Mapping Format
Mappings establish relationships between CSE signals and framework controls. This enables automatic correlation of findings to compliance requirements across multiple frameworks simultaneously.
Cross-framework by design. A single signal can map to controls in multiple frameworks. When a finding is recorded against that signal, it automatically applies to all mapped controls.
Schema Overview
Mapping files are stored in the mappings/ directory, with one file per signal. Each file contains all framework mappings for that signal.
{
"$schema": "https://cseregistry.org/schemas/mapping.schema.json",
"signal_id": "CSE-HIPAA-TECH-ENCRYPT-REST-001",
"version": "1.0.0",
"updated": "2024-06-15",
"mappings": [
{
"framework": "HIPAA",
"control_id": "§164.312(a)(2)(iv)",
"control_title": "Encryption and decryption",
"relationship": "primary",
"rationale": "Encryption at rest directly implements the addressable encryption specification for ePHI protection"
},
{
"framework": "NIST-CSF",
"control_id": "PR.DS-1",
"control_title": "Data-at-rest is protected",
"relationship": "primary",
"rationale": "Signal detects absence of data-at-rest protection controls"
},
{
"framework": "SOC2",
"control_id": "CC6.1",
"control_title": "Logical and physical access controls",
"relationship": "supporting",
"rationale": "Encryption provides supplementary access control layer"
}
]
}Required Fields
signal_id
| Type | string |
| Example | CSE-HIPAA-TECH-ENCRYPT-REST-001 |
The CSE signal ID this mapping file applies to. Must match an existing signal in the registry.
mappings
| Type | array of objects |
| Min Items | 1 |
Array of framework control mappings. Each mapping links the signal to a specific control in a compliance framework.
Mapping Object Fields
framework
| Type | string |
| Values | HIPAA, SOC2, ISO27001, NIST-CSF, PCI-DSS, CMMC, GDPR, CCPA, CIS, HITRUST, FEDRAMP |
The compliance framework this control belongs to. Uses standardized framework identifiers.
control_id
| Type | string |
| Examples | §164.312(a)(2)(iv), CC6.1, A.8.24, PR.DS-1 |
The official control identifier as defined by the framework. Uses the framework's canonical identifier format.
control_title
| Type | string |
| Max Length | 200 characters |
The human-readable title or name of the control as defined in the framework.
relationship
| Type | string (enum) |
| Values | primary, supporting, partial |
Describes how strongly the signal relates to the control:
| Relationship | Description | Use Case |
|---|---|---|
| primary | Signal directly addresses the control requirement | Encryption signal → encryption control |
| supporting | Signal provides evidence that supports control compliance | Encryption signal → access control |
| partial | Signal addresses only part of the control requirement | At-rest encryption → full data protection control |
rationale
| Type | string |
| Max Length | 500 characters |
Explanation of why this signal maps to this control. Should provide enough context for auditors and compliance teams to understand the relationship.
Optional Fields
control_description
Extended description of the control requirement (optional, for reference):
{
"framework": "HIPAA",
"control_id": "§164.312(a)(2)(iv)",
"control_title": "Encryption and decryption",
"control_description": "Implement a mechanism to encrypt and decrypt electronic protected health information",
"relationship": "primary",
"rationale": "..."
}control_url
Link to official control documentation:
{
"framework": "NIST-CSF",
"control_id": "PR.DS-1",
"control_title": "Data-at-rest is protected",
"control_url": "https://csf.tools/reference/nist-cybersecurity-framework/v2-0/pr/pr-ds/pr-ds-01/",
"relationship": "primary",
"rationale": "..."
}notes
Additional context or caveats about the mapping:
{
"framework": "PCI-DSS",
"control_id": "3.5.1",
"control_title": "Restrict access to cryptographic keys",
"relationship": "partial",
"rationale": "Signal addresses key storage but not access restrictions",
"notes": "This mapping is partial because the signal only detects encryption status, not key management practices"
}Framework Control Identifiers
Each framework uses its own control identifier format. CSE mappings preserve the original framework identifiers:
| Framework | ID Format | Example |
|---|---|---|
| HIPAA | CFR citation format | §164.312(a)(2)(iv) |
| SOC2 | Trust Services Criteria | CC6.1, CC7.2 |
| ISO27001 | Annex A controls | A.8.24, A.5.15 |
| NIST-CSF | Function.Category-Subcategory | PR.DS-1, ID.AM-2 |
| PCI-DSS | Requirement numbering | 3.5.1, 8.3.1 |
| CMMC | Domain.Level.Practice | AC.L2-3.1.1 |
| GDPR | Article numbers | Art. 32(1)(a) |
| CIS | Control.Safeguard | 3.11, 4.1 |
Complete Example
{
"$schema": "https://cseregistry.org/schemas/mapping.schema.json",
"signal_id": "CSE-CMMC-COMMS-UNRESTRICTED-SSH-001",
"version": "1.0.0",
"updated": "2024-06-15",
"mappings": [
{
"framework": "CMMC",
"control_id": "AC.L2-3.1.12",
"control_title": "Remote Access Sessions",
"relationship": "primary",
"rationale": "Unrestricted SSH access violates requirements for controlling and monitoring remote access sessions"
},
{
"framework": "CMMC",
"control_id": "SC.L2-3.13.1",
"control_title": "Boundary Protection",
"relationship": "primary",
"rationale": "Open SSH to internet indicates inadequate network boundary protection"
},
{
"framework": "NIST-CSF",
"control_id": "PR.AC-5",
"control_title": "Network integrity is protected",
"relationship": "primary",
"rationale": "Unrestricted inbound SSH compromises network integrity controls"
},
{
"framework": "PCI-DSS",
"control_id": "1.3.1",
"control_title": "Restrict inbound traffic",
"relationship": "primary",
"rationale": "SSH from 0.0.0.0/0 violates requirement to restrict inbound traffic to only necessary sources"
},
{
"framework": "CIS",
"control_id": "4.4",
"control_title": "Implement and Manage a Firewall on Servers",
"relationship": "supporting",
"rationale": "Finding indicates firewall rules are overly permissive"
},
{
"framework": "ISO27001",
"control_id": "A.8.20",
"control_title": "Networks security",
"relationship": "primary",
"rationale": "Unrestricted administrative access violates network security controls"
}
]
}Using Mappings
Fetching Mappings for a Signal
# Fetch mappings for a specific signal
curl https://raw.githubusercontent.com/cse-registry/cse-registry/main/mappings/CSE-HIPAA-TECH-ENCRYPT-REST-001.json
# Extract only HIPAA controls
curl -s https://raw.githubusercontent.com/cse-registry/cse-registry/main/mappings/CSE-HIPAA-TECH-ENCRYPT-REST-001.json | \
jq '.mappings[] | select(.framework == "HIPAA")'Finding Controls Affected by a Signal
import requests
def get_affected_controls(signal_id):
"""Get all framework controls affected by a signal."""
url = f"https://raw.githubusercontent.com/cse-registry/cse-registry/main/mappings/{signal_id}.json"
response = requests.get(url)
mapping_data = response.json()
controls = []
for mapping in mapping_data["mappings"]:
controls.append({
"framework": mapping["framework"],
"control": mapping["control_id"],
"relationship": mapping["relationship"]
})
return controls
# Example usage
controls = get_affected_controls("CSE-HIPAA-TECH-ENCRYPT-REST-001")
for c in controls:
print(f"{c['framework']} {c['control']} ({c['relationship']})")