This crosswalk maps HATS capabilities to the NIST Cybersecurity Framework (CSF) 2.0 published by the National Institute of Standards and Technology in February 2024. NIST CSF 2.0 organizes cybersecurity outcomes into six functions: Govern (GV), Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC).
Each mapping identifies the CSF category or subcategory, the HATS capability that addresses it, the evidence artifact type produced, and the method by which an assessor can independently verify the evidence.
This crosswalk is a technical mapping. It does not constitute a NIST CSF compliance assessment or certification. Organizations should evaluate applicability within their risk management context.
The Govern function establishes and monitors the organization's cybersecurity risk management strategy, expectations, and policy. HATS addresses Govern primarily through governance replay and evidence chain capabilities.
| CSF Category | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| GV.OC Organizational Context | Governance Replay | Governance decision attestation receipts recording policy context at decision time | Replay the governance decision chain to reconstruct the organizational context under which each decision was made |
| GV.RM Risk Management Strategy | Evidence Chains | Cryptographically linked chain of risk assessment attestations | Verify chain integrity via predecessor hash validation; confirm temporal ordering via timestamp deltas |
| GV.RR Roles, Responsibilities, and Authorities | Agent Attestation | Per-agent attestation receipts binding each action to an authenticated identity and role | Verify the tenant_id and agent identity fields in attestation receipts against organizational role assignments |
| GV.PO Policy | Governance Replay | Policy-versioned attestation receipts recording which policy version governed each decision | Deterministic replay of governance decisions confirms each was evaluated under the stated policy version |
| GV.OV Oversight | Independent Verification | Third-party-verifiable attestation receipts carrying three post-quantum (PQ) signatures | Independent verifier validates all three signatures without access to the attesting system |
| GV.SC Cybersecurity Supply Chain Risk Management | Evidence Chains + Continuous Attestation | Supply chain event attestation receipts anchored to evidence chains | Verify chain continuity across supply chain boundaries; confirm no gaps in attestation coverage |
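The GV.OC and GV.PO rows (and the later Governance Replay rows for ID.RA, RS.MA and RC.RP) rest on one mechanism: each receipt names the policy version that governed the decision and carries the inputs the policy saw, so a verifier can re-run that exact version and compare. The example below is added here to show that replay; it is not HATS code. The policy functions, the `DecisionReceipt` layout and the `POLICIES` registry are assumptions, and signatures and chain linkage are left out so the replay logic stands alone.

```python
from dataclasses import dataclass


def policy_v1(inputs):
    """Policy version 1: admins and operators may act."""
    return "allow" if inputs["role"] in ("admin", "operator") else "deny"


def policy_v2(inputs):
    """Policy version 2 tightened v1: operators must also have MFA."""
    if inputs["role"] == "admin":
        return "allow"
    if inputs["role"] == "operator" and inputs.get("mfa"):
        return "allow"
    return "deny"


# Assumed registry of every policy version that ever governed a decision.
# Each entry is a pure function of the recorded inputs, which is what makes
# replay deterministic; retired versions stay registered so old receipts can
# still be replayed under the rule that applied at the time.
POLICIES = {"v1": policy_v1, "v2": policy_v2}


@dataclass(frozen=True)
class DecisionReceipt:
    seq: int
    policy_version: str   # version stated on the receipt
    inputs: dict          # decision context captured at decision time
    decision: str         # outcome the system recorded


def replay(receipts, policies=POLICIES):
    """Re-evaluate each receipt under the policy version it names.

    Returns a list of findings; an empty list means every recorded decision
    is reproduced by its stated policy version.
    """
    findings = []
    for r in receipts:
        policy = policies.get(r.policy_version)
        if policy is None:
            findings.append(f"seq {r.seq}: unknown policy version {r.policy_version}")
            continue
        expected = policy(r.inputs)
        if expected != r.decision:
            findings.append(
                f"seq {r.seq}: recorded {r.decision}, policy {r.policy_version} yields {expected}"
            )
    return findings


def demo():
    """Constructed receipts: two valid, one contradicting v2, one naming an unknown version."""
    receipts = [
        DecisionReceipt(0, "v1", {"role": "operator", "mfa": False}, "allow"),  # correct under v1
        DecisionReceipt(1, "v2", {"role": "operator", "mfa": False}, "deny"),   # correct under v2
        DecisionReceipt(2, "v2", {"role": "operator", "mfa": False}, "allow"),  # contradicts v2
        DecisionReceipt(3, "v3", {"role": "admin"}, "allow"),                   # no such version
    ]
    # Replaying every receipt under the current policy instead of the stated
    # one flags seq 0 as well, although it was correct when it was made.
    current_only = {version: policy_v2 for version in POLICIES}
    return {
        "stated_version": replay(receipts),
        "current_policy_only": replay(receipts, current_only),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

The `current_policy_only` case is the reason the receipt must bind a policy version: without it an assessor can only replay under today's rule, and a decision that was correct under the policy in force at the time shows up as a false finding.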
The Identify function helps organizations understand their cybersecurity risk by identifying assets, vulnerabilities, and threats. HATS contributes through continuous attestation of asset state and configuration.
| CSF Category | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| ID.AM Asset Management | Continuous Attestation | Periodic asset-state attestation receipts recording configuration and inventory snapshots | Verify receipt timestamp continuity; confirm asset inventory hashes match known-good baselines |
| ID.RA Risk Assessment | Governance Replay | Risk assessment decision attestation receipts with policy binding | Replay risk assessment decisions to verify they followed the documented methodology |
| ID.IM Improvement | Evidence Chains | Longitudinal evidence chain showing security posture changes over time | Traverse the evidence chain to observe control effectiveness trends; verify chain integrity |
The Protect function implements safeguards to manage cybersecurity risks. HATS addresses Protect through encrypted computation, continuous attestation, and cryptographic identity management.
| CSF Category | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| PR.AA Identity Management, Authentication, and Access Control | Continuous Attestation + Agent Attestation | Per-access attestation receipts binding identity, authentication method, and access target | Verify attestation receipt signatures and confirm identity binding; check tenant_id consistency |
| PR.AT Awareness and Training | Governance Replay | Training completion attestation receipts | Verify receipt authenticity; confirm temporal coverage of training attestations |
| PR.DS Data Security | Encrypted Computation | FHE computation attestation receipts demonstrating data processed without decryption | Verify the computation_type field indicates FHE_COMPUTE (0x05); confirm receipt chain integrity |
| PR.PS Platform Security | Continuous Attestation | Platform configuration attestation receipts at configurable intervals | Verify attestation receipt continuity; confirm no gaps exceed the configured attestation interval |
| PR.IR Technology Infrastructure Resilience | Evidence Chains | Infrastructure event attestation chain recording availability and resilience events | Traverse evidence chain to verify infrastructure state was attested continuously during the assessment period |
The Detect function identifies cybersecurity events. HATS addresses Detect through continuous monitoring via attestation receipt streams and anomaly detection through evidence chain analysis.
| CSF Category | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| DE.CM Continuous Monitoring | Continuous Attestation | Real-time attestation receipt stream with sub-second granularity | Verify receipt stream continuity; confirm attestation frequency meets the monitoring SLA |
| DE.AE Adverse Event Analysis | Evidence Chains + Governance Replay | Event analysis attestation receipts linking detected events to response actions | Replay the governance decision chain from event detection through response; verify causal linkage via predecessor hashes |
The Respond function manages detected cybersecurity incidents. HATS provides attestation coverage of incident response actions and governance decisions made during response.
| CSF Category | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| RS.MA Incident Management | Continuous Attestation + Governance Replay | Incident response action attestation receipts with governance decision binding | Replay incident response decisions; verify each action was attested with the correct governance context |
| RS.AN Incident Analysis | Evidence Chains | Post-incident evidence chain providing tamper-evident timeline of all actions taken | Verify chain integrity; confirm no receipts were inserted, removed, or reordered, and compare the chain head against an independently published value (predecessor hashes alone do not reveal a truncated tail) |
| RS.CO Incident Response Reporting and Communication | Independent Verification | Third-party-verifiable incident report attestation receipts | External parties verify incident report receipts using public keys without system access |
| RS.MI Incident Mitigation | Continuous Attestation | Mitigation action attestation receipts recording each containment and remediation step | Verify temporal ordering of mitigation actions via timestamp deltas in the receipt chain |
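The chain checks named in the GV.RM, ID.AM, PR.PS and RS.AN rows (predecessor hash validation, timestamp deltas, gap detection against the configured interval, and detection of inserted, removed or reordered receipts) are one procedure. The example below is added to show it end to end, including the failure mode a bare hash chain does not catch; it is not HATS code. The `Receipt` field layout, the all-zero genesis predecessor, SHA-256 over canonical JSON and the tampering cases are all assumptions, and the page's three PQ signatures are assumed to have been checked per receipt before these structural checks run.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace

GENESIS = "0" * 64  # predecessor value of the first receipt (assumed convention)


@dataclass(frozen=True)
class Receipt:
    seq: int
    timestamp: float   # attestation time, seconds since the epoch
    tenant_id: str
    payload: dict      # attested content, e.g. an asset-inventory hash
    predecessor: str   # hex SHA-256 of the previous receipt

    def digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so every verifier
        # hashes exactly the same bytes.
        body = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


def build_chain(tenant_id, events):
    """events: sequence of (timestamp, payload) pairs in attestation order."""
    chain, prev = [], GENESIS
    for seq, (ts, payload) in enumerate(events):
        receipt = Receipt(seq, ts, tenant_id, payload, prev)
        chain.append(receipt)
        prev = receipt.digest()
    return chain


def verify_chain(chain, max_interval, tenant_id=None, expected_head=None):
    """Return a list of findings; an empty list means the chain verified."""
    if not chain:
        return ["empty chain"]
    findings = []
    prev_digest, prev_ts = GENESIS, None
    for position, r in enumerate(chain):
        if r.seq != position:
            findings.append(f"seq {r.seq} at position {position}: sequence not contiguous")
        if r.predecessor != prev_digest:
            findings.append(f"seq {r.seq}: predecessor hash mismatch")
        if tenant_id is not None and r.tenant_id != tenant_id:
            findings.append(f"seq {r.seq}: tenant_id {r.tenant_id!r} != {tenant_id!r}")
        if prev_ts is not None:
            delta = r.timestamp - prev_ts
            if delta < 0:
                findings.append(f"seq {r.seq}: timestamp moves backwards")
            elif delta > max_interval:
                findings.append(f"seq {r.seq}: gap of {delta:.0f}s exceeds interval {max_interval}s")
        prev_digest, prev_ts = r.digest(), r.timestamp
    # Predecessor hashes cannot reveal that the tail was cut off: a chain that
    # simply stops at seq 3 is internally consistent. The head must be compared
    # against a value obtained outside the attesting system.
    if expected_head is not None and prev_digest != expected_head:
        findings.append("chain head does not match independently published head")
    return findings


def demo():
    """Constructed sample: six receipts at a 60 s interval, 90 s allowed."""
    base = 1_700_000_000.0
    events = [(base + 60 * i, {"inventory_sha256": f"{i:064x}"}) for i in range(6)]
    chain = build_chain("tenant-a", events)
    head = chain[-1].digest()
    modified = chain[:2] + [replace(chain[2], payload={"inventory_sha256": "f" * 64})] + chain[3:]
    return {
        "intact": verify_chain(chain, 90, "tenant-a", head),
        "removed": verify_chain(chain[:2] + chain[3:], 90, "tenant-a", head),
        "reordered": verify_chain([chain[0], chain[2], chain[1]] + chain[3:], 90, "tenant-a", head),
        "modified": verify_chain(modified, 90, "tenant-a", head),
        "truncated_unanchored": verify_chain(chain[:-2], 90, "tenant-a"),
        "truncated_anchored": verify_chain(chain[:-2], 90, "tenant-a", head),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'OK'}")
```

Removal, reordering and modification each break a predecessor link and usually a timestamp delta as well, so they are caught by the receipts alone. Truncation is the case to watch: the `truncated_unanchored` run returns no findings, and only the comparison against an independently obtained head turns it into one.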
The Recover function restores capabilities or services impaired by cybersecurity incidents. HATS addresses Recover through evidence chains that document recovery actions and governance replay that verifies recovery decisions.
| CSF Category | HATS Capability | Evidence Type | Verification Method |
|---|---|---|---|
| RC.RP Incident Recovery Plan Execution | Governance Replay + Evidence Chains | Recovery plan execution attestation receipts linked to the incident evidence chain | Replay recovery decisions; verify linkage to incident chain via predecessor hashes |
| RC.CO Incident Recovery Communication | Independent Verification | Recovery status attestation receipts verifiable by external stakeholders | External parties verify recovery status receipts independently; confirm timestamps align with communication records |
The tables above map HATS capabilities to all 22 NIST CSF 2.0 categories. Coverage within a category is not uniform: outcomes that are physical (physical access to assets under PR.AA-06, protection from environmental threats under PR.IR-02) or purely organizational (cybersecurity in human resources practices under GV.RR-04) are not addressable by software-based attestation and remain outside the evidence HATS produces.
For categories with HATS coverage, the evidence is cryptographically bound, independently verifiable, and tamper-evident. Assessors can verify evidence without access to the attesting system, using only the published public keys and the attestation receipt chain, provided those public keys are obtained through a channel independent of the attesting system; a verifier that fetches the keys from the system it is assessing has verified nothing.