ACR-3.03v1.0

A tool registry SHALL document all authorized tools, their capabilities, access conditions, and risk

Domain

03 — Domain 3: Tool and API Governance

Eval Method

EIEvidence Inspection

Risk Weight

4 / 10

Applicability

L1L2L3

Description#

A tool registry SHALL document all authorized tools, their capabilities, access conditions, and risk classifications.

Evaluation Method#

EIEvidence Inspection

Compliance is evaluated through inspection of documentary evidence including architecture documents, configuration artifacts, and operational records.

v1.1 Details#

Profile Applicability

S,A,C

Evaluation Frequency

Annual

Platform Cert Eligible

Yes

Framework Crosswalk Refs

NIST SP 800-53 CM-8; ISO/IEC 27001 A.8.9

This is a conditional control. Non-compliance with this ACR may result in conditional certification with a mandated remediation period. The Authorized Verification Body will specify the remediation timeline and required evidence for the condition to be cleared. If remediation is not completed within the specified period, the conditional certification will be revoked.

← PreviousACR-3.02: The system SHALL prevent unauthorized tool chaining where the output of one tool triggers another wi Next →ACR-3.04: Tool access SHALL follow the principle of least privilege, granting only the minimum capabilities re

A tool registry SHALL document all authorized tools, their capabilities, access conditions, and risk

Description#

Evaluation Method#

v1.1 Details#

Classification#