# Standards and References - Vulnerability Exception Tracking
## Primary Standards
### NIST SP 800-53 Rev 5 - RA-5(5)
- **Title**: Vulnerability Monitoring and Scanning - Privileged Access
- **URL**: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
- **Relevance**: Requires organizations to track and manage vulnerability exceptions with documented risk acceptance
### PCI DSS v4.0 - Compensating Controls
- **URL**: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- **Relevance**: Appendix B defines requirements for compensating controls when a PCI requirement cannot be met as stated
### ISO 27001:2022 - Clause 6.1.3
- **Title**: Information Security Risk Treatment
- **Relevance**: Risk acceptance must be formally documented with appropriate authority approval
### CIS Controls v8 - Control 7
- **Title**: Continuous Vulnerability Management
- **Sub-control 7.7**: Remediate detected vulnerabilities within prescribed timelines; document exceptions with compensating controls
### SOC 2 - CC3.2
- **Title**: Risk Assessment
- **Relevance**: Requires evidence of risk acceptance decisions and compensating controls documentation
## Compliance Requirements for Exceptions
| Framework | Exception Requirement | Documentation Required |
|-----------|----------------------|----------------------|
| PCI DSS 4.0 | Compensating Controls Worksheet | Constraint, objective, controls, validation |
| SOC 2 Type II | Risk acceptance evidence | Approval chain, justification, review cadence |
| HIPAA | Risk analysis documentation | PHI impact, safeguards, timeline |
| NIST CSF 2.0 | Risk response decisions | Acceptance criteria, residual risk |
| ISO 27001 | Statement of Applicability | Risk owner approval, review schedule |