SP 800-53 Rev. 5 Coverage
How Vorion maps to NIST SP 800-53 Rev. 5 control families for AI system governance.
SP 800-53 Rev. 5 Control Coverage
NIST SP 800-53 Rev. 5 defines security and privacy controls for federal information systems. The COSAiS (Control Overlays for Securing AI Systems) framework applies these controls to AI-specific contexts through Use Case 3 (Single Agent) and Use Case 4 (Multi-Agent) scenarios.
Vorion maps to 10 control families with strong coverage in 9 of them. Every claim below is verified against actual source code and automated tests.
Coverage Matrix
| Control Family | UC3 Coverage | UC4 Coverage | Overall |
|----------------|--------------|--------------|---------|
| AC (Access) | ████████░░ | ████████░░ | Strong |
| AU (Audit) | ██████████ | ██████████ | Strong |
| CA (Assessment) | ████████░░ | ████████░░ | Strong |
| CM (Configuration) | ████████░░ | ████████░░ | Strong |
| IA (Identity) | ████████░░ | ████████░░ | Strong |
| IR (Incident) | ████████░░ | ████████░░ | Strong |
| RA (Risk) | ████████░░ | ████████░░ | Strong |
| SA (Acquisition) | ██████░░░░ | ████░░░░░░ | Moderate |
| SC (Sys/Comms) | ████████░░ | ████████░░ | Strong |
| SI (Integrity) | ██████████ | ████████░░ | Strong |
AC -- Access Control
Access control is enforced through two coordinated systems: the Validation Gate (packages/basis/src/validation-gate.ts) and the Policy Engine (src/enforce/policy-engine.ts).
Key Controls
AC-2 (Account Management): Full agent lifecycle management through the Agent Registry. States transition from T0_SANDBOX through T7_AUTONOMOUS, plus negative states (QUARANTINE, SUSPENDED, REVOKED, EXPELLED).
AC-3 (Access Enforcement): The Validation Gate returns PASS, REJECT, or ESCALATE based on agent manifest, trust tier, and capability matching. The Policy Engine short-circuits on deny.
AC-6 (Least Privilege): Agents initialize at trust score 0 with only 3 capabilities (read public data, generate responses, observe metrics). Capabilities unlock progressively:
```typescript
// From packages/basis/src/trust-capabilities.ts
// T0: 3 capabilities | T1: 6 | T2: 10 | T3: 15
// T4: 20 | T5: 25 | T6: 30 | T7: 35
```
AC-24 (Access Control Decisions): Four-outcome model:
| Decision | Meaning |
|----------|---------|
| ALLOW | Action proceeds |
| DENY | Action blocked, override impossible |
| ESCALATE | Routed to human reviewer |
| DEGRADE/LIMIT/MONITOR | Action proceeds with restrictions |
Deny overrides all; escalate takes precedence over allow.
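The precedence rule above (AC-24) together with the deny short-circuit (AC-3) as one added example; this is illustration code, not Vorion's Policy Engine. The decision names are the page's; the rank ordering, the `AccessRequest` shape, the sample policies and the evaluation loop are assumptions made for this example.

```typescript
// Added example (not Vorion code): combining per-policy outcomes under
// "deny overrides all; escalate takes precedence over allow", with the
// evaluation loop stopping as soon as a DENY is reached.
type Decision = 'ALLOW' | 'DENY' | 'ESCALATE' | 'DEGRADE' | 'LIMIT' | 'MONITOR';

// Assumed request shape: the agent's tier mirrors T0_SANDBOX..T7_AUTONOMOUS.
interface AccessRequest {
  agentTier: number;
  capability: string;
  riskLevel: 'low' | 'medium' | 'high';
}

interface Policy {
  id: string;
  evaluate: (req: AccessRequest) => Decision;
}

// Higher rank wins when policies disagree. The three restricted outcomes
// share a rank: the action proceeds, with limits attached.
const RANK: Record<Decision, number> = {
  DENY: 4, ESCALATE: 3, DEGRADE: 2, LIMIT: 2, MONITOR: 2, ALLOW: 1,
};

export function combine(a: Decision, b: Decision): Decision {
  return RANK[b] > RANK[a] ? b : a;
}

export interface EvaluationResult {
  decision: Decision;
  evaluated: string[];   // policy ids consulted, for the audit trail
}

// Policies are evaluated in order; a DENY ends evaluation because no later
// policy could override it.
export function evaluatePolicies(policies: Policy[], req: AccessRequest): EvaluationResult {
  let decision: Decision = 'ALLOW';
  const evaluated: string[] = [];
  for (const p of policies) {
    evaluated.push(p.id);
    decision = combine(decision, p.evaluate(req));
    if (decision === 'DENY') break;   // override impossible, stop early
  }
  return { decision, evaluated };
}

// Constructed sample policies for the demonstration.
export const samplePolicies: Policy[] = [
  { id: 'tier-gate', evaluate: r => (r.agentTier < 3 && r.capability === 'exec-code' ? 'DENY' : 'ALLOW') },
  { id: 'risk-review', evaluate: r => (r.riskLevel === 'high' ? 'ESCALATE' : 'ALLOW') },
  { id: 'observe-new', evaluate: r => (r.agentTier <= 1 ? 'MONITOR' : 'ALLOW') },
];
```

The `evaluated` list matters as much as the decision: when a DENY short-circuits, the audit record should show which policies were consulted and which were never reached.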
AU -- Audit and Accountability
The Proof Plane (packages/proof-plane/) provides the complete audit subsystem.
Key Controls
AU-2 (Event Logging): Six typed proof events cover the full lifecycle:
```typescript
type ProofEventType =
  | 'INTENT_RECEIVED'      // Action requested
  | 'DECISION_MADE'        // ALLOW/DENY/ESCALATE rendered
  | 'TRUST_DELTA'          // Trust score changed
  | 'EXECUTION_STARTED'    // Action execution began
  | 'EXECUTION_COMPLETED'  // Action completed successfully
  | 'EXECUTION_FAILED';    // Action failed
```
AU-9 (Protection of Audit Information): SHA-256 hash chain links each event to its predecessor. Events are hashed using deterministic JSON serialization with sorted keys. Any tampering breaks the chain.
AU-10 (Non-repudiation): Ed25519 digital signatures on every proof event. Batch verification available. Combined chain + signature verification via verifyChainAndSignatures().
```typescript
// Verify the entire proof chain
const result = await proofPlane.verifyChainAndSignatures({
  startIndex: 0,
  endIndex: events.length - 1,
});
// result.valid === true if no tampering detected
```
CA -- Assessment, Authorization, and Monitoring
Key Controls
CA-2 (Control Assessments): The 16-factor trust model evaluates agents against tier-gated requirements. calculateTrustScore() identifies missing factors and below-threshold scores across four weight classes: Foundational, Operational, and Sophisticated.
CA-7 (Continuous Monitoring): The Trust Oracle provides continuous monitoring with anomaly detection running 7 detectors:
- Geographic (impossible travel)
- Temporal (unusual time patterns)
- Volume (spike detection)
- Account-compromise
- Data-exfiltration
- Lateral-movement
- Privilege-escalation
Prometheus metrics track agent counts by state, transitions, attestation outcomes, and A2A latencies.
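Two of the seven detector types listed above (geographic impossible travel and volume spike), run over constructed agent events, as an added example that is not Vorion's Trust Oracle code. The event shape, the 1000 km/h speed ceiling, the one-hour window, the 3x spike factor and the sample events are all assumptions made for this example.

```typescript
// Added example (not Vorion code): geographic and volume anomaly detectors.
export interface AgentEvent {
  agentId: string;
  ts: number;    // epoch milliseconds
  lat: number;
  lon: number;
}

export interface Anomaly {
  detector: 'geographic' | 'volume';
  agentId: string;
  detail: string;
}

// Great-circle distance in km (haversine formula, Earth radius 6371 km).
export function distanceKm(lat1: number, lon1: number, lat2: number, lon2: number): number {
  const toRad = (d: number) => (d * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(a));
}

// Geographic detector: consecutive events from one agent whose locations would
// require travelling faster than maxKmh are flagged as impossible travel.
export function detectImpossibleTravel(events: AgentEvent[], maxKmh = 1000): Anomaly[] {
  const byAgent = new Map<string, AgentEvent[]>();
  for (const e of events) {
    const list = byAgent.get(e.agentId) ?? [];
    list.push(e);
    byAgent.set(e.agentId, list);
  }
  const out: Anomaly[] = [];
  byAgent.forEach((list, agentId) => {
    const sorted = list.slice().sort((x, y) => x.ts - y.ts);
    for (let i = 1; i < sorted.length; i++) {
      const prev = sorted[i - 1];
      const cur = sorted[i];
      const km = distanceKm(prev.lat, prev.lon, cur.lat, cur.lon);
      const hours = (cur.ts - prev.ts) / 3600000;
      // Same timestamp, different place is also impossible travel.
      const kmh = hours > 0 ? km / hours : (km > 0 ? Infinity : 0);
      if (kmh > maxKmh) {
        out.push({ detector: 'geographic', agentId, detail: `${km.toFixed(0)} km in ${(hours * 60).toFixed(0)} min` });
      }
    }
  });
  return out;
}

// Volume detector: per-agent event counts in fixed windows; a window whose
// count exceeds factor x the mean of all earlier windows (empty windows count
// as 0, and activity after total silence is therefore flagged) is a spike.
export function detectVolumeSpike(events: AgentEvent[], windowMs = 3600000, factor = 3): Anomaly[] {
  const buckets = new Map<string, Map<number, number>>();
  for (const e of events) {
    const b = Math.floor(e.ts / windowMs);
    const m = buckets.get(e.agentId) ?? new Map<number, number>();
    m.set(b, (m.get(b) ?? 0) + 1);
    buckets.set(e.agentId, m);
  }
  const out: Anomaly[] = [];
  buckets.forEach((m, agentId) => {
    const keys = Array.from(m.keys());
    const first = Math.min(...keys);
    const last = Math.max(...keys);
    const counts: number[] = [];
    for (let b = first; b <= last; b++) counts.push(m.get(b) ?? 0);
    for (let i = 2; i < counts.length; i++) {   // at least two baseline windows
      const baseline = counts.slice(0, i).reduce((s, v) => s + v, 0) / i;
      if (counts[i] > factor * baseline) {
        out.push({ detector: 'volume', agentId, detail: `${counts[i]} events vs baseline ${baseline.toFixed(1)}` });
      }
    }
  });
  return out;
}

// Constructed sample: a1 appears in New York and 30 minutes later in London;
// a2 stays in Paris at two events per hour, then twelve in the fourth hour.
function at(agentId: string, minutes: number, lat: number, lon: number): AgentEvent {
  return { agentId, ts: minutes * 60000, lat, lon };
}
export const sampleEvents: AgentEvent[] = [at('a1', 0, 40.71, -74.01), at('a1', 30, 51.51, -0.13)];
for (let h = 0; h < 3; h++) sampleEvents.push(at('a2', h * 60 + 5, 48.85, 2.35), at('a2', h * 60 + 35, 48.85, 2.35));
for (let i = 0; i < 12; i++) sampleEvents.push(at('a2', 180 + i * 4, 48.85, 2.35));
```

Both detectors are stateless over a batch; a production version would keep per-agent state across batches so the baseline is not recomputed from scratch, but the flagging rule is the same.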
CM -- Configuration Management
Key Controls
CM-3 (Configuration Change Control): The Policy Engine supports versioned policies with rollback capability:
```typescript
// Update a policy (creates new version, preserves history)
const updated = policyEngine.updatePolicy(policyId, changes);
// Rollback to previous version if needed
const rolledBack = policyEngine.rollbackPolicy(policyId);
// Inspect version history
const versions = policyEngine.getPolicyVersions(policyId);
```
CM-5 (Access Restrictions for Change): Policy creation requires T6_CERTIFIED (CAP-POLICY-CREATE). Limited policy modification requires T5_TRUSTED with constraints: non-critical only, reversible, logged. Full governance authority requires T7_AUTONOMOUS.
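The versioned update, rollback and history calls (CM-3) combined with the tier gating stated for CM-5, as an added example that is not Vorion's Policy Engine. Method names follow the snippet above; the `Policy` and `Actor` shapes, the numeric tiers (T5 = 5, T6 = 6, T7 = 7), the `critical` flag and the rule that a rollback is recorded as a new version are assumptions made for this example.

```typescript
// Added example (not Vorion code): a policy store whose every change is
// versioned (reversible), tier-gated and logged.
export interface Policy {
  id: string;
  version: number;
  critical: boolean;    // critical policies need full governance authority (T7)
  rules: string[];
}

export interface Actor { agentId: string; tier: number; }

interface AuditEntry { actor: string; action: string; policyId: string; version: number; }

export class PolicyStore {
  private history = new Map<string, Policy[]>();   // id -> versions, oldest first
  readonly audit: AuditEntry[] = [];

  // CAP-POLICY-CREATE: creation requires T6_CERTIFIED.
  createPolicy(actor: Actor, id: string, rules: string[], critical = false): Policy {
    if (actor.tier < 6) throw new Error('CAP-POLICY-CREATE requires T6_CERTIFIED');
    if (this.history.has(id)) throw new Error(`policy ${id} already exists`);
    const p: Policy = { id, version: 1, critical, rules };
    this.history.set(id, [p]);
    this.log(actor, 'create', p);
    return p;
  }

  // T5_TRUSTED may make limited changes: non-critical only, reversible (the
  // previous version is retained) and logged. Touching a critical policy, or
  // making one critical, needs T7_AUTONOMOUS.
  updatePolicy(actor: Actor, id: string, changes: Partial<Pick<Policy, 'rules' | 'critical'>>): Policy {
    const versions = this.must(id);
    const current = versions[versions.length - 1];
    this.requireChangeAuthority(actor, current.critical || changes.critical === true);
    const next: Policy = { ...current, ...changes, version: current.version + 1 };
    versions.push(next);
    this.log(actor, 'update', next);
    return next;
  }

  // Rollback re-issues the previous content as a new version, so the history
  // shows that a rollback happened rather than silently erasing the change.
  rollbackPolicy(actor: Actor, id: string): Policy {
    const versions = this.must(id);
    if (versions.length < 2) throw new Error(`policy ${id} has no previous version`);
    const current = versions[versions.length - 1];
    const previous = versions[versions.length - 2];
    this.requireChangeAuthority(actor, current.critical || previous.critical);
    const restored: Policy = { ...previous, version: current.version + 1 };
    versions.push(restored);
    this.log(actor, 'rollback', restored);
    return restored;
  }

  getPolicyVersions(id: string): Policy[] { return this.must(id).slice(); }

  getPolicy(id: string): Policy {
    const versions = this.must(id);
    return versions[versions.length - 1];
  }

  private requireChangeAuthority(actor: Actor, touchesCritical: boolean): void {
    if (touchesCritical && actor.tier < 7) throw new Error('critical policy change requires T7_AUTONOMOUS');
    if (actor.tier < 5) throw new Error('policy modification requires T5_TRUSTED');
  }

  private must(id: string): Policy[] {
    const versions = this.history.get(id);
    if (!versions) throw new Error(`unknown policy ${id}`);
    return versions;
  }

  private log(actor: Actor, action: string, p: Policy): void {
    this.audit.push({ actor: actor.agentId, action, policyId: p.id, version: p.version });
  }
}
```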
CM-7 (Least Functionality): The capability taxonomy defines exactly 35 capabilities across 8 categories. Each trust tier unlocks a specific subset. Capabilities carry explicit constraints (e.g., "No network", "Size limited", "Time limited").
IA -- Identification and Authentication
Key Controls
IA-2 (Identification and Authentication): CAR strings encode registry, organization, agent class, domain bitmask, capability level, and version. Trust proofs signed with HMAC-SHA256 or Ed25519 provide cryptographic authentication.
IA-5 (Authenticator Management): Multiple key management options:
- Ed25519 key pairs for proof plane signing
- HMAC-SHA256 for trust proof signatures
- HSM integration (AWS CloudHSM, Azure HSM, GCP HSM, Thales Luna, SoftHSM)
- Key rotation via dedicated service
- Post-quantum cryptography: Kyber (KEM) and Dilithium (signatures)
IR -- Incident Response
Key Controls
IR-4 (Incident Handling): Full lifecycle: DETECTED -> INVESTIGATING -> CONTAINED -> ERADICATED -> RECOVERED -> CLOSED. Timeline entries track all activities. Evidence collection uses SHA-256 hashes for integrity.
IR-8 (Incident Response Plan): Automated playbooks for 8 incident types: account-compromise, data-breach, denial-of-service, malware, ransomware, unauthorized-access, insider-threat, configuration-error. Steps support manual or automated execution with approval gates and rollback.
IR-AI-1 (Agent Circuit Breaker): Trust score suspension on policy violations (-50 points). Agent states include QUARANTINE, SUSPENDED, REVOKED, EXPELLED for isolating compromised agents.
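The IR-4 lifecycle as a state machine with a timeline and SHA-256 evidence hashes, as an added example that is not Vorion's incident code. The state names and the eight incident types are the ones listed above; the `Incident` class, its methods, the rule that only the next lifecycle stage is reachable, and the constructed evidence are assumptions made for this example.

```typescript
// Added example (not Vorion code): incident lifecycle with timeline and
// evidence integrity hashes.
import { createHash } from 'crypto';

export type IncidentState =
  'DETECTED' | 'INVESTIGATING' | 'CONTAINED' | 'ERADICATED' | 'RECOVERED' | 'CLOSED';
export type IncidentType =
  'account-compromise' | 'data-breach' | 'denial-of-service' | 'malware' |
  'ransomware' | 'unauthorized-access' | 'insider-threat' | 'configuration-error';

const LIFECYCLE: IncidentState[] =
  ['DETECTED', 'INVESTIGATING', 'CONTAINED', 'ERADICATED', 'RECOVERED', 'CLOSED'];

export interface TimelineEntry { ts: number; from: IncidentState | null; to: IncidentState; note: string; }
export interface Evidence { name: string; sha256: string; }

export function sha256Hex(data: string): string {
  return createHash('sha256').update(data).digest('hex');
}

export class Incident {
  state: IncidentState = 'DETECTED';
  readonly timeline: TimelineEntry[] = [];
  readonly evidence: Evidence[] = [];

  constructor(readonly id: string, readonly type: IncidentType, detectedAt: number) {
    this.timeline.push({ ts: detectedAt, from: null, to: 'DETECTED', note: `${type} detected` });
  }

  // Only the next lifecycle stage is reachable: an incident cannot be CLOSED
  // without passing through containment, eradication and recovery.
  advance(to: IncidentState, note: string, ts: number): void {
    const next = LIFECYCLE[LIFECYCLE.indexOf(this.state) + 1];
    if (next !== to) throw new Error(`cannot move ${this.id} from ${this.state} to ${to}`);
    this.timeline.push({ ts, from: this.state, to, note });
    this.state = to;
  }

  // Record evidence by content hash at collection time.
  attachEvidence(name: string, content: string): Evidence {
    const item: Evidence = { name, sha256: sha256Hex(content) };
    this.evidence.push(item);
    return item;
  }

  // Re-hash evidence read back later; returns the names that are missing or
  // whose content no longer matches the hash taken at collection.
  verifyEvidence(contents: Record<string, string | undefined>): string[] {
    return this.evidence
      .filter(item => {
        const c = contents[item.name];
        return c === undefined || sha256Hex(c) !== item.sha256;
      })
      .map(item => item.name);
  }
}
```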
RA -- Risk Assessment
Key Controls
RA-3 (Risk Assessment): calculateTrustScore() produces a TrustEvaluation result:
```typescript
interface TrustEvaluation {
  totalScore: number;         // 0-1000
  percentile: number;         // Relative position
  compliant: boolean;         // Meets tier requirements
  missingFactors: string[];   // Factors not yet assessed
  belowThreshold: string[];   // Factors below minimum
}
```
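A calculateTrustScore() that returns the TrustEvaluation shape above and reports missing and below-threshold factors as CA-2 describes, as an added example that is not Vorion's trust model. The four constructed factors, their weights and minimums, the peer scores, and the percentile rule (share of peers at or below the agent's score) are assumptions; the real 16-factor model is not reproduced.

```typescript
// Added example (not Vorion code): weighted factor scoring with missing and
// below-threshold reporting.
export interface TrustEvaluation {
  totalScore: number;        // 0-1000
  percentile: number;        // relative position among peers
  compliant: boolean;        // meets tier requirements
  missingFactors: string[];  // factors not yet assessed
  belowThreshold: string[];  // factors below minimum
}

export interface TrustFactor {
  name: string;
  weightClass: 'Foundational' | 'Operational' | 'Sophisticated';
  weight: number;    // points on the 1000-point scale; weights sum to 1000
  minimum: number;   // 0..1 floor the target tier requires for this factor
}

// Constructed factor set (assumption, not the project's 16 factors).
export const sampleFactors: TrustFactor[] = [
  { name: 'identity_verified', weightClass: 'Foundational', weight: 300, minimum: 1.0 },
  { name: 'policy_compliance', weightClass: 'Foundational', weight: 250, minimum: 0.8 },
  { name: 'task_success_rate', weightClass: 'Operational', weight: 250, minimum: 0.7 },
  { name: 'peer_attestations', weightClass: 'Sophisticated', weight: 200, minimum: 0.5 },
];

// Constructed peer population used for the percentile.
export const samplePeers = [400, 500, 650, 700, 800, 900];

export function calculateTrustScore(
  assessed: Record<string, number | undefined>,   // factor name -> score in 0..1
  factors: TrustFactor[],
  peerScores: number[],
): TrustEvaluation {
  let total = 0;
  const missingFactors: string[] = [];
  const belowThreshold: string[] = [];
  for (const f of factors) {
    const raw = assessed[f.name];
    if (raw === undefined) { missingFactors.push(f.name); continue; }   // unassessed earns 0 points
    const s = Math.min(1, Math.max(0, raw));
    total += s * f.weight;
    if (s < f.minimum) belowThreshold.push(f.name);
  }
  const totalScore = Math.round(total);
  const atOrBelow = peerScores.filter(p => p <= totalScore).length;
  const percentile = peerScores.length ? Math.round((100 * atOrBelow) / peerScores.length) : 0;
  // Compliance is all-or-nothing: one missing or low factor blocks the tier.
  const compliant = missingFactors.length === 0 && belowThreshold.length === 0;
  return { totalScore, percentile, compliant, missingFactors, belowThreshold };
}
```

Note that an agent can have a respectable total (here 675 of 1000) and still be non-compliant: the per-factor minimums are what gate the tier, not the aggregate.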
RA-7 (Risk Response): Graduated response maps risk levels to capability restrictions. High-risk actions trigger ESCALATE decisions. Trust score impacts amplify failure signals (3x for task_failed, -50 for policy_violation).
SC -- System and Communications Protection
Key Controls
SC-3 (Security Function Isolation): The governance pipeline layers have isolated responsibilities. T3 code execution is explicitly sandboxed: "Time limited, Memory limited, No network."
SC-12 (Cryptographic Key Establishment): HSM integration across five providers. Post-quantum cryptography with hybrid mode for migration. PKCS#11 wrapper for hardware security modules.
SC-13 (Cryptographic Protection):
- SHA-256 for hash chains
- Ed25519 for event signatures (128-bit security, 64-byte signatures)
- HMAC-SHA256 for trust proofs
- Shamir secret sharing with security analysis
- FIPS mode support
SI -- System and Information Integrity
Key Controls
SI-3 (Malicious Code Protection): The injection detector covers 8 attack types: SQL, XSS, Command, Template, Path Traversal, LDAP, XML, NoSQL. A separate prompt injection defense handles AI-specific attacks with configurable sensitivity and encoding attack detection.
SI-7 (Software Integrity): The hash chain provides tamper detection. Combined chain + signature verification detects any modification:
```typescript
const integrity = await proofPlane.verifyChainWithDetails(0, lastIndex);
// integrity.brokenLinks: number[] -- empty if chain is intact
// integrity.missingSignatures: number[]
// integrity.invalidSignatures: number[]
```
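The SHA-256 hash chain over sorted-key JSON (AU-9), the per-event Ed25519 signature (AU-10) and the combined integrity report of SI-7 above, as one added example that is not Vorion's Proof Plane code. The `ProofEvent` fields, the all-zero genesis hash, signing the hex event hash rather than the serialised body, the base64 signature encoding and the use of Node's `crypto` module are assumptions made for this example; the event type names are the page's.

```typescript
// Added example (not Vorion code): hash chain + Ed25519 signatures with a
// verification report listing broken links and missing/invalid signatures.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from 'crypto';

export type ProofEventType =
  | 'INTENT_RECEIVED' | 'DECISION_MADE' | 'TRUST_DELTA'
  | 'EXECUTION_STARTED' | 'EXECUTION_COMPLETED' | 'EXECUTION_FAILED';

export interface ProofEvent {
  index: number;
  type: ProofEventType;
  agentId: string;
  payload: Record<string, unknown>;
  prevHash: string;      // hash of the predecessor; GENESIS for the first event
  hash: string;          // SHA-256 of the canonical body (all fields above)
  signature?: string;    // Ed25519 over the hash bytes, base64
}
type EventBody = Omit<ProofEvent, 'hash' | 'signature'>;
const GENESIS = '0'.repeat(64);   // assumed genesis link

// Deterministic JSON: object keys are sorted recursively, so structurally
// equal events always serialise, and therefore hash, identically.
export function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) return '[' + value.map(canonicalJson).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const obj = value as Record<string, unknown>;
    return '{' + Object.keys(obj).sort()
      .map(k => JSON.stringify(k) + ':' + canonicalJson(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function bodyOf(e: ProofEvent): EventBody {
  return { index: e.index, type: e.type, agentId: e.agentId, payload: e.payload, prevHash: e.prevHash };
}

export function hashBody(body: EventBody): string {
  return createHash('sha256').update(canonicalJson(body)).digest('hex');
}

export class ProofChain {
  readonly events: ProofEvent[] = [];
  constructor(private readonly privateKey: KeyObject) {}

  append(type: ProofEventType, agentId: string, payload: Record<string, unknown>): ProofEvent {
    const prevHash = this.events.length ? this.events[this.events.length - 1].hash : GENESIS;
    const body: EventBody = { index: this.events.length, type, agentId, payload, prevHash };
    const hash = hashBody(body);
    const signature = sign(null, Buffer.from(hash, 'hex'), this.privateKey).toString('base64');
    const event: ProofEvent = { ...body, hash, signature };
    this.events.push(event);
    return event;
  }
}

export interface IntegrityReport {
  valid: boolean; brokenLinks: number[]; missingSignatures: number[]; invalidSignatures: number[];
}

export function verifyChainWithDetails(events: ProofEvent[], publicKey: KeyObject,
                                       start = 0, end = events.length - 1): IntegrityReport {
  const brokenLinks: number[] = [];
  const missingSignatures: number[] = [];
  const invalidSignatures: number[] = [];
  for (let i = start; i <= end; i++) {
    const e = events[i];
    const expectedPrev = i === 0 ? GENESIS : events[i - 1].hash;
    // A link is broken if the stored hash no longer matches the body, or if the
    // event does not point at the hash its predecessor actually carries.
    if (hashBody(bodyOf(e)) !== e.hash || e.prevHash !== expectedPrev) brokenLinks.push(i);
    if (!e.signature) missingSignatures.push(i);
    else if (!verify(null, Buffer.from(e.hash, 'hex'), publicKey, Buffer.from(e.signature, 'base64'))) {
      invalidSignatures.push(i);
    }
  }
  const valid = brokenLinks.length + missingSignatures.length + invalidSignatures.length === 0;
  return { valid, brokenLinks, missingSignatures, invalidSignatures };
}

// Constructed scenario: an intact chain; a payload edited in place; and the
// same edit with the event hash recomputed, which is what someone without the
// signing key would have to do to hide the first kind of edit.
export function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const chain = new ProofChain(privateKey);
  chain.append('INTENT_RECEIVED', 'agent-7', { action: 'read', resource: 'public/doc' });
  chain.append('DECISION_MADE', 'agent-7', { decision: 'ALLOW' });
  chain.append('EXECUTION_COMPLETED', 'agent-7', { outputHash: createHash('sha256').update('constructed output').digest('hex') });
  chain.append('TRUST_DELTA', 'agent-7', { delta: 5 });
  const copy = () => chain.events.map(e => ({ ...e, payload: { ...e.payload } }));
  const edited = copy();
  edited[1].payload.decision = 'DENY';
  const recomputed = copy();
  recomputed[1].payload.decision = 'DENY';
  recomputed[1].hash = hashBody(bodyOf(recomputed[1]));
  return {
    intact: verifyChainWithDetails(chain.events, publicKey),
    payloadEdited: verifyChainWithDetails(edited, publicKey),
    recomputed: verifyChainWithDetails(recomputed, publicKey),
  };
}
```

The two tamper cases show why chain and signatures are verified together: editing a payload in place breaks the edited event's own hash, while editing and recomputing the hash leaves that event self-consistent but breaks the next event's link and invalidates the signature the attacker cannot re-create.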
SI-AI-1 (AI Output Integrity): Proof Plane logs ExecutionCompletedPayload with outputHash (hash of execution output). Output filter and bias detection in the AI governance module. Trust scoring penalizes failed executions.
Gaps and Remediation Plan
| ID | Control | Gap | Severity | Target |
|----|---------|-----|----------|--------|
| G-1 | SA-12 | No formal third-party agent vetting. No runtime SBOM. | Medium | Q2 2026 |
| G-2 | SA-15 | No enforced secure development requirements for registering agents. | Medium | Q2 2026 |
| G-3 | AU-9(1) | No hardware-backed immutable storage (e.g., QLDB). | Medium | Q3 2026 |
| G-4 | IR-10 | Incident outcomes do not auto-feed trust scores. | Low | Q2 2026 |
| G-5 | SC-38 | No OPSEC controls for agent operational patterns. | Low | Q3 2026 |
| G-6 | CA-8 | No automated adversarial testing of governance boundaries. | Medium | Q2 2026 |
| G-7 | AC-4(MA) | A2A rate limiting defined but not enforced in protocol layer. | Medium | Q2 2026 |
Remediation priority: G-6 and G-7 are P1 (Q2 2026), G-1/G-2/G-3 are P2 (Q2-Q3 2026), G-4/G-5 are P3 (Q3 2026).
Next Steps
- NIST AI RMF Mapping -- Higher-level framework alignment
- OWASP ASI Top 10 -- Agent-specific security threats
- Building Compliance Reports -- Automated evidence generation