feat(compliance): add mapping confidence warnings for DORA, ISO 27001, ISO 42001
Amber banner for DORA and ISO 27001:2022 — community-based mapping, no official CTID source. Orange banner for ISO 42001:2023 — experimental, MITRE ATT&CK has no AI-specific techniques yet. Each notice explains the mapping source, limitations, and what executives should consider before using the data in formal audits or regulatory submissions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -1,6 +1,6 @@
|
|||||||
import { useState } from "react";
|
import { useState } from "react";
|
||||||
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
|
import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
|
||||||
import { Loader2, AlertCircle, Download, FileText, Plus, ExternalLink, BookOpen } from "lucide-react";
|
import { Loader2, AlertCircle, Download, FileText, Plus, ExternalLink, BookOpen, AlertTriangle, FlaskConical } from "lucide-react";
|
||||||
import {
|
import {
|
||||||
getComplianceFrameworks,
|
getComplianceFrameworks,
|
||||||
getFrameworkStatus,
|
getFrameworkStatus,
|
||||||
@@ -49,6 +49,48 @@ export default function CompliancePage() {
|
|||||||
const controls = frameworkStatus?.controls || [];
|
const controls = frameworkStatus?.controls || [];
|
||||||
const activeFramework = frameworks?.find((f) => f.id === activeFrameworkId) ?? null;
|
const activeFramework = frameworks?.find((f) => f.id === activeFrameworkId) ?? null;
|
||||||
|
|
||||||
|
// Mapping confidence notices for frameworks that lack an official CTID ATT&CK mapping
|
||||||
|
type ConfidenceLevel = "community" | "experimental";
|
||||||
|
const MAPPING_NOTICES: Record<string, { level: ConfidenceLevel; source: string; notice: string }> = {
|
||||||
|
"DORA": {
|
||||||
|
level: "community",
|
||||||
|
source: "ENISA guidance + TIBER-EU threat-led testing framework",
|
||||||
|
notice:
|
||||||
|
"No official MITRE CTID ATT&CK mapping exists for DORA (EU 2022/2554). " +
|
||||||
|
"The technique mappings in Aegis are based on ENISA ICT risk management guidelines and the TIBER-EU " +
|
||||||
|
"threat-led penetration testing framework — both authoritative sources for this regulation. " +
|
||||||
|
"They reflect regulatory intent and established industry practice, but have not been " +
|
||||||
|
"formally certified. We recommend reviewing coverage with a compliance specialist " +
|
||||||
|
"before submitting to supervisory authorities (EBA / ESMA / EIOPA / ECB).",
|
||||||
|
},
|
||||||
|
"ISO/IEC 27001:2022": {
|
||||||
|
level: "community",
|
||||||
|
source: "ISO/IEC 27002:2022 + industry consensus",
|
||||||
|
notice:
|
||||||
|
"No official MITRE CTID ATT&CK mapping exists for ISO/IEC 27001:2022. " +
|
||||||
|
"ISO charges for its published standards, which prevents the open-source community from " +
|
||||||
|
"producing a formally certified mapping. The technique mappings in Aegis are based on " +
|
||||||
|
"ISO/IEC 27002:2022 implementation guidance (the companion standard) and widely adopted " +
|
||||||
|
"industry practice from the security community. They are directionally correct and " +
|
||||||
|
"representative, but should be validated against your organisation's specific control " +
|
||||||
|
"implementation before use in a formal ISO 27001 audit or certification exercise.",
|
||||||
|
},
|
||||||
|
"ISO/IEC 42001:2023": {
|
||||||
|
level: "experimental",
|
||||||
|
source: "Interpretation — MITRE ATT&CK Enterprise v14 has no AI-specific techniques",
|
||||||
|
notice:
|
||||||
|
"ISO/IEC 42001 was published in December 2023. MITRE ATT&CK Enterprise v14 does not yet " +
|
||||||
|
"include adversarial techniques specifically targeting AI systems (model poisoning, " +
|
||||||
|
"adversarial examples, training data exfiltration, etc.). " +
|
||||||
|
"The mappings in Aegis cover threats to the IT INFRASTRUCTURE that supports AI systems — " +
|
||||||
|
"data pipelines, model-serving APIs, ML framework supply chains, and cloud AI services — " +
|
||||||
|
"using the closest available ATT&CK techniques. " +
|
||||||
|
"This is a best-effort directional mapping intended to identify where Red Team coverage " +
|
||||||
|
"of AI infrastructure is lacking. It should NOT be treated as a formal ISO 42001 " +
|
||||||
|
"compliance assessment until MITRE publishes dedicated AI attack techniques.",
|
||||||
|
},
|
||||||
|
};
|
||||||
|
|
||||||
const handleExportCSV = async () => {
|
const handleExportCSV = async () => {
|
||||||
if (activeFrameworkId) {
|
if (activeFrameworkId) {
|
||||||
await downloadComplianceCSV(activeFrameworkId);
|
await downloadComplianceCSV(activeFrameworkId);
|
||||||
@@ -197,6 +239,46 @@ export default function CompliancePage() {
|
|||||||
</div>
|
</div>
|
||||||
)}
|
)}
|
||||||
|
|
||||||
|
{/* Mapping confidence notice — shown for frameworks without official CTID mapping */}
|
||||||
|
{activeFramework && MAPPING_NOTICES[activeFramework.name] && (() => {
|
||||||
|
const notice = MAPPING_NOTICES[activeFramework.name];
|
||||||
|
const isExperimental = notice.level === "experimental";
|
||||||
|
return (
|
||||||
|
<div className={`rounded-xl border px-5 py-4 ${
|
||||||
|
isExperimental
|
||||||
|
? "border-orange-500/30 bg-orange-500/5"
|
||||||
|
: "border-amber-500/25 bg-amber-500/5"
|
||||||
|
}`}>
|
||||||
|
<div className="flex items-start gap-3">
|
||||||
|
{isExperimental
|
||||||
|
? <FlaskConical className="mt-0.5 h-4 w-4 shrink-0 text-orange-400" />
|
||||||
|
: <AlertTriangle className="mt-0.5 h-4 w-4 shrink-0 text-amber-400" />
|
||||||
|
}
|
||||||
|
<div className="flex-1 min-w-0">
|
||||||
|
<div className="flex flex-wrap items-center gap-2 mb-2">
|
||||||
|
<span className={`text-xs font-semibold ${isExperimental ? "text-orange-300" : "text-amber-300"}`}>
|
||||||
|
{isExperimental ? "Experimental mapping — use with caution" : "Community-based mapping — not officially certified"}
|
||||||
|
</span>
|
||||||
|
<span className={`rounded-full border px-2 py-0.5 text-[10px] font-medium ${
|
||||||
|
isExperimental
|
||||||
|
? "border-orange-500/30 bg-orange-500/10 text-orange-400"
|
||||||
|
: "border-amber-500/25 bg-amber-500/10 text-amber-400"
|
||||||
|
}`}>
|
||||||
|
{isExperimental ? "Experimental" : "Community"}
|
||||||
|
</span>
|
||||||
|
</div>
|
||||||
|
<p className={`text-xs leading-relaxed mb-2 ${isExperimental ? "text-orange-200/80" : "text-amber-200/70"}`}>
|
||||||
|
{notice.notice}
|
||||||
|
</p>
|
||||||
|
<p className={`text-[10px] ${isExperimental ? "text-orange-400/60" : "text-amber-400/50"}`}>
|
||||||
|
<span className="font-semibold">Mapping source:</span> {notice.source}
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
);
|
||||||
|
})()}
|
||||||
|
|
||||||
{/* Summary cards */}
|
{/* Summary cards */}
|
||||||
{summary && (
|
{summary && (
|
||||||
<div className="grid grid-cols-2 gap-4 lg:grid-cols-5">
|
<div className="grid grid-cols-2 gap-4 lg:grid-cols-5">
|
||||||
|
|||||||
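Review bot: The confidence banner fails open — the lookup `MAPPING_NOTICES[activeFramework.name]` at the top of the render IIFE is keyed on the human-readable display name, so if the backend ever renames a framework (say "ISO 27001:2022" without "/IEC") the warning silently disappears while the uncertified mappings keep rendering and exporting, which is the opposite of what a regulatory caveat should do. Keying on `activeFramework.id`, as the existing `frameworks?.find((f) => f.id === activeFrameworkId)` lookup already does, or better having the framework API return the confidence level alongside the framework so `downloadComplianceCSV` can carry the same caveat into the exported artifact, would make it fail closed. The plain-object index is also reachable for prototype names — a framework literally named "constructor" or "toString" is truthy and renders an amber banner with undefined text; guarding with `Object.hasOwn(MAPPING_NOTICES, activeFramework.name)` avoids that. Separately, the ISO 42001 notice pins "MITRE ATT&CK Enterprise v14" and tells readers to wait "until MITRE publishes dedicated AI attack techniques", which will go stale against whatever ATT&CK version the backend actually uses and overlooks that MITRE ATLAS already catalogues AI-specific adversary techniques, so consider sourcing the version from the API and pointing readers at ATLAS instead.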