OpenCRE
OpenCRE is OWASP's Open Common Requirement Enumeration: a catalog and mapping layer that links security requirements across standards, guidelines, cheat sheets, tools, threats, and weaknesses.
Definition
OpenCRE is the Open Common Requirement Enumeration. The OWASP OpenCRE repository describes it as an interactive content-linking platform for uniting security standards and guidelines, with a public application at opencre.org, a catalog of Common Requirements, mapping data from those requirements to sections of standards, and tools for contributing or running the application.
OpenCRE is not a control framework, certification, audit result, or proof that a system is secure. It is a cross-reference layer. A Common Requirement can act as the hub between overlapping sections of standards, guides, weaknesses, threats, testing instructions, and countermeasures. The governance value is not that OpenCRE replaces the source standards; it helps readers find how several standards talk about the same security idea.
For AI and agent systems, that matters because a deployed system may be governed by security engineering, model-risk, privacy, procurement, and audit teams at the same time. Requirements for secrets handling, logging, identity, input validation, dependency review, and access control often live in different documents. OpenCRE gives teams a way to keep those conversations connected.
How It Works
OpenCRE works by mapping sections of a source standard or guide to a Common Requirement, usually identified by a CRE number. The contributing guidance says a mapping for a new standard assigns each relevant section to the corresponding Common Requirement at opencre.org. Once several sources are mapped to the same requirement, a reader can move from one standard's wording to related material in other sources.
The OWASP Developer Guide describes OpenCRE as a catalog of security requirements that enumerates security topics and links to standards, cheat sheets, and guides. It lists examples such as CWE, NIST Special Publications 800-53 and 800-63, OWASP ASVS, OWASP Top 10, OWASP Proactive Controls, OWASP Cheat Sheets, OWASP WSTG, and ZAP.
The OpenCRE repository also describes the software side: a Python web and command-line application, public hosting at opencre.org, catalog data, mapping data, and tooling for local or private use. That matters for governance because a team can inspect mappings as data rather than treating each crosswalk as a hand-edited spreadsheet.
Agent Context
AI agents turn security requirements into operating boundaries. A coding agent may install packages, edit workflows, call model APIs, read secrets, open pull requests, or route work through remote tools. A business agent may query private records, send messages, update tickets, or trigger payments. The same action can raise application-security, identity, privacy, supply-chain, logging, and human-oversight requirements.
OpenCRE can help an agent team avoid requirement drift. Instead of saying "we comply with security standards" in the abstract, the team can map a concrete agent control, such as tool authorization or secret handling, to a requirement hub and then review the linked guidance. The result is a better evidence trail for procurement, secure development, red-team planning, and post-incident review.
The limit is important: OpenCRE does not decide whether an AI model is reliable, whether a particular use is lawful, or whether an agent should be allowed to act. It can organize security-control references around the systems that contain the model.
Governance and Safety
The governance value is crosswalk discipline. Institutions often face many partly overlapping frameworks. Without a shared requirement map, the same control may be reviewed three times under different names, while a real gap remains unseen. OpenCRE can reduce that fragmentation by making the links explicit.
The main failure mode is crosswalk theater. A mapped requirement is not the same as an implemented control. A control that appears in ASVS, NIST guidance, or a cheat sheet still needs a system owner, evidence, test result, exception process, and review date. OpenCRE helps locate related requirements; it does not perform the engineering, assessment, or risk acceptance.
Defense Pattern
- Name the CRE. Record the Common Requirement identifier and the source sections used for each control claim.
- Keep source authority. Use OpenCRE for navigation, but cite the original standard or guide for conformance language.
- Bind to evidence. Connect each mapped requirement to tests, configuration, logs, tickets, scans, approvals, or exceptions.
- Review gaps. Treat unmapped or loosely mapped agent controls as review items, not as covered requirements.
- Version the crosswalk. Preserve the mapping source, review date, tool output, and reviewer when mappings guide procurement or audit work.
- Do not overclaim. A mapped requirement can support assurance; it is not itself assurance.
Source Discipline
Claims about OpenCRE should distinguish the project from the mapped sources. The OpenCRE repository and OWASP Developer Guide are appropriate sources for what OpenCRE is, how mappings work, and which examples OWASP lists. They are not substitutes for the original NIST, OWASP, CWE, or other source documents when making a compliance claim.
For AI governance, source discipline also means naming the layer. A security requirement for a tool gateway is not the same as a model evaluation, a privacy impact assessment, a legal approval, or an AI safety case. OpenCRE can help with security-requirement navigation, but it should not be stretched into a general proof of AI trustworthiness.
Spiralist Reading
Spiralism reads OpenCRE as a map against institutional amnesia.
The machine age multiplies standards, dashboards, and assurances until every team can claim a different vocabulary. OpenCRE does not end that disorder. It asks a humbler question: when several texts name the same security need, can the institution remember the connection and show what it actually did?
Open Questions
- Which agent-specific controls should be mapped to OpenCRE rather than kept in local policy prose?
- How should OpenCRE mappings handle fast-moving AI security guidance without implying maturity where standards are still unsettled?
- Can control maps stay useful when agent platforms change prompts, tools, permissions, and model routes weekly?
- How should AI-assisted requirement mapping be reviewed before procurement or audit teams rely on it?
Related Pages
- AI Audits and Third-Party Assurance
- AI Audit Trails
- Open Security Controls Assessment Language (OSCAL)
- AI Governance
- Secure AI System Development
- AI System Inventory
- AI Bill of Materials
- NIST AI Risk Management Framework
- NIST SP 800-218A
- Agentic Supply-Chain Vulnerabilities
- AI Agent Sandboxing
- AI Agent Observability
Sources
- OWASP OpenCRE, OpenCRE repository, reviewed June 25, 2026.
- OWASP Developer Guide, OpenCRE, reviewed June 25, 2026.
- OWASP, Integration Standards project, reviewed June 25, 2026.
- OWASP OpenCRE, Contributing to OpenCRE, reviewed June 25, 2026.
- OpenCRE, public OpenCRE application, reviewed June 25, 2026.