# Audit: Standards spine verification

- **Date:** 2026-05-07
- **Subject:** [`standard.md` Standards Spine](../standard.md#the-standards-spine): 22 references
- **Discipline:** Reference Discipline (`standard.md` `#reference-discipline`); 90-day `verified_on` floor
- **Method:** 4 parallel Exa cluster searches + HEAD curl batch on remaining URLs
- **Result:** 17 verified live; 2 stale URLs replaced; 1 anti-bot 403 (content-confirmed manually); 2 deferred (placeholder URL / live URL with no fresh verification path)

## Verified live (17)

### Via Exa search (7)
- `nist-sp-800-218-ssdf`: csrc.nist.gov/projects/ssdf
- `nist-sp-800-218a-ssdf-genai`: csrc.nist.gov/pubs/sp/800/218/a/final
- `owasp-asvs-5`: asvs.dev (5.0.0 dated May 2025 confirmed)
- `cisa-sbom-2025-minimum`: cisa.gov/resources-tools/resources/2025-minimum-elements...
- `cisa-sbd-pledge`: cisa.gov/securebydesign/pledge
- `slsa-v1-2`: slsa.dev/spec/v1.2
- `first-cvss-v4`: first.org/cvss/v4.0/specification-document

### Via HEAD curl (10)
- `owasp-wstg-v42`: owasp.org/www-project-web-security-testing-guide/v42. 200
- `nist-ai-rmf-100-1`: nist.gov/itl/ai-risk-management-framework. 200
- `openssf-scorecard`: github.com/ossf/scorecard. 200
- `sigstore-cosign`: docs.sigstore.dev. 200
- `owasp-genai-security-project`: genai.owasp.org. 200
- `iso-29147-disclosure`: iso.org/standard/72311.html. 200
- `owasp-agentic-skills-top-10`: github.com/OWASP/www-project-agentic-skills-top-10. 200
- `cisa-five-eyes-agentic-ai`: cisa.gov/news-events/news/cisa-us-and-international-partners.... 200
- `nist-ai-agent-standards-initiative`: nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative.... 200
- `cosai-oasis-agentic-security`: oasis-open.org/2026/05/06/coalition-for-secure-ai.... 200

## Stale, replaced (2)

### `nist-ai-rmf-600-1-genai`
- **Old:** `https://www.nist.gov/publications/artificial-intelligence-risk-management-framework-generative-artificial`: 404
- **New:** `https://airc.nist.gov/Home` (verified 200; the AI Risk Management Framework hub on the NIST AI Resource Center)
- **Archive:** `https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf` (canonical PDF, NVLpubs persistent)
- **Updated in:** `standard.md` (Standards Spine), `references.json`

### `csa-maestro`
- **Old:** `https://cloudsecurityalliance.org/research/working-groups/ai-safety-initiative`: 404
- **New:** `https://cloudsecurityalliance.org/blog/2025/02/06/agentic-ai-threat-modeling-framework-maestro` (verified via Exa; the canonical MAESTRO blog post by Ken Huang)
- **Updated in:** `standard.md` (Standards Spine), `references.json`

## Anti-bot 403 (1): content confirmed manually

### `sec-reg-sk-item-106`
- `https://www.sec.gov/news/press-release/2023-139` returns **403** to `curl` (SEC anti-bot). Content confirmed manually as the canonical SEC press release announcing Reg S-K Item 106 / Form 8-K Item 1.05 cybersecurity disclosure rules. Marked `verified_via: "manual"` to distinguish from search-verified or HEAD-verified entries.

## Deferred (2)

### `snyk-skill-md-shell-access`
- URL in `references.json` is the placeholder `https://snyk.io`. The actual research title, *"From SKILL.md to Shell Access in Three Lines of Markdown"*, has so far been cited only via secondary sources; the original Snyk publication URL still needs to be located.
- **Action:** find canonical URL, update `references.json`, re-audit.

### `bis-bisbull108-stablecoins-linkages` and `bis-wp1265-defiying-gravity`
- Tier-3 IMF/BIS papers cited in the stablecoin specimen but not in this round's verification fan-out. Will be picked up in the next specimen-cycle audit.

## Updates produced
- `references.json`: 35 entries now carry `verified_via` and `verified_on: "2026-05-07"` (was 15 after the first audit, +20 this round).
- `standard.md`: 2 rotted spine URLs replaced; 1 archive URL added.

## Reproduce

Exact Exa query clusters:
```text
Q1: "NIST SP 800-218" SSDF v1.1 secure software development framework 800-218A generative AI
Q2: OWASP ASVS 5.0 Application Security Verification Standard WSTG v4.2 Threat Modeling Cheat Sheet
Q3: CISA Secure by Design pledge SBOM 2025 minimum elements signatories
Q4: SLSA v1.2 OpenSSF Scorecard Sigstore Cosign FIRST CVSS v4.0 specification
```

Plus HEAD curl batch (see `audits/scripts/spine-head-check.sh` once published, or rerun the inline `for url in …; do curl -s -o /dev/null -w "%{http_code}" -L "$url"; done` from this audit).
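As an added example (not the audit's `spine-head-check.sh` or the project's own code), a Python checker that applies the 90-day `verified_on` floor and the placeholder-URL rule to `references.json` entries, HEAD-checks only the ones that need it, and maps status codes onto the buckets used above (verified, manual for an anti-bot 403, stale for 404); the entry schema (`id`, `url`, `verified_on`) and the injectable `fetch` parameter are assumptions.

```python
from datetime import date, timedelta
from urllib.parse import urlparse
from urllib.request import Request, urlopen

FLOOR_DAYS = 90  # Reference Discipline floor: verified_on older than this must be re-checked

def recheck_reason(entry, today):
    # Returns why an entry must be re-verified, or None if it is still within the floor
    if urlparse(entry["url"]).path in ("", "/"):  # bare host like "https://snyk.io": placeholder
        return "placeholder"
    seen = entry.get("verified_on")
    if seen is None:
        return "never-verified"
    if today - date.fromisoformat(seen) > timedelta(days=FLOOR_DAYS):
        return "stale-floor"
    return None

def head_status(url, timeout=10):
    # HEAD with redirects followed (urllib does so by default, like curl -L); None if unreachable
    req = Request(url, method="HEAD", headers={"User-Agent": "spine-audit/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except OSError as err:  # HTTPError carries the status in .code; URLError/timeouts do not
        return getattr(err, "code", None)

def classify(status):
    # Map an HTTP status to the audit's buckets
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "verified"
    if status == 403:
        return "manual"  # anti-bot block: confirm content by hand, record verified_via "manual"
    if status in (404, 410):
        return "stale"   # rotted: find a replacement URL and an archive copy
    return "review"

def audit(entries, today, fetch=head_status):
    # Returns {id: (bucket, reason)}; fetch is injectable so the logic can run offline
    out = {}
    for e in entries:
        reason = recheck_reason(e, today)
        if reason == "placeholder":  # nothing real to fetch: defer until a canonical URL is found
            out[e["id"]] = ("deferred", reason)
        else:
            out[e["id"]] = ("fresh", None) if reason is None else (classify(fetch(e["url"])), reason)
    return out
```

Run it as `audit(json.load(open("references.json")), date.today())`; pass `fetch=` a dictionary lookup to exercise the bucketing without network access.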
