
Set Theory Relationship Mapping (STRM)

Starting with release 2024.1, the SCF leverages Set Theory Relationship Mapping (STRM) for crosswalk mapping, since STRM is well-suited to evaluating cybersecurity and data privacy laws, regulations and frameworks. With the publication of NIST IR 8477, "Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings," NIST established the US Government's playbook for performing crosswalk mapping between different cybersecurity and data privacy laws, regulations and frameworks. That document is part of NIST's broader Online Informative References (OLIR) Program, an "effort to facilitate Subject Matter Experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents…" The SCF currently participates in the National Online Informative References (OLIR) Program, and given NIST's preference for STRM, we decided an aligned crosswalk mapping methodology makes sense.

Expert-Derived Content (EDC) vs Natural Language Processing (NLP)

What NIST IR 8477 does is provide the "gold standard" practice for how an individual can perform crosswalk mapping with no technology needed; it can literally be performed with a pencil and a piece of paper. Children learn to diagram sentences in grade school (e.g., the Reed–Kellogg model) with pencil and paper. Diagramming is the process of graphically identifying nouns, verbs, adjectives and modifiers to teach proper sentence structure, showing how the components of language work together to communicate an idea. With the advent of Artificial Intelligence (AI), diagramming sentences in both computer- and human-readable form is achievable through Natural Language Processing (NLP). From a cybersecurity crosswalking perspective, NLP can be used to evaluate a control statement (e.g., "must have firewall") to identify the noun (e.g., "firewall") and the verb (e.g., "must have") and determine the relative strength with which it maps to a different control (e.g., "shall have network defense appliances"). Where that becomes interesting is in protecting the underlying content (e.g., Intellectual Property (IP)) and in patentability.
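To make the STRM idea from the two paragraphs above concrete, here is an added example (not SCF code and not the NIST IR 8477 methodology itself) that tags the "noun" concepts in two control statements and reports the basic set relationship (equal, subset, superset, overlapping, disjoint) between them, using the page's "must have firewall" versus "shall have network defense appliances" pair. The concept lexicon and the Control class are assumptions made for the example; a real crosswalk would be built by subject-matter experts rather than by phrase matching.

```python
# Added example: classify how two control statements relate using the set
# relationships STRM is named for. Not SCF code; the lexicon is hypothetical.
from dataclasses import dataclass

# Hypothetical concept lexicon (constructed for this example): maps the phrase
# an assessor tags as the "noun" of a control statement to normalized concepts.
CONCEPTS = {
    "firewall": {"network-filtering"},
    "network defense appliances": {"network-filtering", "intrusion-detection"},
    "intrusion detection": {"intrusion-detection"},
    "encryption": {"data-at-rest-protection"},
}


@dataclass(frozen=True)
class Control:
    ident: str   # control identifier, e.g. "FW-1" (constructed)
    text: str    # the control statement as written in the framework


def concepts_of(control: Control) -> frozenset:
    """Collect the normalized concepts whose lexicon phrase occurs in the text."""
    text = control.text.lower()
    found = set()
    for phrase, concepts in CONCEPTS.items():
        if phrase in text:
            found |= concepts
    return frozenset(found)


def strm_relationship(focal: Control, reference: Control) -> str:
    """Set relationship of the focal control's concepts to the reference's."""
    a, b = concepts_of(focal), concepts_of(reference)
    if not a or not b or a.isdisjoint(b):
        return "no relationship"
    if a == b:
        return "equal"
    if a < b:
        return "subset of"       # focal covers strictly less than reference
    if a > b:
        return "superset of"     # focal covers strictly more than reference
    return "intersects with"     # partial overlap in both directions


def crosswalk(focal_set: list, reference_set: list) -> dict:
    """Map every related (focal, reference) identifier pair to its relationship."""
    result = {}
    for f in focal_set:
        for r in reference_set:
            rel = strm_relationship(f, r)
            if rel != "no relationship":
                result[(f.ident, r.ident)] = rel
    return result
```

Running `crosswalk` over the page's two sample statements yields "subset of" for the firewall control against the network defense appliances control, which is the relative-strength judgment the text describes.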

While the SCF leverages expert-derived content (e.g., human subject-matter experts), other solutions use NLP to create their crosswalk mapping. One significant downside for those solutions leveraging NLP is their forfeit of IP since AI-generated content is currently prohibited from copyright protections due to the content not being the work of a human creator. Therefore, NLP-generated content could be considered free content from an IP perspective, since a copyright of AI-generated content would not be enforceable.

Where it gets even more fascinating with AI-based solutions in the compliance space is with the patentability of inventions, due to the "mental steps" doctrine. In 2014, the US Supreme Court ruled that inventions are ineligible for patenting if the patent claim is something a human could do in their mind or with paper and pencil (e.g., a human performing sentence diagramming on a piece of paper and comparing the results of that diagram with another). That landmark case (Alice Corp. v. CLS Bank International) established a new uncertainty about the patent eligibility of AI and machine learning technologies. The result of Alice is that patents issued for compliance solutions leveraging NLP to perform crosswalk mapping may not hold up to scrutiny by the Patent Trial and Appeal Board (PTAB), given that NIST has published a document describing how to perform crosswalk mapping without the assistance of technology.

How The SCF Is Utilizing STRM

You can click on the image below to see a PDF version of how the SCF is utilizing STRM, as well as an example of what that looks like with a few NIST CSF 2.0 controls:

[Image: Set Theory Relationship Mapping (STRM) NIST IR 8477]

[Image: Set Theory Relationship Mapping NIST 8477 NIST CSF 2.0]

STRM Examples

The list of Set Theory Relationship Mappings (STRM) for 2024.1 includes: