@blamejs/exceptd-skills 0.10.0 → 0.10.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +54 -0
- package/bin/exceptd.js +303 -9
- package/data/_indexes/_meta.json +2 -2
- package/data/playbooks/ai-api.json +400 -90
- package/data/playbooks/containers.json +406 -94
- package/data/playbooks/cred-stores.json +374 -89
- package/data/playbooks/crypto.json +369 -87
- package/data/playbooks/framework.json +376 -86
- package/data/playbooks/hardening.json +357 -84
- package/data/playbooks/kernel.json +324 -77
- package/data/playbooks/mcp.json +407 -92
- package/data/playbooks/runtime.json +345 -81
- package/data/playbooks/sbom.json +497 -111
- package/data/playbooks/secrets.json +352 -83
- package/lib/playbook-runner.js +77 -7
- package/lib/schemas/playbook.schema.json +5 -0
- package/manifest-snapshot.json +1 -1
- package/manifest.json +39 -39
- package/package.json +1 -1
- package/sbom.cdx.json +6 -6
|
@@ -10,11 +10,20 @@
|
|
|
10
10
|
"date": "2026-05-11",
|
|
11
11
|
"summary": "Initial seven-phase PQC-readiness playbook. Inventories OpenSSL/LibreSSL/BoringSSL versions, sshd_config KEX/MAC/cipher suites, TLS 1.3 hybrid X25519+ML-KEM-768 support, certificate store hygiene (algorithm + expiry + cross-signing). Frames HNDL as the present threat surface. Full GRC closure mapping to NIS2/DORA/EU CRA/NIST PQC migration obligations.",
|
|
12
12
|
"cves_added": [],
|
|
13
|
-
"framework_gaps_updated": [
|
|
13
|
+
"framework_gaps_updated": [
|
|
14
|
+
"nist-800-53-SC-8",
|
|
15
|
+
"nist-800-53-SC-13",
|
|
16
|
+
"iso-27001-2022-A.8.24",
|
|
17
|
+
"iso-27001-2022-A.8.25",
|
|
18
|
+
"pci-dss-4-3.6",
|
|
19
|
+
"dora-art9",
|
|
20
|
+
"nis2-art21-2h"
|
|
21
|
+
]
|
|
14
22
|
}
|
|
15
23
|
],
|
|
16
24
|
"owner": "@blamejs/platform-security",
|
|
17
25
|
"air_gap_mode": false,
|
|
26
|
+
"scope": "service",
|
|
18
27
|
"preconditions": [
|
|
19
28
|
{
|
|
20
29
|
"id": "filesystem-read",
|
|
@@ -41,26 +50,47 @@
|
|
|
41
50
|
}
|
|
42
51
|
]
|
|
43
52
|
},
|
|
44
|
-
|
|
45
53
|
"domain": {
|
|
46
54
|
"name": "Post-quantum cryptography exposure",
|
|
47
55
|
"attack_class": "pqc-exposure",
|
|
48
56
|
"atlas_refs": [],
|
|
49
|
-
"attack_refs": [
|
|
57
|
+
"attack_refs": [
|
|
58
|
+
"T1040",
|
|
59
|
+
"T1557",
|
|
60
|
+
"T1573"
|
|
61
|
+
],
|
|
50
62
|
"cve_refs": [],
|
|
51
|
-
"cwe_refs": [
|
|
52
|
-
|
|
63
|
+
"cwe_refs": [
|
|
64
|
+
"CWE-327",
|
|
65
|
+
"CWE-326",
|
|
66
|
+
"CWE-310"
|
|
67
|
+
],
|
|
68
|
+
"d3fend_refs": [
|
|
69
|
+
"D3-FE",
|
|
70
|
+
"D3-MENCR"
|
|
71
|
+
],
|
|
53
72
|
"frameworks_in_scope": [
|
|
54
|
-
"nist-800-53",
|
|
55
|
-
"
|
|
56
|
-
"
|
|
57
|
-
"
|
|
58
|
-
"
|
|
73
|
+
"nist-800-53",
|
|
74
|
+
"nist-csf-2",
|
|
75
|
+
"iso-27001-2022",
|
|
76
|
+
"soc2",
|
|
77
|
+
"pci-dss-4",
|
|
78
|
+
"nis2",
|
|
79
|
+
"dora",
|
|
80
|
+
"uk-caf",
|
|
81
|
+
"au-ism",
|
|
82
|
+
"au-essential-8",
|
|
83
|
+
"sg-mas-trm",
|
|
84
|
+
"jp-nisc",
|
|
85
|
+
"in-cert",
|
|
86
|
+
"ca-osfi-b10",
|
|
87
|
+
"hipaa",
|
|
88
|
+
"cmmc",
|
|
89
|
+
"nerc-cip",
|
|
90
|
+
"eu-cra"
|
|
59
91
|
]
|
|
60
92
|
},
|
|
61
|
-
|
|
62
93
|
"phases": {
|
|
63
|
-
|
|
64
94
|
"govern": {
|
|
65
95
|
"jurisdiction_obligations": [
|
|
66
96
|
{
|
|
@@ -69,7 +99,11 @@
|
|
|
69
99
|
"obligation": "maintain_cryptographic_inventory",
|
|
70
100
|
"window_hours": 720,
|
|
71
101
|
"clock_starts": "manual",
|
|
72
|
-
"evidence_required": [
|
|
102
|
+
"evidence_required": [
|
|
103
|
+
"cryptographic_asset_inventory",
|
|
104
|
+
"pqc_migration_plan",
|
|
105
|
+
"algorithm_sunset_tracking"
|
|
106
|
+
]
|
|
73
107
|
},
|
|
74
108
|
{
|
|
75
109
|
"jurisdiction": "EU",
|
|
@@ -77,7 +111,11 @@
|
|
|
77
111
|
"obligation": "submit_cryptographic_resilience_evidence",
|
|
78
112
|
"window_hours": 720,
|
|
79
113
|
"clock_starts": "manual",
|
|
80
|
-
"evidence_required": [
|
|
114
|
+
"evidence_required": [
|
|
115
|
+
"cryptographic_resilience_assessment",
|
|
116
|
+
"key_management_attestation",
|
|
117
|
+
"pqc_readiness_status"
|
|
118
|
+
]
|
|
81
119
|
},
|
|
82
120
|
{
|
|
83
121
|
"jurisdiction": "EU",
|
|
@@ -85,7 +123,11 @@
|
|
|
85
123
|
"obligation": "notify_regulator",
|
|
86
124
|
"window_hours": 24,
|
|
87
125
|
"clock_starts": "detect_confirmed",
|
|
88
|
-
"evidence_required": [
|
|
126
|
+
"evidence_required": [
|
|
127
|
+
"confirmed_hndl_exposure",
|
|
128
|
+
"affected_data_sensitivity_horizon",
|
|
129
|
+
"interim_mitigation_record"
|
|
130
|
+
]
|
|
89
131
|
},
|
|
90
132
|
{
|
|
91
133
|
"jurisdiction": "US",
|
|
@@ -93,7 +135,10 @@
|
|
|
93
135
|
"obligation": "maintain_pqc_migration_inventory",
|
|
94
136
|
"window_hours": 8760,
|
|
95
137
|
"clock_starts": "manual",
|
|
96
|
-
"evidence_required": [
|
|
138
|
+
"evidence_required": [
|
|
139
|
+
"federal_pqc_inventory",
|
|
140
|
+
"annual_migration_progress_report"
|
|
141
|
+
]
|
|
97
142
|
},
|
|
98
143
|
{
|
|
99
144
|
"jurisdiction": "AU",
|
|
@@ -101,7 +146,10 @@
|
|
|
101
146
|
"obligation": "notify_regulator",
|
|
102
147
|
"window_hours": 72,
|
|
103
148
|
"clock_starts": "validate_complete",
|
|
104
|
-
"evidence_required": [
|
|
149
|
+
"evidence_required": [
|
|
150
|
+
"materiality_assessment",
|
|
151
|
+
"remediation_completed_evidence"
|
|
152
|
+
]
|
|
105
153
|
}
|
|
106
154
|
],
|
|
107
155
|
"theater_fingerprints": [
|
|
@@ -109,31 +157,48 @@
|
|
|
109
157
|
"pattern_id": "fips-140-as-pqc-evidence",
|
|
110
158
|
"claim": "We use FIPS 140-validated cryptographic modules, therefore our crypto posture is compliant and current.",
|
|
111
159
|
"fast_detection_test": "FIPS 140-3 validation lists only classical algorithms today (FIPS 203/204/205 add to the catalog but a module's validation cert lists specific algorithm modes). Read the actual FIPS 140-3 certificate for the module — if it lists only AES, RSA, ECDSA, ECDH, SHA-2/3 and no ML-KEM/ML-DSA/SLH-DSA, the module is fully compliant AND fully vulnerable to HNDL. The FIPS sticker tells you nothing about PQC readiness.",
|
|
112
|
-
"implicated_controls": [
|
|
160
|
+
"implicated_controls": [
|
|
161
|
+
"nist-800-53-SC-13",
|
|
162
|
+
"fips-140-3"
|
|
163
|
+
]
|
|
113
164
|
},
|
|
114
165
|
{
|
|
115
166
|
"pattern_id": "tls-1-3-as-future-proof",
|
|
116
167
|
"claim": "We're on TLS 1.3 across the fleet — our transport encryption is modern.",
|
|
117
168
|
"fast_detection_test": "TLS 1.3 with classical-only key exchange (X25519, P-256, P-384) is HNDL-vulnerable today. Run: openssl s_client -connect <host>:443 -tls1_3 -groups X25519MLKEM768 — if the server does not negotiate the hybrid group, the org is recording-decrypt-later vulnerable regardless of TLS version. Reality: modern TLS version without modern key exchange = theater.",
|
|
118
|
-
"implicated_controls": [
|
|
169
|
+
"implicated_controls": [
|
|
170
|
+
"nist-800-53-SC-8",
|
|
171
|
+
"iso-27001-2022-A.8.24",
|
|
172
|
+
"pci-dss-4-4.2.1"
|
|
173
|
+
]
|
|
119
174
|
},
|
|
120
175
|
{
|
|
121
176
|
"pattern_id": "policy-mentions-pqc",
|
|
122
177
|
"claim": "Our cryptographic policy mentions post-quantum cryptography migration — we have a PQC program.",
|
|
123
178
|
"fast_detection_test": "Diff the policy against the cryptographic asset inventory. If the policy names PQC but the inventory lacks per-asset (a) current algorithm, (b) sensitivity horizon, (c) PQC migration target, (d) sunset date for the classical algorithm — the policy is a document, not a program. The inventory is the program; without it the policy is theater.",
|
|
124
|
-
"implicated_controls": [
|
|
179
|
+
"implicated_controls": [
|
|
180
|
+
"nist-800-53-SC-13",
|
|
181
|
+
"iso-27001-2022-A.8.24",
|
|
182
|
+
"nis2-art21-2h"
|
|
183
|
+
]
|
|
125
184
|
},
|
|
126
185
|
{
|
|
127
186
|
"pattern_id": "openssl-version-as-pqc-readiness",
|
|
128
187
|
"claim": "We're on OpenSSL 3.x, therefore we can support PQC when needed.",
|
|
129
188
|
"fast_detection_test": "OpenSSL 3.0/3.1/3.2 do not include native ML-KEM. OpenSSL 3.5 ships native ML-KEM/ML-DSA/SLH-DSA. Run: openssl list -kem-algorithms — if ML-KEM-768 (or ML-KEM-512/1024) is absent, the binary cannot negotiate the hybrid group regardless of how recent it sounds. Major-version label without the algorithm in -kem-algorithms = theater.",
|
|
130
|
-
"implicated_controls": [
|
|
189
|
+
"implicated_controls": [
|
|
190
|
+
"nist-800-53-SC-13",
|
|
191
|
+
"iso-27001-2022-A.8.24"
|
|
192
|
+
]
|
|
131
193
|
},
|
|
132
194
|
{
|
|
133
195
|
"pattern_id": "ssh-config-modern-without-curve-audit",
|
|
134
196
|
"claim": "Our sshd_config uses modern KEX algorithms (curve25519-sha256).",
|
|
135
197
|
"fast_detection_test": "curve25519-sha256 is classical. sntrup761x25519-sha512@openssh.com is the OpenSSH 9.0+ hybrid PQC group. Read sshd -T | grep -i kexalg — if sntrup761x25519 or mlkem768x25519-sha256 is not present in KexAlgorithms, all SSH session keys are HNDL-recordable today.",
|
|
136
|
-
"implicated_controls": [
|
|
198
|
+
"implicated_controls": [
|
|
199
|
+
"nist-800-53-SC-8",
|
|
200
|
+
"iso-27001-2022-A.8.24"
|
|
201
|
+
]
|
|
137
202
|
}
|
|
138
203
|
],
|
|
139
204
|
"framework_context": {
|
|
@@ -190,9 +255,14 @@
|
|
|
190
255
|
}
|
|
191
256
|
]
|
|
192
257
|
},
|
|
193
|
-
"skill_preload": [
|
|
258
|
+
"skill_preload": [
|
|
259
|
+
"pqc-first",
|
|
260
|
+
"framework-gap-analysis",
|
|
261
|
+
"compliance-theater",
|
|
262
|
+
"global-grc",
|
|
263
|
+
"policy-exception-gen"
|
|
264
|
+
]
|
|
194
265
|
},
|
|
195
|
-
|
|
196
266
|
"direct": {
|
|
197
267
|
"threat_context": "PQC landscape mid-2026: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA) finalized 2024-08-13 — production-ready for 21 months. OpenSSL 3.5 (released Q1 2025) ships native ML-KEM/ML-DSA/SLH-DSA; OpenSSH 9.0+ ships sntrup761x25519-sha512 KEX since 2022; Chrome (since v124, 2024) negotiates X25519MLKEM768 with compatible servers. The deployment gap is not technical readiness — it is operator inertia. NSA CNSA 2.0 mandates PQC for NSS by 2030; NIST IR 8547 (draft, 2024) sets the federal transition timeline. EU ENISA's PQC transition mandate is advancing toward binding Member State implementation through 2027-2028. HNDL is operational reality, not a future concern: state-level adversaries are recording encrypted traffic at scale and have been since 2013 (publicly known). Any data with a sensitivity window of 10+ years currently protected by classical asymmetric crypto is decryptable in the 2030s by an adversary that captured the ciphertext today. Aggressive academic CRQC estimates now appear in peer-reviewed cryptanalysis literature in the 5-8 year horizon (from mid-2026), with conservative estimates 12-15 years. Either horizon makes today's classical-only TLS handshakes already-exfiltrated.",
|
|
198
268
|
"rwep_threshold": {
|
|
@@ -202,11 +272,33 @@
|
|
|
202
272
|
},
|
|
203
273
|
"framework_lag_declaration": "Every framework in scope is structurally insufficient for HNDL. NIST 800-53 SC-8/SC-13, ISO 27001:2022 A.8.24/A.8.25, PCI DSS 4.0 §3.6/§4.2.1, NIS2 Art.21(2)(h), DORA Art.9, EU CRA Annex I all permit fully-classical cryptographic posture as 'strong cryptography'. NIST itself is the exception: FIPS 203/204/205 are finalized, NIST IR 8547 is a published migration roadmap, OMB M-23-02 mandates federal PQC inventory — but the 800-53 control catalog is unchanged. ISO 27001:2022 was published before PQC finalization and has no scheduled amendment. PCI Council and EU regulators are publicly aware but have not amended binding controls. Lag = ~180 days behind operational readiness (PQC has been production-ready since 2024-08-13) and 4-8+ years behind the CRQC horizon that drives the harvest-now-decrypt-later attack. Compensating controls (crypto-agility, hybrid algorithms, layered encryption envelopes) must close this gap before SLA-only compliance can be accepted.",
|
|
204
274
|
"skill_chain": [
|
|
205
|
-
{
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
275
|
+
{
|
|
276
|
+
"skill": "pqc-first",
|
|
277
|
+
"purpose": "Enumerate TLS library versions, sshd KEX/MAC/cipher posture, certificate algorithms, OpenSSL kem-algorithms list. Test for ML-KEM-768/ML-DSA/SLH-DSA availability and configuration.",
|
|
278
|
+
"required": true
|
|
279
|
+
},
|
|
280
|
+
{
|
|
281
|
+
"skill": "framework-gap-analysis",
|
|
282
|
+
"purpose": "Map each detected classical-only configuration to the specific framework controls that permit it and the operational threat that exploits it.",
|
|
283
|
+
"required": true
|
|
284
|
+
},
|
|
285
|
+
{
|
|
286
|
+
"skill": "compliance-theater",
|
|
287
|
+
"purpose": "Run the five theater tests in govern.theater_fingerprints; emit verdict for each.",
|
|
288
|
+
"required": true
|
|
289
|
+
},
|
|
290
|
+
{
|
|
291
|
+
"skill": "global-grc",
|
|
292
|
+
"purpose": "Cross-walk findings to per-jurisdiction obligations and notification clocks.",
|
|
293
|
+
"skip_if": "jurisdiction_obligations.length == 0",
|
|
294
|
+
"required": false
|
|
295
|
+
},
|
|
296
|
+
{
|
|
297
|
+
"skill": "policy-exception-gen",
|
|
298
|
+
"purpose": "Generate auditor-ready exception language for assets that cannot reach hybrid PQC in this cycle.",
|
|
299
|
+
"skip_if": "close.exception_generation.trigger_condition == false",
|
|
300
|
+
"required": false
|
|
301
|
+
}
|
|
210
302
|
],
|
|
211
303
|
"token_budget": {
|
|
212
304
|
"estimated_total": 21000,
|
|
@@ -221,7 +313,6 @@
|
|
|
221
313
|
}
|
|
222
314
|
}
|
|
223
315
|
},
|
|
224
|
-
|
|
225
316
|
"look": {
|
|
226
317
|
"artifacts": [
|
|
227
318
|
{
|
|
@@ -319,14 +410,33 @@
|
|
|
319
410
|
}
|
|
320
411
|
],
|
|
321
412
|
"fallback_if_unavailable": [
|
|
322
|
-
{
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
413
|
+
{
|
|
414
|
+
"artifact_id": "openssl-kem-algorithms",
|
|
415
|
+
"fallback_action": "use_compensating_artifact",
|
|
416
|
+
"confidence_impact": "medium"
|
|
417
|
+
},
|
|
418
|
+
{
|
|
419
|
+
"artifact_id": "tls-server-handshake",
|
|
420
|
+
"fallback_action": "use_compensating_artifact",
|
|
421
|
+
"confidence_impact": "medium"
|
|
422
|
+
},
|
|
423
|
+
{
|
|
424
|
+
"artifact_id": "certificate-store",
|
|
425
|
+
"fallback_action": "mark_inconclusive",
|
|
426
|
+
"confidence_impact": "low"
|
|
427
|
+
},
|
|
428
|
+
{
|
|
429
|
+
"artifact_id": "sshd-config-effective",
|
|
430
|
+
"fallback_action": "mark_inconclusive",
|
|
431
|
+
"confidence_impact": "medium"
|
|
432
|
+
},
|
|
433
|
+
{
|
|
434
|
+
"artifact_id": "openssl-version",
|
|
435
|
+
"fallback_action": "escalate_to_human",
|
|
436
|
+
"confidence_impact": "high"
|
|
437
|
+
}
|
|
327
438
|
]
|
|
328
439
|
},
|
|
329
|
-
|
|
330
440
|
"detect": {
|
|
331
441
|
"indicators": [
|
|
332
442
|
{
|
|
@@ -419,24 +529,73 @@
|
|
|
419
529
|
"not_detected": "ML-KEM-768 available in TLS library AND sshd accepts sntrup761x25519-sha512@openssh.com (or mlkem768x25519-sha256) AND all long-retention-sensitivity certs use hybrid (classical+PQC) signatures AND a cryptographic asset inventory exists with sunset dates for classical algorithms."
|
|
420
530
|
}
|
|
421
531
|
},
|
|
422
|
-
|
|
423
532
|
"analyze": {
|
|
424
533
|
"rwep_inputs": [
|
|
425
|
-
{
|
|
426
|
-
|
|
427
|
-
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
534
|
+
{
|
|
535
|
+
"signal_id": "ml-kem-absent",
|
|
536
|
+
"rwep_factor": "active_exploitation",
|
|
537
|
+
"weight": 25,
|
|
538
|
+
"notes": "HNDL is operational — state-level recording is documented. Active exploitation in the recording sense, not yet decryption sense."
|
|
539
|
+
},
|
|
540
|
+
{
|
|
541
|
+
"signal_id": "ml-kem-absent",
|
|
542
|
+
"rwep_factor": "blast_radius",
|
|
543
|
+
"weight": 25,
|
|
544
|
+
"notes": "Affects all TLS-protected flows; blast radius proportional to data sensitivity horizon."
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"signal_id": "sshd-no-pqc-kex",
|
|
548
|
+
"rwep_factor": "blast_radius",
|
|
549
|
+
"weight": 20,
|
|
550
|
+
"notes": "SSH session keys = bastion + lateral movement creds + tunneled traffic."
|
|
551
|
+
},
|
|
552
|
+
{
|
|
553
|
+
"signal_id": "rsa-2048-cert-long-life",
|
|
554
|
+
"rwep_factor": "blast_radius",
|
|
555
|
+
"weight": 20,
|
|
556
|
+
"notes": "Certificate chain compromise on CRQC day collapses authentication for long-retention data."
|
|
557
|
+
},
|
|
558
|
+
{
|
|
559
|
+
"signal_id": "openssl-pre-3-5",
|
|
560
|
+
"rwep_factor": "patch_available",
|
|
561
|
+
"weight": -10,
|
|
562
|
+
"notes": "Upgrade path is available; patch_available reduces RWEP."
|
|
563
|
+
},
|
|
564
|
+
{
|
|
565
|
+
"signal_id": "ml-kem-absent",
|
|
566
|
+
"rwep_factor": "ai_weaponization",
|
|
567
|
+
"weight": 5,
|
|
568
|
+
"notes": "AI-accelerated cryptanalysis tooling exists (CRQC simulation), making the CRQC timeline less speculative."
|
|
569
|
+
}
|
|
431
570
|
],
|
|
432
571
|
"blast_radius_model": {
|
|
433
572
|
"scope_question": "If an adversary records this host's TLS/SSH traffic today and decrypts it on the CRQC day (mid-2030s), what scope of compromise is the host realistically delivering?",
|
|
434
573
|
"scoring_rubric": [
|
|
435
|
-
{
|
|
436
|
-
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
574
|
+
{
|
|
575
|
+
"condition": "host handles only ephemeral data with < 1-year sensitivity horizon (e.g. transient CI worker, dev sandbox)",
|
|
576
|
+
"blast_radius_score": 1,
|
|
577
|
+
"description": "Data is stale by CRQC day; recorded handshake yields nothing valuable."
|
|
578
|
+
},
|
|
579
|
+
{
|
|
580
|
+
"condition": "host handles internal corporate data, 1-3 year sensitivity horizon",
|
|
581
|
+
"blast_radius_score": 2,
|
|
582
|
+
"description": "Some recorded data valuable on CRQC day; embarrassment + competitive cost."
|
|
583
|
+
},
|
|
584
|
+
{
|
|
585
|
+
"condition": "host handles personal data (GDPR / HIPAA / PCI), 3-10 year retention",
|
|
586
|
+
"blast_radius_score": 3,
|
|
587
|
+
"description": "Recorded PII / PHI / cardholder data decryptable on CRQC day → notification obligations on a delayed clock that the framework does not yet contemplate."
|
|
588
|
+
},
|
|
589
|
+
{
|
|
590
|
+
"condition": "host handles financial transaction logs, long-retention healthcare records, IP/trade secrets, 10-25 year sensitivity",
|
|
591
|
+
"blast_radius_score": 4,
|
|
592
|
+
"description": "Massive long-tail decryption event; significant material loss + regulatory action."
|
|
593
|
+
},
|
|
594
|
+
{
|
|
595
|
+
"condition": "host handles classified, state-sensitive, biometric template, or generational sensitivity data (25+ year horizon)",
|
|
596
|
+
"blast_radius_score": 5,
|
|
597
|
+
"description": "Strategic compromise on CRQC day; loss is irreversible and category-defining."
|
|
598
|
+
}
|
|
440
599
|
]
|
|
441
600
|
},
|
|
442
601
|
"compliance_theater_check": {
|
|
@@ -497,51 +656,87 @@
|
|
|
497
656
|
}
|
|
498
657
|
],
|
|
499
658
|
"escalation_criteria": [
|
|
500
|
-
{
|
|
501
|
-
|
|
502
|
-
|
|
503
|
-
|
|
659
|
+
{
|
|
660
|
+
"condition": "blast_radius_score >= 4 AND ml-kem-absent == true",
|
|
661
|
+
"action": "raise_severity"
|
|
662
|
+
},
|
|
663
|
+
{
|
|
664
|
+
"condition": "rwep >= 75 AND data_sensitivity_horizon_years >= 10",
|
|
665
|
+
"action": "page_on_call"
|
|
666
|
+
},
|
|
667
|
+
{
|
|
668
|
+
"condition": "blast_radius_score >= 4",
|
|
669
|
+
"action": "trigger_playbook",
|
|
670
|
+
"target_playbook": "framework"
|
|
671
|
+
},
|
|
672
|
+
{
|
|
673
|
+
"condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
|
|
674
|
+
"action": "notify_legal"
|
|
675
|
+
}
|
|
504
676
|
]
|
|
505
677
|
},
|
|
506
|
-
|
|
507
678
|
"validate": {
|
|
508
679
|
"remediation_paths": [
|
|
509
680
|
{
|
|
510
681
|
"id": "openssl-upgrade-to-3-5",
|
|
511
682
|
"description": "Upgrade OpenSSL to >= 3.5 (or install oqsprovider on 3.x). Enable ML-KEM-768 in default TLS groups.",
|
|
512
|
-
"preconditions": [
|
|
683
|
+
"preconditions": [
|
|
684
|
+
"distro_package_for_openssl_3_5_available == true OR oqsprovider_packageable == true",
|
|
685
|
+
"system_libssl_upgrade_safe == true"
|
|
686
|
+
],
|
|
513
687
|
"priority": 1,
|
|
514
|
-
"compensating_controls": [
|
|
688
|
+
"compensating_controls": [
|
|
689
|
+
"pin classical-only group fallback for legacy peers via per-service override"
|
|
690
|
+
],
|
|
515
691
|
"estimated_time_hours": 3
|
|
516
692
|
},
|
|
517
693
|
{
|
|
518
694
|
"id": "enable-hybrid-tls-groups",
|
|
519
695
|
"description": "Configure each TLS-serving process to prefer X25519MLKEM768 (or X25519Kyber768Draft00 if oqsprovider). Set ssl_ecdh_curve nginx / SSLOpenSSLConfCmd apache / ssl-default-bind-curves haproxy.",
|
|
520
|
-
"preconditions": [
|
|
696
|
+
"preconditions": [
|
|
697
|
+
"openssl_supports_ml_kem == true",
|
|
698
|
+
"ops_authorization_for_service_restart == true"
|
|
699
|
+
],
|
|
521
700
|
"priority": 2,
|
|
522
|
-
"compensating_controls": [
|
|
701
|
+
"compensating_controls": [
|
|
702
|
+
"client_compat_canary_for_each_service",
|
|
703
|
+
"monitoring_for_negotiation_failures"
|
|
704
|
+
],
|
|
523
705
|
"estimated_time_hours": 2
|
|
524
706
|
},
|
|
525
707
|
{
|
|
526
708
|
"id": "ssh-add-hybrid-kex",
|
|
527
709
|
"description": "Update sshd_config KexAlgorithms to prepend sntrup761x25519-sha512@openssh.com (and mlkem768x25519-sha256 on OpenSSH >= 9.6).",
|
|
528
|
-
"preconditions": [
|
|
710
|
+
"preconditions": [
|
|
711
|
+
"openssh_>=_9_0",
|
|
712
|
+
"operator_authorized_for_sshd_change == true"
|
|
713
|
+
],
|
|
529
714
|
"priority": 3,
|
|
530
|
-
"compensating_controls": [
|
|
715
|
+
"compensating_controls": [
|
|
716
|
+
"bastion_session_recording_for_legacy_kex_fallback",
|
|
717
|
+
"monitoring_for_kex_negotiation_downgrades"
|
|
718
|
+
],
|
|
531
719
|
"estimated_time_hours": 1
|
|
532
720
|
},
|
|
533
721
|
{
|
|
534
722
|
"id": "reissue-long-life-certs-hybrid",
|
|
535
723
|
"description": "For every cert with > 10-year data-sensitivity horizon: re-issue with hybrid signature (ML-DSA or SLH-DSA + ECDSA) using publicly-trusted CA hybrid root or internal CA with hybrid cross-signing.",
|
|
536
|
-
"preconditions": [
|
|
724
|
+
"preconditions": [
|
|
725
|
+
"ca_supports_hybrid_signatures == true OR internal_ca_can_be_extended == true"
|
|
726
|
+
],
|
|
537
727
|
"priority": 4,
|
|
538
|
-
"compensating_controls": [
|
|
728
|
+
"compensating_controls": [
|
|
729
|
+
"legacy_chain_for_pre-PQC_client_compat",
|
|
730
|
+
"transparency_log_entries_for_hybrid_certs"
|
|
731
|
+
],
|
|
539
732
|
"estimated_time_hours": 16
|
|
540
733
|
},
|
|
541
734
|
{
|
|
542
735
|
"id": "establish-crypto-inventory",
|
|
543
736
|
"description": "Build a per-asset cryptographic inventory with sensitivity horizon, current algorithm, PQC migration target, sunset date. Satisfies NIS2 Art.21(2)(h) maintenance obligation.",
|
|
544
|
-
"preconditions": [
|
|
737
|
+
"preconditions": [
|
|
738
|
+
"asset_inventory_baseline_exists == true"
|
|
739
|
+
],
|
|
545
740
|
"priority": 5,
|
|
546
741
|
"compensating_controls": [],
|
|
547
742
|
"estimated_time_hours": 40
|
|
@@ -549,9 +744,16 @@
|
|
|
549
744
|
{
|
|
550
745
|
"id": "policy-exception",
|
|
551
746
|
"description": "If a specific asset cannot reach hybrid PQC in this cycle (legacy hardware, embedded HSM without PQC firmware, vendor SaaS): generate auditor-ready policy exception with crypto-agility roadmap.",
|
|
552
|
-
"preconditions": [
|
|
747
|
+
"preconditions": [
|
|
748
|
+
"remediation_paths[1..5] blocked for the specific asset",
|
|
749
|
+
"ciso_acceptance_obtainable == true"
|
|
750
|
+
],
|
|
553
751
|
"priority": 6,
|
|
554
|
-
"compensating_controls": [
|
|
752
|
+
"compensating_controls": [
|
|
753
|
+
"network_segmentation_to_limit_handshake_exposure",
|
|
754
|
+
"vpn_pqc_tunnel_overlay",
|
|
755
|
+
"shortened_retention_for_classical-protected_data"
|
|
756
|
+
],
|
|
555
757
|
"estimated_time_hours": 8
|
|
556
758
|
}
|
|
557
759
|
],
|
|
@@ -597,47 +799,91 @@
|
|
|
597
799
|
"risk": "Even with hybrid PQC enabled, legacy peers may downgrade to classical groups during compatibility windows; certain assets (vendor SaaS, embedded HSM, legacy protocols) may not be migratable in this cycle and remain HNDL-recordable.",
|
|
598
800
|
"why_remains": "PQC migration is multi-year. Hybrid KEX is the only configuration where the encrypted material is safe against the CRQC adversary; classical-fallback paths preserve interop but reopen the recording window. Some assets have no PQC migration path until vendor firmware lands. Crypto-agility (the ability to swap algorithms without re-architecting) is an org-wide investment, not a single fix.",
|
|
599
801
|
"acceptance_level": "ciso",
|
|
600
|
-
"compensating_controls_in_place": [
|
|
802
|
+
"compensating_controls_in_place": [
|
|
803
|
+
"network_segmentation_for_classical-only_assets",
|
|
804
|
+
"shortened_retention_where_feasible",
|
|
805
|
+
"transparency_monitoring_of_handshake_negotiation_for_downgrade_detection",
|
|
806
|
+
"annual_crypto-agility_program_review"
|
|
807
|
+
]
|
|
601
808
|
},
|
|
602
809
|
"evidence_requirements": [
|
|
603
810
|
{
|
|
604
811
|
"evidence_type": "scan_report",
|
|
605
812
|
"description": "TLS handshake test results showing hybrid group negotiated on each production TLS endpoint; sshd KEX negotiation showing PQC hybrid; openssl list -kem-algorithms output.",
|
|
606
813
|
"retention_period": "7_years",
|
|
607
|
-
"framework_satisfied": [
|
|
814
|
+
"framework_satisfied": [
|
|
815
|
+
"nist-800-53-SC-8",
|
|
816
|
+
"nist-800-53-SC-13",
|
|
817
|
+
"iso-27001-2022-A.8.24",
|
|
818
|
+
"pci-dss-4-4.2.1",
|
|
819
|
+
"nis2-art21-2h",
|
|
820
|
+
"dora-art9"
|
|
821
|
+
]
|
|
608
822
|
},
|
|
609
823
|
{
|
|
610
824
|
"evidence_type": "config_diff",
|
|
611
825
|
"description": "Before/after diffs of openssl.cnf, sshd_config, nginx/apache/haproxy ssl config showing hybrid group preference, plus change-management approval reference.",
|
|
612
826
|
"retention_period": "7_years",
|
|
613
|
-
"framework_satisfied": [
|
|
827
|
+
"framework_satisfied": [
|
|
828
|
+
"nist-800-53-CM-3",
|
|
829
|
+
"iso-27001-2022-A.8.32"
|
|
830
|
+
]
|
|
614
831
|
},
|
|
615
832
|
{
|
|
616
833
|
"evidence_type": "attestation",
|
|
617
834
|
"description": "Cryptographic asset inventory snapshot (signed) showing per-asset current algorithm, sensitivity horizon, PQC migration target, classical sunset date.",
|
|
618
835
|
"retention_period": "7_years",
|
|
619
|
-
"framework_satisfied": [
|
|
836
|
+
"framework_satisfied": [
|
|
837
|
+
"nis2-art21-2h",
|
|
838
|
+
"dora-art9",
|
|
839
|
+
"iso-27001-2022-A.8.24",
|
|
840
|
+
"us-omb-m-23-02"
|
|
841
|
+
]
|
|
620
842
|
},
|
|
621
843
|
{
|
|
622
844
|
"evidence_type": "scan_report",
|
|
623
845
|
"description": "Certificate-store audit report identifying long-retention certs and their signature algorithms before and after hybrid re-issuance.",
|
|
624
846
|
"retention_period": "audit_cycle",
|
|
625
|
-
"framework_satisfied": [
|
|
847
|
+
"framework_satisfied": [
|
|
848
|
+
"nist-800-53-SC-12",
|
|
849
|
+
"iso-27001-2022-A.8.24"
|
|
850
|
+
]
|
|
626
851
|
}
|
|
627
852
|
],
|
|
628
853
|
"regression_trigger": [
|
|
629
|
-
{
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
{
|
|
854
|
+
{
|
|
855
|
+
"condition": "new_openssh_release == true",
|
|
856
|
+
"interval": "on_event"
|
|
857
|
+
},
|
|
858
|
+
{
|
|
859
|
+
"condition": "new_openssl_release == true",
|
|
860
|
+
"interval": "on_event"
|
|
861
|
+
},
|
|
862
|
+
{
|
|
863
|
+
"condition": "FIPS_203_or_204_or_205_amendment",
|
|
864
|
+
"interval": "on_event"
|
|
865
|
+
},
|
|
866
|
+
{
|
|
867
|
+
"condition": "new_NIST_PQC_standard_published",
|
|
868
|
+
"interval": "on_event"
|
|
869
|
+
},
|
|
870
|
+
{
|
|
871
|
+
"condition": "quarterly",
|
|
872
|
+
"interval": "90d"
|
|
873
|
+
}
|
|
634
874
|
]
|
|
635
875
|
},
|
|
636
|
-
|
|
637
876
|
"close": {
|
|
638
877
|
"evidence_package": {
|
|
639
878
|
"bundle_format": "csaf-2.0",
|
|
640
|
-
"contents": [
|
|
879
|
+
"contents": [
|
|
880
|
+
"scan_report",
|
|
881
|
+
"config_diff",
|
|
882
|
+
"attestation",
|
|
883
|
+
"framework_gap_mapping",
|
|
884
|
+
"compliance_theater_verdict",
|
|
885
|
+
"residual_risk_statement"
|
|
886
|
+
],
|
|
641
887
|
"destination": "local_only",
|
|
642
888
|
"signed": true
|
|
643
889
|
},
|
|
@@ -649,42 +895,66 @@
|
|
|
649
895
|
"framework_gap": "NIST 800-53 has not amended SC-8/SC-13 with PQC sub-controls despite FIPS 203/204/205 finalization in 2024-08. ISO 27001:2022 (pre-PQC) has no PQC language and no scheduled amendment. PCI Council and EU regulators publicly aware but have not amended binding controls. Lag = ~180 days behind PQC operational readiness and 4-8+ years behind the CRQC horizon.",
|
|
650
896
|
"new_control_requirement": "Add a 'cryptographic algorithm currency' sub-control across SC-8, SC-13, A.8.24, §3.6, §4.2.1, Art.21(2)(h), Art.9 requiring: (a) per-asset cryptographic inventory with sensitivity horizon, (b) hybrid PQC mandatory for new deployments protecting data with horizon > 5 years, (c) algorithm sunset dates documented per asset, (d) crypto-agility built into design (algorithm swap without re-architecting), (e) annual review against current NIST PQC publication state."
|
|
651
897
|
},
|
|
652
|
-
"feeds_back_to_skills": [
|
|
898
|
+
"feeds_back_to_skills": [
|
|
899
|
+
"pqc-first",
|
|
900
|
+
"framework-gap-analysis",
|
|
901
|
+
"compliance-theater",
|
|
902
|
+
"global-grc",
|
|
903
|
+
"zeroday-gap-learn"
|
|
904
|
+
]
|
|
653
905
|
},
|
|
654
906
|
"notification_actions": [
|
|
655
907
|
{
|
|
656
908
|
"obligation_ref": "EU/NIS2 Art.21(2)(h) 720h",
|
|
657
909
|
"deadline": "computed_at_runtime",
|
|
658
910
|
"recipient": "internal_legal",
|
|
659
|
-
"evidence_attached": [
|
|
911
|
+
"evidence_attached": [
|
|
912
|
+
"cryptographic_asset_inventory",
|
|
913
|
+
"pqc_migration_plan",
|
|
914
|
+
"algorithm_sunset_tracking"
|
|
915
|
+
],
|
|
660
916
|
"draft_notification": "NIS2 Art.21(2)(h) cryptographic inventory submission: ${entity_name} maintains a cryptographic asset inventory dated ${inventory_date}. PQC migration plan with timelines and per-asset sunset dates is attached. Current state: ${total_assets} cryptographic assets inventoried; ${hybrid_pqc_count} hybrid PQC enabled; ${classical_only_count} classical-only with documented sunset dates. Re-attestation cadence: ${cadence}."
|
|
661
917
|
},
|
|
662
918
|
{
|
|
663
919
|
"obligation_ref": "EU/DORA Art.9 720h",
|
|
664
920
|
"deadline": "computed_at_runtime",
|
|
665
921
|
"recipient": "internal_legal",
|
|
666
|
-
"evidence_attached": [
|
|
922
|
+
"evidence_attached": [
|
|
923
|
+
"cryptographic_resilience_assessment",
|
|
924
|
+
"key_management_attestation",
|
|
925
|
+
"pqc_readiness_status"
|
|
926
|
+
],
|
|
667
927
|
"draft_notification": "DORA Art.9 cryptographic resilience submission: ${entity_name} (financial entity) attests cryptographic resilience per Art.9. PQC readiness: ${pqc_readiness_summary}. Key management: ${km_summary}. HNDL exposure: ${hndl_exposure_summary}; remediation ETA: ${remediation_eta}."
|
|
668
928
|
},
|
|
669
929
|
{
|
|
670
930
|
"obligation_ref": "EU/NIS2 Art.23 24h",
|
|
671
931
|
"deadline": "computed_at_runtime",
|
|
672
932
|
"recipient": "internal_legal",
|
|
673
|
-
"evidence_attached": [
|
|
933
|
+
"evidence_attached": [
|
|
934
|
+
"confirmed_hndl_exposure",
|
|
935
|
+
"affected_data_sensitivity_horizon",
|
|
936
|
+
"interim_mitigation_record"
|
|
937
|
+
],
|
|
674
938
|
"draft_notification": "NIS2 Art.23 24-hour early warning (where applicable): Confirmed HNDL exposure detected on ${affected_systems}. Data sensitivity horizon: ${horizon_years} years. Interim mitigation: ${mitigation_status}. Note: HNDL is a delayed-decryption threat; the breach realisation event is CRQC, not detection. This notification is precautionary."
|
|
675
939
|
},
|
|
676
940
|
{
|
|
677
941
|
"obligation_ref": "US/OMB M-23-02 8760h",
|
|
678
942
|
"deadline": "computed_at_runtime",
|
|
679
943
|
"recipient": "internal_legal",
|
|
680
|
-
"evidence_attached": [
|
|
944
|
+
"evidence_attached": [
|
|
945
|
+
"federal_pqc_inventory",
|
|
946
|
+
"annual_migration_progress_report"
|
|
947
|
+
],
|
|
681
948
|
"draft_notification": "OMB M-23-02 annual PQC migration inventory: ${federal_entity} reports ${total_assets} cryptographic assets inventoried, ${hybrid_pqc_count} migrated to PQC, ${migration_eta_summary}. Per CNSA 2.0 binding deadline of 2030, current trajectory: ${on_track_or_off_track}."
|
|
682
949
|
},
|
|
683
950
|
{
|
|
684
951
|
"obligation_ref": "AU/APRA CPS 234 72h",
|
|
685
952
|
"deadline": "computed_at_runtime",
|
|
686
953
|
"recipient": "regulator_email",
|
|
687
|
-
"evidence_attached": [
|
|
954
|
+
"evidence_attached": [
|
|
955
|
+
"materiality_assessment",
|
|
956
|
+
"remediation_completed_evidence"
|
|
957
|
+
],
|
|
688
958
|
"draft_notification": "APRA CPS 234 notification (where remediation deemed material): cryptographic exposure remediation completed for ${affected_systems}. Materiality determination: ${materiality_justification}. Remediation summary: ${remediation_summary}."
|
|
689
959
|
}
|
|
690
960
|
],
|
|
@@ -693,7 +963,14 @@
|
|
|
693
963
|
"exception_template": {
|
|
694
964
|
"scope": "Asset(s) ${asset_list} cannot reach hybrid PQC posture within this remediation cycle. Blocking factors: ${blocking_factors} (e.g. legacy HSM firmware lacking PQC, vendor SaaS without PQC support, embedded device firmware end-of-life).",
|
|
695
965
|
"duration": "until_vendor_patch",
|
|
696
|
-
"compensating_controls": [
|
|
966
|
+
"compensating_controls": [
|
|
967
|
+
"network_segmentation_isolating_classical-only_handshake_from_long-retention_data_flows",
|
|
968
|
+
"vpn_pqc_tunnel_overlay_for_traffic_to/from_affected_assets",
|
|
969
|
+
"shortened_retention_policy_for_data_protected_only_by_classical_crypto",
|
|
970
|
+
"transparency_monitoring_of_handshake_negotiation_alerting_on_downgrade",
|
|
971
|
+
"annual_crypto-agility_review",
|
|
972
|
+
"vendor_pqc_roadmap_tracking"
|
|
973
|
+
],
|
|
697
974
|
"risk_acceptance_owner": "ciso",
|
|
698
975
|
"auditor_ready_language": "Pursuant to ${framework_id} ${control_id} (Cryptographic Protection / Use of Cryptography / Cryptographic Resilience), the organization documents a time-bound risk acceptance for asset(s) ${asset_list} that cannot reach hybrid post-quantum cryptography posture within the current remediation cycle. The accepted risk class is harvest-now-decrypt-later (HNDL): adversaries with traffic-recording capability today may decrypt recorded handshakes on the cryptographically-relevant quantum computer (CRQC) date, currently estimated at 2030-2035 per aggressive academic cryptanalysis and 2035-2040 per conservative industry assessment. The organization accepts that current framework controls (NIST 800-53 SC-8/SC-13, ISO 27001:2022 A.8.24/A.8.25, PCI DSS 4.0 §3.6/§4.2.1, NIS2 Art.21(2)(h), DORA Art.9, EU CRA Annex I) define 'strong cryptography' against a classical threat model and do not require PQC, that this gap is documented in ${exceptd_framework_gap_mapping_ref}, and that the organization's compensating controls during the exception window are: ${compensating_controls}. Crypto-agility roadmap: ${crypto_agility_roadmap}. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry} (vendor PQC firmware publication, sensitivity-horizon expiry of protected data, OR ${default_180d_expiry}, whichever is first). Re-evaluation triggers: vendor publishes PQC support, NIST issues PQC amendment to 800-53, new CRQC estimate published in peer-reviewed cryptanalysis literature, OR scheduled expiry."
|
|
699
976
|
}
|
|
@@ -705,22 +982,27 @@
|
|
|
705
982
|
}
|
|
706
983
|
}
|
|
707
984
|
},
|
|
708
|
-
|
|
709
985
|
"directives": [
|
|
710
986
|
{
|
|
711
987
|
"id": "all-crypto-pqc-readiness",
|
|
712
988
|
"title": "Full PQC readiness audit across TLS libraries, SSH, certificate store, and cryptographic policy",
|
|
713
|
-
"applies_to": {
|
|
989
|
+
"applies_to": {
|
|
990
|
+
"always": true
|
|
991
|
+
}
|
|
714
992
|
},
|
|
715
993
|
{
|
|
716
994
|
"id": "hndl-active-recording-investigation",
|
|
717
995
|
"title": "HNDL active-recording threat investigation (T1040 / T1557)",
|
|
718
|
-
"applies_to": {
|
|
996
|
+
"applies_to": {
|
|
997
|
+
"attack_technique": "T1040"
|
|
998
|
+
}
|
|
719
999
|
},
|
|
720
1000
|
{
|
|
721
1001
|
"id": "tls-encrypted-channel-pqc",
|
|
722
1002
|
"title": "T1573 — Encrypted Channel readiness against CRQC adversary",
|
|
723
|
-
"applies_to": {
|
|
1003
|
+
"applies_to": {
|
|
1004
|
+
"attack_technique": "T1573"
|
|
1005
|
+
}
|
|
724
1006
|
}
|
|
725
1007
|
]
|
|
726
1008
|
}
|