--- id: concept:cross-mapping type: concept title: Cross-Framework Mapping status: active confidence: 0.85 sources: - 2026-05-09-cybersec-mappings-overview.md - 2026-05-09-cybersec-mapping-mitre-attack.md - 2026-05-09-cybersec-mapping-nist-csf.md - 2026-05-09-cybersec-library-overview.md - 2026-05-09-cybersec-skill-cloud-siem.md created: 2026-05-09 updated: 2026-05-09 updated_log: - 2026-05-09: created tiers: semantic half_life_days: 180 tags: [cross-mapping, frameworks, value-prop] --- # Cross-Framework Mapping ## Summary Cross-mapping is the value proposition of the [[concept:cybersec-skill-library]] — a single skill, expressed simultaneously across all five industry frameworks. One skill, five compliance checkboxes. The library is the only open-source skills library to achieve this unified coverage. For each skill, MITRE ATT&CK answers "what adversary technique?", NIST CSF answers "which lifecycle function?", ATLAS handles AI/ML adversarial threats, D3FEND lists defensive countermeasures, and AI RMF anchors the AI-risk story. Cross-mapping turns one practitioner playbook into evidence usable for detection engineering, compliance, threat-informed defense, and audit — without writing five different documents. ## Claims - The library's headline example shows one skill (`analyzing-network-traffic-of-malware`) mapping to T1071 in ATT&CK, DE.CM in NIST CSF, AML.T0047 in ATLAS, D3-NTA in D3FEND, and MEASURE-2.6 in AI RMF — illustrating the one-skill-five-frameworks pattern. `[src: raw/2026-05-09-cybersec-library-overview.md] {conf: 0.85}` - Cross-mapping enables four concrete wins: threat-informed defense (prioritize skills by real adversary behavior), gap analysis (find uncovered techniques), purple-team exercises (pair offensive and defensive skills), and agent-driven discovery (query skills by framework ID). `[src: raw/2026-05-09-cybersec-mapping-mitre-attack.md] {conf: 0.8}` - For organizations, CSF mappings let teams align skill development to their CSF implementation tier, identify training gaps, build role-based learning paths, and automate compliance mapping via AI agent queries. `[src: raw/2026-05-09-cybersec-mapping-nist-csf.md] {conf: 0.8}` - Cross-mapping is encoded directly in skill frontmatter: e.g. `building-cloud-siem-with-sentinel` declares `nist_ai_rmf`, `atlas_techniques`, and `nist_csf` lists, plus its body mentions ATT&CK Navigator. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.85}` - The library's mapping directories (`mappings/mitre-attack/`, `mappings/nist-csf/`, `mappings/owasp/`) provide both per-framework methodology docs and aggregate coverage tables — the cross-reference is bidirectional: OWASP→ATT&CK and OWASP→CSF tables exist. `[src: raw/2026-05-09-cybersec-mappings-overview.md] {conf: 0.7}` - The pattern is asymmetric across skills: not every skill maps to all five frameworks (e.g. `acquiring-disk-image-with-dd-and-dcfldd` only declares `nist_csf` in frontmatter, with no atlas/d3fend/ai_rmf fields). Coverage depends on relevance. `[src: raw/2026-05-09-cybersec-skill-cloud-siem.md] {conf: 0.7}` ## Relationships - composes → [[concept:cybersec-skill-library]] `{conf: 0.85}` - maps-to → [[framework:mitre-attack]] `{conf: 0.9}` - maps-to → [[framework:nist-csf-20]] `{conf: 0.85}` - maps-to → [[framework:mitre-atlas]] `{conf: 0.7}` - maps-to → [[framework:mitre-d3fend]] `{conf: 0.7}` - maps-to → [[framework:nist-ai-rmf]] `{conf: 0.7}` - complements → [[pattern:cross-mapping-in-practice]] `{conf: 0.85}` ## Open questions - [ ] What percentage of the 754 skills carry all five framework mappings vs. partial coverage? Raw sources don't quantify this. ## Changelog - 2026-05-09 — created