Search papers, labs, and topics across Lattice.
This paper introduces the Automated Security Concept Structure Extraction and Reverse Topology-checking (ASSERT) Framework, which enables the verification of legacy IT security concepts by extracting them into machine-readable formats. By employing ontology-based extraction and a five-class graph comparison against a verified reference state, ASSERT facilitates the generation of schema-valid OSCAL artifacts, crucial for compliance under the NIS-2 Directive. The evaluation using the BSI's RecPlast dataset highlights that while ASSERT quantifies document-infrastructure inconsistencies, it also uncovers a trade-off between identifying undocumented entities and maintaining schema compliance.
Legacy IT security concepts can now be transformed into auditable, machine-readable formats without losing critical information, thanks to the ASSERT Framework.
The NIS-2 Directive increases the need for continuous, auditable compliance evidence and motivates a shift from document-based compliance toward machine-readable compliance artifacts. The Open Security Controls Assessment Language (OSCAL) is a standard for this purpose, which the German Federal Office for Information Security (BSI) is adapting with Grundschutz++. However, companies are still managing extensive legacy IT security concepts (IT-SCs), and migrating them without verification could transfer outdated assets into the new format. While existing research primarily addresses the generation of new concepts, there is a lack of a verification framework that extracts legacy IT-SCs into an auditable intermediate representation, deterministically compares the extracted graph with an independently constructed reference state, and exports schema-valid OSCAL artifacts. This paper introduces the Automated Security Concept Structure Extraction and Reverse Topology-checking (ASSERT) Framework, which addresses this gap by using ontology-based extraction of legacy documents into formal document graphs, a five-class graph difference against a verified reference graph, and the export into schema-valid OSCAL outputs for system description and assessment evidence. Using the BSI's RecPlast dataset, we compare a local open-weight model and a commercial model across three configurations with different levels of reference-ontology exposure. The evaluation shows that ASSERT makes document-infrastructure inconsistencies measurable, but reveals a trade-off between discovering undocumented entities and enforcing a schema.