Informative Appendix (non-normative)
This appendix is part of the OWASP Autonomous Penetration Testing Standard (APTS) and provides a cross-reference mapping of APTS requirements to major regulatory frameworks and standards. Use this matrix to understand how APTS controls align with external compliance frameworks. It is intended for both external reviewers mapping a vendor or service-provider platform against known frameworks, and enterprise security teams running an internal autonomous pentest platform who need to position APTS conformance against their existing governance program (SOC 2, ISO 27001, NIST CSF, and so on). Note: This mapping identifies areas of overlap and does not constitute legal advice or guarantee compliance with any external regulation. APTS requirements are often more specific to autonomous pentesting than external frameworks; compliance with APTS does not automatically mean compliance with mapped frameworks, and vice versa.
Note: Mappings in this matrix identify areas where APTS requirements address concerns within external frameworks. A mapping does NOT constitute full compliance with the external framework. Organizations should perform their own compliance assessments for each applicable framework independently of APTS.
This appendix maps APTS requirements to nine external frameworks, in the order they appear below:
The first four frameworks are mapped comprehensively across all domains. PCI DSS 4.0.1, GDPR, and HIPAA mappings apply primarily to data-handling, privacy, and supply chain requirements. NIST SP 800-53, CIS Controls, and other frameworks address specific governance and technical control areas.
Each framework requires specific controls. The standard's requirements often address areas relevant to multiple framework controls simultaneously.
NIST CSF 2.0 organizes controls into six Functions and multiple Categories. APTS addresses categories across all functions.
GV.RR-01: Organizational Leadership and Governance Structure
GV.RR-02: Roles, Responsibilities, and Authorities
GV.RM-01: Risk Management Strategy
GV.SC-01: Cybersecurity Supply Chain Risk Management
ID.AM-01: Asset Inventory
ID.AM-04: Supplier-Provided Services Inventory
ID.RA-01: Vulnerability Identification
ID.AM-03: Authorized Communication and Scope Boundary Maintenance
PR.AA-01: Identity Management
PR.AA-05: Access Enforcement
PR.DS-01: Data Security (classification and minimization before external transmission)
PR.DS-02: Data-in-Transit Confidentiality and Integrity
PR.DS-01: Data-at-Rest Protection (encryption, key management, secure deletion)
PR.PS-01: Configuration and Security Policy Management
DE.AE-02: Adverse Event Analysis
DE.CM-01: Network Monitoring
DE.CM-03: Personnel and Data Activity Monitoring
DE.CM-06: External Service Provider Monitoring
RS.MA-01: Incident Management Plan Execution
RS.MI-01: Incident Mitigation
RS.CO-02: Incident Reporting and Communication
RC.RP-01: Incident Recovery Plan Execution
ISO/IEC 27001:2022 contains 93 controls organized into four themes: A.5 Organizational (37 controls), A.6 People (8 controls), A.7 Physical (14 controls), and A.8 Technological (34 controls). Below are key controls addressed by APTS.
A.5.1: Policies for information security
A.5.2: Information security roles and responsibilities
A.5.7: Threat intelligence
A.5.8: Information security in project management
A.5.19: Information security in supplier relationships
A.5.20: Addressing information security within supplier agreements
A.5.21: Managing information security in the ICT supply chain
A.5.22: Monitoring, review and change management of supplier services
A.5.23: Information security for use of cloud services
A.5.24: Information security incident management planning and preparation
A.5.25: Assessment and decision on information security events
A.5.26: Response to information security incidents
A.5.28: Collection of evidence
A.5.29: Information security during disruption
A.5.30: ICT readiness for business continuity
A.5.31: Legal, statutory, regulatory and contractual requirements
A.5.33: Protection of records
A.5.34: Privacy and protection of PII
A.5.36: Conformance with policies, rules and standards for information security
A.5.37: Documented operating procedures
A.6.3: Information security awareness, education and training
A.7.1: Physical security perimeters
A.8.1: User endpoint devices
A.8.2: Privileged access rights
A.8.3: Information access restriction
A.8.4: Access to source code
A.8.5: Secure authentication
A.8.7: Protection against malware
A.8.8: Management of technical vulnerabilities
A.8.9: Configuration management
A.8.10: Information deletion
A.8.11: Data masking
A.8.12: Data leakage prevention
A.8.15: Logging
A.8.16: Monitoring activities
A.8.20: Networks security
A.8.21: Security of network services
A.8.22: Segregation of networks
A.8.24: Use of cryptography
A.8.25: Secure development life cycle
A.8.28: Secure coding
A.8.31: Separation of development, test and production environments
A.8.32: Change management
A.8.33: Test information
A.8.34: Protection of information systems during audit testing
SOC 2 defines five trust services categories, each with specific Trust Services Criteria. Mappings reference the AICPA 2017 Trust Services Criteria as revised with 2022 Points of Focus. The standard addresses all five categories.
CC1: Control Environment - integrity, governance structures, and security objectives.
CC2: Communication and Information - internal and external communication of security responsibilities.
CC3: Risk Assessment - identification and analysis of risks to security objectives.
CC4: Monitoring Activities - ongoing evaluation and accountability for control effectiveness.
CC6: Logical and Physical Access Controls - access provisioning, restriction, and enforcement.
CC7: System Operations - detection and handling of security events and anomalies.
CC9: Risk Mitigation - mitigation of risks arising from business operations and vendors.
A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and enable additional capacity.
A1.2: The entity authorizes, designs, develops, implements, operates, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its availability objectives.
A1.3: The entity tests recovery plan procedures supporting system recovery to meet its availability objectives.
PI1.1: The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services.
PI1.2: The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting that meet the entity's objectives.
PI1.3: The entity implements policies and procedures over system processing to result in products, services, and reporting that meet the entity's objectives.
PI1.4: The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives.
PI1.5: The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives.
C1.1: The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.
C1.2: The entity disposes of confidential information to meet the entity's objectives related to confidentiality.
C1.3: The entity authorizes, designs, develops, configures, documents, tests, approves, implements, and maintains technologies to achieve objectives.
P1.1 / P3.1: The entity provides notice to data subjects about its privacy practices and obtains consent for the collection, use, retention, disclosure, and disposal of personal information.
P3.2: The entity obtains explicit consent for sensitive personal information, and obtains and documents consent prior to the collection, use, and sharing of personal information.
NIST AI RMF 1.0 defines four functions for managing AI system risks. APTS addresses controls across all four functions, with particular depth in GOVERN and MANAGE.
GOVERN 1: Policies and Procedures
GOVERN 2: Accountability Structures
MAP 1: AI System Context and Risk Framing
MAP 2: AI Impact Characterization
MEASURE 1: AI System Performance and Risk Metrics
MEASURE 2: AI System Trustworthiness Characteristics
MANAGE 1: AI Risk Treatment and Response
MANAGE 2: Continuous Monitoring
PCI DSS 4.0.1 contains 12 requirements for payment card security. The standard addresses applicable controls (not all apply if the platform doesn't handle payment cards directly).
Requirement 1: Install and Maintain Network Security Controls
Requirement 2: Apply Secure Configurations to All System Components
Requirement 3: Protect Stored Account Data
Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
Requirement 6: Develop and Maintain Secure Systems and Software
Requirement 7: Restrict Access to System Components and Cardholder Data by Business Need to Know
Requirement 8: Identify Users and Authenticate Access to System Components
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data
Requirement 11: Test Security of Systems and Networks Regularly
Requirement 12: Support Information Security with Organizational Policies and Programs
GDPR (EU privacy regulation) contains key obligations for processing personal data. The standard addresses applicable articles.
Article 4: Definitions
Article 5: Principles
Article 6: Lawfulness of Processing
Article 9: Processing Special Categories
Article 12-14: Transparency
Article 17: Right to Erasure
Article 18: Right to Restriction
Article 28: Data Processing Agreements
Article 32: Security of Processing
Article 33: Breach Notification
Article 34: Individual Notification
This section maps all 8 APTS domains to external frameworks, organized by domain.
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-SE-001: Rules of Engagement (RoE) Specification and Validation | GV.PO-01 | A.5.8 | GOVERN 1 | CC3.2 | Scope definition and validation process control |
| APTS-SE-002: IP Range Validation and RFC 1918 Awareness | ID.AM-01 | A.8.20, A.8.22 | GOVERN 1 | CC1.1 | Asset inventory validation, scope boundary enforcement |
| APTS-SE-003: Domain Scope Validation and Wildcard Handling | ID.AM-01 | A.8.20 | GOVERN 1 | CC1.1 | Domain ownership verification, third-party detection |
| APTS-SE-004: Temporal Boundary and Timezone Handling | GV.PO-01 | A.5.37, A.8.16 | GOVERN 1 | CC2.1 | Time-based operational controls, timezone handling |
| APTS-SE-005: Asset Criticality Classification and Integration | ID.AM-05 | A.5.12 | GOVERN 1 | CC4.1 | Risk-based testing restrictions per asset tier |
| APTS-SE-006: Pre-Action Scope Validation | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | Authorization boundary enforcement before action |
| APTS-SE-007: Dynamic Scope Monitoring and Drift Detection | DE.CM-01 | A.8.16 | MAP 1 | CC9.1 | Continuous drift detection, boundary violation alerts |
| APTS-SE-008: Temporal Scope Compliance Monitoring | DE.CM-01 | A.5.1 | GOVERN 1 | CC9.1 | Engagement window enforcement, deadline alerts |
| APTS-SE-009: Hard Deny Lists and Critical Asset Protection | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | Immutable asset protection, cryptographic enforcement |
| APTS-SE-010: Production Database Safeguards | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | Multi-layer database protection, read-only mode |
| APTS-SE-011: Multi-Tenant Environment Awareness | PR.AA-05 | A.8.5 | GOVERN 1 | CC7.2 | Cross-tenant isolation, shared infrastructure detection |
| APTS-SE-012: DNS Rebinding Attack Prevention | PR.AA-01 | A.8.9 | GOVERN 1 | CC6.6 | Network-level attack prevention, resolution validation |
| APTS-SE-013: Network Boundary and Lateral Movement Enforcement | ID.AM-01 | A.8.20 | GOVERN 1 | CC6.6 | VLAN/subnet/cloud security group boundaries |
| APTS-SE-014: Network Topology Discovery Limitations | DE.CM-01 | A.8.9 | GOVERN 1 | CC9.1 | Reconnaissance scope limitations, host/port count limits |
| APTS-SE-015: Scope Enforcement Audit and Compliance Verification | PR.PS-01 | A.5.36 | MAP 1 | CC9.1 | Complete audit trail of scope decisions |
| APTS-SE-016: Scope Refresh and Revalidation Cycle | DE.CM-01 | A.8.16 | MAP 1 | CC9.1 | Infrastructure change detection, delta reporting |
| APTS-SE-017: Engagement Boundary Definition for Recurring Tests | GV.PO-01 | A.5.1 | GOVERN 1 | CC2.1 | Recurring test cycle management, authorization renewal |
| APTS-SE-018: Cross-Cycle Finding Correlation and Regression Detection | DE.AE-02 | A.5.36 | MAP 1 | PI1.1 | Finding lifecycle tracking, regression detection |
| APTS-SE-019: Rate Limiting, Adaptive Backoff, and Production Impact Controls | DE.CM-01 | A.8.9 | GOVERN 1 | CC9.1 | Per-target and global rate limits, adaptive throttling, production impact prevention, response time monitoring |
| APTS-SE-020: Deployment-Triggered Testing Governance | GV.PO-01 | A.8.25 | GOVERN 1 | CC3.2 | CI/CD integration governance, scope validation for auto-triggers |
| APTS-SE-021: Scope Conflict Resolution for Overlapping Engagements | DE.CM-01 | A.8.9 | GOVERN 1 | CC6.6 | Multi-engagement overlap handling, restrictive constraint application |
| APTS-SE-022: Client-Side Agent Scope and Safety Boundaries | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | Agent boundary enforcement, kill switch integration |
| APTS-SE-023: Credential and Secret Lifecycle Governance | PR.DS-01, PR.AA-01 | A.8.3, A.5.33, A.8.24 | GOVERN 1 | C1.2 | Credential inventory, provenance classification, reuse policy, delegation control, and secure disposal |
| APTS-SE-024: Cloud-Native and Ephemeral Infrastructure Governance | PR.PS-01 | A.8.9, A.5.23 | GOVERN 1 | CC3.2 | Cloud control plane, serverless, and ephemeral infrastructure governance |
| APTS-SE-025: API-First and Business Logic Testing Governance | PR.PS-01 | A.5.23 | GOVERN 1 | CC3.2 | API business logic traversal, token propagation, and schema drift governance |
| APTS-SE-026: Out-of-Distribution Action Monitoring | DE.AE-02, DE.CM-01 | A.8.16 | MEASURE 2 | CC9.1 | Baseline-driven action-distribution monitoring with staffed review queue |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-SC-001: Impact Classification and CIA Scoring | ID.RA-04 | A.5.1 | GOVERN 1 | CC4.1 | Risk assessment framework with discrete tiers |
| APTS-SC-002: Industry-Specific Impact Considerations | ID.RA-04 | A.5.1 | GOVERN 1 | CC4.1 | Regulatory impact elevation (Healthcare/Finance/CI) |
| APTS-SC-003: Real-World Impact Classification Examples | PR.PS-01 | A.5.1 | GOVERN 1 | CC3.2 | Documented scenarios with classification rationale |
| APTS-SC-004: Rate Limiting, Bandwidth, and Payload Constraints | DE.CM-01 | A.8.9 | GOVERN 1 | CC9.1 | Target-specific rate enforcement by impact tier |
| APTS-SC-005: Cascading Failure Prevention in Interconnected Systems | DE.CM-01 | A.8.9 | GOVERN 1 | A1.1 | Dependency mapping, upstream impact detection |
| APTS-SC-006: Threshold Escalation Workflow (Automated → Approval → Prohibited) | GV.RR-02 | A.5.1 | GOVERN 1 | CC4.1 | Graduated approval gates with timeout defaults |
| APTS-SC-007: Cumulative Risk Scoring with Time-Based Decay | DE.CM-01, ID.RA-05 | A.5.1 | GOVERN 1 | CC4.1 | Cumulative impact tracking with multi-factor risk algorithm and audit trail |
| APTS-SC-008: Threshold Configuration with Schema Validation | PR.PS-01 | A.5.8 | GOVERN 1 | CC3.2 | Schema-validated threshold configuration |
| APTS-SC-009: Kill Switch | PR.PS-01, RS.MA-01 | A.5.26, A.5.29 | GOVERN 1 | CC4.1 | Independent halt mechanisms, Phase 1/2 sequencing |
| APTS-SC-010: Health Check Monitoring, Threshold Adjustment, and Automatic Halt | DE.CM-01 | A.8.9 | MEASURE 1 | A1.1 | Dynamic threshold adjustment and automatic halt on target degradation |
| APTS-SC-011: Condition-Based Automated Termination | DE.CM-01 | A.5.1 | MEASURE 1 | A1.1 | Automated service unavailability response |
| APTS-SC-012: Network-Level Circuit Breaker | DE.CM-01 | A.8.9 | MEASURE 1 | A1.1 | Degradation-triggered suspension with recovery probe |
| APTS-SC-013: Time-Based Automatic Termination with Operator Override | DE.CM-01 | A.5.1 | GOVERN 1 | CC2.1 | Engagement duration limits with advance warning |
| APTS-SC-014: Reversible Action Tracking and Rollback | PR.PS-01 | A.5.1 | MANAGE 1 | CC7.2 | State capture, rollback procedures, verification |
| APTS-SC-015: Post-Test System Integrity Validation | DE.CM-01 | A.8.9 | MANAGE 1 | CC7.2 | Baseline comparison, discrepancy escalation |
| APTS-SC-016: Evidence Preservation and Automated Cleanup | PR.PS-01 | A.5.28 | MANAGE 1 | CC7.2 | Immutable evidence storage, idempotent artifact removal |
| APTS-SC-017: External Watchdog and Operator Notification | DE.CM-01 | A.8.9 | MEASURE 1 | A1.1 | Independent health verification, operator SLA |
| APTS-SC-018: Incident Containment and Recovery | RS.MA-01 | A.5.24 | MANAGE 1 | A1.1 | Automatic isolation, credential rotation, recovery RTO |
| APTS-SC-019: Kernel-Enforced Execution Sandbox for Agent Runtime | PR.PS-01, PR.IR-01 | A.8.22, A.8.25 | GOVERN 1 | CC6.6 | Kernel-enforced sandbox (namespaces, seccomp, AppArmor/SELinux, hypervisor/gVisor/Kata); agent holds no credentials to move its own boundary |
| APTS-SC-020: External Enforcement of Tool and Action Allowlist | PR.PS-01, PR.AA-01 | A.8.5, A.8.25 | GOVERN 1 | CC6.6 | Allowlist enforced by external gateway or policy engine, not by the model system prompt |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-HO-001: Mandatory Pre-Approval Gates for Autonomy Levels L1 and L2 | GV.RR-02 | A.5.2 | GOVERN 1 | CC3.2 | Mandatory approval for autonomy levels L1 and L2 |
| APTS-HO-002: Real-Time Monitoring and Intervention Capability | DE.CM-01 | A.8.16 | MEASURE 2 | CC9.1 | Live activity visualization and monitoring of autonomous operations |
| APTS-HO-003: Decision Timeout and Default-Safe Behavior | GV.RR-01 | A.5.3 | GOVERN 1 | CC4.1 | SLA-based approval windows with safe fallback behavior |
| APTS-HO-004: Authority Delegation Matrix | GV.RR-02 | A.5.2 | GOVERN 1 | CC4.1 | Clear definition and enforcement of delegated authorities |
| APTS-HO-005: Delegation Chain-of-Custody and Decision Audit Trail | GV.RR-03 | A.5.3 | GOVERN 1 | CC3.2 | Complete chain of delegation with audit trail |
| APTS-HO-006: Graceful Pause Mechanism with State Preservation | PR.IR-01 | A.5.24 | MEASURE 1 | CC9.1 | Operator-initiated pause with full state recovery capability |
| APTS-HO-007: Mid-Engagement Redirect Capability | PR.IR-01 | A.5.37 | GOVERN 1 | CC3.2 | Ability to redirect engagement scope mid-test |
| APTS-HO-008: Immediate Kill Switch with State Dump | RS.MA-01 | A.5.24 | MANAGE 1 | CC4.1 | Immediate termination with complete state capture |
| APTS-HO-009: Multi-Operator Kill Switch Authority and Handoff | RS.MA-01 | A.5.26 | MAP 1 | CC9.1 | Multiple kill switch authorities with handoff procedures |
| APTS-HO-010: Mandatory Human Decision Points Before Irreversible Actions | GV.RR-02 | A.5.2 | GOVERN 1 | CC4.1 | Human approval required for permanent or irreversible actions |
| APTS-HO-011: Unexpected Findings Escalation Framework | DE.AE-02 | A.5.24 | GOVERN 1 | CC3.2 | Escalation procedures for unexpected or anomalous findings |
| APTS-HO-012: Impact Threshold Breach Escalation | DE.AE-02 | A.5.25 | MEASURE 1 | CC4.1 | Automatic escalation when impact thresholds exceeded |
| APTS-HO-013: Confidence-Based Escalation (Scope Uncertainty) | DE.AE-02 | A.5.24 | GOVERN 1 | CC4.1 | Escalation triggers based on confidence levels |
| APTS-HO-014: Legal and Compliance Escalation Triggers | RS.CO-02 | A.5.25 | GOVERN 1 | CC3.2 | Escalation for legal and compliance boundary concerns |
| APTS-HO-015: Real-Time Activity Monitoring and Multi-Channel Notification | DE.CM-01 | A.8.16 | MEASURE 1 | CC9.1 | Real-time monitoring with multi-channel alerts |
| APTS-HO-016: Alert Fatigue Mitigation and Smart Aggregation | DE.AE-03 | A.8.16 | MEASURE 1 | CC9.1 | Intelligent alert filtering and aggregation |
| APTS-HO-017: Stakeholder Notification and Engagement Closure | RS.CO-03 | A.5.37 | MANAGE 1 | CC3.2 | Notification procedures and engagement conclusion |
| APTS-HO-018: Operator Qualification, Training, and Competency Governance | GV.RR-02 | A.6.3 | GOVERN 1 | CC3.2 | Minimum competency and certification requirements, full training curriculum and incident response, continuous competency assessment and succession planning |
| APTS-HO-019: 24/7 Operational Continuity and Shift Handoff | GV.RR-02 | A.5.2, A.5.3 | MANAGE 2 | CC3.2 | Shift handoff, stale approval expiry, suppression drift, and operator desensitization monitoring |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-AL-001: Single Technique Execution | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | Atomic action constraint at L1 |
| APTS-AL-002: Human-Directed Target and Technique Selection | GV.RR-02 | A.5.1 | GOVERN 1 | CC3.2 | Operator-driven targeting at L1 |
| APTS-AL-003: Parameter Configuration by Human Operator | PR.PS-01 | A.5.8 | GOVERN 1 | CC3.2 | No defaults without explicit confirmation |
| APTS-AL-004: No Automated Chaining or Sequential Decision-Making | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | Prohibition on autonomous workflow sequencing at L1 |
| APTS-AL-005: Mandatory Logging and Human-Reviewable Audit Trail | DE.CM-01 | A.8.15 | MAP 1 | CC9.1 | Complete audit trail with structured fields |
| APTS-AL-006: Basic Scope Validation and Policy Enforcement | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | Policy enforcement before technique execution |
| APTS-AL-007: Multi-Step Technique Chaining Within Single Phase | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | L2 multi-step chaining within phase boundaries |
| APTS-AL-008: Real-Time Human Monitoring and Approval Gates | DE.CM-01 | A.8.16 | GOVERN 1 | CC4.1 | L2 real-time monitoring with approval gates |
| APTS-AL-009: Tool-Proposed Actions with Operator Modification Capability | GV.RR-02 | A.5.2 | GOVERN 1 | CC4.1 | L2 tool proposes, operator modifies/approves |
| APTS-AL-010: Step-by-Step Audit Log with Phase Transitions | DE.CM-01 | A.8.15 | MAP 1 | CC9.1 | L2 detailed phase transition logging |
| APTS-AL-011: Escalation Triggers and Exception Handling | DE.AE-02 | A.5.24 | GOVERN 1 | CC4.1 | Automatic escalation on boundary conditions |
| APTS-AL-012: Kill Switch and Pause Capability | PR.IR-01 | A.5.24 | GOVERN 1 | CC4.1 | Immediate halt and pause at all levels |
| APTS-AL-013: Complete Attack Chain Execution Within Boundaries | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | L3 full attack chain within defined boundaries |
| APTS-AL-014: Boundary Definition and Enforcement Framework | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | L3 boundary definition and runtime enforcement |
| APTS-AL-015: Pre-Approved Action Categories and Decision Trees | PR.PS-01 | A.5.8 | GOVERN 1 | CC3.2 | L3 pre-approved action categories |
| APTS-AL-016: Continuous Boundary Monitoring and Breach Detection | DE.CM-01 | A.8.16 | MEASURE 1 | CC4.1 | L3 continuous monitoring for boundary violations |
| APTS-AL-017: Multi-Target Assessment Management | DE.CM-01 | A.8.25 | GOVERN 1 | CC9.1 | L3 concurrent multi-target management |
| APTS-AL-018: Incident Response During Autonomous Testing | RS.MA-01 | A.5.24 | MANAGE 1 | CC4.1 | Incident response procedures during autonomous ops |
| APTS-AL-019: Multi-Target Campaign Management Without Intervention | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | L4 fully autonomous campaign management |
| APTS-AL-020: Dynamic Scope Adjustment and Target Discovery | GV.PO-01 | A.8.16, A.5.37 | GOVERN 1 | CC4.1 | L4 dynamic scope within pre-approved boundaries |
| APTS-AL-021: Adaptive Testing Strategy and Resource Reallocation | PR.PS-01 | A.5.37 | GOVERN 1 | CC3.2 | L4 adaptive strategy with resource optimization |
| APTS-AL-022: Continuous Risk Assessment and Automated Escalation | DE.AE-02 | A.5.24 | MEASURE 1 | CC4.1 | L4 continuous risk assessment |
| APTS-AL-023: Complete Audit Trail and Forensic Reconstruction | DE.CM-01 | A.8.15 | MAP 1 | CC9.1 | L4 complete forensic-grade audit trail |
| APTS-AL-024: Periodic Autonomous Review Cycles | DE.CM-01 | A.5.36 | MEASURE 1 | CC9.1 | L4 periodic review cycles |
| APTS-AL-025: Autonomy Level Authorization, Transition, and Reauthorization | GV.RR-01 | A.5.2 | GOVERN 1 | CC3.2 | Level authorization and periodic reauthorization |
| APTS-AL-026: Incident Investigation and Autonomy Level Adjustment | RS.MA-01 | A.5.24 | MANAGE 1 | CC4.1 | Post-incident autonomy level review |
| APTS-AL-027: Evasion and Stealth Mode Governance | GV.PO-01 | A.5.2, A.5.31 | GOVERN 1 | CC3.2 | Default-off evasion, explicit authorization, disclosure, prohibited classes, impact reclassification |
| APTS-AL-028: Containment Verification for L3 and L4 Autonomy | DE.CM-01, ID.IM-02 | A.8.16, A.8.29 | MEASURE 1 | CC7.2 | Operator-run probes of sandbox and allowlist boundaries at quarterly (L3) or monthly (L4) cadence; verification MUST NOT be performed by the agent runtime |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-AR-001: Structured Event Logging with Schema Validation | DE.CM-01, PR.PS-01 | A.8.15 | MAP 1 | CC9.1 | Millisecond-precision timestamps, correlation IDs, schema-validated structured format |
| APTS-AR-002: State Transition Logging | DE.CM-01 | A.8.15 | MEASURE 1 | CC9.1 | Phase change documentation with authorization |
| APTS-AR-003: Resource Utilization Metrics Logging | DE.CM-01 | A.8.9 | MEASURE 1 | CC9.1 | Network/system metrics per operation |
| APTS-AR-004: Decision Point Logging and Confidence Scoring | DE.AE-02 | A.8.15 | MAP 1 | CC9.1 | Confidence scores, alternatives, rationale |
| APTS-AR-005: Log Retention and Archival Requirements | PR.PS-01 | A.5.33 | MANAGE 1 | A1.1 | Minimum retention per engagement, compliance alignment |
| APTS-AR-006: Decision Chain of Reasoning and Alternative Evaluation | DE.AE-02 | A.8.15 | MAP 1 | CC9.1 | Complete reasoning chain with alternative evaluation and rejection rationale |
| APTS-AR-007: Risk Assessment Documentation Before Action Execution | ID.RA-05 | A.5.1 | GOVERN 1 | CC4.1 | Pre-action risk assessment documentation |
| APTS-AR-008: Context-Aware Decision Logging | DE.AE-02 | A.8.15 | MAP 1 | CC9.1 | Environmental context captured with decisions |
| APTS-AR-009: Transparency Report Requirements | GV.OC-02 | A.5.37 | GOVERN 1 | CC2.1 | Public transparency reporting requirements |
| APTS-AR-010: Cryptographic Hashing of All Evidence | PR.DS-01 | A.8.24 | MANAGE 1 | C1.1 | SHA-256+ hashing of all evidence artifacts |
| APTS-AR-011: Chain of Custody for Evidence | PR.DS-01 | A.5.28 | MANAGE 1 | CC9.1 | Evidence provenance and custody tracking |
| APTS-AR-012: Tamper-Evident Logging with Hash Chains | PR.DS-01 | A.8.24 | MANAGE 1 | CC7.2 | Append-only hash chain integrity |
| APTS-AR-013: RFC 3161 Trusted Timestamp Integration | PR.DS-01 | A.8.24 | MANAGE 1 | CC9.1 | External trusted timestamping for evidence integrity |
| APTS-AR-014: Screenshot and Packet Capture Evidence Standards | PR.PS-01 | A.5.28 | MEASURE 1 | CC9.1 | Evidence capture format and integrity requirements |
| APTS-AR-015: Evidence Classification and Sensitive Data Handling | PR.DS-01 | A.5.12 | MANAGE 1 | C1.1 | Evidence classification and redaction procedures |
| APTS-AR-016: Platform Integrity and Supply Chain Attestation | PR.PS-01 | A.5.21 | GOVERN 1 | CC7.2 | Platform binary and supply chain verification |
| APTS-AR-017: Safety Control Regression Testing After Platform Updates | PR.PS-01 | A.8.25 | MEASURE 1 | CC9.1 | Post-update safety validation |
| APTS-AR-018: Customer Notification for Behavior-Affecting Updates | RS.CO-03 | A.8.32 | MANAGE 1 | C1.1 | Advance notification of behavior changes |
| APTS-AR-019: AI/ML Model Change Tracking and Drift Detection | DE.CM-01 | A.8.25 | MEASURE 1 | CC9.1 | Model version tracking and drift monitoring |
| APTS-AR-020: Audit Trail Isolation from Agent Runtime | PR.DS-01, PR.PS-01 | A.8.15, A.8.24 | MAP 1 | CC7.2 | Authoritative audit trail on append-only infrastructure the agent runtime cannot reach (WORM, external SIEM, dedicated log service) |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-MR-001: Instruction Boundary Enforcement | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | Operator instruction isolation from target content |
| APTS-MR-002: Response Validation & Sanitization | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | Target content parsing in sandbox, injection detection |
| APTS-MR-003: Error Message Neutrality | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | Error data analysis without behavioral influence |
| APTS-MR-004: Configuration File Integrity Verification | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | Configuration content as data, not directives |
| APTS-MR-005: Authority Claim Detection & Rejection | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | Target-sourced authority claims rejected |
| APTS-MR-006: Decision Boundary Enforcement | PR.PS-01 | A.8.25 | GOVERN 1 | CC6.6 | Decision logic isolated from target influence |
| APTS-MR-007: Redirect Following Policy | PR.AA-01 | A.8.20 | GOVERN 1 | CC6.6 | HTTP redirect scope validation |
| APTS-MR-008: DNS and Network-Level Redirect Prevention | PR.AA-01 | A.8.20 | GOVERN 1 | CC6.6 | DNS rebinding and network redirect defense |
| APTS-MR-009: Server-Side Request Forgery (SSRF) Prevention in Testing | PR.AA-01 | A.8.25 | GOVERN 1 | CC6.6 | SSRF prevention in testing operations |
| APTS-MR-010: Scope Expansion Social Engineering Prevention | PR.PS-01 | A.5.2 | GOVERN 1 | CC3.2 | Social engineering scope expansion defense |
| APTS-MR-011: Out-of-Band Communication Prevention | PR.PS-01 | A.8.25 | GOVERN 1 | CC6.6 | No out-of-band communication channels |
| APTS-MR-012: Immutable Scope Enforcement Architecture | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | Scope cannot be modified by target interaction |
| APTS-MR-013: Adversarial Example Detection in Vulnerability Classification | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | Adversarial input detection in classification |
| APTS-MR-014: Resource Exhaustion and Tarpit Attack Prevention | DE.CM-01 | A.8.9 | MEASURE 1 | CC9.1 | Tarpit and resource exhaustion defense |
| APTS-MR-015: Deceptive Authentication Honeypots | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | Honeypot and deceptive credential detection |
| APTS-MR-016: Anti-Automation Defense Detection | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | CAPTCHA and anti-automation detection |
| APTS-MR-017: Anomaly Detection in Response Patterns | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | Response pattern anomaly detection |
| APTS-MR-018: AI Model Input/Output Architectural Boundary | PR.PS-01, PR.IR-01 | A.8.22, A.8.27 | GOVERN 1 | CC3.2 | AI model I/O isolation architecture |
| APTS-MR-019: Discovered Credential Protection | PR.DS-01 | A.8.3 | GOVERN 1 | C1.2 | Discovered credentials not auto-used cross-system |
| APTS-MR-020: Adversarial Validation and Resilience Testing of Safety Controls | DE.CM-01 | A.8.25 | MEASURE 1 | CC9.1 | Periodic red-team testing of safety controls, safety control resilience under adversarial conditions |
| APTS-MR-021: Data Isolation Adversarial Testing | DE.CM-01 | A.8.22 | MEASURE 1 | CC7.2 | Cross-tenant isolation adversarial testing |
| APTS-MR-022: Inter-Model Trust Boundaries and Output Validation | PR.DS-01 | A.8.25, A.8.26 | MANAGE 1 | CC7.2 | Inter-component sanitization, shared state integrity, pipeline documentation |
| APTS-MR-023: Agent Runtime as Untrusted Component in Threat Model | ID.RA-01, GV.RM-01 | A.5.7, A.8.27 | MAP 1 | CC3.2 | Threat model names agent runtime as untrusted; agent-originated threats traced to architectural containment controls (SC-019, SC-020, AR-020, MR-012) |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-TP-001: Third-Party Provider Selection and Vetting | GV.SC-03, GV.SC-04 | A.5.19, A.5.21 | GOVERN 1 | CC3.2 | Vendor vetting, SOC 2 Type II review, SaaS vendor evaluation and contract review |
| APTS-TP-002: Model Version Pinning and Change Management | GV.SC-03, GV.SC-04 | A.5.23, A.8.32 | GOVERN 1 | CC3.2 | Explicit model versions, no "latest" tracking |
| APTS-TP-003: API Security and Authentication | PR.AA-01, PR.AA-03 | A.8.5 | GOVERN 1 | CC6.6 | Transport encryption, key rotation, mutual authentication |
| APTS-TP-004: Provider Availability, SLA Management, and Failover | GV.SC-07 | A.5.22 | GOVERN 1 | A1.2 | Documented uptime SLA, metrics tracking, failover procedures |
| APTS-TP-005: Provider Incident Response, Breach Notification, and Mid-Engagement Compromise | RS.MA-01, RS.CO-02 | A.5.24, A.5.26 | MANAGE 1 | C1.1 | Provider breach notification, mid-engagement compromise detection and response |
| APTS-TP-006: Dependency Inventory, Risk Assessment, and Supply Chain Verification | GV.SC-05, GV.SC-07 | A.5.19, A.5.21 | GOVERN 1 | CC3.2 | Annual or more frequent security review, dependency integrity verification and monitoring |
| APTS-TP-007: Data Residency and Sovereignty Requirements | GV.OC-03 | A.5.31 | GOVERN 1 | CC3.2 | Geographic data storage and sovereignty compliance |
| APTS-TP-008: Cloud Security Configuration and Hardening | PR.PS-01 | A.8.9 | GOVERN 1 | CC4.1 | AWS/Azure/GCP security baseline enforcement |
| APTS-TP-009: Incident Response and Service Continuity Planning | RS.MA-01, RS.CO-02 | A.5.24, A.5.26 | MANAGE 1 | CC4.1 | Vendor incident response procedures |
| APTS-TP-010: Vulnerability Feed Selection and Management | ID.RA-01, ID.RA-02 | A.8.8 | MEASURE 1 | PI1.1 | Vulnerability/threat feed accuracy verification |
| APTS-TP-011: Feed Quality Assurance and Incident Response | ID.RA-01, ID.RA-02 | A.8.8 | MEASURE 1 | PI1.1 | Cross-feed correlation, false positive identification |
| APTS-TP-012: Client Data Classification Framework | PR.DS-01, PR.DS-02 | A.5.12, A.5.13 | GOVERN 1 | C1.1 | Public/Sensitive/Confidential/Restricted taxonomy |
| APTS-TP-013: Sensitive Data Discovery and Handling | PR.DS-01, PR.DS-02 | A.5.12, A.5.13 | MEASURE 1 | C1.3 | Automatic PII/PHI/credentials identification |
| APTS-TP-014: Data Encryption and Cryptographic Controls | PR.DS-01, PR.DS-02 | A.8.24 | GOVERN 1 | C1.1 | Encryption at rest, encryption in transit, secure key management |
| APTS-TP-015: Data Retention and Secure Deletion | PR.DS-01 | A.8.10 | MANAGE 1 | C1.3 | Crypto-shred, disposal verification |
| APTS-TP-A01: Breach Notification and Regulatory Reporting (Advisory) | RS.CO-02, RS.CO-03 | A.5.24, A.5.5 | MANAGE 1 | CC7.4 | Client notification per applicable regulatory timelines |
| APTS-TP-016: Data Destruction Proof and Certification | PR.DS-01 | A.8.10 | MANAGE 1 | C1.3 | Certified data destruction and audit trail |
| APTS-TP-017: Multi-Tenant and Engagement Isolation | PR.DS-01, PR.AA-01 | A.8.22 | GOVERN 1 | CC7.2 | Engagement and tenant isolation verification |
| APTS-TP-018: Tenant Breach Notification | RS.CO-02, RS.CO-03 | A.5.24, A.5.26 | MANAGE 1 | CC7.4 | Timely breach notification to affected tenants per contractual terms |
| APTS-TP-A02: Privacy Regulation Compliance (Advisory) | GV.OC-03 | A.5.34 | GOVERN 1 | P2.1 | GDPR, CCPA, and regional privacy compliance |
| APTS-TP-A03: Professional Liability and Engagement Agreements (Advisory) | GV.OC-02 | A.5.31 | GOVERN 1 | CC9.2 | E&O insurance, service agreements, liability caps |
| APTS-TP-019: AI Model Provenance and Training Data Governance | GV.SC-03, GV.SC-04 | A.5.23, A.8.32 | GOVERN 1 | CC3.2 | Model training data documentation and verification |
| APTS-TP-020: Persistent Memory and Retrieval State Governance | PR.DS-01 | A.5.12, A.8.10 | GOVERN 1 | C1.1 | State inventory, cross-engagement isolation, operator visibility, decision influence auditing |
| APTS-TP-021: Foundation Model Disclosure and Capability Baseline | GV.SC-03, GV.SC-04 | A.5.23, A.8.32 | GOVERN 1 | CC3.2 | Disclose provider, family, version, release date, and operator customizations of the foundation model; publish a capability baseline in the conformance claim |
| APTS-TP-022: Re-attestation on Material Foundation Model Change | GV.SC-07, ID.IM-02 | A.8.32, A.5.23 | GOVERN 1 | CC7.2 | Re-assess SE, SC, MR, AL when the foundation model undergoes material change (provider/family/generation/fine-tune/capability shift); block promotion until workpaper is complete |
| APTS Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | Notes |
|---|---|---|---|---|---|
| APTS-RP-001: Evidence-Based Finding Validation | RS.AN-03, ID.IM-01 | A.5.28 | MEASURE 2 | CC9.1 | Raw artifacts separate from summaries |
| APTS-RP-002: Finding Verification and Human Review Pipeline | ID.IM-01 | A.5.28, A.8.29 | MEASURE 2 | CC9.1 | Critical/High findings re-verified before delivery |
| APTS-RP-003: Confidence Scoring with Auditable Methodology | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | Auditable, formula-based confidence methodology |
| APTS-RP-004: Finding Provenance Chain | PR.DS-01 | A.5.28 | MEASURE 1 | CC9.1 | Cryptographic linkage to audit logs |
| APTS-RP-005: Cryptographic Evidence Chain Integrity | PR.DS-01 | A.8.24 | MANAGE 1 | CC9.1 | Evidence cryptographically linked to findings |
| APTS-RP-006: False Positive Rate Disclosure | ID.IM-01 | A.5.37, A.8.29 | MEASURE 2 | CC9.1 | Methodology section includes accuracy statistics |
| APTS-RP-007: Independent Finding Reproducibility | ID.IM-02 | A.8.25 | MEASURE 1 | CC9.1 | Independent validation of findings mid-assessment |
| APTS-RP-008: Vulnerability Coverage Disclosure | ID.IM-01 | A.5.36, A.8.29 | MEASURE 2 | CC2.1 | Coverage scope and limitations disclosed |
| APTS-RP-009: False Negative Rate Disclosure and Methodology | ID.IM-01 | A.5.36, A.8.29 | MEASURE 2 | CC9.1 | Missed vulnerability rate methodology |
| APTS-RP-010: Detection Effectiveness Benchmarking | ID.IM-02 | A.5.37 | MEASURE 1 | PI1.1 | Detection rate benchmarking methodology |
| APTS-RP-011: Executive Summary and Risk Overview | GV.OC-02 | A.5.37 | MANAGE 1 | CC2.1 | Risk-focused narrative for decision-makers |
| APTS-RP-012: Remediation Guidance and Prioritization | ID.IM-01 | A.8.8 | MANAGE 1 | CC4.1 | Prioritized remediation with effort estimation |
| APTS-RP-013: Engagement SLA Compliance Reporting | ID.IM-01 | A.5.35 | MEASURE 2 | CC9.1 | SLA adherence documentation |
| APTS-RP-014: Trend Analysis for Recurring Engagements | DE.CM-01 | A.5.37 | MEASURE 1 | PI1.1 | Cross-engagement trend analysis |
| APTS-RP-015: Downstream Finding Pipeline Integrity | PR.DS-01, PR.DS-02 | A.5.12, A.5.14 | MANAGE 1 | CC7.2 | Finding sync fidelity, tenant isolation, deduplication, sensitive data redaction, delivery assurance |
| Requirement | NIST CSF 2.0 | ISO/IEC 27001:2022 | NIST AI RMF 1.0 | SOC 2 TSC 2017 (2022 PoF) | PCI DSS 4.0.1 | GDPR |
|---|---|---|---|---|---|---|
| APTS-SE-001: Rules of Engagement (RoE) Specification and Validation | GV.PO-01 | A.5.8 | GOVERN 1 | CC3.2 | - | - |
| APTS-SE-002: IP Range Validation and RFC 1918 Awareness | ID.AM-01 | A.8.20, A.8.22 | GOVERN 1 | CC1.1 | - | - |
| APTS-SE-009: Hard Deny Lists and Critical Asset Protection | PR.AA-01 | A.8.5 | GOVERN 1 | CC6.6 | - | - |
| APTS-SC-009: Kill Switch | PR.PS-01, RS.MA-01 | A.5.26, A.5.29 | GOVERN 1 | CC4.1 | - | - |
| APTS-SC-017: External Watchdog and Operator Notification | DE.CM-01 | A.8.9 | MEASURE 1 | A1.1 | - | - |
| APTS-HO-001: Mandatory Pre-Approval Gates for Autonomy Levels L1 and L2 | GV.RR-02 | A.5.2 | GOVERN 1 | CC3.2 | - | - |
| APTS-HO-002: Real-Time Monitoring and Intervention Capability | DE.CM-01 | A.8.16 | MEASURE 2 | CC9.1 | - | - |
| APTS-AL-001: Single Technique Execution | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | - | - |
| APTS-AL-002: Human-Directed Target and Technique Selection | GV.RR-02 | A.5.1 | GOVERN 1 | CC3.2 | - | - |
| APTS-AR-001: Structured Event Logging with Schema Validation | DE.CM-01, PR.PS-01 | A.8.15 | MAP 1 | CC9.1 | Req 10 | - |
| APTS-AR-004: Decision Point Logging and Confidence Scoring | DE.AE-02 | A.8.15 | MAP 1 | CC9.1 | - | - |
| APTS-MR-001: Instruction Boundary Enforcement | PR.PS-01 | A.8.25 | GOVERN 1 | CC3.2 | - | - |
| APTS-MR-002: Response Validation & Sanitization | DE.AE-02 | A.8.25 | MEASURE 1 | CC9.1 | - | - |
| APTS-TP-001: Third-Party Provider Selection and Vetting | GV.SC-03, GV.SC-04 | A.5.19, A.5.21 | GOVERN 1 | CC3.2 | - | - |
| APTS-TP-003: API Security and Authentication | PR.AA-01, PR.AA-03 | A.8.5 | GOVERN 1 | CC6.6 | Req 7-8 | Art 32 |
| APTS-TP-014: Data Encryption and Cryptographic Controls | PR.DS-01, PR.DS-02 | A.8.24 | GOVERN 1 | C1.1 | Req 3-4 | Art 32 |
| APTS-TP-018: Tenant Breach Notification | RS.CO-02, RS.CO-03 | A.5.24, A.5.26 | MANAGE 1 | CC7.4 | Req 12 | Art 33-34 |
| APTS-RP-001: Evidence-Based Finding Validation | RS.AN-03, ID.IM-01 | A.5.28 | MEASURE 2 | CC9.1 | - | - |
| APTS-RP-002: Finding Verification and Human Review Pipeline | ID.IM-01 | A.5.28, A.8.29 | MEASURE 2 | CC9.1 | - | - |
APTS requirements map to the following NIST SP 800-53 control families relevant to autonomous testing governance:
| NIST SP 800-53 Control | Description | APTS Requirements |
|---|---|---|
| AC-4 Information Flow Enforcement | Control information flows between systems | APTS-SE-006, APTS-SE-013, APTS-MR-012 |
| AC-6 Least Privilege | Restrict system access to authorized functions | APTS-HO-004, APTS-AL-025, APTS-SE-023 |
| AU-2 Event Logging | Define auditable events | APTS-AR-001, APTS-AR-002, APTS-AR-004 |
| AU-3 Content of Audit Records | Ensure audit records contain required information | APTS-AR-001, APTS-AR-006, APTS-AR-008 |
| AU-6 Audit Record Review | Review and analyze audit records | APTS-AR-009, APTS-AR-012, APTS-HO-002 |
| AU-9 Protection of Audit Information | Protect audit information from unauthorized access | APTS-AR-010, APTS-AR-011, APTS-AR-012 |
| AU-10 Non-Repudiation | Protect against individual falsely denying actions | APTS-AR-010, APTS-AR-011, APTS-AR-013 |
| CA-7 Continuous Monitoring | Implement continuous monitoring | APTS-SC-010, APTS-SC-017, APTS-AR-020 |
| CM-3 Configuration Change Control | Control changes to systems | APTS-TP-002, APTS-AR-017, APTS-AR-019 |
| CP-2 Contingency Plan | Establish contingency plans | APTS-TP-004, APTS-TP-009, APTS-SC-018 |
| IA-2 Identification and Authentication | Authenticate users and devices | APTS-TP-003, APTS-SE-023 |
| IR-4 Incident Handling | Implement incident handling capability | APTS-SC-018, APTS-TP-005, APTS-AL-018 |
| IR-5 Incident Monitoring | Track and document incidents | APTS-HO-011, APTS-HO-012, APTS-SC-017 |
| IR-6 Incident Reporting | Report incidents to appropriate authorities | APTS-TP-A01 (Advisory), APTS-TP-018, APTS-HO-017 |
| PE-3 Physical Access Control | Enforce physical access authorizations | Not directly addressed (APTS is a logical governance standard) |
| RA-5 Vulnerability Monitoring and Scanning | Monitor and scan for vulnerabilities | APTS-TP-010, APTS-RP-008, APTS-RP-009 |
| SA-9 External System Services | Require external service providers to comply | APTS-TP-001, APTS-TP-006, APTS-TP-019 |
| SC-7 Boundary Protection | Monitor and control communications at boundaries | APTS-SE-006, APTS-SE-009, APTS-SC-012 |
| SC-8 Transmission Confidentiality | Protect transmitted information | APTS-TP-014, APTS-TP-003 |
| SC-28 Protection of Information at Rest | Protect information at rest | APTS-TP-014, APTS-AR-015, APTS-MR-019 |
| SI-4 System Monitoring | Monitor systems for attacks and indicators | APTS-SC-010, APTS-MR-017, APTS-HO-015 |
| SR-3 Supply Chain Controls | Implement supply chain risk management | APTS-TP-001, APTS-TP-006, APTS-TP-019 |
For autonomous testing platforms operating in healthcare environments or handling protected health information (PHI):
| HIPAA Requirement | Description | APTS Requirements |
|---|---|---|
| 164.312(a) Access Control | Implement access controls for ePHI | APTS-SE-009, APTS-SE-023, APTS-HO-004 |
| 164.312(b) Audit Controls | Record and examine system activity | APTS-AR-001, APTS-AR-004, APTS-AR-012 |
| 164.312(c) Integrity | Protect ePHI from improper alteration | APTS-AR-010, APTS-AR-011, APTS-TP-014 |
| 164.312(d) Authentication | Verify identity of persons seeking access | APTS-TP-003, APTS-SE-023 |
| 164.312(e) Transmission Security | Guard against unauthorized access during transmission | APTS-TP-014, APTS-TP-003 |
| 164.308(a)(1) Security Management | Implement policies to prevent security violations | APTS-SC-001, APTS-HO-004, APTS-AL-025 |
| 164.308(a)(5) Security Awareness | Implement security awareness and training | APTS-HO-018 |
| 164.308(a)(6) Security Incident Procedures | Implement incident response procedures | APTS-SC-018, APTS-TP-005, APTS-TP-A01 (Advisory) |
| 164.308(a)(7) Contingency Plan | Establish contingency plans | APTS-TP-004, APTS-TP-009 |
| 164.310(d) Device and Media Controls | Govern receipt and removal of hardware and media | APTS-TP-015, APTS-TP-016 |
| 164.314(a) Business Associate Contracts | Require BAAs with business associates | APTS-TP-A03 (Advisory) |
| 164.404-410 Breach Notification | Notify following breach of unsecured PHI | APTS-TP-A01 (Advisory), APTS-TP-018 |
| CIS Control | Description | APTS Requirements |
|---|---|---|
| 1 Inventory and Control of Enterprise Assets | Maintain asset inventory | APTS-SE-001, APTS-SE-005, APTS-SE-024 |
| 2 Inventory and Control of Software Assets | Maintain software inventory | APTS-TP-006, APTS-AR-018 |
| 3 Data Protection | Develop processes to identify, classify, and protect data | APTS-TP-012, APTS-TP-013, APTS-TP-014 |
| 4 Secure Configuration | Establish secure configurations | APTS-TP-008, APTS-SC-008 |
| 6 Access Management | Control access based on need-to-know | APTS-HO-004, APTS-SE-023, APTS-AL-025 |
| 8 Audit Log Management | Collect, manage, and analyze audit logs | APTS-AR-001, APTS-AR-005, APTS-AR-012 |
| 9 Email and Web Browser Protections | Not directly addressed (APTS governs testing platforms) | |
| 11 Data Recovery | Establish data recovery practices | APTS-SC-014, APTS-SC-016, APTS-TP-009 |
| 13 Network Monitoring and Defense | Monitor and defend network infrastructure | APTS-SC-010, APTS-SC-012, APTS-SC-017 |
| 15 Service Provider Management | Develop processes to evaluate service providers | APTS-TP-001, APTS-TP-004, APTS-TP-006 |
| 16 Application Software Security | Manage security lifecycle of software | APTS-AR-017, APTS-AR-019, APTS-MR-020 |
| 17 Incident Response Management | Establish incident response program | APTS-SC-018, APTS-AL-018, APTS-TP-005 |
Adapt this matrix to your:
Review annually as frameworks and APTS evolve.