Out of the box: TSA SD 1580-21-01, NIST CSF 2.0, NIST 800-82r3, IEC 62443, SOX, HIPAA, PCI DSS v4. Each closed remediation plan and OT compensating-control record is mapped to one or more control IDs and exported as both a machine-readable bundle and an auditor-ready PDF.
TSA SD 1580-21-01

| Section | Control summary | Mythal evidence |
|---|---|---|
| 3.A | Network segmentation between IT and OT | Asset Estate graph · zone tags · OT Safety Officer compensating-control records |
| 3.B | Access controls for Critical Cyber Systems | Approval workflow · dual-approval keys · RBAC log · Inventory ccs_no_owner rec |
| 3.C | Continuous monitoring | Scanner Liaison ingest cadence · Threat Intel poll telemetry |
| 3.D | Vulnerability remediation timelines | Remediation plan history with timestamps + verification records |
| 4 | Incident reporting | Reasoning traces · executor failure escalations · escalation queue |

NIST CSF 2.0

| Function | Category | Mythal evidence |
|---|---|---|
| Identify | ID.AM Asset Management | Asset Estate · CMDB sync · asset_dependencies graph · Inventory Insights sweep |
| Protect | PR.IP Information Protection | Policy gate · prompt-injection defense · signed agent messages · HMAC ledger |
| Detect | DE.CM Security Continuous Monitoring | Scanner Liaison feeds · Threat Intel poll cadence · KEV uplift handling |
| Respond | RS.MI Mitigation | Remediation Planner + Executor + Verifier reasoning traces · compensating controls |
| Recover | RC.RP Recovery Planning | Rollback plans recorded on every execution · validated by policy gate |
NIST 800-82r3

- §5.1 ICS Risk Management — OT Safety Officer veto + compensating controls + reasoning traces.
- §5.4 Zones & conduits — IEC 62443-style zone tagging enforced on every asset.
- §6.2 Patch management for ICS — Maintenance-window enforcement · dual approval · canary peer · tested rollback.
- §6.3.2 Identity controls — Inventory Insights identity_hygiene recommendations.
IEC 62443

- 2-1 Program management — Captured in Policy Studio · OPA bundles versioned.
- 2-3 Patch management — Enforced by policy gate · vendor advisories consumed · compensating controls deployed.
- 2-4 Service-provider requirements — Integrations health · scanner connector telemetry.
- 3-2 Security risk assessment — Captured in ChangeRiskScore + BusinessImpactProfile.
- 3-3 System security (incl. IAC-1) — OPA bundles · policy gate · audit log.
SOX

Change management evidence — every plan has approvals, rollback, executor identity, verifier record. Suitable for IT general controls testing.

HIPAA

For tenants that carry PHI-adjacent systems. The same evidence pipeline, tagged to §164.308 / §164.312 controls.

PCI DSS v4

For transit-payment systems (rail PCI environments). Maps to 6.3, 6.4, 11.3, 12.10.
Machine-readable bundle

JSON Lines with one record per evidence unit. Suitable for ingestion into GRC platforms (Archer, MetricStream, ServiceNow IRM).
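As an added example (not Mythal's own export code), the following Python builds a JSON Lines bundle with one record per evidence unit mapped to control IDs and chains the records with HMAC-SHA256, then verifies on the receiving side that no record was altered, dropped or left unmapped. The record fields, the `framework:control` ID convention and the sample evidence are assumptions for illustration.

```python
import hashlib
import hmac
import json

# Catalogue limited to control IDs named in the mappings above (assumed framework:control form).
KNOWN_CONTROLS = {
    "TSA-SD-1580-21-01:3.A", "TSA-SD-1580-21-01:3.D", "TSA-SD-1580-21-01:4",
    "NIST-CSF-2.0:ID.AM", "NIST-CSF-2.0:RS.MI", "NIST-CSF-2.0:RC.RP",
    "NIST-800-82r3:6.2", "IEC-62443:2-3", "HIPAA:164.312", "PCI-DSS-v4:6.3",
}
GENESIS = "0" * 64  # chain anchor for the first record (assumed convention)

# Constructed evidence units; the field names are an assumed schema, not Mythal's.
SAMPLE_EVIDENCE = [
    {"evidence_id": "rp-0001", "kind": "remediation_plan",
     "controls": ["TSA-SD-1580-21-01:3.D", "NIST-CSF-2.0:RS.MI", "IEC-62443:2-3"]},
    {"evidence_id": "cc-0007", "kind": "compensating_control",
     "controls": ["TSA-SD-1580-21-01:3.A", "NIST-800-82r3:6.2"]},
]

def _mac(key: bytes, record: dict) -> str:
    # Sorted keys and compact separators so producer and consumer MAC identical bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def build_bundle(evidence: list, key: bytes) -> str:
    """Emit one JSON Lines record per evidence unit, each MAC-chained to the previous one."""
    lines, prev = [], GENESIS
    for unit in evidence:
        body = dict(unit, prev_mac=prev)
        prev = _mac(key, body)
        lines.append(json.dumps(dict(body, mac=prev), sort_keys=True))
    return "\n".join(lines) + "\n"

def verify_bundle(bundle: str, key: bytes) -> list:
    """Return the problems found; an empty list means every record is intact and mapped."""
    problems, prev = [], GENESIS
    for n, line in enumerate(bundle.splitlines(), 1):
        rec = json.loads(line)
        mac = rec.pop("mac", "")
        if rec.get("prev_mac") != prev:
            problems.append(f"line {n}: chain break, a record was dropped or reordered")
        if not hmac.compare_digest(mac, _mac(key, rec)):
            problems.append(f"line {n}: HMAC mismatch, record content was altered")
        unknown = set(rec.get("controls", [])) - KNOWN_CONTROLS
        if unknown or not rec.get("controls"):
            problems.append(f"line {n}: unmapped or unknown control IDs {sorted(unknown)}")
        prev = mac or prev
    return problems
```

The chain makes a silently dropped record as detectable as an edited one, which a per-line signature alone would not give a GRC importer.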
Auditor-ready PDF

Generated by Compliance Reporter via ReportLab. Watermarked SIMULATED on demo tenants; clean on production. Control-by-control, with reasoning-trace excerpts and signed message IDs.