattern; classification-handling architectural choice for multi-tenant vs. dedicated vs. government-cloud detonation routing
AD
MALWARELAB-R2.1 · Malware Analysis Lab · P3
Sample intake hash recording + chain-of-custody initialization — media marking at sample entry point, intake hash computation, and chain-of-custody record initialization per NIST-80053 § MP-3
MALWARELAB-R2.2 · Malware Analysis Lab · P3
Sample storage encryption-at-rest — sample file storage protection, key management architecture, and CSP-native vs. on-prem-HSM key governance cross-cite to Secrets/key mgmt (Row 22)
MALWARELAB-R2.3 · Malware Analysis Lab · P3
Sample integrity re-verification through analysis lifecycle — hash re-computation at lifecycle gates, integrity-check automation, and PKI-signed hash attestation as forward-looking design option
MALWARELAB-R2.4 · Malware Analysis Lab · P3
Sample transit + custody chain across acquisition→detonation→analysis-output sub-flow — media transport controls and custodian designation per NIST-80053 § MP-5 and § MP-5(3)
MALWARELAB-R2.5 · Malware Analysis Lab · P3
Trust-anchor 9th-instance evaluation point — sample-integrity-hash-signing at PKI Row 23 cross-cite scope; honest disposition: NOT ACHIEVED
MALWARELAB-R3.1 · Malware Analysis Lab · P3
Sample-sovereignty governance — on-prem-retained-only vs. cloud-permitted-by-IL-class; information-flow enforcement for detonation-artifact data-residency
MALWARELAB-R3.2 · Malware Analysis Lab · P3
Classification-handling routing per sample-class — IL5/IL6 sample-class cross-IL transit governance; routing policy architecture for cross-classification sample transit
AD
MALWARELAB-R3.3 · Malware Analysis Lab · P3
Sample-class inventory across on-prem + cloud detonation environments — classification-aware sample tracking; DOD-CRA § 3.1 evaluation point
MALWARELAB-R3.4 · Malware Analysis Lab · P3
Vendor-cloud-isolation tier selection — multi-tenant cloud detonation vs. dedicated/government-cloud detonation vs. on-prem-retained detonation for higher-classification samples; per parent spec §8.4 defensive-narrative treatment
AD
MALWARELAB-R3.5 · Malware Analysis Lab · P3
Sovereignty + classification + isolation tradeoff governance synthesis — three-tradeoff methodology surface; integrated COA governance model for MalwareLab hybrid deployment
AD
MALWARELAB-R4.1 · Malware Analysis Lab · P3
Sample-submission authority model — analyst-direct vs. tier-mediated submission workflow (CM-6(c) reuse-from-CWPP-R2.4 at detonation-queue-submission deviation-approval scope)
MALWARELAB-R4.2 · Malware Analysis Lab · P3
Detonation-as-IR-action invocation authority — SOAR-orchestrated detonation as IR containment action (§ IR-4 REUSE; first-primary was WAF-R4.3)
MALWARELAB-R4.3 · Malware Analysis Lab · P3
Malware-analysis-incident playbook coverage — § IR-4(12) Malicious Code and Forensic Analysis FRESH FIRST-PRIMARY at MalwareLab
MALWARELAB-R4.4 · Malware Analysis Lab · P3
Cross-pillar IR coordination — sample-as-IR-input handoff and sample-handoff-back between MalwareLab and Forensic/IR (§ IR-4(11) primary)
MALWARELAB-R4.5 · Malware Analysis Lab · P3
Submission rate limiting + queue management — organizational design choice for detonation queue governance and analyst-submission throttling
AD
MALWARELAB-R5.1 · Malware Analysis Lab · P3
Per-detonation analysis-event audit + log schema — structured audit record for each detonation event; AU-12 audit-record-generation reuse at MalwareLab analysis-event scope
MALWARELAB-R5.2 · Malware Analysis Lab · P3
IOC publishing schema + downstream TIP feed integration — detonation-produced IOC structured format and TIP (Row 25) ingest path
AD
MALWARELAB-R5.3 · Malware Analysis Lab · P3
Analysis-event log routing across hybrid surface to SIEM (Row 1) + SOAR (Row 24) + Forensic/IR (Row 28) — DE.CM-1 reuse at analysis-event-stream scope
MALWARELAB-R5.4Malware Analysis Lab · P3
DE.CM-4 re-evaluation at MalwareLab analysis-output scope — NON-SURFACE confirmed; SI-3(10) Malicious Code Analysis primary; same-subcategory-two-contexts methodology note
MALWARELAB-R5.5Malware Analysis Lab · P3
Detonation-output retention policy — sample-plus-artifact vs. analysis-output-only retention; OMB M-21-31 retention floor; AU-11 cross-cite
AD
MALWARELAB-R6.1Malware Analysis Lab · P3
MalwareLab posture feed publishing — detonation-environment availability, queue depth, analysis throughput, and sample-class coverage by IL published for cross-pillar consumers (ZT-RA Pillar 7 + Capability 2.2.1 eighth-use)
MALWARELAB-R6.2Malware Analysis Lab · P3
MalwareLab posture-staleness handling — degraded-mode policy for cross-pillar consumers when MalwareLab posture stream is stale or unavailable (SI-17 reuse-from-CWPP-R6.4 at posture-staleness fail-safe-procedure scope)
MALWARELAB-R6.4Malware Analysis Lab · P3
Cross-pillar posture consumer integration — Forensic/IR, SIEM, and SOAR consume MalwareLab posture feed for triage routing, detection enrichment, and orchestration awareness (ZT-RA Pillar 7 reuse)
MALWARELAB-R6.5Malware Analysis Lab · P3
MalwareLab posture-publishing audit trail — audit log of posture-feed-publishing events; retention governance (AU-12 reuse from R5); ANALYST-DERIVED retention policy
MALWARELAB-R7.1Malware Analysis Lab · P3
Per-CSP detonation-environment inventory — system component inventory for sandbox-host worker nodes, per-CSP detonation service instances, and sample-management-console components across the hybrid surface
MALWARELAB-R7.2Malware Analysis Lab · P3
On-prem-detonation-to-cloud-native-detonation analysis-output normalization — architectural decision for schema-translation and behavioral-log normalization across on-prem and per-CSP detonation environments (CM-3 reuse-from-WAF-R3.3 at analysis-output-normalization schema-change deployment-authority scope)
MALWARELAB-R7.3Malware Analysis Lab · P3
Management-plane availability + fail-mode — contingency-plan obligations for sample-management-console unavailability and detonation-capacity during outage
MALWARELAB-R7.4Malware Analysis Lab · P3
Management-plane network reachability across hybrid + cross-CSP boundary — secure remote access to detonation service management interfaces and sample-submission orchestration channel architecture
MALWARELAB-R7.5Malware Analysis Lab · P3
Cross-CSP synchronization architectural decision — detonation-rule-set and behavioral-signature synchronization across on-prem enclave and per-CSP detonation environments
AD
MALWARELAB-R8.1Malware Analysis Lab · P3
SOC/IR/admin training program for MalwareLab operations — sandbox-engine-class operation, sample-submission workflow, detonation-environment administration
MALWARELAB-R8.2Malware Analysis Lab · P3
Dynamic-analysis-tooling familiarization — sandbox-engine-class operation, IOC-extraction workflow, behavioral-signature interpretation
MALWARELAB-R8.3Malware Analysis Lab · P3
Malware-analysis-incident IR playbook training — cross-cite to R4 IR-playbook coverage; § IR-2 (Incident Response Training) cross-cite
MALWARELAB-R8.4Malware Analysis Lab · P3
Cross-pillar coordination training — Forensic/IR handoff, SIEM analyst-pivot, SOAR playbook handoff
MALWARELAB-R8.5Malware Analysis Lab · P3
Training audit + readiness verification — annual training requirement; certification currency tracking; gap remediation
PKI-R1.1Public Key Infrastructure · P1
Root-CA-hierarchy authority placement — on-prem-anchored-vs-cloud-hosted root-CA, trust-anchor mastership, and NIST SC-17 PKI-certificates baseline architecture (9th trust-anchor instance)
PKI-R1.2Public Key Infrastructure · P1
Subordinate CA hierarchy + cert-issuance topology — chain depth, TLS-interception sub-CA distinct trust boundary, and per-consumer-class issuance partitioning
PKI-R1.3Public Key Infrastructure · P1
Cross-CA-trust paths between on-prem root and cloud subordinate — trust-chain consistency, AD trust-anchor distribution, and SCCA cross-enclave trust governance
PKI-R1.4Public Key Infrastructure · P1
HSM-backed key custody — FIPS 140-3 / 140-2 boundary, on-prem HSM vs. cloud HSM service consumption, and CA private-key protection for root and subordinate CAs
PKI-R1.5Public Key Infrastructure · P1
CA-software protection + integrity attestation — CA-hosting-platform hardening, software integrity attestation, and configuration baseline for on-prem and cloud CA deployments
PKI-R2.1Public Key Infrastructure · P1
Cert-issuance authority — manual RA approval workflow + automated enrollment paths, IA-5(2) PKI-Based Authentication architecture, and cert-policy authority governance
PKI-R2.2Public Key Infrastructure · P1
Renewal / re-enrollment automation — cert-expiry-driven renewal triggers, automated re-enrollment workflows, and hybrid-environment renewal consistency
PKI-R2.3Public Key Infrastructure · P1
Revocation + CRL/OCSP authority — canonical revocation-publishing authority, OCSP responder architecture, and CRL distribution point governance
PKI-R2.4Public Key Infrastructure · P1
Cert-template policy governance — per-consumer-class template structure, key usage extension assignment, template approval authority, and recurring exception/exemption authority pattern (NIST-80053 § CM-6 reuse-from-EDR-R5.1)
PKI-R2.5Public Key Infrastructure · P1
Enrollment-protocol selection — SCEP / EST / CMP / ACME (capability-class), per-consumer-class protocol normalization, and CSP-side protocol compatibility
AD
PKI-R3.1Public Key Infrastructure · P1
User identity binding — smartcard / PIV / CAC cert-to-user-identity binding; IA-2 primary; cross-cite PAM Row 16
PKI-R3.2Public Key Infrastructure · P1
Device identity binding — MDM-issued certs via SCEP/EST; NAC-consumed device certs; IA-3 primary
PKI-R3.3Public Key Infrastructure · P1
Workload identity binding — cloud workload identity / SPIFFE-class / per-CSP workload identity certs; IA-3 cross-cite; SC-12 cross-cite for key custody
PKI-R3.4Public Key Infrastructure · P1
Service identity binding — mTLS service-to-service auth; cross-CSP service identity; TLS edge cert; cross-cite SWG/proxy Row 16 TLS-interception sub-CA; cross-cite WAF Row 18 inbound-edge TLS termination
PKI-R3.5Public Key Infrastructure · P1
Identity-attribute-to-certificate-extension mapping — subject alternative names, policy OIDs, EKU assertions, organizational attribute embedding (NIST-80053 § IA-5(2) reuse-from-PKI-R2.1)
PKI-R4.1Public Key Infrastructure · P1
Federation trust between on-prem CA and cloud CSP CA hierarchies — cross-cert path authority, bridge-CA vs. dual-root trust-store model, and SCCA cross-enclave trust-relationship governance (10th trust-anchor instance)
PKI-R4.2Public Key Infrastructure · P1
Cross-organization PKI trust — DoD external partner cross-cert, DoD PKI bridge CA reliance, and interoperability with external CA hierarchies
PKI-R4.3Public Key Infrastructure · P1
External (public) CA reliance for cloud-published services — internet-facing cloud service cert governance, public CA approval criteria, and DoD-internal CA non-extension policy (NIST-80053 § SC-17 reuse-from-PKI-R1.1)
PKI-R4.4Public Key Infrastructure · P1
PKI policy synchronization between hybrid environments — certificate policy distribution, policy versioning, and on-prem-to-cloud policy consistency (NIST-80053 § CM-6 reuse-from-EDR-R5.1)
PKI-R4.5Public Key Infrastructure · P1
Trust-relationship governance + exception authority — cross-CA trust exception authority, time-limited trust grants, and organizational authority chain for cross-cert decisions (7th project-wide / first User-pillar exception/exemption-authority pattern instance; NIST-80053 § CM-6(c) reuse-from-CWPP-R2.4)
PKI-R5.1Public Key Infrastructure · P1
Cert inventory publishing — cert-as-asset-class feed to CAASM Row 7; DOD-CRA § 3.1 second-primary-use (extending CAASM-R1.1 lineage); CM-8 substitution for ID.AM-3
PKI-R5.2Public Key Infrastructure · P1
Cert-lifecycle-event publishing — issuance, renewal, revocation, expiration warnings; DE.AE-3 first primary at cert-lifecycle-event-publishing scope
PKI-R5.3Public Key Infrastructure · P1
Cert-discovery — rogue / unauthorized cert detection; DE.CM-3 first primary at PKI-admin-activity-monitoring and unauthorized-cert-issuance-monitoring scope
PKI-R5.4Public Key Infrastructure · P1
Integration to SIEM (Row 1) + SOAR (Row 24) + TIP (Row 25) + Forensic/IR (Row 28) for cert-incident-response context
PKI-R5.5Public Key Infrastructure · P1
Audit trail per cert-lifecycle event — AU-10 non-repudiation first primary at cert-lifecycle audit scope; AU-12 cross-cite
PKI-R6.1Public Key Infrastructure · P1
PKI posture feed publishing — CA availability, queue depth, cert-issuance throughput, expiring-cert backlog, and cert-coverage by consumer class published for cross-pillar consumers (ZT-RA Pillar 7 + Capability 2.2.1 ninth-use)
PKI-R6.2Public Key Infrastructure · P1
Cross-pillar cert consumer mapping — mapping which capabilities consume which cert types (IdP/PAM smartcard, MDM/NAC device, CWPP/K8S workload identity, WAF/SWG TLS) and publishing cert-coverage state per consumer class
PKI-R6.4Public Key Infrastructure · P1
Posture-staleness handling — cert-issuance-velocity vs. CA-availability staleness threshold and degraded-mode policy for cross-pillar consumers when PKI posture stream is stale or unavailable (NIST-80053 § SI-17 reuse-from-CWPP-R6.4)
PKI-R6.5Public Key Infrastructure · P1
Cert-shortage / expiration impact-radius rollup — which consumer classes are at-risk when CA is unavailable or cert-issuance backlog grows; cross-pillar consumer-class exposure summary
PKI-R7.1Public Key Infrastructure · P1
Per-CSP cert service inventory — cross-CSP cert service component registration, IL-class coverage, and cert-issuance topology completeness across the hybrid surface
PKI-R7.2Public Key Infrastructure · P1
On-prem-CA-to-cloud-CA normalization — cross-CSP cert format, validity periods, key sizes, and trust-chain consistency across the hybrid PKI surface
PKI-R7.3Public Key Infrastructure · P1
Management-plane availability + fail-mode — CA management service contingency planning for the hybrid PKI management infrastructure
PKI-R7.4Public Key Infrastructure · P1
Management-plane network reachability — secure remote access to CA administration consoles and per-CSP cert-service management API channels across the hybrid surface
PKI-R7.5Public Key Infrastructure · P1
Cross-CSP synchronization architectural decision — which PKI management plane is authoritative for hybrid-PKI-policy synchronization
PKI-R8.1Public Key Infrastructure · P1
CA-administration tooling familiarity — CA-software consoles, HSM management UIs, automated-enrollment workflow consoles
PKI-R8.2Public Key Infrastructure · P1
HSM-administration training — key-ceremony procedures, HSM partition management, FIPS 140-3 boundary maintenance, key-recovery workflow
PKI-R8.3Public Key Infrastructure · P1
Cert-incident-response training — cert-compromise rotation, cross-cert revocation propagation, CRL/OCSP service incidents, cert-fingerprint-as-IOC handling
PKI-R8.4Public Key Infrastructure · P1
Cross-CA-trust-chain analysis training — cross-cert path validation, federation-trust troubleshooting, hybrid-PKI synchronization fault analysis
PKI-R8.5Public Key Infrastructure · P1
Hybrid-PKI-attack-pattern training — cert-mis-issuance, rogue-CA detection, cert-pinning bypass, certificate-transparency log monitoring
NETDLP-R1.1Network DLP · P4
Egress-traffic content-inspection topology — on-prem inline taps, cloud traffic mirroring, cross-IL boundary handling, and inspection-plane placement across COAs
NETDLP-R1.2Network DLP · P4
TLS-interception architecture — centralized inline TLSI vs. distributed gateway TLSI, TLSI-CA mastership, and decrypt-inspect-re-encrypt key custody (11th trust-anchor instance; PR.DS-2 first primary project-wide)
NETDLP-R1.3Network DLP · P4
Content-classification engine — regex/dictionary/fingerprinting/ML capability-class, classification-rule governance, and data-type coverage (CAASM-R4.2 forward-pointer close)
NETDLP-R1.4Network DLP · P4
Cert-trust distribution — TLSI-CA cert installation, cert-pinning exemption handling, and endpoint-side trust-posture monitoring
NETDLP-R1.5Network DLP · P4
On-prem-vs-cloud inspection-plane placement governance — tier-shift decision, inspection-policy ownership, and cross-IL inspection-plane authority (AD candidate; first-cap-of-new-pillar tier-shift scope)
AD
NETDLP-R2.1Network DLP · P4
Egress policy lifecycle — policy authoring, review, publication, enforcement activation, and review-cycle governance
NETDLP-R2.2Network DLP · P4
Content-classification policy — regex/dictionary/fingerprint/ML rule registry, rule lifecycle management, and classification-engine rule governance
NETDLP-R2.3Network DLP · P4
Egress-policy enforcement modes — block/quarantine/alert/audit-only mode selection per data classification class
NETDLP-R2.4Network DLP · P4
Policy-exception authority — recurring exception/exemption authority pattern (8th project-wide instance, first Data-pillar instance); egress-policy exemption approval workflow, exception registry, and AO-level authority for data-type exemptions (CM-6(c) reuse-from-CWPP-R2.4)
NETDLP-R2.5Network DLP · P4
Cross-on-prem-and-cloud policy inheritance — policy synchronization between on-prem inline TLSI/inspection and cloud-side CASB-API or cloud-native DLP service enforcement planes; SCCA cross-IL policy-distribution constraints
NETDLP-R3.1Network DLP · P4
Subject-data binding via classification labels — CAASM-layer-produced labels consumed by NetDLP for label-aware egress-policy enforcement; AC-4 reuse; AC-4(21) reuse; CAASM-R4.2 closure cross-confirmation
NETDLP-R3.2Network DLP · P4
Content-classification at session level — per-session TLSI-decrypted content matched against classification rules; SI-4 reuse; SI-4(4) reuse; AC-4 reuse; PR.DS-5 substitute via AC-4(21)
NETDLP-R3.3Network DLP · P4
NetDLP↔CASB lateral-layering boundary — scope-boundary annotation; forward-ref to CASB ticket [004]; TLS-INTERCEPTION TRUST-ANCHOR CANDIDATE B evaluation (Distributed gateway TLSI — per-CSP-edge-CA); CM-6 reuse-from-NETDLP-R2.1
NETDLP-R3.4Network DLP · P4
TLSI replacement-cert binding to subject session — which CA signs the replacement cert; cross-cite PKI-R1.2 + PKI-R3.4 UPSTREAM; SC-8(1) reuse; SC-13 baseline reuse; IA-3 at session-cert-binding; WAF-R3.x lateral note
NETDLP-R3.5Network DLP · P4
Identity-attribute-to-policy mapping — subject attributes driving egress policy decisions; AC-16 first-primary at subject-attribute-binding-to-egress-policy scope; organizational decision about which directory attributes govern data-handling policy per subject
NETDLP-R4.1Network DLP · P4
Cross-CSP egress-flow inspection coverage — per-CSP-native DLP service consumption, SCCA cross-CSP egress-policy governance, and cross-IL egress routing constraints (AD)
NETDLP-R4.2Network DLP · P4
Cloud-egress proxy inspection — proxy-based inspection enforcement for SWG/proxy-deployed architectures (deferred to C15)
NETDLP-R4.3Network DLP · P4
External-egress (internet-bound) policy — destination-class policy, allow-list governance, and deny-by-default internet egress enforcement
NETDLP-R4.4Network DLP · P4
NetDLP↔CASB federation architectural decision — application-plane vs. network-plane scope-boundary, TLS-interception Candidate B (Distributed gateway TLSI) and Candidate C (No-interception-relies-on-CASB) evaluation (AD)
AD
NETDLP-R4.5Network DLP · P4
Cross-CSP normalization mastership — cross-CSP DLP policy consistency authority, normalization-plane governance, and recurring exception/exemption-authority pattern extension (AD)
AD
NETDLP-R5.1Network DLP · P4
Egress-event-as-data-flow-class inventory — egress-flow inventory published to SIEM and downstream consumers; DE.AE-3 reuse from PKI-R5.2 at egress-event-publishing scope
NETDLP-R5.2Network DLP · P4
Egress-event publishing to SIEM — feed integration for egress-event ingest; DE.CM-1 first primary at egress-flow-monitoring scope
NETDLP-R5.3Network DLP · P4
Egress-event publishing to SOAR and TIP — orchestration feed for egress-incident response and IOC enrichment; AU-12 reuse + AU-10 reuse
NETDLP-R5.4Network DLP · P4
Unauthorized-egress-flow detection — unauthorized egress connection and unauthorized egress destination detection; DE.CM-7 first primary at unauthorized-egress-flow scope
NETDLP-R5.5Network DLP · P4
Chain-of-custody handoff to Forensic/IR — egress-incident artifact preservation; AU-10 non-repudiation reuse + AU-10(3) chain-of-custody primary cross-cite
NETDLP-R6.1Network DLP · P4
NetDLP posture feed publishing — coverage by egress channel (on-prem / per-CSP / internet-bound), policy-evaluation throughput, TLSI coverage rate, and policy-exception backlog published for cross-pillar consumers (ZT-RA Pillar 7 + Capability 2.2.1 tenth-use)
NETDLP-R6.2Network DLP · P4
Coverage rollup by data-classification class — coverage broken out per classification label (PII, financial, controlled technical information, etc.) published as a posture-analytics input to SIEM and CAASM
NETDLP-R6.5Network DLP · P4
Posture-staleness handling + impact-radius rollup — coverage-gap impact-radius by egress channel and classification class when NetDLP posture stream is stale or enforcement coverage degrades
NETDLP-R7.1Network DLP · P4
Per-CSP NetDLP capability inventory — cross-CSP DLP service component registration, IL-class coverage, and capability-matrix completeness across the hybrid surface
NETDLP-R7.2Network DLP · P4
Per-CSP TLS-interception-viability assessment — TLSI feasibility, gateway-load-balancer pattern availability, and coverage delta per CSP
NETDLP-R7.3Network DLP · P4
Management-plane availability + fail-mode — NetDLP management service contingency planning for the hybrid NetDLP management infrastructure
NETDLP-R7.4Network DLP · P4
Management-plane network reachability — secure remote access to DLP management consoles and per-CSP DLP service management API channels across the hybrid surface
NETDLP-R7.5Network DLP · P4
Cross-CSP policy synchronization mastership — which NetDLP management plane is authoritative for hybrid-DLP-policy synchronization (TRUST-ANCHOR CANDIDATE 4 evaluation)
NETDLP-R8.1Network DLP · P4
IA certifications + egress-policy administration tooling familiarity — DLP console operation, egress-policy authoring workflows, content-classification rule management consoles
NETDLP-R8.2Network DLP · P4
Content-classification engine training — regex/dictionary/fingerprinting/ML rule authoring, classification-rule governance, data-type coverage management
NETDLP-R8.3Network DLP · P4
TLSI-cert-management training — TLSI-CA lifecycle, cert-pinning exemption handling, TLSI-cert-rotation procedures, inspection-bypass governance
NETDLP-R8.4Network DLP · P4
Egress-incident-response training — chain-of-custody handoff to Forensic/IR, egress-flow analysis, DLP-policy-triggered-incident triage
NETDLP-R8.5Network DLP · P4
Cross-CSP-DLP-architecture training — per-CSP TLS-interception-viability awareness, cloud-native DLP service consumption, cloud-egress-cost-vs-coverage tradeoffs
HOSTDLP-R1.1Host-based DLP · P4
Endpoint data-at-rest inspection coverage and classification scope — on-prem workstations, cloud-managed VMs, mobile devices, and data-at-rest protection policy mandate
HOSTDLP-R1.2Host-based DLP · P4
Endpoint encryption-state as DLP enforcement prerequisite — full-disk encryption, file-level encryption, and cryptographic-protection execution mandate (SC-28(1) first-primary project-wide; AC-19(5) reuse-from-MDM-R5.5)
HOSTDLP-R1.3Host-based DLP · P4
Endpoint local-storage protection mastership — MP-4 base media-storage governance and MP-4(2) Automated Restricted Access (MP-4 first-primary project-wide)
HOSTDLP-R1.4Host-based DLP · P4
Endpoint classification-label consumption — CAASM-produced label binding at the endpoint enforcement plane (parallel to NETDLP-R3.1 network-plane pattern)
HOSTDLP-R1.5Host-based DLP · P4
Endpoint agent deployment-plane mastership — on-prem-managed vs. cloud-managed-endpoint agent-deployment authority and management-channel reachability governance (CM-3 reuse-from-WAF-R3.3 at hybrid-endpoint agent deployment-plane governance scope)
HOSTDLP-R2.1Host-based DLP · P4
Endpoint policy lifecycle — policy authoring, distribution, version-management, and review-cycle governance
HOSTDLP-R2.2Host-based DLP · P4
Content-classification rule registry — dictionary/regex/fingerprint/ML rule management, rule lifecycle, and classification-engine rule governance (trust-anchor Candidate C evaluation)
HOSTDLP-R2.3Host-based DLP · P4
Endpoint-DLP-policy enforcement modes — block/alert/audit-only/user-justification-prompt mode selection per data classification class and user-action type
HOSTDLP-R2.4Host-based DLP · P4
Endpoint-DLP-policy exception authority — 9th project-wide exception/exemption-authority instance (second Data-pillar instance); endpoint-DLP-policy exemption approval workflow, exception registry, and AO-level authority for user-action-type exemptions (CM-6(c) reuse-from-CWPP-R2.4 at endpoint-DLP exception-authority scope)
HOSTDLP-R2.5Host-based DLP · P4
Cross-on-prem-and-cloud endpoint policy inheritance — policy synchronization between on-prem-managed and cloud-managed-endpoint enforcement planes; cross-CSP policy-distribution constraints (CM-6 reuse-from-NETDLP-R2.1 at cross-plane endpoint DLP policy-inheritance scope; SCCA cross-IL constraint secondary anchor)
HOSTDLP-R3.1Host-based DLP · P4
Per-action policy enforcement — USB and removable-media write/read access governance (MP-2 first-primary project-wide)
HOSTDLP-R3.2Host-based DLP · P4
Per-action policy enforcement — clipboard, print, screenshot, and sanitization-resistant media use restriction (MP-7 base and MP-7(2) first-primary project-wide)
HOSTDLP-R3.3Host-based DLP · P4
CSSP-ESM PR.PT-2 anchor — removable-media governance inventory, use restriction, and acceptable-use policy enforcement (PR.PT-2 first-primary project-wide)
HOSTDLP-R3.4Host-based DLP · P4
Endpoint subject-data binding via classification labels — per-action policy enforcement driven by CAASM-produced labels at the endpoint enforcement plane; trust-anchor Candidate B evaluation (NOT LANDED); AC-3 reuse; NETDLP-R3.1 parallel
HOSTDLP-R3.5Host-based DLP · P4
HostDLP↔CASB scope-boundary at the endpoint→SaaS-upload decision point — endpoint agent enforcement layer vs. SaaS application policy layer; defense-in-depth lateral layering; ANALYST-DERIVED; forward-ref to CASB ticket [004]
AD
HOSTDLP-R4.1Host-based DLP · P4
Cloud-managed-endpoint extension — workstations and cloud-managed VMs at cloud UEM enrollment scope (AC-19 reuse; AC-19(5) reuse-from-R1.2 + MDM-R5.5)
HOSTDLP-R4.2Host-based DLP · P4
Per-CSP-native endpoint-DLP-service consumption — capability-class architectural decision for cloud-managed endpoints where CSP offers native endpoint protection with DLP module (AD)
AD
HOSTDLP-R4.3Host-based DLP · P4
Content-fingerprint catalog distribution to cloud-managed endpoints — fingerprint-catalog update delivery, consistency-guarantee model, and distribution-plane governance (CM-6 primary; CM-8 cross-cite)
HOSTDLP-R4.4Host-based DLP · P4
Cross-CSP coverage parity — policy delivery latency normalization, posture-attestation cadence governance, and on-prem-vs-cloud-managed-endpoint policy parity (AD)
AD
HOSTDLP-R4.5Host-based DLP · P4
Cross-CSP endpoint-DLP normalization mastership — cross-CSP DLP policy consistency authority and normalization-plane governance (AD; recurring pattern extension per NETDLP-R7.5 / PKI-R7.5 precedent; AC-17 reuse)
AD
HOSTDLP-R5.1Host-based DLP · P4
Endpoint DLP event audit and non-repudiation — audit record generation per endpoint user-action event; DOD-CRA § 3.1 evaluation point
HOSTDLP-R5.2Host-based DLP · P4
Endpoint-to-network-egress events publishing to SIEM — feed integration for endpoint-originating egress-event ingest; DE.CM-1 reuse-from-NETDLP-R5.2
HOSTDLP-R5.3Host-based DLP · P4
UAM incident data handling — PR.DS-1 UAM MoP Indicator 3 first-primary at endpoint user-activity-monitoring incident data scope
HOSTDLP-R5.4Host-based DLP · P4
Endpoint unauthorized-action monitoring — unauthorized data-access and unauthorized-egress-attempt detection at the endpoint; DE.CM-7 reuse-from-NETDLP-R5.4
HOSTDLP-R5.5Host-based DLP · P4
Chain-of-custody handoff to Forensic/IR — endpoint-DLP incident artifact preservation and handoff non-repudiation; AU-10 reuse from PKI-R5.5 at chain-of-custody scope
HOSTDLP-R6.1Host-based DLP · P4
HostDLP posture feed publishing — coverage by endpoint class (on-prem workstation / cloud-managed VM / mobile device), policy-evaluation throughput, agent-coverage rate, and policy-exception backlog published for cross-pillar consumers (ZT-RA Capability 2.2.1 eleventh-use)
HOSTDLP-R6.2Host-based DLP · P4
Per-classification-class endpoint coverage rollup — coverage broken out per classification label at the endpoint enforcement plane, published as posture-analytics input to SIEM and CAASM (SI-4 reuse-from-NETDLP; PR.DS-1 reuse-from-R1.1)
HOSTDLP-R7.1Host-based DLP · P4
Per-CSP endpoint-DLP-service component inventory — cross-CSP DLP agent and management component registration, IL-class coverage, and capability-matrix completeness across the hybrid endpoint surface
HOSTDLP-R7.2Host-based DLP · P4
Endpoint agent deployment authority — organizational authority for HostDLP agent updates, version management, and deployment-exclusion governance across on-prem-managed and cloud-managed endpoint populations (CM-3 reuse-from-WAF-R3.3 at endpoint DLP agent deployment-authority scope; MDM upstream dependency)
HOSTDLP-R7.3Host-based DLP · P4
Management-plane availability — HostDLP management console contingency planning for the hybrid endpoint-DLP management infrastructure (CP-2 12th-use)
HOSTDLP-R7.4Host-based DLP · P4
Management-plane reachability — secure remote access to HostDLP management consoles and per-CSP cloud-UEM management API channels across the hybrid endpoint surface (AC-17 11th-use)
HOSTDLP-R7.5Host-based DLP · P4
Cross-CSP policy synchronization mastership — which HostDLP management plane is authoritative for hybrid-endpoint-DLP-policy synchronization across on-prem-managed and cloud-managed endpoint populations (ANALYST-DERIVED; trust-anchor Candidate A NOT LANDED)
HOSTDLP-R8.1Host-based DLP · P4
IA certifications + endpoint-DLP-event interpretation training — alert-type taxonomy, classification-policy-violation event semantics, false-positive triage, endpoint-context investigation
HOSTDLP-R8.2Host-based DLP · P4
Endpoint forensic acquisition for DLP incidents — disk imaging, memory acquisition, removable-media artifact handling, chain-of-custody at endpoint
HOSTDLP-R8.3Host-based DLP · P4
Cloud-managed-endpoint-specific tooling familiarity — cloud-managed-VM agent administration, CSP-native endpoint-DLP service operation, cloud-IAM-context for endpoint policy distribution
HOSTDLP-R8.4Host-based DLP · P4
Classification-engine rule-authoring training — regex pattern authoring, dictionary maintenance, ML-classifier model tuning, false-positive reduction
HOSTDLP-R8.5Host-based DLP · P4
USB/removable-media policy administration training — PR.PT-2 acceptable-use policy operationalization, removable-media inventory administration, exception-approval workflow
CASB-R1.1CASB · P4
CASB capability scope and inline-vs.-API-mode architectural mastership decision — COA-discriminating mode-selection at the SaaS application enforcement plane (AD candidate; partial-transform transition major-decision-point)
AD
CASB-R1.2CASB · P4
CASB↔SaaS API-mode trust binding architectural-mastership — OAuth2/SAML federation trust-root authority, SaaS-tenant trust establishment and revocation governance, and cross-SaaS trust normalization mastership (CLOSES NETDLP-R4.4; trust-anchor Candidate A evaluation)
CASB-R1.3CASB · P4
SaaS-tenant inventory and CASB-asset-discovery integration with CAASM — SaaS-application-estate visibility, unauthorized SaaS-tenant detection, and CAASM upstream asset-discovery provider relationship (§ AC-22 first-primary candidate project-wide)
CASB-R1.4CASB · P4
Inline-CASB-proxy and SWG co-deployment integration — TLS interception co-deployment with PKI upstream cert-trust infrastructure and SWG forward-reference (§ SC-7(8) reuse-from-NETDLP-R4.2; inline-mode-conditional)
CASB-R1.5CASB · P4
CASB↔IdP federation trust source — upstream identity provider cross-cite for SaaS-application-tenant access governance and federated identity credential flow (§ PR.AC-1 reuse-from-IdP-R6.4 + PAM-R5.4)
CASB-R2.1CASB · P4
CASB SaaS-application policy lifecycle — policy authoring, distribution, version-management, and review-cycle governance
CASB-R2.2CASB · P4
Content-classification rule registry for SaaS-application policies — regex/keyword/fingerprint/ML rule governance, SaaS-tenant-specific rule scoping, and classification-rule lifecycle at the CASB enforcement plane
CASB-R2.3CASB · P4
CASB enforcement-mode operational selection per SaaS-application policy — inline-mode vs. API-mode per-policy enforcement-plane selection and block/alert/audit-only mode governance (§ AC-4 reuse)
CASB-R2.4CASB · P4
CASB-policy exception authority — 10th project-wide exception/exemption-authority instance (third Data-pillar instance); CASB-policy exemption approval workflow, exception registry, and authority structure for SaaS-application-policy exemptions
CASB-R2.5CASB · P4
Cross-SaaS-tenant policy inheritance and synchronization mastership — policy consistency governance across heterogeneous SaaS providers and per-CSP CASB service normalization (AD candidate)
AD
CASB-R3.1CASB · P4
CASB SaaS-data classification consumption — CAASM-sourced SaaS-application-asset labels drive per-SaaS-tenant policy enforcement; SaaS-data-at-rest protection policy at SaaS-tenant-storage scope (§ PR.DS-1 reuse-from-HOSTDLP-R1.1; CAASM UPSTREAM)
CASB-R3.2CASB · P4
Per-SaaS-application policy enforcement — block, quarantine, alert, and audit actions at the SaaS application policy plane (§ AC-3 reuse; § AC-4 reuse-from-NETDLP-R1.1; NIST § AC-4(21) reuse-from-NETDLP-R1.3 at PR.DS-5 substitute scope)
CASB-R3.3CASB · P4
CASB↔NetDLP lateral-layering scope-boundary CLOSURE — network-plane content inspection (NetDLP) vs. SaaS-application-plane policy enforcement (CASB); defense-in-depth non-duplicative layering; ANALYST-DERIVED; CLOSES NETDLP-R3.3 forward-pointer (Working Rule 19)
AD
CASB-R3.4CASB · P4
CASB SaaS-data-sharing-policy governance — cross-SaaS-tenant data sharing controls, cross-org sharing governance, and automated sharing-decision support (§ AC-21 FIRST-primary-project-wide; § AC-21(1) FIRST-primary-project-wide; CAASM UPSTREAM; CyberBackup forward-ref)
CASB-R3.5CASB · P4
CASB↔HostDLP scope-boundary CLOSURE — endpoint-agent enforcement layer (HostDLP) vs. SaaS-application-plane enforcement layer (CASB) at the endpoint→SaaS-upload decision point; defense-in-depth non-duplicative layering; ANALYST-DERIVED; CLOSES HOSTDLP-R3.5 forward-pointer (Working Rule 19)
AD
CASB-R4.1CASB · P4
Cross-SaaS-tenant CASB integration architecture — integration topology governing CASB policy enforcement span across multiple SaaS tenants and the organizational authority that controls cross-tenant integration governance (AD)
AD
CASB-R4.2CASB · P4
Per-CSP-native CASB-class service consumption — capability-class architectural decision for CSP-native cloud-access-security-broker services where the cloud provider offers native CASB-class functions as platform services (AD)
AD
CASB-R4.3CASB · P4
Cross-SaaS-tenant data-flow inventory and automated policy distribution — CASB enforcement of information-sharing decisions across SaaS-tenant boundaries and automated data-sharing-decision support (§ AC-21 reuse-from-CASB-R3.4; § AC-21(1) reuse-from-CASB-R3.4 — Opus controller fix-up per R-ID-first-wins; R3.4 holds AC-21 + AC-21(1) first-primary at SaaS-data-sharing-policy governance scope)
CASB-R4.4CASB · P4
Cross-CSP shadow-IT-discovery normalization — unified discovery taxonomy, cross-CSP discovery output harmonization, and normalization authority for unauthorized SaaS-application detection across heterogeneous CSP environments (AD; recurring on-prem↔cloud-parity pattern)
AD
CASB-R4.5CASB · P4
Cross-SaaS-tenant policy synchronization mastership — cross-SaaS-tenant CASB policy consistency authority and synchronization-plane governance
AD
CASB-R5.1CASB · P4
CASB SaaS-event audit and non-repudiation — SaaS-application-transaction audit record generation and SaaS-event integrity; DOD-CRA § 3.1 evaluation point
CASB-R5.2CASB · P4
Downstream SIEM ingest of CASB SaaS-application events — feed integration for SaaS-application-traffic monitoring; DE.CM-1 reuse-from-NETDLP-R5.2
CASB-R5.3CASB · P4
Shadow-IT-discovery feed authority and unauthorized-SaaS-tenant detection — § AU-13 family FIRST-primary-project-wide at shadow-IT-discovery scope; Candidate C trust-anchor disposition (AD candidate)
CASB-R5.4CASB · P4
Unauthorized SaaS-application-access monitoring and SaaS-admin-activity monitoring — DE.CM-7 reuse-from-NETDLP-R5.4 at unauthorized-SaaS-access scope; DE.CM-3 reuse-from-PKI-R5.x at SaaS-admin-activity scope
CASB-R5.5CASB · P4
Chain-of-custody handoff to Forensic/IR — CASB SaaS-incident artifact preservation and handoff non-repudiation; AU-10 reuse-from-PKI-R5.5 at chain-of-custody scope
CASB-R6.1CASB · P4
CASB posture-rollup publishing — coverage by SaaS tenant, by data-classification class, policy-evaluation throughput, and shadow-IT-discovery rate published for cross-pillar consumers (ZT-RA Capability 2.2.1 twelfth-use)
CASB-R6.2CASB · P4
Per-classification-class SaaS-application-plane coverage rollup — coverage broken out per classification label at the SaaS enforcement plane, published as posture-analytics input to SIEM and CAASM (SI-4 reuse-from-NETDLP; PR.DS-1 reuse-from-HOSTDLP-R1.1)
CASB-R6.4CASB · P4
Three-plane defense-in-depth ratification — CASB completes the SaaS-application plane; first capability where all three planes (network = NetDLP, endpoint = HostDLP, SaaS-application = CASB) are simultaneously ratifiable; explicit non-overlap disposition across all three planes (methodology-novel; ANALYST-DERIVED)
AD
CASB-R7.1CASB · P4
Per-CSP CASB-service component inventory — cross-CSP CASB API-mode connector, inline-proxy service node, management console instance, and per-CSP-native CASB module registration across the hybrid SaaS-application enforcement plane (§ CM-8 15th-use)
CASB-R7.2CASB · P4
CASB connector/agent deployment authority — organizational authority for CASB connector updates, SaaS-API integration version governance, and deployment-exclusion approval across the per-CSP SaaS-provider integration estate (§ CM-3 reuse-from-WAF-R3.3; Secrets/KMS upstream cross-ref)
CASB-R7.3CASB · P4
Management-plane availability — CASB management console contingency planning for the SaaS-application-plane policy enforcement infrastructure (§ CP-2 13th-use)
CASB-R7.4CASB · P4
Management-plane reachability — secure remote access to CASB management console, cross-SaaS-tenant API management channels, and cross-CSP policy synchronization paths across the hybrid SaaS-application enforcement plane (§ AC-17 12th-use)
CASB-R7.5CASB · P4
Cross-SaaS-tenant policy synchronization mastership — which CASB management plane is authoritative for hybrid cross-SaaS-tenant-DLP-policy synchronization across API-mode SaaS-provider integrations and inline-CASB-proxy enforcement nodes (ANALYST-DERIVED; trust-anchor NOT LANDED per PKI-R7.5 / NETDLP-R7.5 / HOSTDLP-R7.5 precedent)
CASB-R8.1CASB · P4
SaaS-tenant administration tooling familiarity — per-SaaS-provider CASB connector administration, OAuth2/SAML federation configuration, SaaS-tenant policy distribution
CASB-R8.2CASB · P4
Shadow-IT analysis training — CASB-discovered shadow-IT triage, unauthorized-SaaS-tenant remediation workflow, public-cloud-content investigation
CASB-R8.3CASB · P4
Cloud-IAM federation troubleshooting — SAML assertion debugging, OAuth2 token-flow diagnostics, federated-IdP integration troubleshooting
CASB-R8.4CASB · P4
Per-CSP-native CASB service operation training — per-CSP CASB management modules, capability-class alternative operation, cross-CSP policy normalization console
CASB-R8.5CASB · P4
CASB incident response training — SaaS-data-exfiltration incident response, OAuth2-token revocation, SaaS-tenant compromise response
SECRETS-R1.1Secrets/KMS · P4
Secrets vault inspection-point, HSM control authority, and on-prem-vs-cloud-canonical-vault mastership decision — COA-discriminating architectural mastership at the cryptographic substrate plane (AD candidate; partial-transform transition major-decision-point; § IA-7 first-primary; Trust-anchor Candidate B evaluation)
AD
SECRETS-R1.2Secrets/KMS · P4
Root-secret + key-establishment mastership — canonical custody of root cryptographic secrets across the enterprise cryptographic substrate plane (CLOSES CASB-R1.2 SaaS-API-key custody forward-ref; re-acknowledges NETDLP-R1.2 TLSI-CA private-key custody forward-ref; Trust-anchor Candidate A evaluation; § SC-12(2)/(3) cross-cite; § SC-12 base reuse-from-PKI-R1.4)
SECRETS-R1.3Secrets/KMS · P4
FIPS-validated cryptographic protection requirements — algorithm and key-length mandates governing enterprise cryptographic operations (§ SC-13 first-primary project-wide)
SECRETS-R1.4Secrets/KMS · P4
Service-credential identity-binding — machine-identity binding for vault clients and service-account authentication to Secrets vault infrastructure (§ PR.AC-1 reuse-from-IdP-R6.4 + PAM-R5.4; § AC-3 reuse-from-NETDLP-R1.1; PAM lateral-distinct disambiguation)
SECRETS-R1.5Secrets/KMS · P4
Secrets/KMS-plane policy framing and four-plane defense-in-depth introduction — cryptographic-substrate-plane policy coverage and REQ-DT-25 first Secrets requirement (methodology-novel four-plane framing; AD candidate; § PR.DS-2 cross-cite reuse-from-NETDLP-R1.2; HOSTDLP-R7.x endpoint-agent-secrets re-acknowledgment)
AD
SECRETS-R2.1Secrets/KMS · P4
Secrets policy lifecycle — secrets-policy authoring, distribution, version-management, and review-cycle governance (§ CM-3 reuse-from-CASB-R2.1; § CM-6 reuse; PR.IP-3 ABSENT-from-ESM-v11 substitute)
SECRETS-R2.2Secrets/KMS · P4
Secret-rotation-cadence policy registry — rotation-cadence governance per credential class, rotation-schedule tracking, and rotation-enforcement audit for vault-custodied secrets
SECRETS-R2.3Secrets/KMS · P4
Cross-CSP/cross-tenant secret-policy inheritance and normalization — policy consistency governance for vault secrets across heterogeneous CSP secrets-stores and per-CSP-native vault-integration normalization (§ AC-4 reuse-from-NETDLP-R1.1)
SECRETS-R2.4Secrets/KMS · P4
Service-credential exception/exemption authority — 11th project-wide exception/exemption-authority instance (fourth Data-pillar instance); vault-client emergency-access exemption workflow, service-credential-rotation exception registry, and authority structure for non-policy-conforming secret lifecycle exemptions (§ CM-6(c) reuse-from-CWPP-R2.4)
SECRETS-R2.5Secrets/KMS · P4
Vault-policy-enforcement and cross-tenant secret-policy synchronization mastership — secrets-policy consistency governance across heterogeneous vault infrastructure and per-CSP vault-integration enforcement normalization (§ AC-3 reuse-from-NETDLP-R1.1; AD candidate)
AD
SECRETS-R3.1Secrets/KMS · P4
TLSI-CA private-key custody classification — upstream custodianship ratification of TLSI-CA private key material for NetDLP inline-SSL-inspection architecture (CLOSES NETDLP-R1.2 TLSI-CA private-key custody at custody-classification scope; § SC-12(3) reuse-from-SECRETS-R3.3 at TLSI-CA-specific custody-classification scope; § SC-12 base reuse-from-PKI-R1.x; defense-in-depth cryptographic-substrate close-back-ref)
SECRETS-R3.2Secrets/KMS · P4
Symmetric-key custody and lifecycle — data-encryption key and key-encryption key custody classification, rotation cadence, and FIPS-validated key management for symmetric cryptographic material (§ SC-12(2) FIRST primary project-wide; § AC-4 reuse-from-NETDLP-R1.1 at key-distribution scope)
SECRETS-R3.3Secrets/KMS · P4
Asymmetric-key custody and lifecycle — root-CA, TLSI-CA, endpoint-agent, and federation-signing asymmetric-key custody classification and lifecycle governance (§ SC-12(3) FIRST primary project-wide; CLOSES HOSTDLP-R7.x endpoint-agent-secrets custody at custody-classification scope; defense-in-depth close-back-ref)
SECRETS-R3.4Secrets/KMS · P4
HSM-vault data-at-rest protection — cryptographic protection of vault-resident key material, SaaS-API credentials, and endpoint-agent secrets at-rest in HSM-backed vault storage and CSP-native key services (§ SC-28 FIRST primary project-wide; § SC-28(2) FIRST primary; § SC-28(3) FIRST primary; § PR.DS-1 reuse-from-HOSTDLP-R1.2; § SC-28(1) reuse-from-HOSTDLP; CLOSES CASB-R7.2 SaaS-API-key custody at custody-classification scope)
SECRETS-R3.5Secrets/KMS · P4
Cross-CSP key-custody normalization, key-escrow governance, and key-recovery authority — organizational governance framework for enterprise cryptographic material custody across heterogeneous CSP key management surfaces (§ SC-12 reuse-from-PKI-R1.x; ANALYST-DERIVED; cross-CSP FIPS-endorsement normalization; key-recovery emergency-authority)
AD
SECRETS-R4.1Secrets/KMS · P4
Per-CSP-native cloud-KMS consumption — capability-class architectural decision for CSP-native cloud key-management-service functions at each authorized CSP boundary + SCCA cross-CSP secrets-coverage governance (AD; ANALYST-DERIVED; SCCA § 2.1.2.13 cross-cite)
AD
SECRETS-R4.2Secrets/KMS · P4
Cross-CSP secrets-vault integration — IL-boundary applicability per CSP integration + SCCA VDSS-boundary cryptographic-key-management authorization (§ SC-12 reuse-from-PKI-R1.x; SCCA primary; SRG cross-cite)
SECRETS-R4.3Secrets/KMS · P4
Hybrid synchronization architecture — on-prem-vault ↔ cloud-vault sync mechanism, cadence, and reconciliation authority (AD; ANALYST-DERIVED; partial-transform second P4 major-decision-point)
AD
SECRETS-R4.4Secrets/KMS · P4
Hybrid vault synchronization mastership — operational hybrid-sync reconciliation authority across on-prem vault and per-CSP cloud-secrets stores
AD
SECRETS-R4.5Secrets/KMS · P4
Cross-CSP key-policy normalization + per-CSP secret-rotation cadence consistency — cross-CSP cryptographic-key-policy governance authority and per-CSP secret-rotation cadence normalization (AD; recurring on-prem↔cloud-parity pattern; ANALYST-DERIVED; § SC-12 reuse-from-PKI-R1.x; § CM-6 reuse)
AD
SECRETS-R5.1Secrets/KMS · P4
Key-access event publishing to SIEM — Secrets vault and HSM audit-log forwarding for key-operation event audit; DE.AE-3 reuse at multi-source event-publishing scope; DOD-CRA § 3.1 evaluation point
SECRETS-R5.2Secrets/KMS · P4
Secret-access monitoring — Secrets vault event-stream to SIEM for continuous key-access traffic monitoring; DE.CM-1 reuse-from-NETDLP-R5.2 at cryptographic-substrate-plane monitoring scope
SECRETS-R5.3Secrets/KMS · P4
Unauthorized-secret-access monitoring — SIEM-driven detection of unauthorized vault-access attempts and anomalous key-operation patterns; DE.CM-7 reuse-from-NETDLP-R5.4 at unauthorized-secret-access-monitoring scope
SECRETS-R5.4Secrets/KMS · P4
Key-compromise IR forwarding to SOAR + AU-9(3) audit-record cryptographic protection — key-incident orchestration and vault audit-log integrity assurance; AU-2 / AU-12 reuse; AU-9(3) self-referential architectural framing
SECRETS-R5.5Secrets/KMS · P4
ForIR chain-of-custody handoff for key-compromise artifacts — Secrets vault incident artifact preservation and handoff non-repudiation; AU-10 reuse-from-PKI-R5.5 at key-compromise chain-of-custody scope
SECRETS-R6.1Secrets/KMS · P4
Secrets posture-rollup publishing — vault availability, HSM availability, key-rotation backlog, secret-access throughput, and key-compromise event count published for cross-pillar consumers (ZT-RA Capability 2.2.1 thirteenth-use)
SECRETS-R6.2Secrets/KMS · P4
Per-CSP secrets-coverage rollup — coverage broken out per CSP secrets-store and per on-prem vault plane; published as posture-analytics input to SIEM and CAASM
SECRETS-R6.4Secrets/KMS · P4
Four-plane defense-in-depth ratification — Secrets completes the cryptographic-substrate plane; first capability where all four planes (network = NetDLP, endpoint = HostDLP, SaaS-application = CASB, cryptographic-substrate = Secrets) are simultaneously ratifiable; explicit non-overlap and substrate-dependency disposition across all four planes (methodology-novel; ANALYST-DERIVED)
AD
SECRETS-R6.5Secrets/KMS · P4
Pillar 7 V&A posture rollup integration — Secrets key-access event telemetry and vault-availability metrics as V&A posture inputs; cryptographic-substrate posture as a cross-pillar dependency signal for SIEM, CAASM, and ZT policy engine (ANALYST-DERIVED at cross-pillar integration framing scope)
AD
SECRETS-R7.1Secrets/KMS · P4
Per-CSP secrets-service component inventory — HSM appliances, on-prem vault cluster nodes, per-CSP cloud-native KMS registrations, cloud-native secrets-store instances, and hybrid-sync agent inventory across the hybrid cryptographic substrate plane (§ CM-8 16th-use)
SECRETS-R7.2Secrets/KMS · P4
HostDLP endpoint-agent-secrets and CASB SaaS-API-key management-plane closes — rotation governance, distribution authority, and cross-plane credential-lifecycle management for endpoint-agent shared secrets and SaaS-API credentials (§ IA-5 reuse-from-PAM-R6.4 at endpoint-agent-secrets + SaaS-API-key authenticator-rotation-governance scope; CLOSES HOSTDLP-R7.x + CLOSES CASB-R7.2; CyberBackup recovery-key forward-ref)
SECRETS-R7.3Secrets/KMS · P4
Management-plane availability — Secrets vault management infrastructure contingency planning for the enterprise cryptographic substrate (§ CP-2 14th-use)
SECRETS-R7.4Secrets/KMS · P4
Management-plane reachability — secure remote access to Secrets vault administrative console, per-CSP KMS management channels, and hybrid-sync control paths across the cryptographic substrate plane (§ AC-17 13th-use)
SECRETS-R7.5Secrets/KMS · P4
Cross-CSP secret synchronization mastership — which vault administrative plane is authoritative for hybrid cross-CSP secrets synchronization across on-prem vault and per-CSP cloud-native secrets-store instances (§ SC-12(1) Availability first-primary; ANALYST-DERIVED at synchronization-mechanism-class scope; trust-anchor NOT LANDED per PKI-R7.5 / NETDLP-R7.5 / HOSTDLP-R7.5 / CASB-R7.5 precedent)
SECRETS-R8.1Secrets/KMS · P4
Secrets-policy administration tooling proficiency — secret-rotation administration, vault-policy authoring tooling, and HSM-partition credential-management console
SECRETS-R8.2Secrets/KMS · P4
HSM operational tooling proficiency — FIPS-validated module operational training, HSM partition administration, and key-ceremony tooling
SECRETS-R8.3Secrets/KMS · P4
Key-compromise incident-response training — key-revocation procedures, emergency rotation, and root-key-recovery operations
SECRETS-R8.4Secrets/KMS · P4
Cross-CSP secrets-management training and SaaS-credential-incident triage — per-CSP-native KMS operational tooling, cross-CSP key-policy normalization investigation, and SaaS-credential-compromise triage
SECRETS-R8.5Secrets/KMS · P4
Key-recovery / escrow operations training and Forensic/IR chain-of-custody for key-compromise artifacts
CYBACKUP-R1.1CyberBackup / Data Protection / Recovery · P4
Immutable backup repository inspection-point and air-gap credential-path-isolation authority — COA-discriminating architectural mastership at the recovery-substrate plane (AD; extension transition major-decision-point; CP-9 first-primary; Trust-anchor Candidate A LANDED)
CYBACKUP-R1.2CyberBackup / Data Protection / Recovery · P4
On-prem-vs-cloud-tier backup mastership and air-gap trust root selection — COA-discriminating canonical-authority decision at the hybrid backup architecture boundary (AD; CP-9 reuse; major-decision-point)
AD
CYBACKUP-R1.3CyberBackup / Data Protection / Recovery · P4
Cryptographic protection requirements for backup data — FIPS-validated encryption mandate and backup-encryption-key custody upstream dependency
CYBACKUP-R1.4CyberBackup / Data Protection / Recovery · P4
Backup-agent identity-binding and service-credential authentication to backup repository
CYBACKUP-R1.5CyberBackup / Data Protection / Recovery · P4
CyberBackup plane policy framing — extension boundary annotation, five-plane defense-in-depth framing heads-up, and fifth-Data-pillar closure (AD; ZT-RA Cap 2.2.1; ANALYST-DERIVED five-plane framing)
AD
CYBACKUP-R2.1CyberBackup / Data Protection / Recovery · P4
Backup policy lifecycle — backup-policy authoring, distribution, version-management, and review-cycle governance (§ CM-3 reuse-from-CASB-R2.1; § CM-6 reuse; PR.IP-3 ABSENT-from-ESM-v11 substitute)
CYBACKUP-R2.2CyberBackup / Data Protection / Recovery · P4
Backup retention-policy registry — retention-cadence governance per data class and backup tier, retention-schedule tracking, and backup-retention-enforcement audit
CYBACKUP-R2.3CyberBackup / Data Protection / Recovery · P4
Cross-CSP/cross-tier backup-policy inheritance and normalization — backup-policy consistency governance across heterogeneous on-prem and cloud-tier backup repositories and per-CSP-native backup-integration normalization (§ AC-4 reuse-from-NETDLP-R1.1)
CYBACKUP-R2.4CyberBackup / Data Protection / Recovery · P4
Backup-policy exception/exemption authority — 12th project-wide exception/exemption-authority instance (fifth Data-pillar instance); backup-coverage emergency-exemption workflow, backup-retention-cadence exception registry, and authority structure for non-policy-conforming backup lifecycle exemptions (ANALYST-DERIVED; § CP-9(7) first-primary)
AD
CYBACKUP-R2.5CyberBackup / Data Protection / Recovery · P4
Backup-policy-enforcement and cross-tier backup-policy synchronization mastership — backup-policy consistency governance across heterogeneous on-prem and cloud-tier backup infrastructure and per-CSP backup-integration enforcement normalization (§ AC-3 reuse-from-NETDLP-R1.1; ANALYST-DERIVED)
AD
CYBACKUP-R3.1CyberBackup / Data Protection / Recovery · P4
Backup data classification and air-gap separation governance — critical backup data separate storage mandate and air-gap facility classification (§ CP-9(3) FIRST primary project-wide; § PR.DS-1 reuse-from-HOSTDLP-R1.2; § SC-28 reuse-from-SECRETS-R3.4)
CYBACKUP-R3.2CyberBackup / Data Protection / Recovery · P4
Backup encryption and cryptographic protection at air-gap tier — cryptographic mechanisms preventing unauthorized disclosure and modification of backup information (§ CP-9(8) FIRST primary project-wide; § SC-12 family reuse-from-SECRETS; § SC-13 reuse-from-SECRETS; § SC-28 reuse-from-SECRETS-R3.4)
CYBACKUP-R3.3CyberBackup / Data Protection / Recovery · P4
Recovery-key custody mastership and emergency-restoration key governance — architectural mastership of backup-encryption keys + recovery-key escrow + emergency-restoration keys for restoration scenarios where production credentials are presumed compromised (CLOSES SECRETS-R7.2 last P4 forward-pointer; Trust-anchor Candidate B evaluation; § CP-9(8) reuse-from-R3.2; § SC-12 family reuse-from-SECRETS; § MP-5(3) FIRST primary project-wide at air-gap-courier custodian scope)
CYBACKUP-R3.4CyberBackup / Data Protection / Recovery · P4
Backup media storage governance and physical media controls — physical control and secure storage of air-gap tier backup media within controlled areas (§ MP-4 REUSE-ONLY from HOSTDLP-R1.3; § SC-28 reuse-from-SECRETS-R3.4; CORA Cybersecurity and Resiliency cross-cite; § AC-3 reuse-from-NETDLP-R1.1)
CYBACKUP-R3.5CyberBackup / Data Protection / Recovery · P4
Backup media transport and air-gap courier governance — protection and control of backup media during transport outside controlled areas including cross-CSP backup-transfer at SCCA boundary (§ MP-5 REUSE-ONLY from MALWARELAB-R2.4; § AC-4 reuse-from-NETDLP-R1.1; DOD-CYBER cross-cite; SCCA cross-cite)
CYBACKUP-R4.1CyberBackup / Data Protection / Recovery · P4
SCCA cross-CSP backup-coverage governance and per-CSP backup-storage integration — SCCA IL-boundary authorization for CSP-native immutable storage services (SCCA primary; § CM-8 forward-ref to R7.1 17th-use candidate)
CYBACKUP-R4.2CyberBackup / Data Protection / Recovery · P4
Cloud-tier offsite transfer and alternate storage site governance — CP-9(5) first-primary project-wide at cloud-tier offsite-transfer scope (§ CP-9(5) FIRST-PRIMARY; § AC-4 reuse-from-NETDLP-R1.1; NetDLP cross-cite at backup-egress)
CYBACKUP-R4.3CyberBackup / Data Protection / Recovery · P4
Per-CSP-native object-lock/WORM consumption and cross-CSP backup-policy normalization — CSP-native immutable storage governance and backup-coverage normalization (§ AC-4 reuse-from-NETDLP-R1.1; § CP-9 reuse-from-R1.1; SCCA cross-cite)
CYBACKUP-R4.4CyberBackup / Data Protection / Recovery · P4
Hybrid retention mastership — on-prem-backup-as-canonical vs. cloud-backup-tier-as-canonical authority
AD
CYBACKUP-R4.5CyberBackup / Data Protection / Recovery · P4
Cross-CSP backup-sync and backup-service synchronization authority — cross-CSP backup-coverage verification and per-CSP backup-state reconciliation governance (AD; recurring cross-CSP-normalization pattern; § CM-8 reuse at per-CSP backup-service inventory; § AC-17 cross-cite at cross-CSP management-plane reachability)
AD
CYBACKUP-R5.1CyberBackup / Data Protection / Recovery · P4
Recovery testing — backup reliability integrity testing and sampled-restoration testing (CP-9(1) FIRST-PRIMARY + CP-9(2) FIRST-PRIMARY + PR.IP-9 FIRST-PRIMARY)
CYBACKUP-R5.2CyberBackup / Data Protection / Recovery · P4
Recovery execution — system recovery and reconstitution + transaction recovery (CP-10 FIRST-PRIMARY + CP-10(2) FIRST-PRIMARY + RC.RP-1 FIRST-PRIMARY — FIRST RC.* family first-primary in project)
CYBACKUP-R5.3CyberBackup / Data Protection / Recovery · P4
Restore-within-RTO attestation and RTO-RPO governance (CP-10(4) FIRST-PRIMARY + MalwareLab pre-restoration cross-cite + AU-9(3) audit-record protection)
CYBACKUP-R5.4CyberBackup / Data Protection / Recovery · P4
Backup-event publishing to SIEM and recovery-incident IR forwarding to SOAR — DOD-CRA § 3.1 evaluation point + five-plane 24/7 monitoring ratification carry-forward
CYBACKUP-R5.5CyberBackup / Data Protection / Recovery · P4
Recovery-incident chain-of-custody and backup-snapshot evidence handling — chain-of-custody handoff for backup-snapshot evidence to Forensic/IR; AU-10 reuse-from-PKI-R5.5 at chain-of-custody scope
CYBACKUP-R6.1CyberBackup / Data Protection / Recovery · P4
Backup posture-rollup publishing — backup-coverage posture, immutability-lock compliance, recovery-capability health, and air-gap-tier availability published for cross-pillar consumers (ZT-RA Capability 2.2.1 fourteenth-use)
CYBACKUP-R6.2CyberBackup / Data Protection / Recovery · P4
Per-CSP backup-coverage posture rollup — backup-coverage broken out per CSP backup-tier and per on-prem backup plane; cross-CSP backup inventory published as posture-analytics input to SIEM and CAASM
CYBACKUP-R6.4CyberBackup / Data Protection / Recovery · P4
Five-plane defense-in-depth ratification — CyberBackup completes the recovery-substrate plane; first capability where all five planes (network = NetDLP, endpoint = HostDLP, SaaS-application = CASB, cryptographic-substrate = Secrets, recovery-substrate = CyberBackup) are simultaneously ratifiable; explicit non-overlap and temporal-redundancy-substrate disposition across all five planes (methodology-novel; extends SECRETS-R6.4 four-plane ratification; ANALYST-DERIVED)
AD
CYBACKUP-R6.5CyberBackup / Data Protection / Recovery · P4
RC.IM-1 lessons-learned integration — backup-recovery lessons-learned incorporation into recovery strategies, joint lessons-learned sharing, and cyber incident after-action review at backup-recovery scope (CSSP-ESM first-primary candidate or deferred to R8.x)
CYBACKUP-R7.1CyberBackup / Data Protection / Recovery · P4
Per-CSP backup-service component inventory — on-prem immutable backup repositories, per-CSP cloud-native object-lock storage service registrations, backup-agent deployment instances, hybrid-sync agent instances, and immutable-storage service instances across the hybrid recovery-substrate plane (§ CM-8 17th-use)
CYBACKUP-R7.2CyberBackup / Data Protection / Recovery · P4
Recovery-key custody management-plane close and alternative SECRETS-R7.2 secondary close — rotation governance, distribution authority, and emergency-recovery-key-access workflows for backup-encryption keys + escrow keys + emergency-restoration keys (§ CP-9(6) first-primary; § CP-9(8) reuse; § SC-12 family reuse; CLOSES SECRETS-R7.2 last P4 forward-pointer)
CYBACKUP-R7.3CyberBackup / Data Protection / Recovery · P4
Backup management-plane availability — CyberBackup management infrastructure contingency planning for the enterprise recovery-substrate (§ CP-2 15th-use; § CP-10(6) first-primary)
CYBACKUP-R7.4CyberBackup / Data Protection / Recovery · P4
Backup management-plane reachability — secure remote access to CyberBackup management console, per-CSP cloud-native backup-service management channels, and hybrid-sync control paths across the recovery-substrate plane (§ AC-17 14th-use)
CYBACKUP-R7.5CyberBackup / Data Protection / Recovery · P4
Cross-CSP backup-service synchronization mastership — which backup-catalog administrative plane is authoritative for hybrid cross-CSP backup-catalog synchronization across on-prem backup-catalog and per-CSP cloud-native backup-catalog instances (ANALYST-DERIVED at synchronization-mechanism-class scope; trust-anchor NOT LANDED per PKI-R7.5 / NETDLP-R7.5 / HOSTDLP-R7.5 / CASB-R7.5 / SECRETS-R7.5 precedent; NO outbound forward-pointer — terminal P4)
AD
CYBACKUP-R8.1CyberBackup / Data Protection / Recovery · P4
Backup-system operations training and WORM/immutability policy administration — backup-repository operations tooling, immutable-storage lock-period management, and air-gap credential-isolation procedures
CYBACKUP-R8.2CyberBackup / Data Protection / Recovery · P4
Recovery-key ceremony and air-gap-tier operational procedures training — recovery-key ceremony tooling, restoration credential handling, and emergency-restoration key escrow operations
CYBACKUP-R8.3CyberBackup / Data Protection / Recovery · P4
Cloud-backup-service operation and cross-CSP backup-management training — per-CSP-native immutable-storage service administration, cloud-backup-tier audit-log access, and cross-tier backup-policy synchronization
CYBACKUP-R8.4CyberBackup / Data Protection / Recovery · P4
Restoration test execution, RTO/RPO compliance attestation, and backup-failure incident response — restoration test procedures, RTO/RPO compliance verification, and pre-restoration malware-scan
CYBACKUP-R8.5CyberBackup / Data Protection / Recovery · P4
Backup-monitoring tooling and backup-posture reporting training — backup-coverage audit, cross-tier backup-status monitoring, and backup-posture compliance reporting — **22nd PR.AT-5 (fifth Data-pillar — CLOSES THE FAMILY)**
C2C-R1.1C2C (Comply-to-Connect) · P7
Cloud-side enforcement-primitive choice mastership — COA-discriminating architectural decision at the hybrid access-enforcement boundary (AD; major-decision-point; CA-9 first-primary; Trust-anchor Candidate A LANDED)
C2C-R1.2C2C (Comply-to-Connect) · P7
On-prem 802.1X continuity at hybrid boundary — enforcement continuity at the on-prem/cloud transition point (ZT-RA; AC-17 reuse; trust-anchor Candidate A carry-forward)
C2C-R1.3C2C (Comply-to-Connect) · P7
Step 1 identification asset enumeration — DOD-CYBER C2C Step 1 first-primary; downstream-consumer of CAASM-R1.1 DAAS enumeration (DOD-CYBER; CAASM-R1.1 cross-cite)
C2C-R1.4C2C (Comply-to-Connect) · P7
| ID | Capability | Pri. | Requirement | AD |
|---|---|---|---|---|
| | | | Cross-CSP cloud-side enforcement-primitive parity — enforcement consistency across multi-cloud footprint (SRG; SCCA; AC-3 reuse; Candidate A carry-forward) | |
| C2C-R1.5 | C2C (Comply-to-Connect) | P7 | Enforcement-primitive policy authority during transition — operational-readiness architectural gap during hybrid coexistence period (AD; ANALYST-DERIVED; policy-authority governance during transition) | AD |
| C2C-R2.1 | C2C (Comply-to-Connect) | P7 | Step 2 interrogation compliance-category-evaluation policy authoring + versioning + distribution lifecycle (ID.GV-1 first-primary; DOD-CYBER Interrogation Guidance § 1.4 REUSE-from-MDM-R6.3; CM-3 reuse-from-CASB-R2.1; PR.IP-3 ABSENT substitute) | |
| C2C-R2.2 | C2C (Comply-to-Connect) | P7 | Multi-source posture-input ingestion architecture — cryptographic bidirectional authentication of MDM/NAC/EDR/CAASM/CWPP/K8S/VulnMgmt posture-feed integration channels (IA-3(1) first-primary; DOD-CYBER Interrogation Guidance § 1.4 REUSE; PR.AC-1 reuse) | |
| C2C-R2.3 | C2C (Comply-to-Connect) | P7 | Posture-source onboarding policy — authorization for new posture sources + mandatory vs. optional per compliance category (ZT-RA; ANALYST-DERIVED; CA-9 reuse-from-R1.1; AC-4 reuse; ZT-RA Cap 2.2.1 cross-cite) | |
| C2C-R2.4 | C2C (Comply-to-Connect) | P7 | Compliance exception/exemption authority governance — 13th project-wide instance; FIRST P5/7 instance; maintenance-window + emergency-access + waiver + ephemeral-workload exception governance (§ CM-6(c) reuse-from-CWPP-R2.4) | |
| C2C-R2.5 | C2C (Comply-to-Connect) | P7 | Posture-staleness consumer-side handling at orchestration layer — explicit-no-pointer from MDM-R6.4 documented; C2C-primary posture-verdict expiry and re-interrogation trigger governance (§ SI-17 reuse-from-CWPP-R6.4) | |
| C2C-R3.1 | C2C (Comply-to-Connect) | P7 | Authorization decision content — compliance-verdict structure pass/fail/quarantine/remediate at access enforcement boundary (§ AC-3(9) FIRST primary project-wide; § AC-3(11) FIRST primary project-wide; AC-3 reuse-from-NetDLP-R1.1; CASB boundary explicit disposition) | |
| C2C-R3.2 | C2C (Comply-to-Connect) | P7 | Identity-attribute consumption — IdP cross-cite + PAM cross-cite at authorization-decision scope (PR.AC-1 reuse-from-IdP-R6.4 + PAM-R5.4; PR.DS-1 reuse-from-HOSTDLP-R1.2; identity-attribute binding at compliance-verdict framing) | |
| C2C-R3.3 | C2C (Comply-to-Connect) | P7 | Step 3 remediation orchestration — auto-remediation actions (quarantine VLAN / access revocation / patch-trigger / SOAR-playbook-invocation / ticket-generation) (DOD-CYBER Step 3 REUSE-from-R1.3; § AC-2(13) FIRST primary project-wide; § SI-4(7) reuse-from-EDR-R3.1; § AC-3(8) reuse-from-NAC-R2.4) | |
| C2C-R3.4 | C2C (Comply-to-Connect) | P7 | Remediation playbook authority — C2C compliance-gating boundary vs. SOAR incident-response playbook boundary at the auto-remediation trigger overlap (ZT-RA cross-cite; DOD-CYBER cross-cite; SOAR Row 24 scope-boundary disposition) | |
| C2C-R3.5 | C2C (Comply-to-Connect) | P7 | CSSP-CARV RS.RP-1 — subscriber-side response plan execution triggered by C2C compliance-verdict non-compliance detection (FIRST RS.*-family CSSP-CARV use in project; methodology-novel; DISTINCT from RC.RP-1 Recover function at CYBACKUP) | |
| C2C-R4.1 | C2C (Comply-to-Connect) | P7 | Cross-CSP C2C policy synchronization — SCCA boundary-control scope and on-prem-to-cloud orchestration consistency at each CSP zone (SRG + SCCA primary; AC-3 + AC-4 reuse-from-NETDLP) | |
| C2C-R4.2 | C2C (Comply-to-Connect) | P7 | Per-CSP enforcement-primitive policy normalization — parity of enforcement-primitive policy across multi-cloud footprint (NIST-80053 § AC-3 + § AC-4 reuse; Candidate A carry-forward; Row 31 cross-cite) | |
| C2C-R4.3 | C2C (Comply-to-Connect) | P7 | Cross-CSP C2C platform federation — operational-readiness scope for C2C orchestration framework spanning multiple CSP-hosted enforcement points (AD; ANALYST-DERIVED; authoritative-gap AD pattern; 12-slug-search-exhaustion) | AD |
| C2C-R4.4 | C2C (Comply-to-Connect) | P7 | CASB SaaS-access-control overlap boundary close — C2C general-orchestration-side vs. CASB SaaS-side per-application enforcement scope delineation (CASB-R{x} cross-cite; Row 31 explicit overlap; scope-boundary record) | |
| C2C-R4.5 | C2C (Comply-to-Connect) | P7 | Cross-IL C2C reachability — per-IL (IL2/IL4/IL5) enforcement-primitive applicability and cross-IL compliance-posture reporting deconfliction (AD; ANALYST-DERIVED; authoritative-gap AD pattern carry-forward from R1.1; Row 31 explicit gap; 12-slug-search-exhaustion) | AD |
| C2C-R5.1 | C2C (Comply-to-Connect) | P7 | C2C compliance-event publishing to SIEM — event-bus integration scope; SIEM-R5.5 forward-pointer closure (CSSP-ESM DE.AE-3 reuse; AU-12 reuse; DE.AE-3 reuse) | |
| C2C-R5.2 | C2C (Comply-to-Connect) | P7 | C2C compliance-event ingestion at SOAR — remediation-playbook trigger; SOAR lateral boundary; RS.RP-1 REUSE-from-C2C-R3.5 (first RS.*-family first-primary LOCKED at R3.5 per R-ID-first-wins) | |
| C2C-R5.3 | C2C (Comply-to-Connect) | P7 | Step 4 compliance reporting chain — JFHQ-DODIN / CSSP / Mission Owner reporting chain authority; DOD-CYBER C2C Reporting Guide v1.0 first-primary; PM-31 first-primary (Continuous Monitoring Strategy) | |
| C2C-R5.4 | C2C (Comply-to-Connect) | P7 | Audit-trail completeness for C2C compliance decisions — per-decision audit records (verdict per asset; remediation actions; exception grants; policy changes); AU-12 reuse + AU-2 reuse + AU-6 reuse + AU-9(3) reuse | |
| C2C-R5.5 | C2C (Comply-to-Connect) | P7 | C2C administrator privileged-activity monitoring — PEP/PDP policy-authoring, compliance-policy modification, exception-approval monitoring; CA-7(4) first-primary (Risk Monitoring); DE.CM-5 first-primary (Unauthorized Mobile Code Detected) | |
| C2C-R6.1 | C2C (Comply-to-Connect) | P7 | PEP/PDP orchestration framework architectural mastership — which entity governs the policy-decision-point aggregating compliance-category posture from all sibling-cap inputs into a single compliance verdict (ZT-RA Capability 2.2.1 fifteenth-use; Trust-anchor Candidate B LANDED) | |
| C2C-R6.2 | C2C (Comply-to-Connect) | P7 | Compliance category schema enumeration — C2C compliance categories governing the posture-aggregation input taxonomy (AC-3 family; IA-3 reuse; ID.AM-1/ID.AM-2 REUSE-ONLY) | |
| C2C-R6.3 | C2C (Comply-to-Connect) | P7 | Orchestration-completion ratification — 6-forward-pointer-closure at C2C-R6.3 (methodology-novel; first capability where 6 sibling-cap forward-pointers close at a single R-bucket; DOD-CYBER C2C Interrogation Guidance v1.1.0 § 1.4 REUSE for each of 6 closes; C2C-boundary backlog 6→0) | |
| C2C-R6.4 | C2C (Comply-to-Connect) | P7 | Posture-aggregation precedence rules — cross-source posture-consistency validation and conflict-resolution rules for multi-source compliance-verdict aggregation (CA-7(5) first-primary; ANALYST-DERIVED for specific precedence model) | |
| C2C-R6.5 | C2C (Comply-to-Connect) | P7 | Orchestration-decision auditability at scale — per-asset compliance verdict audit records and per-policy-update orchestration logs (AU-12 reuse; DE.CM-3 REUSE-from-PKI-R5.3; cross-cite SIEM-R6) | |
| C2C-R7.1 | C2C (Comply-to-Connect) | P7 | Per-CSP C2C platform component inventory — C2C enforcement-primitive integration registrations per CSP, on-prem PDP component inventory, interrogation-agent deployment instances, and CAASM SSOT posture-feed integration registrations across the hybrid C2C platform (§ CM-8 18th-use) | |
| C2C-R7.2 | C2C (Comply-to-Connect) | P7 | C2C management-plane resilience — PEP/PDP orchestration-framework management-plane availability contingency planning for the hybrid C2C platform (§ CP-2 16th-use) | |
| C2C-R7.3 | C2C (Comply-to-Connect) | P7 | Cross-CSP C2C administrator management channel — C2C orchestration-framework administrator remote-access governance and per-CSP C2C management-plane reachability (§ AC-17 15th-use; PAM cross-cite) | |
| C2C-R7.4 | C2C (Comply-to-Connect) | P7 | C2C as self-publishing capability of ZT-RA Cap 2.2.1 — cross-cite framing extending R6.1 primary use; C2C IS the capability to which Cap 2.2.1 is most directly relevant; DIAT Flash 23-01 disposition at R7.x; ID.GV-2 first-primary at C2C governance-roles scope (CSSP-ESM); ID.RM-1 first-primary at C2C risk-management-process scope (CSSP-ESM) | |
| C2C-R7.5 | C2C (Comply-to-Connect) | P7 | C2C compliance reporting-chain authority disposition — trust-anchor Candidate C evaluation NOT LANDED + cross-CSP reporting-chain normalization gap (ANALYST-DERIVED) + CORA Cybersecurity and Resiliency compliance-gating management-plane enrollment + DOD-CYBER C2C Reporting Guide v1.0 reporting-chain authority REUSE-from-C2C-R5.3 (AD; Candidate C NOT LANDED; ID.GV-1 REUSE-from-C2C-R2.1) | |
| C2C-R8.1 | C2C (Comply-to-Connect) | P7 | C2C orchestration framework administration training — PEP/PDP policy-engine administration, compliance-category schema management, and posture-source registration and authorization | |
| C2C-R8.2 | C2C (Comply-to-Connect) | P7 | Step 1 identification asset-inventory + Step 2 interrogation policy administration training — compliance-category policy authoring, interrogation cadence management, and DOD-CYBER C2C Step 2 Interrogation Guidance § 1.4 operational application | |
| C2C-R8.3 | C2C (Comply-to-Connect) | P7 | Step 3 remediation playbook administration + PEP/PDP policy-decision-point administrator certification training — remediation action library management, automated-remediation policy configuration, and PDP policy update authorization | |
| C2C-R8.4 | C2C (Comply-to-Connect) | P7 | C2C compliance-incident response + cross-pillar coordination with SOAR / SIEM / IR-Forensic — compliance-incident escalation, SOAR remediation-playbook handoff procedures, and SIEM compliance-event correlation workflows | |
| C2C-R8.5 | C2C (Comply-to-Connect) | P7 | C2C Step 4 reporting + dashboard administration training — reporting-chain workflow training, JFHQ-DODIN reporting compliance, and compliance-trend dashboard interpretation — **23rd PR.AT-5 (first P5/7 instance — OPENS THE P5/7 FAMILY)** | |
| SWG-R1.1 | SWG / proxy | P5 | Web traffic inspection placement architecture mastership — COA-discriminating architectural decision at the web-egress inspection boundary (AD; major-decision-point; ANALYST-DERIVED; Trust-anchor Candidate A LANDED) | AD |
| SWG-R1.2 | SWG / proxy | P5 | TLS-interception sub-CA mastership / SSL inspection cert-trust distribution authority — PKI-R3.4 upstream-cert-issuance; closes NETDLP-R1.x forward-pointer; Trust-anchor Candidate B LANDED | |
| SWG-R1.3 | SWG / proxy | P5 | Web traffic inspection coverage scope — managed-endpoint, cloud-managed-endpoint, cloud-workload, and remote-access inspection coverage (CSSP-CARV PR.PT-4 first-primary; SC-23 first-primary) | |
| SWG-R1.4 | SWG / proxy | P5 | Cross-CSP enforcement parity governance — operational continuity of web traffic inspection coverage across CSP boundaries (ANALYST-DERIVED; SCCA cross-CSP framing) | AD |
| SWG-R1.5 | SWG / proxy | P5 | On-prem proxy retention scope during hybrid transition — operational continuity of on-prem SWG infrastructure; SC-7(22) first-primary; ANALYST-DERIVED transition-scope | AD |
| SWG-R2.1 | SWG / proxy | P5 | Inspection policy authoring lifecycle — URL-category-list management + SSL-inspection-bypass list management + content-filter rule authoring (CM-3 reuse-from-CASB-R2.1; PR.IP-3 ABSENT substitute; cross-cite NetDLP-R1.x at content-classification scope) | |
| SWG-R2.2 | SWG / proxy | P5 | URL categorization governance — commercial category-list integration + local-override category authoring + category-list update cadence governance (CM-6 reuse-from-EDR-R5.1 at URL-category-list configuration-settings lifecycle scope; SI-4 reuse-from-SIEM at monitoring scope) | |
| SWG-R2.3 | SWG / proxy | P5 | SSL inspection policy + cert-pinning exception governance — SC-23(1) first-primary evaluation; session-ID invalidation at SSL bypass boundary (SC-23(1) first-primary candidate; CSSP-CARV PR.PT-4 reuse) | |
| SWG-R2.4 | SWG / proxy | P5 | SWG exception/exemption authority — 14th project-wide instance (second P5/7); SWG-policy maintenance-window exception governance + user-class bypass exception + temporary-bypass-exception governance (CM-6 reuse-from-EDR-R5.1 at deviation-approval scope; CASB-R2.4/C2C-R2.4 precedent) | |
| SWG-R2.5 | SWG / proxy | P5 | Inspection policy distribution to enforcement points — on-prem proxy clusters + cloud-hosted SWG instances; per-CSP policy distribution; CA-9(1) first-primary | |
| SWG-R3.1 | SWG / proxy | P5 | User-identity binding at SWG proxy decision — SAML / OAuth-token / Kerberos / explicit-proxy user-auth consumption from IdP at per-user-class enforcement (PR.AC-1 reuse-from-IdP-R6.4 + PAM-R5.4; no first-primary re-claim) | |
| SWG-R3.2 | SWG / proxy | P5 | Per-session user-attribution audit at proxy decision scope — user-attribution audit log; PR.PT-1 reuse-from-CWPP-R2.5 + K8S-R5.5; AU-3 cross-cite at audit-record-content scope | |
| SWG-R3.3 | SWG / proxy | P5 | CASB-SWG inline-mode co-deployment scope-boundary close — defense-in-depth lateral layering at the web-traffic / SaaS-application inspection boundary (HARD CLOSE CASB-R1.4; § SC-7(8) reuse-from-NETDLP-R4.2; ANALYST-DERIVED co-deployment governance; cross-cite NetDLP-R3.3 adjacency) | AD |
| SWG-R3.4 | SWG / proxy | P5 | HostDLP soft adjacency — endpoint-agent inspection plane vs. network-egress-proxy inspection plane scope-boundary (ANALYST-DERIVED; closes HostDLP forward-ref at line 9372; no first-primary) | AD |
| SWG-R3.5 | SWG / proxy | P5 | Malicious-web-traffic containment + access-revocation — user-session invalidation at proxy boundary; § SC-23(1) REUSE-from-SWG-R2.3 per R-ID-first-wins; § AC-3(8) reuse-from-NAC-R2.4; NIST IR-4 + SI-4(7) cross-cite (RS.MI-1 ABSENT both ESM and CARV); § AC-3 base reuse at authorization-decision scope | |
| SWG-R4.1 | SWG / proxy | P5 | Cloud-egress proxy architectural-mastership — HARD CLOSE NETDLP-R4.2 (methodology-novel "deferred-architectural-mastership-redemption"); centralized cloud-hosted proxy / per-CSP proxy / hybrid deployment-mode choice; SC-7(8) REUSE-from-NETDLP-R4.2 | |
| SWG-R4.2 | SWG / proxy | P5 | DOD-CYBER Cloud Deployment Models doctrine at SWG deployment-mode-selection scope — FIRST project primary for Cloud Deployment Models source; cloud-hosted vs. on-prem proxy deployment-mode doctrine | |
| SWG-R4.3 | SWG / proxy | P5 | Cross-CSP enforcement parity governance — per-CSP SWG inspection-coverage consistency across multiple CSP environments (AD; ANALYST-DERIVED; SCCA cross-CSP coverage framing) | AD |
| SWG-R4.4 | SWG / proxy | P5 | On-prem proxy retention scope during hybrid transition — Row 16 verbatim COA-architectural decision; hybrid split-routing trigger criteria; SC-7(22) cross-cite (AD; ANALYST-DERIVED) | AD |
| SWG-R4.5 | SWG / proxy | P5 | Cross-CSP SWG policy normalization governance — Trust-anchor Candidate C evaluation (NOT LANDED); per-CSP URL-category-list synchronization + block-rule consistency + SSL-inspection-exception-list normalization (AD; ANALYST-DERIVED) | AD |
| SWG-R5.1 | SWG / proxy | P5 | SWG inspection-event publishing to SIEM — URL-block events, content-filter events, SSL-inspection events, user-attribution events, and block-policy-decision audit events; SIEM lateral cross-cite; AU-12 reuse; AU-2 reuse | |
| SWG-R5.2 | SWG / proxy | P5 | URL-decision audit log content — per-session, per-URL-category, and per-user-identity decision audit; AU-3 reuse; PR.PT-1 REUSE-from-CWPP-R2.5 + K8S-R5.5; DE.CM-1 REUSE-from-SIEM/NETDLP-R5.2; AU-14 family REUSE-from-PAM-R2.1 | |
| SWG-R5.3 | SWG / proxy | P5 | DE.CM-7 (Monitoring for unauthorized personnel, connections, devices, and software is performed) — FIRST DE.CM-7 USE IN PROJECT; CSSP-ESM first-primary; SWG SOC alert-feed scope; unauthorized web-access detection, unauthorized connection pattern detection, unauthorized device-class web-access, unauthorized software downloads | |
| SWG-R5.4 | SWG / proxy | P5 | SOAR remediation-orchestration handoff at SWG-R5 — SWG block-decisions feed SOAR incident-response playbooks for complex remediation; SOAR Row 24 lateral; RS.RP-1 REUSE-from-C2C-R3.5 (CSSP-CARV); IR-4 reuse | |
| SWG-R5.5 | SWG / proxy | P5 | ForIR evidence handoff + CORA Cyber Defense Monitor cross-cites — SWG session evidence for investigation; CORA Para 2.5.4 network-log-review; CORA Para 2.7.1 abnormal/suspicious activity; CORA Para 2.3.2 IDS-event-monitoring chain; ForIR Row 28 lateral | |
| SWG-R6.1 | SWG / proxy | P5 | SWG inspection-coverage posture rollup publishing — per-asset-class SWG inspection-coverage state and rollup-publishing-mastership authority (CA-7 reuse-from-EDR-R5.3 at security-status-reporting scope; cross-cite CAASM Row 13) | |
| SWG-R6.2 | SWG / proxy | P5 | Per-CSP SWG coverage rollup — per-CSP cloud-hosted SWG presence + inline-vs-DNS-redirect mode + per-CSP inspection-coverage state (CA-7(5) reuse-from-C2C-R6.4 at consistency-analysis scope; SCCA cross-CSP coverage governance cross-cite) | |
| SWG-R6.5 | SWG / proxy | P5 | Cross-CSP SWG inspection-coverage status reporting — CA-7(4) REUSE-from-C2C-R5.5 at cross-coverage risk-monitoring scope; CA-7(5) REUSE-from-C2C-R6.4 at cross-source consistency-analysis scope; SIEM Row 1 cross-cite for coverage-state event publishing | |
| SWG-R7.1 | SWG / proxy | P5 | Per-CSP SWG component inventory — per-CSP cloud-hosted SWG instance enumeration, on-prem SWG cluster component inventory, SWG management-plane component enumeration, and per-CSP SWG component versioning (§ CM-8 19th-use) | |
| SWG-R7.2 | SWG / proxy | P5 | SWG management-plane resilience — SWG management cluster availability, SWG policy-distribution-plane availability, and contingency plan for SWG management-plane failure including last-known-good policy retention at SWG enforcement points (§ CP-2 17th-use) | |
| SWG-R7.3 | SWG / proxy | P5 | SWG administrator management channel — SWG management-plane administrator remote-access governance, DODIN-bound management-channel governance, and cross-CSP SWG management-plane admin access (§ AC-17 16th-use; SCCA cross-CSP boundary cross-cite; PAM cross-cite) | |
| SWG-R7.4 | SWG / proxy | P5 | SWG-as-remote-access-egress-point — cryptographic protection of user-egress remote-access sessions traversing the SWG inspection plane (§ AC-17(2) FIRST-PRIMARY; scope-distinct from management-channel cross-cite pattern at WAF/MalwareLab/NETDLP; SC-8(1) REUSE-from-PKI) | |
| SWG-R7.5 | SWG / proxy | P5 | Cross-CSP SWG management-plane reachability + trust-anchor Candidate C re-evaluation NOT LANDED + cross-CSP SWG policy normalization gap (ANALYST-DERIVED; SCCA cross-CSP coverage cross-cite; final SWG trust-anchor count = 19) | AD |
| SWG-R8.1 | SWG / proxy | P5 | SWG proxy administration training — proxy-policy authoring, URL-category-list management, SSL-inspection-bypass-list management, and proxy cluster availability and failover operations | |
| SWG-R8.2 | SWG / proxy | P5 | SSL inspection cert-trust administration training — sub-CA management, client-side cert-trust distribution governance, cert-trust revocation operations, and TLS-interception trust-boundary operations | |
| SWG-R8.3 | SWG / proxy | P5 | URL category policy administration training + content-filter policy administration + cloud-egress proxy deployment-mode operations training — per-category enforcement policy authoring, per-user-class policy variation management, category-list update cadence governance, inline-vs-DNS-redirect mode operations, and on-prem-vs-cloud-hosted split-routing operations | |
| SWG-R8.4 | SWG / proxy | P5 | SOC SWG event triage training — SWG inspection-event interpretation, URL-block-event triage, content-filter-event triage, SSL-inspection-anomaly investigation, user-attribution-anomaly investigation, and cross-pillar SWG↔CASB↔NetDLP coordination | |
| SWG-R8.5 | SWG / proxy | P5 | SWG exception/exemption authority training + SWG admin certification — exception-approval workflow operations, SWG-policy maintenance-window exception governance, and SWG admin certification training — **24th PR.AT-5 (second P5/7 instance — CONTINUES the family C2C opened)** | |
| EMAIL-R1.1 | Email security gateway | P5 | Email gateway placement architecture mastership — COA-discriminating architectural decision at the mail-inspection boundary (AD; partial-transform; ANALYST-DERIVED; Trust-anchor Candidate A LANDED) | AD |
| EMAIL-R1.2 | Email security gateway | P5 | MTA-relay-to-API-inspection transformation mastership / cloud-mail-platform inspection-integration authority — partial-transform-distinctive architectural-mastership scope (ANALYST-DERIVED; Trust-anchor Candidate B LANDED; PKI upstream-cert cross-cite) | AD |
| EMAIL-R1.3 | Email security gateway | P5 | STARTTLS / DMARC / SPF / DKIM authentication enforcement — mail-authentication protocol governance at MTA-relay boundary (CSSP-CARV PR.PT-4 REUSE-from-SWG-R1.3; SC-20 REUSE-from-DNS-R8.x; PR.DS-2 REUSE-from-NETDLP-R1.2; PKI upstream-cert cross-cite) | |
| EMAIL-R1.4 | Email security gateway | P5 | NETDLP-R1.x soft adjacency cross-cite — defense-in-depth lateral layering at SaaS-mail egress between Email mail-protocol content inspection and NetDLP network-plane content classification (cross-cite acknowledgment; NOT a HARD closure) | |
| EMAIL-R1.5 | Email security gateway | P5 | On-prem MTA retention scope during hybrid transition — operational continuity of on-prem MTA-relay for on-prem user mail flow; ANALYST-DERIVED transition-scope | AD |
| EMAIL-R2.1 | Email security gateway | P5 | Anti-spam and anti-phishing policy enforcement — mail-protection mechanisms at inbound/outbound mail boundary (SI-8 base first-primary; DoDM 8530.01 § 3.4.b.(3) DOD-CYBER first-primary; CM-3 REUSE-from-CASB-R2.1 at inspection-policy configuration-change scope) | |
| EMAIL-R2.2 | Email security gateway | P5 | Mail-inspection-policy configuration-change cadence governance — spam-rule / DMARC-enforcement-rule / URL-rewrite-rule review cadence + commercial threat-feed integration cadence + locally-authored rule lifecycle (CM-3 reuse-from-CASB-R2.1 at locally-authored-rule configuration-change cadence scope; SI-4 reuse from SIEM at monitoring scope) | |
| EMAIL-R2.3 | Email security gateway | P5 | TLS-mail-inspection-visibility governance — encrypted mail-stream access provisions for monitoring + DoDM 8530.01 § 3.4.b.(2) DOD-CYBER first-primary + SI-4(10) first-primary (SI-4(10) Visibility of Encrypted Communications; CSSP-CARV PR.PT-4 REUSE-from-SWG-R1.3) | |
| EMAIL-R2.4 | Email security gateway | P5 | Email exception/exemption authority — 15th project-wide instance (THIRD P5/7 — CLOSES THE P5/7 EXCEPTION-AUTHORITY FAMILY); Email-inspection maintenance-window exception governance + sender-domain exception governance + legitimate-mass-mail exemption governance (CM-6 reuse-from-EDR-R5.1 at Email inspection-enforcement exception-authority scope; CM-6(c) exception-authority pattern reuse-from-CWPP-R2.4 — 15th instance) | |
| EMAIL-R2.5 | Email security gateway | P5 | Spam-signature-update governance — automatic spam-protection-mechanism update cadence + SI-8(2) first-primary + SI-8(3) first-primary (AI/ML-based continuous-learning anti-phishing detection); CORA inspection-evidence requirement for update-cadence documentation | |
| EMAIL-R3.1 | Email security gateway | P5 | Mail-body and attachment content inspection — content-classification for anti-phishing, BEC detection, and mail-DLP at MTA-relay / cloud-mail-platform API-inspection plane (AC-4(15) FIRST-PRIMARY; AC-23 FIRST-PRIMARY; AC-4(21) REUSE PR.DS-5 ABSENT substitute; NETDLP-R1.x soft adjacency cross-cite; outbound-mail-flow-separation scope) | |
| EMAIL-R3.2 | Email security gateway | P5 | Attachment sandboxing / detonation-chamber inspection — malicious-attachment code-authentication and behavioral detonation at Email inspection boundary (SI-7(15) FIRST-PRIMARY; SC-44 REUSE-from-MALWARELAB-R1.1; SI-3 REUSE; DE.CM-5 REUSE-from-C2C-R5.5; SI-3(10) REUSE-from-WAF-R2.2; MalwareLab upstream lateral cross-cite) | |
| EMAIL-R3.3 | Email security gateway | P5 | Email↔CASB and Email↔HostDLP soft adjacency scope-boundary — defense-in-depth lateral layering at mail-protocol vs. SaaS-application-plane inspection boundary and endpoint↔mail-gateway inspection boundary (ANALYST-DERIVED co-deployment governance; cross-cite NetDLP adjacency; 0 HARD closures confirmed) | AD |
| EMAIL-R3.4 | Email security gateway | P5 | User-identity binding at mail-delivery decision — per-sender / per-recipient identity-class mail-delivery enforcement; PR.AC-1 REUSE-from-IdP-R6.4 + PAM-R5.4; ANALYST-DERIVED privileged-account mail-flow governance; cloud-mail-platform API-inspection-integrated identity binding | |
| EMAIL-R3.5 | Email security gateway | P5 | Malicious-mail containment + access-revocation — mail-quarantine and session-invalidation at delivery scope; NIST IR-4 + SI-4(7) RS.MI-1 ABSENT substitute; RS.RP-1 REUSE-from-C2C-R3.5 (CARV V1); AC-3(8) REUSE at mail-access-revocation scope; DoDM 8530.01 § 3.4.b.(2) DOD-CYBER cross-cite at malicious-payload-alert scope | |
| EMAIL-R4.1 | Email security gateway | P5 | Cloud-mail-platform deployment-mode binary architecture — CSP-native vs. third-party cloud-hosted SEG at mail-protocol-plane; Row 17 partial-transform binary cloud-side option set; SC-7(8) REUSE-from-SWG-R4.1 | |
| EMAIL-R4.2 | Email security gateway | P5 | DOD-CYBER Cloud Deployment Models doctrine at cloud-mail-platform deployment-mode scope — REUSE-from-SWG-R4.2; mail-platform deployment-model authorization envelope; per-IL cloud-hosted SEG deployment applicability | |
| EMAIL-R4.3 | Email security gateway | P5 | Per-CSP cloud-mail-platform integration governance — per-CSP cloud-hosted SEG API-integration configuration consistency across multiple CSP cloud-mail environments (AD; ANALYST-DERIVED; SCCA cross-CSP coverage framing) | AD |
| EMAIL-R4.4 | Email security gateway | P5 | CASB-R4.3/R4.4 soft adjacency close — defense-in-depth lateral layering at cloud-mail-platform CASB co-deployment boundary between Email mail-protocol content inspection and CASB SaaS-application-plane access control (cross-cite acknowledgment; NOT a HARD closure) | |
| EMAIL-R4.5 | Email security gateway | P5 | Cross-CSP Email policy normalization governance — per-CSP DMARC policy / anti-phishing-rule / mail-DLP policy normalization across multiple CSP cloud-mail environments | AD |
| EMAIL-R5.1 | Email security gateway | P5 | Mail gateway significant-event audit — SI-7(8) first-primary (FIRST SI-7(8) USE IN PROJECT); integrity-violation detection audit capability; DKIM failure, DMARC failure, spoofed-sender events; AU-12 reuse; CORA Para 2.5.4 network-log-review cross-cite | |
| EMAIL-R5.2 | Email security gateway | P5 | Mail-inspection audit log content — per-message, per-sender, per-recipient decision audit; DE.CM-3 REUSE-from-PKI-R5.3 (personnel-mail-activity monitoring scope; ESM v11); PR.PT-1 REUSE-from-CWPP-R2.5 + K8S-R5.5; DE.CM-1 REUSE-from-SIEM; AU-3 reuse | |
| EMAIL-R5.3 | Email security gateway | P5 | SOC mail-alert-feed — DE.CM-7 REUSE-from-SWG-R5.3 (unauthorized mail-activity monitoring; ESM v11); mail-threat SOC alert taxonomy; CORA Para 2.7.1 abnormal/suspicious-activity definition; IDS Row 5 lateral; SIEM Row 1 lateral | |
| EMAIL-R5.4 | Email security gateway | P5 | SOAR mail-incident remediation-orchestration handoff — mail-gateway block-decisions and behavioral-alert triggers feed SOAR incident-response playbooks; SOAR Row 24 lateral; RS.RP-1 REUSE-from-C2C-R3.5 (CSSP-CARV); IR-4 reuse; CORA Para 2.5.4 mail-log-retention at incident scope | |
| EMAIL-R5.5 | Email security gateway | P5 | ForIR mail-incident-evidence handoff + CORA Cyber Defense Monitor cross-cites — mail-gateway session evidence for investigation; CORA Para 2.5.4 network-log-review; CORA Para 2.7.1 abnormal/suspicious activity; CORA Para 2.3.2 IDS-event-monitoring chain; ForIR Row 28 lateral; AU-12 reuse; OMB-LOG M-21-31 evidence retention | |
| EMAIL-R6.1 | Email security gateway | P5 | Email inspection-coverage posture rollup publishing — per-user-class Email inspection-coverage state and rollup-publishing-mastership authority (CA-7 reuse-from-EDR-R5.3 at Email inspection-coverage posture rollup-publishing scope; cross-cite CAASM Row 13) | |
| EMAIL-R6.2 | Email security gateway | P5 | Per-CSP Email inspection-coverage rollup — per-CSP cloud-hosted SEG presence + MTA-relay-vs-API-inspection mode + per-CSP inspection-coverage state (CA-7 reuse-from-EDR-R5.3 + CA-7(5) reuse-from-C2C-R6.4 at per-CSP Email coverage-rollup aggregation scope; SCCA cross-CSP coverage governance cross-cite) | |
| EMAIL-R6.5 | Email security gateway | P5 | Mail-archive/retention information-management scope — SI-12 FIRST-PRIMARY (Information Management and Retention); mail-event-audit-log retention; CA-7(4) REUSE-from-C2C-R5.5 at coverage-risk-monitoring scope; CA-7(5) REUSE-from-C2C-R6.4 at cross-CSP coverage-state consistency-analysis scope; SIEM Row 1 coverage-state event publishing | |
| EMAIL-R7.1 | Email security gateway | P5 | Per-CSP Email component inventory — per-CSP cloud-hosted Email security gateway instance enumeration, on-prem MTA-relay component inventory, Email management-plane component enumeration, and per-CSP Email component versioning (§ CM-8 20th-use) | |
| EMAIL-R7.2 | Email security gateway | P5 | Email management-plane resilience — Email management infrastructure contingency planning, policy-distribution-plane availability, last-known-good policy retention at Email enforcement points, and management-plane recovery procedures (§ CP-2 18th-use; CORA Cybersecurity and Resiliency cross-cite) | |
| EMAIL-R7.3 | Email security gateway | P5 | Email administrator management channel — Email management-plane administrator remote-access governance, DODIN-bound management-channel governance, and cross-CSP Email management-plane admin access (§ AC-17 17th-use; SCCA cross-CSP boundary cross-cite; PAM cross-cite; CORA Cybersecurity and Resiliency cross-cite) | |
| EMAIL-R7.4 | Email security gateway | P5 | Mail-archive retention governance and Email-management-plane-as-remote-egress-point cryptographic session protection — SI-12 REUSE-from-EMAIL-R6.5 at scope-distinct mail-data-disposition management-plane scope; AC-17(2) REUSE-only at Email-management-plane-as-remote-egress-point scope (§ SI-12 REUSE-from-EMAIL-R6.5; § AC-17(2) REUSE-from-SWG-R7.4) — **R-ID-first-wins controller normalization: SI-12 first-primary LOCKED at EMAIL-R6.5 mail-archive retention information-management scope; EMAIL-R7.4 SI-12 demoted to scope-distinct re-use at management-plane retention scope per R-ID-first-wins discipline (same pattern as SWG-R2.3/R3.5 SC-23(1) collision normalization)** | |
| EMAIL-R7.5 | Email security gateway | P5 | Cross-CSP Email policy normalization authority — final trust-anchor Candidate C NOT LANDED disposition + cross-CSP DMARC-policy / anti-phishing-rule / cloud-hosted-SEG-configuration normalization governance (ANALYST-DERIVED; SCCA cross-CSP coverage cross-cite; **terminal-Phase-J no-outbound-forward-pointer discipline — Email is terminal Pillar 5 N&E and terminal Phase J capability; Phase J 100% complete; P5/7 group 3/3 COMPLETE**) | AD |
| EMAIL-R8.1 | Email security gateway | P5 | Email gateway administration training — MTA-relay administration, cloud-hosted SEG administration, mail-routing policy management, and Email-platform API-integration operations | |
| EMAIL-R8.2 | Email security gateway | P5 | Anti-spam / anti-phishing policy administration training — per-sender spam-scoring, DMARC / SPF / DKIM enforcement, URL-rewriting time-of-click analysis, and BEC detection operations | |
| EMAIL-R8.3 | Email security gateway | P5 | Attachment-sandbox policy administration + mail-DLP policy administration training — sandbox detonation policy, content disarm and reconstruction (CDR), mail-content-classification for DLP enforcement, and malicious-mail containment operations | |
| EMAIL-R8.4 | Email security gateway | P5 | SOC Email event triage training + cloud-mail-platform API-integration operations training + cross-cap Email↔CASB↔NetDLP coordination at SaaS-mail egress-inspection plane | |
| EMAIL-R8.5 | Email security gateway | P5 | Email exception/exemption authority training + Email admin certification — exception-approval workflow, sender whitelist lifecycle, URL-rewrite bypass governance, DMARC enforcement exception governance, and quarantine-release exception governance — **25th PR.AT-5 (THIRD P5/7 instance — CLOSES the P5/7 PR.AT-5 family; terminal Phase J cap)** | |