KORTHEXkorthex.flowence.cc

Compliance / Overview

Recognized Authorities & Frameworks

Korthex does not invent its own opinion of what counts as weak cryptography. Findings are graded against baseline channels curated from the recognized authorities (NIST, BSI, ANSSI, CISA, IETF, OWASP) plus jurisdiction overlays for regulated regions, delivered as signed updates, and every finding carries the framework tags it trips. This page is the map.

How authority baselines work

Each authority is a baseline channel: a deterministic rule set curated from that authority's primary documents. Most regulatory upstreams publish PDFs, so their channels are hand-curated through reviewed changes; the OWASP ASVS channel is pulled live from the official OWASP repository. The backend re-checks every channel on a 24-hour cycle and ships differences as signed update patches, so a new deprecation reaches your scans without a product update.

When authorities disagree (they do: key-size floors and deprecation dates differ between NIST, BSI and ANSSI), a documented priority order decides the reported verdict, and the finding still lists every authority's stance in its sources, so an auditor sees the full picture instead of a single opinion.

Per-finding evidence

Every finding carries the framework tags of the rule that graded it. A single MD5 hit can trip NIST FIPS 140-3, BSI TR-02102, NIS2 and PCI DSS 4.0 at once, and the scan report says so, with file and line. The CBOM export aggregates this into the artifact compliance teams hand to auditors: which frameworks are affected, where, and what replaces the finding.

Which channels to activate

  • US Federal (FedRAMP, FISMA): NIST + CISA channels
  • EU critical infrastructure (NIS2): BSI + ANSSI channels
  • EU payments and FinTech: BSI + ANSSI + the EU Payments overlay
  • German enterprise: BSI channel; French enterprise: ANSSI + France overlay
  • United Kingdom: NIST + the UK overlay; Australia: the ASD ISM overlay; Canada: NIST + the CCCS overlay
  • Generic global SaaS: NIST + BSI + IETF + OWASP
  • Default when nothing is configured: every channel the backend advertises

Standards & authorities

  • NIST - SP 800-131A Rev. 2, FIPS 180-4, FIPS 197 - 24 rules, highest priority
  • BSI - TR-02102-1 - 16 rules, carries NIS2 tags
  • ANSSI - RGS Annexe B1 v2.0 - 9 rules, carries NIS2 tags
  • CISA - Post-Quantum Initiative, BOD 18-01 - 7 rules
  • IETF - RFC deprecation track (8996, 8429, 6151, 6194) - 11 rules
  • OWASP - ASVS v5 chapters V11 + V12, live source - 33 rules

Jurisdictional mappings

  • EU Cyber Resilience Act - CRA readiness: inventory, state-of-the-art evidence, CI gate
  • EU Payments - PSD2, DORA, PCI DSS 4.0 - payment-infrastructure overlay
  • Germany - BSI TR-02102, IT-Grundschutz, NIS2 implementation
  • France - ANSSI RGS, OIV critical-infrastructure overlay
  • United Kingdom - NCSC Foundation Profile overlay
  • Australia - ASD ISM overlay for OFFICIAL-classified data
  • Canada - CCCS ITSP.40.111 overlay

Framework deep dives

Frequently asked questions

How current are the authority baselines?

The backend re-checks every channel on a 24-hour cycle and publishes signed patch updates. Clients verify the signature before applying, and updates reach scans without reinstalling anything.

What happens when two authorities disagree?

A documented priority order (NIST before BSI before ANSSI, down to the Korthex-curated fallback) decides the reported verdict. The finding keeps every authority's stance in its sources, so nothing is hidden behind the winner.

Do the baselines work air-gapped?

Yes. Baseline updates are signed files; clients verify them before applying, and they can be transferred into air-gapped environments on your own schedule.

Is there a Korthex opinion channel?

Yes, a Korthex-curated consensus channel exists as the lowest-priority fallback for algorithms the authorities have not yet ruled on. It never overrides an authority.