Pinned, sha256-verified OSCAL catalogs used by every grc.engineering SSP.
Each version ships with a PROVENANCE.md and SHA256SUMS file so an assessor can reproduce exactly which catalog your System Security Plan was assembled against. See ADR-010 for the rationale.
Every artifact referenced in a grc.engineering component-definition uses a trestle:// URI that resolves to a specific pinned version here. Reviewers verify with the accompanying SHA256SUMS:
curl -O https://signalplane.co/registry/nist-800-171r3/v1.0.0/catalog.json
curl -O https://signalplane.co/registry/nist-800-171r3/v1.0.0/SHA256SUMS
sha256sum -c SHA256SUMS
The full index is published as JSON for tooling. CI pipelines can parse it to pin artifact versions deterministically.
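A CI-side check that goes one step beyond `sha256sum -c`, as an added example (not grc.engineering's own tooling): it requires the catalog to match both the downloaded SHA256SUMS and a digest already committed in the consuming repository, so a catalog and SHA256SUMS that change together at the download location still fail the build. The helper name `verify_pinned`, the location of the pin, and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; verify_pinned is a hypothetical helper, not registry tooling.
# Usage: verify_pinned FILE SUMS PINNED_SHA256
# Returns 0 if FILE matches both its SHA256SUMS entry and the pinned digest,
# 1 on any digest mismatch, 2 if an input is unreadable or FILE is not listed.
verify_pinned() {
    file=$1; sums=$2
    pinned=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$file" ] && [ -r "$sums" ] || { echo "unreadable input" >&2; return 2; }
    name=$(basename "$file")
    # Entries look like "<hex>  name" (text mode) or "<hex> *name" (binary mode).
    # Assumes file names without whitespace, as with catalog.json.
    listed=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$listed" ] || { echo "$name is not listed in $sums" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$listed" ]; then
        echo "FAIL: $name does not match its SHA256SUMS entry" >&2
        return 1
    fi
    if [ "$actual" != "$pinned" ]; then
        echo "FAIL: $name matches SHA256SUMS but not the pinned digest" >&2
        return 1
    fi
    echo "OK: $name sha256=$actual"
}

# Constructed sample data so the example runs offline (not the real catalog).
demo_dir=$(mktemp -d)
printf '{"catalog":{"note":"constructed sample"}}\n' > "$demo_dir/catalog.json"
(cd "$demo_dir" && sha256sum catalog.json > SHA256SUMS)
# In practice PIN is a value committed to your own repository at review time.
PIN=$(awk '{ print $1 }' "$demo_dir/SHA256SUMS")
verify_pinned "$demo_dir/catalog.json" "$demo_dir/SHA256SUMS" "$PIN"
```

A non-zero return should fail the pipeline step; return code 2 separates a missing SHA256SUMS entry from a digest mismatch.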