Saved in:
Bibliographic Details
Main Authors: Saha, Bikash, Shukla, Sandeep Kumar
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.07515
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914543455698944
author Saha, Bikash
Shukla, Sandeep Kumar
author_facet Saha, Bikash
Shukla, Sandeep Kumar
contents Organizational cybersecurity policies are often examined to determine whether they adequately comply standard security controls. This task is difficult because control statements are abstract, whereas policy documents describe governance practices in varied natural language. As a result, policy-based control assessment is time-consuming, difficult to standardize, and often difficult to document in a traceable manner. To address this gap, we present PROPARAG, an audit support approach for evaluating organizational cybersecurity policies against security controls autonomously. For each control, the approach retrieves relevant policy evidence, assesses coverage, identifies missing elements, and generates supporting explanations and recommendations. We evaluate PROPARAG on two real-world organizational policy corpora using 1,007 NIST SP 800-53 controls across both closed-source and open-source large language models (LLMs). The framework achieves F1 scores of 88.54 on OrgA and 82.31 on OrgB. The evaluation also shows that PROPARAG identifies relevant gaps in documented organizational policies and generates grounded recommendations for each identified gap. This research provides foundation for LLM-powered autonomous control-level assessment of organizational cybersecurity policies.
format Preprint
id arxiv_https___arxiv_org_abs_2605_07515
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle An Automated Framework for Cybersecurity Policy Compliance Assessment Against Security Control Standards
Saha, Bikash
Shukla, Sandeep Kumar
Cryptography and Security
Organizational cybersecurity policies are often examined to determine whether they adequately comply standard security controls. This task is difficult because control statements are abstract, whereas policy documents describe governance practices in varied natural language. As a result, policy-based control assessment is time-consuming, difficult to standardize, and often difficult to document in a traceable manner. To address this gap, we present PROPARAG, an audit support approach for evaluating organizational cybersecurity policies against security controls autonomously. For each control, the approach retrieves relevant policy evidence, assesses coverage, identifies missing elements, and generates supporting explanations and recommendations. We evaluate PROPARAG on two real-world organizational policy corpora using 1,007 NIST SP 800-53 controls across both closed-source and open-source large language models (LLMs). The framework achieves F1 scores of 88.54 on OrgA and 82.31 on OrgB. The evaluation also shows that PROPARAG identifies relevant gaps in documented organizational policies and generates grounded recommendations for each identified gap. This research provides foundation for LLM-powered autonomous control-level assessment of organizational cybersecurity policies.
title An Automated Framework for Cybersecurity Policy Compliance Assessment Against Security Control Standards
topic Cryptography and Security
url https://arxiv.org/abs/2605.07515