-
Notifications
You must be signed in to change notification settings - Fork 1
Crosswalk Index
Evidentia bundles 13 inter-framework crosswalks (864 control-to-control mapping rows in total). A crosswalk maps controls in a source framework to related controls in a target framework, so a single piece of evidence can satisfy obligations across multiple frameworks at once.
This page is the verification-posture view: the one thing you must know before relying on a crosswalk for an audit is how trustworthy each mapping is. For the flat, always-current table of every crosswalk + source/target + row count, see the auto-generated Reference → Crosswalks page. For how the crosswalk engine loads and applies these files, see Concepts → Crosswalk engine.
Every crosswalk records a verification field. There are three possible
states; only two are currently in use:
| Posture | Meaning | Trust for audit use |
|---|---|---|
self-attested-via-upstream |
Auto-extracted from an upstream source's own cross-references; not independently SME-verified | Verify each mapping before relying on it |
| (empty / not set) | Evidentia-authored concordance; no formal verification posture declared | Treat as a working draft; verify before relying on it |
hand-checked |
SME-confirmed against both frameworks' control text | (not yet used — see below) |
No crosswalk is currently marked hand-checked. Of the 13:
-
5 are
self-attested-via-upstream— the OSPS Baseline crosswalks (all carryprovenance: upstream-osps-guidelines). - 8 have no posture set — the pre-v0.10.6 Evidentia-authored concordances.
So: always verify a mapping before relying on it for an audit. The
v0.10.7+ roadmap targets upgrading the 5 OSPS crosswalks from
self-attested-via-upstream to hand-checked once SME review confirms
their accuracy.
You can read the posture programmatically:
from evidentia_core.catalogs.crosswalk import load_crosswalk
cw = load_crosswalk("osps-baseline_to_nist-ssdf-800-218")
print(cw.verification) # "self-attested-via-upstream"
print(cw.provenance) # "upstream-osps-guidelines"
print(len(cw.mappings)) # 115The provenance / verification / verification_note fields were added
additively to CrosswalkDefinition in v0.10.6 (the 8 older crosswalks
load unchanged with these fields defaulting to None).
These are mechanical extracts of the upstream OpenSSF OSPS Baseline
guidelines[] array at the pinned commit ac6bbec. They reflect what
the OSPS Baseline says maps to each target framework — they are NOT an
independent SME mapping against (for example) the actual text of NIST
SSDF PO.1.1. Consumers requiring independent verification should plan a
hand-check pass.
| Source | Target | Rows | Provenance |
|---|---|---|---|
| OSPS Baseline 2026.02.19 | NIST 800-161 | 200 | upstream-osps-guidelines |
| OSPS Baseline 2026.02.19 | PCI DSS 4.0 | 200 | upstream-osps-guidelines |
| OSPS Baseline 2026.02.19 | NIST SSDF 800-218 | 115 | upstream-osps-guidelines |
| OSPS Baseline 2026.02.19 | EU CRA | 107 | upstream-osps-guidelines |
| OSPS Baseline 2026.02.19 | NIST CSF 2.0 | 52 | upstream-osps-guidelines |
See the OSPS Baseline mapping showcase page for the full verification-posture rationale (the v0.10.6 brainstorm decision to ship these raw, with an explicit disclaimer, rather than withhold them pending SME review).
These predate the v0.10.6 posture fields and were authored as Evidentia
concordances. They have no formal verification posture declared, so the
same "verify before relying" guidance applies.
| Source | Target | Rows |
|---|---|---|
| NIST CSF 2.0 | NIST 800-53 (mod) | 36 |
| FedRAMP Rev 5 Moderate | CMMC 2.0 L2 | 32 |
| NIST AI RMF 1.0 | EU AI Act | 26 |
| NIST AI RMF 1.0 | ISO/IEC 42001:2023 | 23 |
| ISO/IEC 27001:2022 | NIST 800-53 (mod) | 23 |
| NIST 800-53 (mod) | HIPAA Security | 20 |
| NIST 800-53 (mod) | SOC 2 TSC | 17 |
| Virginia VCDPA | California CCPA/CPRA | 13 |
These cover the highest-traffic compliance overlaps: the AI-governance pair (NIST AI RMF ↔ EU AI Act / ISO 42001), the federal pair (FedRAMP ↔ CMMC, CSF ↔ 800-53), the privacy pair (VCDPA ↔ CCPA), and the audit-staple ISO 27001 / HIPAA / SOC 2 mappings onto NIST 800-53.
Crosswalks are audit-critical, so Evidentia does not generate them
from an LLM at runtime — that is a
deliberately rejected item on correctness
grounds. The 5 OSPS crosswalks are extracted from a pinned, authoritative
upstream (hence self-attested-via-upstream, not "LLM-generated"); the 8
concordances are committed, reviewable artifacts. Any new crosswalk
should be authored, reviewed, and committed — never produced on the fly.
- Reference → Crosswalks — the flat, always-current table (auto-generated from the mapping files).
-
Concepts → Crosswalk engine — how
crosswalks load + apply; the
CrosswalkDefinitionschema. - OSPS Baseline mapping — deep-dive on the 5 OSPS crosswalks + their upstream-attested posture.
- Guides → Run gap analysis — using crosswalks for cross-framework gap-analysis efficiency.
-
- AI Governance
- Air Gapped Install
- Ci Integration
- CONMON Deployment
- Emit Cyclonedx VEX
- Emit OCSF Detection
- Emit SARIF
- Explain Controls
- Generate And Quantify Risk
- Governance Metrics And Workflows
- Ingest OCSF
- Manage Model Risk
- Manage POAM
- Manage Third Party Risk
- MCP Client Setup
- OSPS Self Assessment
- Run Gap Analysis
- Serve The Web Ui
- Sign And Verify Evidence