NSAuditor AI EE 0.13.0 adds CIS Controls v8 as sixth compliance framework

EE 0.13.0 ships CIS Critical Security Controls v8 as the sixth supported compliance framework, with per-Safeguard mapping and Implementation Group cumulative discipline.


NSAuditor AI Enterprise Edition 0.13.0 is live on npm, introducing CIS Critical Security Controls v8 as the sixth supported compliance framework alongside SOC 2 (AICPA TSC 2017), HIPAA Security Rule §164.312, NIST Cybersecurity Framework 2.0, PCI DSS v4.0.1, and ISO/IEC 27001:2022. With this release, a single scan now produces six separate auditor-ready evidence packs.

Per-Safeguard mapping at the atomic unit

CIS Controls v8 is structured as 18 Controls and 153 Safeguards. NSAuditor AI EE maps coverage at the Safeguard level — the atomic, attestable unit where evidence actually lives — rather than at the Control level, which is derived as a roll-up. The shipped matrix covers 17 Safeguards fully, 21 partial, and 115 out of scope, with each in-scope Safeguard tagged for the smallest Implementation Group that requires it.

Implementation Group cumulative discipline

CIS v8’s three Implementation Groups (IG1, IG2, IG3) are cumulative by design — IG2 includes everything in IG1, and IG3 includes everything in IG2. The renderer enforces that discipline explicitly:

  • IG1 = 56 Safeguards — the cyber-insurance baseline; roughly 50–70% of mid-market cyber policies require IG1 attestation as a coverage prerequisite.
  • IG2 cumulative = 130 (IG1 + 74 IG2-only).
  • IG3 cumulative = 153 (IG2 + 23 IG3-only).

Reports never claim IG2 as “74-of-74” in isolation. The IG1 base must be intact before any IG2 or IG3 claim is valid, so an IG1 gap is surfaced as a commercial-impact finding (potential cyber-insurance coverage invalidation), not just a control gap.
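The Safeguard-to-Control roll-up and the cumulative Implementation Group rule described above, as an added worked example (this is illustration code written for this page, not NSAuditor AI EE source). The row schema ({ id, ig, status }), the status values, the sample rows and their results are this example's own assumptions; the 56/130/153 totals are the CIS v8 cumulative counts quoted in the release.

```javascript
// Added example; not NSAuditor AI EE source code. It demonstrates the two
// roll-up rules the release describes: Safeguard status rolls up to Control
// status, and Implementation Group coverage is cumulative, so an IG2 or IG3
// claim is only valid while the IG1 base has no gaps.
//
// Assumed data model (this example's own, not the product's schema): each row
// is { id, ig, status }, where `ig` is the smallest IG that requires the
// Safeguard and `status` is 'pass' | 'fail' | 'partial' | 'out-of-scope'.

const IG_RANK = { IG1: 1, IG2: 2, IG3: 3 };
// Cumulative Safeguard counts per Implementation Group in CIS Controls v8.
const IG_CUMULATIVE_TOTAL = { IG1: 56, IG2: 130, IG3: 153 };

// Constructed sample: a handful of the 153 Safeguards with invented statuses.
const SAMPLE_MATRIX = [
  { id: '1.1', ig: 'IG1', status: 'pass' },
  { id: '1.2', ig: 'IG1', status: 'partial' },
  { id: '1.3', ig: 'IG2', status: 'pass' },
  { id: '1.5', ig: 'IG3', status: 'out-of-scope' },
  { id: '4.1', ig: 'IG1', status: 'pass' },
  { id: '4.2', ig: 'IG1', status: 'fail' },
  { id: '4.6', ig: 'IG1', status: 'pass' },
  { id: '4.7', ig: 'IG2', status: 'pass' },
];

// Safeguard -> Control roll-up. A Control passes only if every in-scope
// Safeguard under it passes, fails if any in-scope Safeguard fails, and is
// partial otherwise. Controls with no in-scope Safeguards are out of scope.
function rollUpControls(matrix) {
  const byControl = new Map();
  for (const row of matrix) {
    const control = row.id.split('.')[0];
    if (!byControl.has(control)) byControl.set(control, []);
    byControl.get(control).push(row);
  }
  const controls = {};
  for (const [control, rows] of byControl) {
    const inScope = rows.filter((r) => r.status !== 'out-of-scope');
    let status = 'partial';
    if (inScope.length === 0) status = 'out-of-scope';
    else if (inScope.every((r) => r.status === 'pass')) status = 'pass';
    else if (inScope.some((r) => r.status === 'fail')) status = 'fail';
    controls[control] = { status, safeguards: rows.map((r) => r.id) };
  }
  return controls;
}

// Cumulative IG summary: IG(n) counts every Safeguard whose smallest IG is
// at or below n, so IG2 always contains the IG1 base and IG3 contains both.
function summarizeImplementationGroups(matrix) {
  const summary = {};
  for (const ig of Object.keys(IG_RANK)) {
    const inGroup = matrix.filter((r) => IG_RANK[r.ig] <= IG_RANK[ig]);
    const inScope = inGroup.filter((r) => r.status !== 'out-of-scope');
    summary[ig] = {
      required: IG_CUMULATIVE_TOTAL[ig],
      assessed: inScope.length,
      passed: inScope.filter((r) => r.status === 'pass').length,
      gaps: inScope.filter((r) => r.status === 'fail').map((r) => r.id),
    };
  }
  // Attestation discipline: no IG claim is valid while the IG1 base has gaps.
  const ig1Intact = summary.IG1.gaps.length === 0;
  for (const ig of Object.keys(summary)) summary[ig].claimValid = ig1Intact;
  return summary;
}

// Findings: an IG1 gap carries commercial impact (IG1 attestation is a
// common cyber-insurance prerequisite); gaps above IG1 are control gaps.
function buildFindings(matrix) {
  return matrix
    .filter((r) => r.status === 'fail')
    .map((r) => ({
      safeguard: r.id,
      ig: r.ig,
      severity: r.ig === 'IG1' ? 'commercial-impact' : 'control-gap',
    }));
}

// Report line that states an IG figure cumulatively and beside its IG1 base,
// never as an "IG2-only X of 74" fraction.
function claimLine(ig, summary) {
  const s = summary[ig];
  const gaps = summary.IG1.gaps.length;
  const base = gaps === 0 ? 'IG1 base intact' : `IG1 base broken (${gaps} gap(s))`;
  return `${ig} cumulative: ${s.passed} passed of ${s.assessed} assessed ` +
    `(${s.required} required by CIS v8); ${base}; claim ${s.claimValid ? 'valid' : 'not valid'}`;
}

// Full report as an array of lines, so callers can test or render it.
function renderReport(matrix) {
  const summary = summarizeImplementationGroups(matrix);
  const lines = ['IG1', 'IG2', 'IG3'].map((ig) => claimLine(ig, summary));
  for (const f of buildFindings(matrix)) lines.push(`FINDING ${f.safeguard} (${f.ig}): ${f.severity}`);
  return lines;
}

console.log(renderReport(SAMPLE_MATRIX).join('\n'));
```

With the sample rows, Safeguard 4.2 fails, so the IG1 base is broken: IG2 is reported as 5 passed of 7 assessed on a broken base with the claim marked not valid, rather than as a clean IG2-only figure, and the 4.2 finding is tagged commercial-impact. Flip 4.2 to pass and all three claims become valid.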

No certification body — honest attestation framing

Unlike ISO 27001 (assessed by ISO/IEC 17021-1 accredited certification bodies) or PCI DSS (assessed by Qualified Security Assessors), CIS Controls has no formal certification body. The EE renderer makes this explicit: engine output is input to one of three downstream validation paths, the CIS Self-Assessment Tool (CSAT) or CIS-CAT Pro Assessor for self-attestation, a SOC 2 auditor cross-validating CIS scope, or CIS-SecureSuite peer review. The word “certified” never appears in a CIS report.

Cloud Companion Guide v8 + CIS-Hardened-Image credit

Every in-scope Safeguard carries a shared-responsibility-model tag per the CIS Cloud Companion Guide v8 — operator-owned, cloud-provider-owned, or shared. Safeguards 4.1, 4.2, and 4.6 (secure configuration of enterprise assets and software) additionally surface substrate-evidence credit for operators running CIS-Hardened-Images on AWS, Azure, or GCP, so the report differentiates between operators that built their own configuration baseline and operators inheriting a CIS-published one.

Five Security Functions — not six

CIS v8 organizes Safeguards across five Security Functions (Identify, Protect, Detect, Respond, Recover). Reports explicitly do not carry the Govern function — that is unique to NIST CSF 2.0 — so the two frameworks do not get conflated in one-scan workflows.

Hexa-framework one-scan workflow

The CLI now accepts CIS v8 as a first-class target in the multi-framework flag:

nsauditor-ai scan <target> --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8

The output is six separate evidence packs from one scan, each rendered with its framework-specific cover-page sections — for CIS, that includes the Implementation Group Coverage Summary, the Attestation Discipline section, and the Cloud Companion Guide table. All five prior framework coverage matrices remain unchanged in this release; the CIS introduction is additive-only and the plugin count is unchanged at 24.

Full coverage matrix, Safeguard-by-Safeguard tables, and the v7.1-to-v8 cross-reference are documented on the CIS Controls v8 landing page. NSAuditor AI EE remains local-first with zero data exfiltration — all evidence is generated inside the operator’s infrastructure.

Install: npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee
