Nsasoft US LLC has released NSAuditor AI Enterprise Edition 0.15.6, a compliance-mapping correctness patch that fixes two cross-framework defects in how S3 public-exposure findings route to the six supported compliance frameworks. Plugin count is UNCHANGED at 28, all six framework coverage matrices are UNCHANGED, and zero framework JSON files gained or lost a control mapping at the matrix level.
The two defects, in plain terms
An audit tool’s worst failure is a false report. NSAuditor AI runs its findings through six compliance frameworks, and the team found two failure classes in one place: S3 public-exposure routing. A publicly-accessible S3 bucket was correctly flagged on SOC 2, HIPAA, ISO/IEC 27001:2022, and CIS Controls v8 — but showed CLEAN on NIST CSF and PCI DSS. Separately, a missing guardrail (no Public Access Block) on an otherwise-private bucket was reported as if the bucket were confirmed-public — the kind of false-FAIL a PCI QSA rejects on sight.
Fix 1 — NIST CSF and PCI DSS now catch a public bucket
Plugin 1020’s S3 public-exposure CRITICALs (public bucket policy, bucket ACL, object ACL, or non-current object version granting AllUsers or AuthenticatedUsers) now route to NIST CSF PR.AA-05 (access permissions / least-privilege) and PR.DS-01 (data-at-rest confidentiality dual-map), and to PCI DSS Requirement 7.2.1 (access-control model). The PCI mapping carries an explicit CDE-scope caveat — whether the bucket holds cardholder data is the operator’s Data-Flow-Diagram determination.
Fix 2 — A missing guardrail no longer reads as a confirmed breach
The finding for a bucket with no Public Access Block (“bucket may be publicly accessible … not confirmed public”) is a defense-in-depth gap, not a confirmed exposure. The 0.15.2 calibration already rated it MEDIUM for exactly that reason. But the text still matched the broad "publicly accessible" routing rule, so it false-FAILed the confidentiality controls identically to a confirmed-public bucket. The rule is now tightened to match only the confirmed-public phrasings (bucket is or objects publicly accessible) across all six frameworks; the guardrail-gap finding is still reported as a MEDIUM but no longer trips a compliance control.
Two same-session review folds
FOLD-1: the bucket-POLICY public CRITICAL was previously mapped on SOC 2, HIPAA, and CIS but NOT on NIST, PCI, or ISO. Added the "Bucket policy grants public access" anchor to NIST PR.AA-05/PR.DS-01, PCI 7.2.1, and ISO A.5.23/A.8.3/A.8.12. All six frameworks now agree on a public bucket policy.
FOLD-2: the non-current-version emission from EE 0.15.4 was registered in the drift detector.
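To make the routing change in Fix 2 and the widened mapping in Fix 1/FOLD-1 concrete, here is an added illustrative model of the finding-to-control router; it is not NSAuditor AI's own code. The finding texts are constructed after the phrasings quoted above, the two regexes approximate the broad and tightened rules described, and the SOC 2, HIPAA and CIS control ids are placeholders because the notes do not name them.

```python
import re

# Constructed sample findings, phrased after the messages quoted in the release notes.
FINDINGS = [
    {"id": "s3-bucket-policy-public", "severity": "CRITICAL",
     "text": "Bucket policy grants public access: bucket is publicly accessible (AllUsers)"},
    {"id": "s3-object-acl-public", "severity": "CRITICAL",
     "text": "Object ACL grants AllUsers read: objects publicly accessible"},
    {"id": "s3-no-public-access-block", "severity": "MEDIUM",
     "text": "No Public Access Block: bucket may be publicly accessible (not confirmed public)"},
]

# Controls a confirmed-public S3 finding routes to after 0.15.6. The NIST CSF, PCI DSS
# and ISO ids are the ones named in the notes; the other three frameworks' ids are
# placeholders because the notes do not list them.
PUBLIC_S3_CONTROLS = {
    "nist-csf": ["PR.AA-05", "PR.DS-01"],
    "pci-dss": ["7.2.1"],  # CDE-scope caveat: the operator's data-flow diagram decides applicability
    "iso-27001": ["A.5.23", "A.8.3", "A.8.12"],
    "soc2": ["<soc2-control-id>"],
    "hipaa": ["<hipaa-control-id>"],
    "cis-v8": ["<cis-control-id>"],
}

# Pre-0.15.6 rule (assumed shape): any S3 finding mentioning "publicly accessible" trips
# the confidentiality controls, so the guardrail-gap MEDIUM false-FAILs like a public bucket.
BROAD_RULE = re.compile(r"publicly accessible", re.IGNORECASE)
# 0.15.6 rule (assumed shape): only the confirmed-public phrasings match.
CONFIRMED_RULE = re.compile(r"\b(?:bucket is|objects) publicly accessible\b", re.IGNORECASE)


def route(finding, rule=CONFIRMED_RULE):
    """Return {framework: [control ids]} that the finding FAILs under the given rule."""
    if rule.search(finding["text"]) is None:
        return {}
    return {fw: list(ids) for fw, ids in PUBLIC_S3_CONTROLS.items()}


def silently_dropped(findings, rule=CONFIRMED_RULE):
    """Cardinal check: CRITICAL confirmed-public findings that route to no control at all."""
    return [f["id"] for f in findings
            if f["severity"] == "CRITICAL" and not route(f, rule)]


if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], "->", sorted(route(f)) or "no compliance control")
    print("dropped under tightened rule:", silently_dropped(FINDINGS))
```

Run as-is, the two CRITICALs route to all six frameworks, the missing-PAB MEDIUM routes to none, and the cardinal check reports nothing dropped; swap in BROAD_RULE to reproduce the pre-0.15.6 false-FAIL.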
Engineering discipline + live validation
Built test-first; multi-lens review (NIST CSF Implementation-Tiers + PCI DSS QSA-perspective + cloud false-negative). The cardinal check held: no confirmed-public emission is silently dropped. Six-framework matrices UNCHANGED: SOC 2 10/4/33 · HIPAA 7/3/45 · NIST CSF 2.0 13/10/83 · PCI DSS 20/8/39 · ISO 27001 17/14/62 · CIS v8 17/22/114. EE regression 6638/6638 GREEN.
Re-ran the audit from the globally-installed @latest artifact against a real test-infrastructure account: a confirmed-public bucket now FAILs NIST PR.AA-05 + PR.DS-01 and PCI 7.2.1 (both previously CLEAN) alongside SOC 2, HIPAA, ISO, and CIS. The same bucket’s missing-PAB MEDIUM routes to ZERO compliance controls — the false-FAIL is gone, verified live. No cross-cloud regression.
Trio publish
EE 0.15.6 ships as the forty-fourth consecutive trio-publish alongside CE 0.1.87 and agent-skill 0.1.54 (both paired no-op bumps preserving the @latest pin alignment). The post-0.15.5 GCP SDK major bump is deliberately NOT in this release — reverted out and deferred pending a live-GCP smoke. Install:
npm install -g nsauditor-ai@latest @nsasoft/nsauditor-ai-ee@latest nsauditor-ai-agent-skill@latest
The hexa-framework one-scan workflow remains: --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8 produces six separate auditor-ready evidence packs from a single scan. Zero data exfiltration — all evidence stays inside your infrastructure.
Full release notes: NSAuditor AI Enterprise Edition.