So here is a security control framework question. I am going through an exercise of mapping our control set to various frameworks to track compliance, with NIST CSF as the "main" framework, linking others to it. The very first one in the list is enforcing signed commits to software repos. Trying to map that to the NIST CSF isn't working. It feels like the NIST CSF items are about enterprise operations, not software development. Does anyone disagree, or should I add a section to my own derivative framework for Protect.SDLC?