Controls Mapping Pack
A procurement‑friendly crosswalk that maps common control language (SOC 2 / ISO 27001 / NIST CSF) to MVG mechanisms (Verify → Permit → Gate; fail‑closed), with direct evidence pointers.
Informational only. This pack is not a certification, attestation, or audit opinion. Auditors and customers remain authoritative for control conclusions.
Recommended start: Trust Center → DSSE Viewer → Verify offline.
Receipt scaffold (optional)
If you need a single signed “receipt” for this mapping pack, sign the checksums file offline. (Signing is performed on the designated offline key machine.)
- SHA256SUMS.controls_mapping
- Detached signature (.asc): status HOLD (signature unpublished)
Signing runbook: RUNBOOK_PLACEHOLDER0_SIGNING_v71_3.md.
Once a real armored signature is published, the transparency builder can commit its sha256 into the procurement proof chain (append‑only; deterministic regeneration).
Agentic / GenAI controls map (OWASP ↔ MVG)
A procurement‑friendly crosswalk for agentic / GenAI security discussions: OWASP Agentic Top 10 (ASI01–ASI10) mapped to MVG mechanisms (Verify → Permit → Gate; fail‑closed), with evidence pointers and offline verification hints.
Checksums: .sha256 · Signature: .asc · Status: HOLD (signature unpublished)
Why this exists
- Aligns agentic / GenAI risk review to deterministic outcomes: PASS / FAIL / HOLD.
- Evidence pointers are canonical and replayable offline (no uploads, no tracking).
- Coverage notes are explicit; this is a crosswalk, not a certification.
What this pack maps
- MVG mechanism: Verify → Permit → Gate (fail‑closed).
- Evidence URLs: DSSE / proofs / packets / policies.
- Verification hints: offline verifier, expected PASS/HOLD/FAIL.
Expected outputs (fail‑closed)
- PASS = signatures verify + hashes match.
- HOLD = missing/unverifiable proof/signature/pointer (intentional).
- FAIL = integrity mismatch (tamper evidence) — escalate.
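The three verdicts above, replayed as a small fail‑closed offline check over a SHA256SUMS‑style file and its detached .asc. This is an added example, not the pack's own verifier or runbook; the file names, the pubkey handling and the constructed one‑file pack in demo are assumptions.

```shell
# Added example (not the pack's tooling): fail-closed offline verification of a receipt.
#   PASS  signature verifies AND every listed hash matches
#   HOLD  something needed is missing or cannot be checked here (sums, .asc, gpg, pubkey)
#   FAIL  a listed hash does not match, or the signature is present but BAD (tamper evidence)
# Usage: mvg_verify <pack_dir> <SHA256SUMS file> <detached .asc>   (verdict on stdout)

_sha256() {  # first field of sha256sum / shasum output, portable across Linux and macOS
  { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

mvg_verify() {
  dir=$1; sums=$2; sig=$3
  [ -f "$sums" ] || { echo HOLD; return 0; }          # no checksums file: nothing to verify
  # Hash check runs first: a mismatch is tamper evidence even while the signature is unpublished.
  while read -r want name; do
    [ -n "$want" ] || continue                        # skip blank lines
    name=${name#\*}                                   # drop sha256sum's binary-mode marker
    [ -f "$dir/$name" ] || { echo HOLD; return 0; }   # listed artifact missing: unverifiable
    [ "$(_sha256 "$dir/$name")" = "$want" ] || { echo FAIL; return 0; }
  done < "$sums"
  # Signature check: absent .asc or absent tooling/key is HOLD, a bad signature is FAIL.
  [ -f "$sig" ] || { echo HOLD; return 0; }
  command -v gpg >/dev/null 2>&1 || { echo HOLD; return 0; }
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || true
  case $status in
    *"[GNUPG:] GOODSIG"*) echo PASS ;;                # key trust/fingerprint is then a policy check
    *"[GNUPG:] BADSIG"*)  echo FAIL ;;
    *)                    echo HOLD ;;                # NO_PUBKEY, expired key, etc.
  esac
}

# Constructed self-check (assumed file names): one-file pack with a correct checksum and an
# unpublished signature, then the same pack after the artifact is tampered with.
demo() {
  tmp=$(mktemp -d); echo 'controls mapping v1' > "$tmp/mapping.csv"
  printf '%s  mapping.csv\n' "$(_sha256 "$tmp/mapping.csv")" > "$tmp/SHA256SUMS.controls_mapping"
  r1=$(mvg_verify "$tmp" "$tmp/SHA256SUMS.controls_mapping" "$tmp/SHA256SUMS.controls_mapping.asc")
  echo 'tampered' >> "$tmp/mapping.csv"
  r2=$(mvg_verify "$tmp" "$tmp/SHA256SUMS.controls_mapping" "$tmp/SHA256SUMS.controls_mapping.asc")
  rm -rf "$tmp"; echo "$r1 $r2"   # → HOLD FAIL  (signature unpublished, then hash mismatch)
}
```

Because hashes are checked before the signature, a tampered artifact is reported as FAIL even while the receipt's signature is still on HOLD.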