Controls are your cybersecurity & data privacy program ---- A control is the power to influence or direct behaviors and the course of events.

Set Theory Relationship Mapping (STRM)

Starting with release 2024.1, the SCF now leverages the Set Theory Relationship Mapping (STRM) for crosswalk mapping, since STRM is generally well-suited to evaluate cybersecurity and data privacy laws, regulations and frameworks. With the publishing of NIST IR 8477Mapping Relationships Between Documentary Standards, Regulations, Frameworks, and Guidelines: Developing Cybersecurity and Privacy Concept Mappings it establishes the US Government's playbook for how to perform crosswalk mapping between different cybersecurity and data privacy laws, regulations and frameworks. This document is part of NIST’s broader NIST OLIR Program that is an “effort to facilitate Subject Matter Experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents…” The SCF currently participates in the National Online Informative References (OLIR) Program and with NIST's preference for STRM, we decided an aligned crosswalk mapping methodology makes sense. 

Expert-Derived Content (EDC) vs Natural Language Processing (NLP)

What NIST IR 8477 does is provide the “gold standard” practice for how an individual can perform crosswalk mapping with no technology needed, where it can literally be performed with a pencil and piece of paper. Children learn the process of diagramming sentences in grade school (e.g., Reed–Kellogg model) with pencils and paper. This is the process of graphically identifying nouns, verbs, adjectives and modifiers to teach proper sentence structure for how various components of language work together to communicate an idea. With the advent of Artificial Intelligence (AI), the ability to diagram sentences in both computer and human-readable format is achievable through Natural Language Processing (NLP). From a cybersecurity crosswalking perspective, NLP can be used to evaluate a control statement (e.g., must have firewall) to identify the noun (e.g., firewall) and verb (e.g., must have) to determine the relative strength it maps to a different control (e.g., shall have network defense appliances). Where that becomes interesting is both in protecting the underlying content (e.g., Intellectual Property (IP)) and patentability.

While the SCF leverages expert-derived content (e.g., human subject-matter experts), other solutions use NLP to create their crosswalk mapping. One significant downside for those solutions leveraging NLP is their forfeit of IP since AI-generated content is currently prohibited from copyright protections due to the content not being the work of a human creator. Therefore, NLP-generated content could be considered free content from an IP perspective, since a copyright of AI-generated content would not be enforceable.

Where it gets even more fascinating with AI-based solutions in the compliance space is with patentability for inventions due to the "mental steps" doctrine. In 2014, the US Supreme Court ruled that inventions are ineligible for patenting if the patent claim is something a human could do in their mind or with paper and pencil (e.g., a human performing sentence diagramming on a piece of paper and comparing the results of that sentence diagram with another). That landmark case (Alice Corp. v. CLS Bank International) established a new uncertainty about patent eligibility of AI and machine learning technologies. The result of Alice is that patents issued for compliance solutions leveraging NLP to perform crosswalk mapping may not hold up to scrutiny by the Patent Trial and Appeal Board (PTAB) given NIST published a document that describes how to perform crosswalk mapping without the assistance of technology. 

How The SCF Is Utilizing STRM

You can click on the image below to see a PDF version of how the SCF is utilizing STRM, as well as an example for what that looks like with a few NIST CSF 2.0 controls:

Set Theory Relationship Mapping (STRM) NIST IR 8477

Set Theory Relationship Mapping NIST 8477 NIST CSF 2.0

STRM Examples

The list of Set Theory Relationship Mappings (STRM) for 2024.2 include:


STRM Community Participation

The SCF welcomes community involvement and we provide the ability for community-suggested mapping. The SCF Council provides a downloadable SCF Community STRM Template, that SCF Practitioners can then use to perform their own STRM and submit it to the SCF Council, where it can be evaluated for the possible inclusion in a future SCF release.

Step 1. Define The Focal Document To Be Mapped

We are not here to teach you STRM, so if you want to participate in any community mapping, it is expected that you (1) are very familiar the practices described in NIST IR 8477 and (2) possess the professional competence to conduct crosswalk mapping in accordance with those principles. 

The first tab on the STRM template is called "STRM Overview" and there are two highlighted cells near the top of the sheet: the focal document cell and the focal document URL cell. 

  • In the focal document cell, you must provide the official name of the law, regulation, or framework you are providing mapping for. 
  • In the focal document URL cell, you must provide a valid hyperlink where the focal document can be downloaded.

Without either of these two pieces of information, the SCF Council will not review your STRM submission.

Step 2. Perform STRM 

The second tab of the STRM template is called "Community STRM submission." This is purposely left as a blank template for you to perform your crosswalk mapping:

  • Column A is the Focal Document Element #. This is the specific law, regulation, or framework control number. This is a mandatory field. Without a unique FDE value, there is no granularity and means there is nothing that can be mapped to.
  • Column B is the Focal Document Element Name. Most laws, regulations and frameworks do not have FDE names, so this is required only if it is available.
  • Column C is the Focal Document Element Description. This is the actual text of the law, regulation, or framework. Essentially, it is a cut & paste effort to populate this cell.
  • Column D is the proposed SCF Control Name that you feel maps to the Focal Document Element.
  • Column E is tied to Column D. This is the SCF control number.
  • Column F is tied to Column D. This is the SCF control description.
  • Column G is the proposed STRM relationship. There are only 5 options. The relationship can be (1) a Subset Of, (2) Intersects With, (3) Equal to, (4) a Superset Of, or (5) there is No Relationship.
  • Column H is the proposed strength of the STRM relationship that has a 1 to 10 rating. A rating of 1 indicates a nominal relationship, a rating of 5 indicates a moderately strong relationship, and a rating of 10 indicates a strong relationship. Realistically, a rating of 10 is going to be given if the STRM relationship is either equal to or where the F-D-E is a subset of the SCF control.
  • Column I is an optional notes section where you can provide textual justification for your recommendations.

Step 3. Submit To SCF Council

Once you complete your STRM exercise, you can then email it to the SCF Council for review. Just email the Excel spreadsheet as an attachment to