NIST CSF 2.0: Vectimus Mapping

The NIST Cybersecurity Framework 2.0 organises security outcomes into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Vectimus operates at the Protect and Detect layers, enforcing deterministic pre-action controls on AI agent tool calls.

This document maps Vectimus policies to specific CSF subcategories. Vectimus is a tool-level enforcement layer. It does not replace organisational security programmes covering Govern, Identify, Respond or Recover functions.

PR.DS: Data Security

Coverage: HIGH

Vectimus enforces data security controls across multiple policy packs:

• PR.DS-01 (Confidentiality): Blocks agent reads of .env files, SSH keys, AWS credentials, npmrc tokens and secrets directories. Blocks destructive operations that could destroy data (rm -rf, mkfs, format commands). Blocks agent writes to governance config and sensitive system files.
• PR.DS-02 (Data in transit): Blocks data exfiltration patterns including base64-encoded data piped to curl/wget, DNS tunnelling via nslookup with encoded subdomains, and credential file contents piped to network tools.

Key rules: destructive-ops (001-003), secrets (001-004), data-exfiltration (001-003), file-integrity (001-012)

PR.PS: Platform Security

Coverage: HIGH

• PR.PS-01 (Configuration management): Blocks agent writes to CI/CD configs (GitHub Actions, GitLab CI, Jenkinsfiles), IDE settings, tool hook configs, Dockerfiles and docker-compose files. Blocks force push to protected branches, git reset —hard and git clean -f.

Key rules: file-integrity (001-012), git-safety (001-003)

PR.AA: Identity Management, Authentication and Access Control

Coverage: PARTIAL

• PR.AA-05 (Access control): Blocks privilege escalation via sudo, su, cloud CLI role assumption and cross-account access. Blocks infrastructure mutations including terraform apply/destroy, kubectl delete and cloud resource creation without review.

Key rules: infrastructure (001-008), destructive-ops (004)

DE.CM: Continuous Monitoring

Coverage: PARTIAL

• DE.CM-01 (Network monitoring): Detects data exfiltration attempts, reverse shell patterns, download-and-execute chains and eval/exec patterns in agent shell commands.
• DE.CM-06 (External service provider monitoring): Default-deny for all MCP servers. Blocks unapproved MCP tool calls and inspects approved MCP tool inputs for credential paths, dangerous commands and governance tampering.

Key rules: code-execution (001-005), data-exfiltration (001-003), mcp-safety (001-007)

DE.AE: Adverse Event Analysis

Coverage: PARTIAL

• DE.AE-02 (Anomaly detection): Blocks autonomous agent spawning, excessive turn counts, broadcast amplification, background agents with bypass permissions and spawn/message floods.

Key rules: agent-governance (001-005)

GV.SC: Supply Chain Risk Management

Coverage: HIGH

• GV.SC-05 (Supply chain requirements): Blocks npm publish, pip installs from non-standard indexes, npm installs from URLs, cargo installs from git. Blocks lockfile tampering across npm, yarn, pnpm, pip, poetry, uv, cargo, bundler and composer. Blocks registry config writes (.npmrc, .pypirc).

Key rules: supply-chain (001-008)

Summary

What Vectimus does not cover

NIST CSF 2.0 is a comprehensive organisational framework. Vectimus covers the Protect and Detect functions where AI agent actions produce observable tool calls. The following sit outside scope:

• Govern (GV): Organisational context, risk management strategy, roles and responsibilities, policy establishment, oversight.
• Identify (ID): Asset management, risk assessment, improvement planning.
• Respond (RS): Incident management, analysis, mitigation, reporting.
• Recover (RC): Recovery planning, communication.

Organisations should treat Vectimus as one control within their CSF implementation, not as a replacement for the framework itself.