Cybersecurity Knowledge Graphs with RAG: Discovering CSF v2.0 Compliance Use-Cases

Within the fast-evolving compliance and regulation landscape, companies dedicate considerable time and resources to re-assess security processes and remain compliant with multiple frameworks. According to Thomson Reuters 2021, 78% of companies expect regulatory information to increase, while 62% anticipate more compliance involvement in cyber resilience.

In the IDG 2019 Security Priorities Study, 66% of companies said compliance mandates drove their security spending. Agencies like NIST provide a rich corpus of cybersecurity resources, standards, guidelines, and best practices targeting businesses. There is also a plethora of commercial tooling capturing convergence and mapping across compliance frameworks. Nevertheless, cross-framework assessments are complex engagements requiring investment in qualified staff/SMEs, and often involving manual processes and lengthy communication chains.

“We are trying to stay ahead of generative AI.”

CISO, government organization 


According to Splunk’s 2023 Chief Information Security Officer (CISO) report, the rapid advancements in Generative AI have made it possible to go beyond the automation of mundane technical tasks. Opportunities now span into strategic functions, addressing challenges around data quality assurance, managing security posture, communication, and training for an improved understanding of what continuous compliance entails regarding policies, procedures, best practices, risks, and emerging cybersecurity threats, including those associated with Generative AI.

Knowledge Graphs (KG) and Generative AI (GenAI) provide advanced modeling, inference, extended analytics, and explanation capabilities, capturing real-world information and constituting a natural fit for the compliance applications domain. Our approach combines Knowledge Graph (KG) and Retrieval Augmented Generation (RAG) to facilitate the discovery of concept associations across frameworks. For a proof-of-concept (POC) targeting NIST CSF versions 2.0 and 1.1 as scope, a framework-agnostic, bottom-up approach is adopted to identify a semantic network of:

  • Fundamental notions/concepts, including cybersecurity standards with hierarchies of functional domains, subdomains, and controls
  • Relations that capture  a multitude of ways these notions/concepts associate and affect each other

In the process, we relied on GenAI/LLM support to build a large corpus of self-assessment questionnaires and cross-standard, cross-version mapping documentation leveraging publicly available Open-Source cybersecurity resources, e.g., documentation and data published by agencies, primarily by NIST and the Center for Internet Security (CIS). With GenAI support, the POC: open-source cybersecurity compliance KG can be continuously extended to effectively learn and provide advanced inference capabilities about related standards and frameworks such as NIST 800-53, SANS Critical Security Controls (CSC), and CIS Controls with relative ease, allowing organizations and businesses to stay up-to-date in streamlining compliance efforts, reduce resource burdens, and ensure robust adherence to evolving regulatory standards.

Challenges in Staying Current and the Complexity of Mapping Efforts

NIST Cybersecurity Framework (CSF), is increasingly used as a common standard in vendor/supplier questionnaires, including by companies like SpaceX. The first version (CSF 1.0) was released in 2014, followed by a revision in 2018 (CSF 1.1). The journey for CSF 2.0 started with the 2022 RFI,  taking over 8 years to release the new and far more extensive version of this widely adopted and useful Framework in (CSF 2.0) in 2024. Within a single Framework life-cycle, for NIST to be able to help organizations more easily and effectively manage cybersecurity risks, it has been critical to continuously adapt to the ever-evolving cybersecurity landscape and, ensure community engagement, and coordination with other standard and framework authorities and agencies. 

Considering CSF is a framework and not a standard, to streamline the response and adoption processes, it is critical to identify the controls in a more granular standard that aligns with CSF, a process referred to as “mapping”. For instance, in support of clients in the DoD supply chain subject to NIST 800-171 controls for protecting Controlled Unclassified Information (CUI), NIST provides a CSF mapping for 800-171 to assist in addressing the NIST CSF questionnaire.  Like in the case of NIST CSF – 800-171, it is necessary to emphasize that most mappings are complex and incomplete due to the lack of “one-to-one” correspondence between standard controls and CSF (i.e., not all CSF requirements are addressed by standard controls, and there are single controls addressing multiple CSF requirements). 

Compliance with CSF 2.0: Challenges and Pain Points

Organizations across various verticals, small and large, transitioning from NIST CSF version 1.1 to version 2.0 must address new and expanded requirements, and face unique challenges in staying compliant.  Key challenges include:

  1. Complexity of Regulations:
  •    Navigating multiple regulatory frameworks (e.g., GDPR, CCPA, HIPAA, CIS, CSC, NIST CSF).
  •    Keeping up with frequent updates and changes in compliance requirements.
  •    Implementing comprehensive compliance programs that align with diverse regulations.
  1. Resource Constraints:
  • Limitations on the cybersecurity budgets, especially for small and mid-sized businesses (SMBs).
  • Shortage of skilled cybersecurity professionals.
  • High costs associated with compliance tools and services.
  1. Data and Technology Integration with emphasis on preserving privacy and confidentiality:
  •    Integrating compliance solutions with existing IT infrastructure
  •    Ensuring interoperability between various security tools and platforms 
  1. Meeting SEC and other Regulatory Reporting mandates (e.g., May 2021 Executive Order 14028, “Improving the Nation’s Cybersecurity,”, March 2024 Executive Order on Artificial Intelligence)
  •    Timely reporting of security incidents to regulatory authorities.
  •    Maintaining continuous monitoring of compliance status.
  •    Conducting regular audits and assessments to ensure ongoing compliance.

These challenges are the driving motivation behind the development of a holistic, semantically rich cybersecurity compliance KG and RAG capabilities is our anticipation that organizations and related R&D initiatives, Community Engagements, and Coordinated Mapping efforts, would greatly benefit from improved effectiveness of compliance processes, timeliness of implementations, reduced resource allocation, and spending, with GenAI leveraged in a variety of cross-framework compliance application scenarios.

Why Knowledge Graphs and RAG?

Leveraging LLM, Knowledge Graphs, and RAG approaches can facilitate the transition to CSF 2.0 and support organizations in addressing the complexities and challenges of compliance more efficiently, accurately, and automatically. These technologies enable a deeper understanding of regulatory requirements, streamline compliance efforts, and ensure that organizations stay ahead of evolving standards like NIST CSF version 2.0. 

KGs provide a structured, interconnected representation of various regulatory requirements, allowing organizations can easily navigate and understand the relationships and dependencies between different standards and controls. Retrieval-augmented generation (RAG) leverages these knowledge graphs to retrieve relevant regulatory information and generate contextualized guidance or documentation, simplifying compliance efforts. 

General Use Cases Leveraging LLM and KG-supported RAG Approaches


Leveraging GenAI – KG with RAG

Automated Compliance Documentation and Reporting

Implement Retrieval-Augmented Generation (RAG) to extract relevant compliance data from internal systems and generate accurate reports for audits and regulatory submissions. Knowledge graphs simplify the retrieval of relevant regulatory information and the generation of contextualized guidance or documentation.

Policy and Procedure Development

With a KG built to represent a model with security policies and procedures that align with NIST CSF version 2.0, retrieve best practices and guidelines from authoritative sources to enhance policy development and ensure adherence to industry standards.

Employee Training and Awareness

In developing interactive training programs, create a KG that includes training materials, regulatory requirements, and best practices. Use RAG to gather and present the latest compliance updates and case studies, developing personalized training content that is relevant and up-to-date for the organization and ensuring that employees are well-informed about compliance requirements.

Risk Assessment and Management

Create a KG that links various risk factors, controls, and mitigation strategies, and use RAG to retrieve relevant risk information and generate comprehensive risk assessment reports, highlighting areas that need attention.

Specific Context: Application Scenarios for Transitioning to NIST CSF Version 2.0

  • Gap Analysis: Involves conducting thorough analyses to identify gaps between current practices and the new framework requirements.
  • Mapping Controls: Using Knowledge Graphs to map existing controls to the new framework, ensuring comprehensive coverage and compliance.
  • Automated Updates: Keeping policies, procedures, and documentation aligned with the latest NIST CSF version 2.0 updates through automated KG/RAG-driven processes.
  • Enhanced Reporting: RAG can provide detailed and accurate compliance reports and audit documentation that reflect adherence to the new framework, facilitating easier audits and inspections using the knowledge graph to ensure all compliance aspects/controls/functional domains are covered.

Leave a Reply

Your email address will not be published. Required fields are marked *