> ## Documentation Index
> Fetch the complete documentation index at: https://docs.grantex.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Draft NIST NCCoE Public Comment

> Grantex response to NIST NCCoE AI challenge areas — mapping DAAP to the AI Risk Management Framework.

## Overview

The repository publishes a draft comment for the NIST National Cybersecurity Center of Excellence (NCCoE), mapping DAAP protocol capabilities to the NIST AI Risk Management Framework (AI RMF 1.0). The NCCoE comment period closed on April 2, 2026 and NIST lists the project as reviewing comments. Grantex does not currently publish a submission receipt or a NIST response, so this page must not be read as evidence of NIST acceptance, endorsement, or confirmed receipt.

## Key Mappings

The comment maps DAAP capabilities to all four AI RMF functions:

| AI RMF Function | DAAP Capabilities                                                                 |
| --------------- | --------------------------------------------------------------------------------- |
| **Map**         | Agent scope declarations, policy engine risk tolerance, anomaly baselines         |
| **Measure**     | Usage metering, hash-chained audit trail, budget controls, conformance suite      |
| **Manage**      | Real-time revocation, cascade revocation, event streaming, webhooks               |
| **Govern**      | OPA/Cedar policy backends, principal sessions, compliance exports, policy-as-code |

## Implementation Evidence

The comment includes evidence from the Grantex reference implementation:

* **Authorization server**: Fastify/PostgreSQL/Redis reference service deployed on Cloud Run, with CI-backed unit, integration, security, conformance, and end-to-end tests
* **SDK coverage**: TypeScript, Python, and Go; use each registry/module tag as the release source of truth
* **Framework integrations**: 11 production-ready integrations
* **Conformance suite**: `@grantex/conformance`, with results tied to the tested package version and commit

## Recommendations

1. Adopt agent-specific identity standards (DIDs over API keys)
2. Require action-level audit trails with tamper evidence
3. Mandate real-time revocation with cascade semantics
4. Define budget control requirements for financial agents
5. Encourage external policy backend integration (OPA, Cedar, AuthZEN)
6. Reference interoperability test suites in standards

## Full Document

The complete comment is available in the repository at [`docs/standards/nist-nccoe-comment.md`](https://github.com/mishrasanjeev/grantex/blob/main/docs/standards/nist-nccoe-comment.md).
