MARI is an intelligent component developed in EMERALD by CNR to support compliance activities in the context of cybersecurity certification schemes. Its main goal is to automate the association between security controls and measurable metrics, reducing the manual workload for compliance managers.
MARI performs two key tasks:
Control-to-metric mapping: it automatically suggests relevant metrics based on the natural language description of a security control.
Control-to-control mapping: it identifies similarities between controls from different certification schemes, facilitating interoperability and regulatory alignment.
Both tasks rely on Deep Learning techniques. In particular, transformer-based models are used to encode controls and metrics into semantic vector representations, enabling similarity-based matching.
Implementation Progress
We have implemented MARI using sentence transformer models, achieving good accuracy in control-to-metric associations. Experiments using EUCS controls and manually defined metrics show promising results in terms of relevance and consistency.
MARI also supports automatic mapping between controls from different frameworks. Initial tests on EUCS and BSI C5:2020 controls confirm the effectiveness of this approach in identifying semantically equivalent requirements.
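The matching approach behind both tasks (control-to-metric suggestion and control-to-control alignment between two schemes) can be illustrated with a small added example. This is not MARI's code: the bag-of-words encoder below is a stand-in for the sentence-transformer encoder, the control texts and metric definitions are constructed with placeholder identifiers (not real EUCS or BSI C5:2020 controls), and the ranking, threshold and function names are assumptions of this example. Swapping `encode` for a real sentence-transformer `encode` call reproduces the pipeline the text describes.

```python
"""Control-to-metric and control-to-control matching by embedding similarity.

Constructed illustration of the MARI approach, not MARI's own code. The
bag-of-words encoder stands in for a transformer model; a real deployment
would replace `encode` with e.g. SentenceTransformer(...).encode and use
dense vectors, but the ranking logic stays the same.
"""
import math
import re
from collections import Counter

STOPWORDS = {"the", "a", "an", "of", "and", "to", "in", "for", "is", "are",
             "be", "shall", "must", "with", "on", "by", "all", "at"}


def tokenize(text):
    """Lower-case alphanumeric tokens with a small stop-word list removed."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def encode(text):
    """Stand-in encoder: sparse, unit-length bag-of-words vector as a dict."""
    counts = Counter(tokenize(text))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {tok: c / norm for tok, c in counts.items()}


def cosine(u, v):
    """Cosine similarity of two unit-length sparse vectors (a dot product)."""
    if len(u) > len(v):
        u, v = v, u
    return sum(w * v.get(tok, 0.0) for tok, w in u.items())


def rank_matches(query_text, candidates, top_k=3, threshold=0.0):
    """Return [(candidate_id, score)] for candidates scoring above threshold,
    best first; ties are broken by identifier for deterministic output."""
    q = encode(query_text)
    scored = [(cid, cosine(q, encode(text))) for cid, text in candidates.items()]
    scored = [(cid, s) for cid, s in scored if s > threshold]
    scored.sort(key=lambda x: (-x[1], x[0]))
    return scored[:top_k]


# Constructed, simplified control texts. IDs are placeholders, not scheme IDs.
SCHEME_A_CONTROLS = {
    "A-IAM-1": "Multi-factor authentication shall be enforced for privileged user accounts.",
    "A-LOG-1": "Security-relevant events shall be logged and retained for a defined period.",
    "A-CRY-1": "Data at rest shall be encrypted using approved cryptographic algorithms.",
}
SCHEME_B_CONTROLS = {
    "B-01": "Strong authentication with a second factor is required for administrative access.",
    "B-02": "Log data of security events must be stored and protected against tampering.",
    "B-03": "Stored customer data is protected by encryption with state of the art algorithms.",
}
# Constructed metric catalogue; the last entry is a deliberate non-match.
METRICS = {
    "M-MFA-RATIO": "Percentage of privileged accounts with multi-factor authentication enabled.",
    "M-LOG-RETENTION": "Number of days security event logs are retained.",
    "M-ENC-COVERAGE": "Share of storage volumes encrypted with approved algorithms.",
    "M-PATCH-AGE": "Average age in days of unapplied critical security patches.",
}


def suggest_metrics(control_id, controls=SCHEME_A_CONTROLS, metrics=METRICS, top_k=2):
    """Control-to-metric mapping: metrics ranked by similarity to the control text."""
    return rank_matches(controls[control_id], metrics, top_k=top_k)


def align_schemes(source=SCHEME_A_CONTROLS, target=SCHEME_B_CONTROLS):
    """Control-to-control mapping: best target control per source control,
    or None when nothing scores above the threshold."""
    mapping = {}
    for cid, text in source.items():
        best = rank_matches(text, target, top_k=1)
        mapping[cid] = best[0][0] if best else None
    return mapping


if __name__ == "__main__":
    for cid in SCHEME_A_CONTROLS:
        print(cid, "->", [(m, round(s, 3)) for m, s in suggest_metrics(cid)])
    print(align_schemes())
```

With the lexical stand-in, `A-LOG-1` also picks up `M-PATCH-AGE` as a weak second candidate purely because both texts contain "security", and "events" does not match "event"; this is exactly the kind of surface-level noise a sentence-transformer embedding is meant to reduce, and it is why the threshold and the reviewer-facing ranking matter when suggestions are presented to a compliance manager.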
MARI contributes to making compliance activities more scalable, explainable, and aligned with the evolving regulatory landscape in cybersecurity.