saf
cis2nist corrections
https://github.com/mitre/saf/commits/main/src/resources/cis2nist.json
Does not correctly map based on 7.1 version of the CIS Control families: https://github.com/mitre/inspec_tools/blob/d56c3a717765b2ceb99f774d9b5379b58cb1254c/lib/data/NIST_Map_02052020_CIS_Controls_Version_7.1_Implementation_Groups_1.2.xlsx
Furthermore, it does not account for older version 6.1: https://github.com/mitre/inspec_tools/blob/d56c3a717765b2ceb99f774d9b5379b58cb1254c/lib/data/NIST_Map_09212017B_CSC-CIS_Critical_Security_Controls_VER_6.1_Excel_9.1.2016.xlsx but perhaps that was a conscious choice to only support the "latest".
However, benchmarks such as https://learn.cisecurity.org/l/799323/2021-04-30/462zn cite both 6.1 and 7.1 related CIS controls, which can map to different NIST controls.
Ideally, both cis2nist and https://github.com/mitre/saf#inspec-metadata code need to be able to accommodate both to allow constructs such as the following to be stubbed out: https://github.com/mitre/microsoft-sql-server-2017-cis-baseline/blob/efba654f7e1cca3ede36116099917067bea0a596/controls/cis-1.1.rb#L37-L42
And, be scalable to v8 of the CIS controls: https://www.cisecurity.org/insights/white-papers/cis-controls-v8-mapping-to-nist-800-53-rev-5
Note: older CIS guides might reference nothing or only 6.1. Newer ones 6.1 and 7.1. Newer still just 7.1. Then 7.1 and 8.1, and 8.1, so on...