NSAuditor AI EE 0.10.0 Ships NIST Cybersecurity Framework 2.0 as Third Compliance Framework

NSAuditor AI EE 0.10.0 introduces NIST CSF 2.0 as its third compliance framework. Subcategory-level mapping across 106 of 107 Core Subcategories. One scan, three evidence packs.


Triple-Framework Compliance in a Single Scan

Nsasoft US LLC today shipped NSAuditor AI Enterprise Edition v0.10.0 — introducing NIST Cybersecurity Framework 2.0 (NIST CSWP 29, February 2024) as the third supported compliance framework alongside SOC 2 (AICPA TSC 2017) and HIPAA Security Rule §164.312. This marks the twenty-eighth consecutive trio-publish.

The headline feature is subcategory-level CSF 2.0 mapping — the auditor-canonical granularity for the framework. Functions and Categories serve as navigation headers; Subcategories are the outcome statements auditors attach evidence to. EE 0.10.0 maps across 106 of 107 CSF 2.0 Core Subcategories: 13 covered, 10 partial, and 83 explicitly out-of-scope with named architectural-limit reasons.

Coverage Breakdown

The 13 fully covered subcategories span the Protect, Detect, Identify, and Recover functions: PR.AA-01/03/05, PR.DS-01/02/11, PR.PS-04, PR.IR-01, DE.CM-01/09, ID.AM-01/03, and RC.RP-03. Each maps directly to infrastructure-scanner-observable evidence — IAM policy state, encryption configuration, logging enablement, asset inventory, and backup integrity.

The 10 partial subcategories are GV.SC-04, ID.AM-02, ID.RA-01, PR.DS-10, PR.PS-01/02, PR.IR-03, DE.CM-03, DE.AE-02, and RC.RP-04 — cases where substrate-level evidence is available but the application-layer or organizational-maturity dimensions fall outside scanner scope.

OOS-by-Design: Govern and Respond

Two entire functions are explicitly out of scope with documented reasoning. The Govern (GV) function is OOS-by-design: policy, strategy, workforce management, and supply-chain governance evidence requires a GRC platform, not an infrastructure scanner. The single exception is GV.SC-04, rated partial, where VPC endpoints and cross-account vault grants provide a supplier-known substrate dimension.

The Respond (RS) function is entirely out of scope: incident response runbook execution is an IR platform concern. Implementation Tiers 1–4 are also OOS-by-design, because organizational maturity claims cannot be evidenced by infrastructure scanning; rendered reports surface an explicit Tiers OOS disclaimer.

Triple-Framework One-Scan Workflow

A single command produces three complete, separate evidence packs:

nsauditor-ai scan --host aws --plugins all \
  --compliance soc2,hipaa,nist-csf \
  --out evidence/

This produces scan_compliance_soc2.{md,html,json}, scan_compliance_hipaa.{md,html,json}, and scan_compliance_nist-csf.{md,html,json} from the same underlying scan — no duplicate API calls.

Federal and Air-Gapped Deployments

Informative references to NIST SP 800-53 Rev. 5 and CIS Controls v8 are baked into nist-csf.json per subcategory. The zero data exfiltration architecture means findings never leave customer infrastructure — directly applicable to air-gapped federal deployments. Federal contractors, DOD-adjacent organizations, and teams in DFARS/CMMC pre-audit preparation can use the NIST CSF 2.0 evidence pack as a technical infrastructure baseline alongside GRC platform coverage of Govern and policy-layer controls.

Full subcategory mapping documentation is at nsauditor.com/ai/docs/nist/. Install: npm install -g @nsasoft/nsauditor-ai-ee@0.10.0.