@blamejs/exceptd-skills 0.9.5 → 0.10.1

@@ -0,0 +1,1008 @@
1
+ {
2
+ "_meta": {
3
+ "id": "crypto",
4
+ "version": "1.0.0",
5
+ "last_threat_review": "2026-05-11",
6
+ "threat_currency_score": 95,
7
+ "changelog": [
8
+ {
9
+ "version": "1.0.0",
10
+ "date": "2026-05-11",
11
+ "summary": "Initial seven-phase PQC-readiness playbook. Inventories OpenSSL/LibreSSL/BoringSSL versions, sshd_config KEX/MAC/cipher suites, TLS 1.3 hybrid X25519+ML-KEM-768 support, certificate store hygiene (algorithm + expiry + cross-signing). Frames HNDL as the present threat surface. Full GRC closure mapping to NIS2/DORA/EU CRA/NIST PQC migration obligations.",
12
+ "cves_added": [],
13
+ "framework_gaps_updated": [
14
+ "nist-800-53-SC-8",
15
+ "nist-800-53-SC-13",
16
+ "iso-27001-2022-A.8.24",
17
+ "iso-27001-2022-A.8.25",
18
+ "pci-dss-4-3.6",
19
+ "dora-art9",
20
+ "nis2-art21-2h"
21
+ ]
22
+ }
23
+ ],
24
+ "owner": "@blamejs/platform-security",
25
+ "air_gap_mode": false,
26
+ "scope": "service",
27
+ "preconditions": [
28
+ {
29
+ "id": "filesystem-read",
30
+ "description": "Agent must be able to read /etc, system binary directories, and the user's home directory.",
31
+ "check": "agent_has_filesystem_read == true",
32
+ "on_fail": "halt"
33
+ },
34
+ {
35
+ "id": "openssl-or-equivalent-present",
36
+ "description": "At least one TLS library must be present and queryable. If none, the host has no crypto surface this playbook scopes.",
37
+ "check": "exists_any(['openssl', 'libssl.so*', 'libcrypto.so*']) == true",
38
+ "on_fail": "warn"
39
+ }
40
+ ],
41
+ "mutex": [],
42
+ "feeds_into": [
43
+ {
44
+ "playbook_id": "framework",
45
+ "condition": "analyze.compliance_theater_check.verdict == 'theater'"
46
+ },
47
+ {
48
+ "playbook_id": "sbom",
49
+ "condition": "analyze.blast_radius_score >= 4"
50
+ }
51
+ ]
52
+ },
53
+ "domain": {
54
+ "name": "Post-quantum cryptography exposure",
55
+ "attack_class": "pqc-exposure",
56
+ "atlas_refs": [],
57
+ "attack_refs": [
58
+ "T1040",
59
+ "T1557",
60
+ "T1573"
61
+ ],
62
+ "cve_refs": [],
63
+ "cwe_refs": [
64
+ "CWE-327",
65
+ "CWE-326",
66
+ "CWE-310"
67
+ ],
68
+ "d3fend_refs": [
69
+ "D3-FE",
70
+ "D3-MENCR"
71
+ ],
72
+ "frameworks_in_scope": [
73
+ "nist-800-53",
74
+ "nist-csf-2",
75
+ "iso-27001-2022",
76
+ "soc2",
77
+ "pci-dss-4",
78
+ "nis2",
79
+ "dora",
80
+ "uk-caf",
81
+ "au-ism",
82
+ "au-essential-8",
83
+ "sg-mas-trm",
84
+ "jp-nisc",
85
+ "in-cert",
86
+ "ca-osfi-b10",
87
+ "hipaa",
88
+ "cmmc",
89
+ "nerc-cip",
90
+ "eu-cra"
91
+ ]
92
+ },
93
+ "phases": {
94
+ "govern": {
95
+ "jurisdiction_obligations": [
96
+ {
97
+ "jurisdiction": "EU",
98
+ "regulation": "NIS2 Art.21(2)(h)",
99
+ "obligation": "maintain_cryptographic_inventory",
100
+ "window_hours": 720,
101
+ "clock_starts": "manual",
102
+ "evidence_required": [
103
+ "cryptographic_asset_inventory",
104
+ "pqc_migration_plan",
105
+ "algorithm_sunset_tracking"
106
+ ]
107
+ },
108
+ {
109
+ "jurisdiction": "EU",
110
+ "regulation": "DORA Art.9",
111
+ "obligation": "submit_cryptographic_resilience_evidence",
112
+ "window_hours": 720,
113
+ "clock_starts": "manual",
114
+ "evidence_required": [
115
+ "cryptographic_resilience_assessment",
116
+ "key_management_attestation",
117
+ "pqc_readiness_status"
118
+ ]
119
+ },
120
+ {
121
+ "jurisdiction": "EU",
122
+ "regulation": "NIS2 Art.23",
123
+ "obligation": "notify_regulator",
124
+ "window_hours": 24,
125
+ "clock_starts": "detect_confirmed",
126
+ "evidence_required": [
127
+ "confirmed_hndl_exposure",
128
+ "affected_data_sensitivity_horizon",
129
+ "interim_mitigation_record"
130
+ ]
131
+ },
132
+ {
133
+ "jurisdiction": "US",
134
+ "regulation": "OMB M-23-02",
135
+ "obligation": "maintain_pqc_migration_inventory",
136
+ "window_hours": 8760,
137
+ "clock_starts": "manual",
138
+ "evidence_required": [
139
+ "federal_pqc_inventory",
140
+ "annual_migration_progress_report"
141
+ ]
142
+ },
143
+ {
144
+ "jurisdiction": "AU",
145
+ "regulation": "APRA CPS 234",
146
+ "obligation": "notify_regulator",
147
+ "window_hours": 72,
148
+ "clock_starts": "validate_complete",
149
+ "evidence_required": [
150
+ "materiality_assessment",
151
+ "remediation_completed_evidence"
152
+ ]
153
+ }
154
+ ],
155
+ "theater_fingerprints": [
156
+ {
157
+ "pattern_id": "fips-140-as-pqc-evidence",
158
+ "claim": "We use FIPS 140-validated cryptographic modules, therefore our crypto posture is compliant and current.",
159
+ "fast_detection_test": "FIPS 140-3 validation lists only classical algorithms today (FIPS 203/204/205 add to the catalog but a module's validation cert lists specific algorithm modes). Read the actual FIPS 140-3 certificate for the module — if it lists only AES, RSA, ECDSA, ECDH, SHA-2/3 and no ML-KEM/ML-DSA/SLH-DSA, the module is fully compliant AND fully vulnerable to HNDL. The FIPS sticker tells you nothing about PQC readiness.",
160
+ "implicated_controls": [
161
+ "nist-800-53-SC-13",
162
+ "fips-140-3"
163
+ ]
164
+ },
165
+ {
166
+ "pattern_id": "tls-1-3-as-future-proof",
167
+ "claim": "We're on TLS 1.3 across the fleet — our transport encryption is modern.",
168
+ "fast_detection_test": "TLS 1.3 with classical-only key exchange (X25519, P-256, P-384) is HNDL-vulnerable today. Run: openssl s_client -connect <host>:443 -tls1_3 -groups X25519MLKEM768 — if the server does not negotiate the hybrid group, the org is recording-decrypt-later vulnerable regardless of TLS version. Reality: modern TLS version without modern key exchange = theater.",
169
+ "implicated_controls": [
170
+ "nist-800-53-SC-8",
171
+ "iso-27001-2022-A.8.24",
172
+ "pci-dss-4-4.2.1"
173
+ ]
174
+ },
175
+ {
176
+ "pattern_id": "policy-mentions-pqc",
177
+ "claim": "Our cryptographic policy mentions post-quantum cryptography migration — we have a PQC program.",
178
+ "fast_detection_test": "Diff the policy against the cryptographic asset inventory. If the policy names PQC but the inventory lacks per-asset (a) current algorithm, (b) sensitivity horizon, (c) PQC migration target, (d) sunset date for the classical algorithm — the policy is a document, not a program. The inventory is the program; without it the policy is theater.",
179
+ "implicated_controls": [
180
+ "nist-800-53-SC-13",
181
+ "iso-27001-2022-A.8.24",
182
+ "nis2-art21-2h"
183
+ ]
184
+ },
185
+ {
186
+ "pattern_id": "openssl-version-as-pqc-readiness",
187
+ "claim": "We're on OpenSSL 3.x, therefore we can support PQC when needed.",
188
+ "fast_detection_test": "OpenSSL 3.0/3.1/3.2 do not include native ML-KEM. OpenSSL 3.5 ships native ML-KEM/ML-DSA/SLH-DSA. Run: openssl list -kem-algorithms — if ML-KEM-768 (or ML-KEM-512/1024) is absent, the binary cannot negotiate the hybrid group regardless of how recent it sounds. Major-version label without the algorithm in -kem-algorithms = theater.",
189
+ "implicated_controls": [
190
+ "nist-800-53-SC-13",
191
+ "iso-27001-2022-A.8.24"
192
+ ]
193
+ },
194
+ {
195
+ "pattern_id": "ssh-config-modern-without-curve-audit",
196
+ "claim": "Our sshd_config uses modern KEX algorithms (curve25519-sha256).",
197
+ "fast_detection_test": "curve25519-sha256 is classical. sntrup761x25519-sha512@openssh.com is the OpenSSH 9.0+ hybrid PQC group. Read sshd -T | grep -i kexalg — if sntrup761x25519 or mlkem768x25519-sha256 is not present in KexAlgorithms, all SSH session keys are HNDL-recordable today.",
198
+ "implicated_controls": [
199
+ "nist-800-53-SC-8",
200
+ "iso-27001-2022-A.8.24"
201
+ ]
202
+ }
203
+ ],
204
+ "framework_context": {
205
+ "gap_summary": "Mainstream compliance frameworks treat cryptography as algorithm-agnostic policy ('use strong cryptography') and key-management hygiene. NIST 800-53 SC-8 / SC-13 cite FIPS-validated modules without requiring PQC-capable algorithms. ISO 27001:2022 A.8.24 / A.8.25 require cryptographic policy without naming specific algorithms or sunset dates. PCI DSS 4.0 §3.6 / §4.2.1 mandate 'strong cryptography' with no PQC-specific signal. NIS2 Art.21(2)(h) introduces cryptography as an essential measure but defers algorithm specifics. DORA Art.9 names cryptographic resilience but inherits the same gap. The federal cycle is further along: OMB M-23-02 + NSM-10 + CNSA 2.0 establish binding PQC migration timelines for US federal systems through 2030; commercial frameworks have not caught up. ISO 27001:2022 (published 2022, before FIPS 203/204/205 finalization in 2024) is the longest-laggard in our scope — its A.8.24 cryptographic-use control has no PQC language and no published amendment. EU jurisdictions are catching up faster via ENISA guidance, but the binding frameworks remain unchanged.",
206
+ "lag_score": 180,
207
+ "per_framework_gaps": [
208
+ {
209
+ "framework": "nist-800-53",
210
+ "control_id": "SC-13",
211
+ "designed_for": "Use of FIPS-validated cryptographic modules.",
212
+ "insufficient_because": "FIPS validation is a module-level attestation. A FIPS 140-3 validated module is fully compliant with SC-13 and fully vulnerable to HNDL if its validated algorithms are classical only. SC-13 needs an algorithm-currency sub-control referencing FIPS 203/204/205."
213
+ },
214
+ {
215
+ "framework": "nist-800-53",
216
+ "control_id": "SC-8",
217
+ "designed_for": "Transmission confidentiality and integrity.",
218
+ "insufficient_because": "Specifies that transmissions must be cryptographically protected. Does not specify against what threat model. HNDL adversary recording today and decrypting on CRQC date is a current threat that SC-8 in classical-only mode does not address."
219
+ },
220
+ {
221
+ "framework": "iso-27001-2022",
222
+ "control_id": "A.8.24",
223
+ "designed_for": "Use of cryptography — policy on cryptographic controls.",
224
+ "insufficient_because": "Published 2022 before FIPS 203/204/205 finalization. Names no algorithms, no sunset dates, no migration tempo. Compliant policy can be entirely classical."
225
+ },
226
+ {
227
+ "framework": "iso-27001-2022",
228
+ "control_id": "A.8.25",
229
+ "designed_for": "Secure development lifecycle.",
230
+ "insufficient_because": "Does not require crypto-agility — the ability to swap algorithms without re-architecting. Without crypto-agility, PQC migration requires re-engineering, which the control does not surface as a deficiency."
231
+ },
232
+ {
233
+ "framework": "pci-dss-4",
234
+ "control_id": "3.6 / 4.2.1",
235
+ "designed_for": "Strong cryptography for cardholder data at rest and in transit.",
236
+ "insufficient_because": "Defines 'strong cryptography' with current minimums (AES-128, ECC 224-bit). No PQC obligation. A PCI-compliant card processor today is HNDL-vulnerable for any cardholder data with > 10-year retention."
237
+ },
238
+ {
239
+ "framework": "nis2",
240
+ "control_id": "Art.21(2)(h)",
241
+ "designed_for": "Use of cryptography, where appropriate, including encryption of communications.",
242
+ "insufficient_because": "Names cryptography as essential measure; defers specifics. Permits classical-only posture. Bound only by what regulators eventually publish as guidance."
243
+ },
244
+ {
245
+ "framework": "dora",
246
+ "control_id": "Art.9",
247
+ "designed_for": "ICT systems, protocols and tools — cryptographic resilience.",
248
+ "insufficient_because": "Names cryptographic resilience but inherits NIS2's gap. Financial-entity HNDL exposure is acute (long-retention financial records) but framework cadence is months behind."
249
+ },
250
+ {
251
+ "framework": "eu-cra",
252
+ "control_id": "Annex I (essential cybersecurity requirements)",
253
+ "designed_for": "Cryptography for products with digital elements.",
254
+ "insufficient_because": "Manufacturer obligation to use 'state-of-the-art' cryptography. 'State-of-the-art' is interpretive; without binding PQC reference, products ship classical-only."
255
+ }
256
+ ]
257
+ },
258
+ "skill_preload": [
259
+ "pqc-first",
260
+ "framework-gap-analysis",
261
+ "compliance-theater",
262
+ "global-grc",
263
+ "policy-exception-gen"
264
+ ]
265
+ },
266
+ "direct": {
267
+ "threat_context": "PQC landscape mid-2026: FIPS 203 (ML-KEM), 204 (ML-DSA), 205 (SLH-DSA) finalized 2024-08-13 — production-ready for 21 months. OpenSSL 3.5 (released Q1 2025) ships native ML-KEM/ML-DSA/SLH-DSA; OpenSSH 9.0+ ships sntrup761x25519-sha512 KEX since 2022; Chrome (since v124, 2024) negotiates X25519MLKEM768 with compatible servers. The deployment gap is not technical readiness — it is operator inertia. NSA CNSA 2.0 mandates PQC for NSS by 2030; NIST IR 8547 (draft, 2024) sets the federal transition timeline. EU ENISA's PQC transition mandate is advancing toward binding Member State implementation through 2027-2028. HNDL is operational reality, not a future concern: state-level adversaries are recording encrypted traffic at scale and have been since 2013 (publicly known). Any data with a sensitivity window of 10+ years currently protected by classical asymmetric crypto is decryptable in the 2030s by an adversary that captured the ciphertext today. Aggressive academic CRQC estimates now appear in peer-reviewed cryptanalysis literature in the 5-8 year horizon (from mid-2026), with conservative estimates 12-15 years. Either horizon makes today's classical-only TLS handshakes already-exfiltrated.",
268
+ "rwep_threshold": {
269
+ "escalate": 75,
270
+ "monitor": 45,
271
+ "close": 25
272
+ },
273
+ "framework_lag_declaration": "Every framework in scope is structurally insufficient for HNDL. NIST 800-53 SC-8/SC-13, ISO 27001:2022 A.8.24/A.8.25, PCI DSS 4.0 §3.6/§4.2.1, NIS2 Art.21(2)(h), DORA Art.9, EU CRA Annex I all permit fully-classical cryptographic posture as 'strong cryptography'. NIST itself is the exception: FIPS 203/204/205 are finalized, NIST IR 8547 is a published migration roadmap, OMB M-23-02 mandates federal PQC inventory — but the 800-53 control catalog is unchanged. ISO 27001:2022 was published before PQC finalization and has no scheduled amendment. PCI Council and EU regulators are publicly aware but have not amended binding controls. Lag = ~180 days behind operational readiness (PQC has been production-ready since 2024-08-13) and 4-8+ years behind the CRQC horizon that drives the harvest-now-decrypt-later attack. Compensating controls (crypto-agility, hybrid algorithms, layered encryption envelopes) must close this gap before SLA-only compliance can be accepted.",
274
+ "skill_chain": [
275
+ {
276
+ "skill": "pqc-first",
277
+ "purpose": "Enumerate TLS library versions, sshd KEX/MAC/cipher posture, certificate algorithms, OpenSSL kem-algorithms list. Test for ML-KEM-768/ML-DSA/SLH-DSA availability and configuration.",
278
+ "required": true
279
+ },
280
+ {
281
+ "skill": "framework-gap-analysis",
282
+ "purpose": "Map each detected classical-only configuration to the specific framework controls that permit it and the operational threat that exploits it.",
283
+ "required": true
284
+ },
285
+ {
286
+ "skill": "compliance-theater",
287
+ "purpose": "Run the five theater tests in govern.theater_fingerprints; emit verdict for each.",
288
+ "required": true
289
+ },
290
+ {
291
+ "skill": "global-grc",
292
+ "purpose": "Cross-walk findings to per-jurisdiction obligations and notification clocks.",
293
+ "skip_if": "jurisdiction_obligations.length == 0",
294
+ "required": false
295
+ },
296
+ {
297
+ "skill": "policy-exception-gen",
298
+ "purpose": "Generate auditor-ready exception language for assets that cannot reach hybrid PQC in this cycle.",
299
+ "skip_if": "close.exception_generation.trigger_condition == false",
300
+ "required": false
301
+ }
302
+ ],
303
+ "token_budget": {
304
+ "estimated_total": 21000,
305
+ "breakdown": {
306
+ "govern": 2800,
307
+ "direct": 1600,
308
+ "look": 2400,
309
+ "detect": 3000,
310
+ "analyze": 4800,
311
+ "validate": 3800,
312
+ "close": 2600
313
+ }
314
+ }
315
+ },
316
+ "look": {
317
+ "artifacts": [
318
+ {
319
+ "id": "openssl-version",
320
+ "type": "process_list",
321
+ "source": "openssl version -a",
322
+ "description": "OpenSSL full version, build info, FIPS mode. Required to determine ML-KEM availability.",
323
+ "required": true,
324
+ "air_gap_alternative": "If openssl(1) absent, read libssl.so.* and libcrypto.so.* dynamic library version strings."
325
+ },
326
+ {
327
+ "id": "openssl-kem-algorithms",
328
+ "type": "process_list",
329
+ "source": "openssl list -kem-algorithms 2>/dev/null AND openssl list -signature-algorithms 2>/dev/null AND openssl list -kem-algorithms -provider oqsprovider 2>/dev/null",
330
+ "description": "Available KEMs and signature algorithms. ML-KEM-768 / ML-DSA / SLH-DSA presence is the binary PQC readiness signal.",
331
+ "required": true
332
+ },
333
+ {
334
+ "id": "openssl-providers",
335
+ "type": "process_list",
336
+ "source": "openssl list -providers 2>/dev/null",
337
+ "description": "Loaded providers — default, fips, legacy, oqsprovider. Identifies whether liboqs is integrated.",
338
+ "required": false
339
+ },
340
+ {
341
+ "id": "libssl-libraries",
342
+ "type": "file_path",
343
+ "source": "ldconfig -p | grep -E 'libssl|libcrypto|libtls' AND find /usr/lib /usr/local/lib -name 'libssl*' -o -name 'libcrypto*' 2>/dev/null",
344
+ "description": "Installed TLS libraries — catches non-default OpenSSL builds, vendored libcrypto, LibreSSL, BoringSSL.",
345
+ "required": false
346
+ },
347
+ {
348
+ "id": "sshd-config-effective",
349
+ "type": "config_file",
350
+ "source": "sshd -T 2>/dev/null OR /etc/ssh/sshd_config + included files",
351
+ "description": "Effective sshd KEX/MAC/cipher posture. Primary detector for SSH-side HNDL exposure.",
352
+ "required": false,
353
+ "air_gap_alternative": "If sshd -T unavailable, parse /etc/ssh/sshd_config and walk included configs manually."
354
+ },
355
+ {
356
+ "id": "ssh-version",
357
+ "type": "process_list",
358
+ "source": "ssh -V 2>&1",
359
+ "description": "OpenSSH version. Versions >= 9.0 ship sntrup761x25519-sha512 hybrid KEX.",
360
+ "required": false
361
+ },
362
+ {
363
+ "id": "tls-server-handshake",
364
+ "type": "network_capture",
365
+ "source": "openssl s_client -connect 127.0.0.1:443 -tls1_3 -groups X25519MLKEM768 -servername localhost 2>&1 | head -200 (for each local TLS-serving port)",
366
+ "description": "Local TLS-serving processes' actual hybrid-group negotiation behavior.",
367
+ "required": false,
368
+ "air_gap_alternative": "Read server config (nginx ssl_ecdh_curve, apache SSLOpenSSLConfCmd, Caddy auto, HAProxy ssl-default-bind-curves) statically."
369
+ },
370
+ {
371
+ "id": "certificate-store",
372
+ "type": "config_file",
373
+ "source": "find /etc/ssl/certs /etc/pki /usr/local/share/ca-certificates -name '*.pem' -o -name '*.crt' 2>/dev/null AND for each cert: openssl x509 -in <path> -noout -subject -issuer -dates -ext basicConstraints,keyUsage -pubkey | openssl asn1parse",
374
+ "description": "Certificate store inventory — subject, issuer, validity, public-key algorithm. Identifies classical-only certs in the trust chain.",
375
+ "required": false
376
+ },
377
+ {
378
+ "id": "host-cert-keys",
379
+ "type": "config_file",
380
+ "source": "For each TLS-serving process: locate its server cert + key, run openssl x509/openssl rsa/openssl ec to identify algorithm and key size",
381
+ "description": "Per-service certificate algorithm — distinguishes RSA-2048 / ECDSA-P256 / Ed25519 / hybrid certs.",
382
+ "required": false
383
+ },
384
+ {
385
+ "id": "crypto-policy",
386
+ "type": "config_file",
387
+ "source": "/etc/crypto-policies/config (RHEL/Fedora) AND update-crypto-policies --show 2>/dev/null AND /etc/ssl/openssl.cnf",
388
+ "description": "System-wide crypto policy file — RHEL crypto-policies, Debian openssl.cnf, etc.",
389
+ "required": false
390
+ }
391
+ ],
392
+ "collection_scope": {
393
+ "time_window": "current",
394
+ "asset_scope": "local_host_and_locally_terminated_tls",
395
+ "depth": "standard",
396
+ "sampling": "single-host point-in-time inventory. Fleet rollout requires per-host execution; centralized PQC inventory required for NIS2 Art.21(2)(h) compliance regardless. Re-collect on every regression_trigger event."
397
+ },
398
+ "environment_assumptions": [
399
+ {
400
+ "assumption": "host has at least one TLS library installed",
401
+ "if_false": "Host has no transport crypto surface this playbook addresses; return visibility_gap=no_crypto_surface. Note: an IoT/embedded host with bundled-mbedtls would require separate enumeration."
402
+ },
403
+ {
404
+ "assumption": "agent has read access to /etc/ssl, /etc/ssh, system certificate stores",
405
+ "if_false": "Investigation is unfounded for cert and ssh inventory; downgrade those branches to inconclusive."
406
+ },
407
+ {
408
+ "assumption": "openssl binary is on PATH OR libssl loader is queryable",
409
+ "if_false": "Fall back to ldconfig + library file inspection; mark openssl-kem-algorithms indeterminate; downgrade PQC readiness confidence."
410
+ }
411
+ ],
412
+ "fallback_if_unavailable": [
413
+ {
414
+ "artifact_id": "openssl-kem-algorithms",
415
+ "fallback_action": "use_compensating_artifact",
416
+ "confidence_impact": "medium"
417
+ },
418
+ {
419
+ "artifact_id": "tls-server-handshake",
420
+ "fallback_action": "use_compensating_artifact",
421
+ "confidence_impact": "medium"
422
+ },
423
+ {
424
+ "artifact_id": "certificate-store",
425
+ "fallback_action": "mark_inconclusive",
426
+ "confidence_impact": "low"
427
+ },
428
+ {
429
+ "artifact_id": "sshd-config-effective",
430
+ "fallback_action": "mark_inconclusive",
431
+ "confidence_impact": "medium"
432
+ },
433
+ {
434
+ "artifact_id": "openssl-version",
435
+ "fallback_action": "escalate_to_human",
436
+ "confidence_impact": "high"
437
+ }
438
+ ]
439
+ },
440
+ "detect": {
441
+ "indicators": [
442
+ {
443
+ "id": "ml-kem-absent",
444
+ "type": "log_pattern",
445
+ "value": "openssl list -kem-algorithms does NOT contain ML-KEM-768 (or ML-KEM-512 / ML-KEM-1024)",
446
+ "description": "Primary detector — TLS library cannot negotiate ML-KEM. Entire stack is classical-only.",
447
+ "confidence": "deterministic",
448
+ "deterministic": true
449
+ },
450
+ {
451
+ "id": "ml-dsa-slh-dsa-absent",
452
+ "type": "log_pattern",
453
+ "value": "openssl list -signature-algorithms does NOT contain ML-DSA-44/65/87 AND does NOT contain SLH-DSA-*",
454
+ "description": "TLS library cannot use PQC signatures. Certificate-chain PQC migration is blocked.",
455
+ "confidence": "deterministic",
456
+ "deterministic": true
457
+ },
458
+ {
459
+ "id": "openssl-pre-3-5",
460
+ "type": "log_pattern",
461
+ "value": "openssl version starts with 'OpenSSL 1.', 'OpenSSL 2.', 'OpenSSL 3.0', 'OpenSSL 3.1', 'OpenSSL 3.2', 'OpenSSL 3.3', or 'OpenSSL 3.4'",
462
+ "description": "Pre-3.5 OpenSSL lacks native ML-KEM. Requires oqsprovider or upgrade.",
463
+ "confidence": "deterministic",
464
+ "deterministic": true
465
+ },
466
+ {
467
+ "id": "sshd-no-pqc-kex",
468
+ "type": "log_pattern",
469
+ "value": "sshd -T effective KexAlgorithms does NOT contain sntrup761x25519-sha512@openssh.com AND does NOT contain mlkem768x25519-sha256",
470
+ "description": "SSH daemon cannot negotiate PQC hybrid KEX. All SSH session keys HNDL-recordable.",
471
+ "confidence": "deterministic",
472
+ "deterministic": true,
473
+ "attack_ref": "T1040"
474
+ },
475
+ {
476
+ "id": "tls-no-hybrid-group",
477
+ "type": "network_pattern",
478
+ "value": "openssl s_client -groups X25519MLKEM768 fails to negotiate (server returns 'no shared group' or downgrades to X25519)",
479
+ "description": "Local TLS service cannot negotiate hybrid PQC group. HNDL-recordable handshake.",
480
+ "confidence": "high",
481
+ "deterministic": false,
482
+ "attack_ref": "T1040"
483
+ },
484
+ {
485
+ "id": "rsa-2048-cert-long-life",
486
+ "type": "file_path",
487
+ "value": "Any cert in trust chain or as host cert uses RSA <= 2048 AND validity period > 10 years (or signs long-retention data)",
488
+ "description": "Classical RSA cert with sensitivity horizon exceeding CRQC estimate.",
489
+ "confidence": "deterministic",
490
+ "deterministic": true
491
+ },
492
+ {
493
+ "id": "weak-mac-or-cipher",
494
+ "type": "log_pattern",
495
+ "value": "sshd MACs contain hmac-sha1, hmac-md5, or *-cbc, OR sshd Ciphers contain 3des-cbc / aes*-cbc / arcfour*",
496
+ "description": "Weak symmetric or MAC algorithms accepted by sshd.",
497
+ "confidence": "deterministic",
498
+ "deterministic": true
499
+ },
500
+ {
501
+ "id": "no-crypto-inventory",
502
+ "type": "behavioral_signal",
503
+ "value": "No /etc/crypto-inventory, no centralized PQC migration tracker, no per-asset cryptography mapping",
504
+ "description": "NIS2 Art.21(2)(h) requires cryptographic asset inventory. Absence is itself a finding.",
505
+ "confidence": "high",
506
+ "deterministic": false
507
+ }
508
+ ],
509
+ "false_positive_profile": [
510
+ {
511
+ "indicator_id": "ml-kem-absent",
512
+ "benign_pattern": "Host runs an OpenSSL 3.4 binary with oqsprovider installed and configured — ML-KEM available via provider but not in default list output.",
513
+ "distinguishing_test": "Re-run with -provider oqsprovider explicitly. If ML-KEM-768 appears, downgrade to medium and note 'provider-dependent PQC availability'."
514
+ },
515
+ {
516
+ "indicator_id": "sshd-no-pqc-kex",
517
+ "benign_pattern": "OpenSSH server intentionally restricted to a minimal KEX set by hardening policy (e.g. FIPS-only) — operator may have deliberately excluded sntrup761x25519 pending NIST FIPS approval of an OpenSSH PQC KEX combination.",
518
+ "distinguishing_test": "Check for a documented FIPS-only justification in the sshd config comments or org policy. If present, downgrade to medium and note 'FIPS-restricted, HNDL-accepted-risk' — still requires policy exception."
519
+ },
520
+ {
521
+ "indicator_id": "rsa-2048-cert-long-life",
522
+ "benign_pattern": "Cert is for a service with explicit short sensitivity-horizon (e.g. ephemeral CI artifact signing rotating monthly), validity is administrative not data-sensitivity.",
523
+ "distinguishing_test": "Cross-reference the cert's service against the data classification of what it protects. If service handles only ephemeral data with < 1-year retention, downgrade to low."
524
+ }
525
+ ],
526
+ "minimum_signal": {
527
+ "detected": "Any deterministic indicator fires AND the host serves or terminates TLS / SSH for production or sensitive data flows. Confirmed HNDL exposure: classical-only crypto + sensitivity horizon exceeding aggressive CRQC estimate (5-8 years).",
528
+ "inconclusive": "Crypto library version + KEX list captured but the corresponding TLS/SSH services not enumerated (e.g. firewall-restricted local access). Cannot map readiness gap to specific exposed services without further data.",
529
+ "not_detected": "ML-KEM-768 available in TLS library AND sshd accepts sntrup761x25519-sha512@openssh.com (or mlkem768x25519-sha256) AND all long-retention-sensitivity certs use hybrid (classical+PQC) signatures AND a cryptographic asset inventory exists with sunset dates for classical algorithms."
530
+ }
531
+ },
532
+ "analyze": {
533
+ "rwep_inputs": [
534
+ {
535
+ "signal_id": "ml-kem-absent",
536
+ "rwep_factor": "active_exploitation",
537
+ "weight": 25,
538
+ "notes": "HNDL is operational — state-level recording is documented. Active exploitation in the recording sense, not yet decryption sense."
539
+ },
540
+ {
541
+ "signal_id": "ml-kem-absent",
542
+ "rwep_factor": "blast_radius",
543
+ "weight": 25,
544
+ "notes": "Affects all TLS-protected flows; blast radius proportional to data sensitivity horizon."
545
+ },
546
+ {
547
+ "signal_id": "sshd-no-pqc-kex",
548
+ "rwep_factor": "blast_radius",
549
+ "weight": 20,
550
+ "notes": "SSH session keys = bastion + lateral movement creds + tunneled traffic."
551
+ },
552
+ {
553
+ "signal_id": "rsa-2048-cert-long-life",
554
+ "rwep_factor": "blast_radius",
555
+ "weight": 20,
556
+ "notes": "Certificate chain compromise on CRQC day collapses authentication for long-retention data."
557
+ },
558
+ {
559
+ "signal_id": "openssl-pre-3-5",
560
+ "rwep_factor": "patch_available",
561
+ "weight": -10,
562
+ "notes": "Upgrade path is available; patch_available reduces RWEP."
563
+ },
564
+ {
565
+ "signal_id": "ml-kem-absent",
566
+ "rwep_factor": "ai_weaponization",
567
+ "weight": 5,
568
+ "notes": "AI-accelerated cryptanalysis tooling exists (CRQC simulation), making the CRQC timeline less speculative."
569
+ }
570
+ ],
571
+ "blast_radius_model": {
572
+ "scope_question": "If an adversary records this host's TLS/SSH traffic today and decrypts it on the CRQC day (mid-2030s), what scope of compromise is the host realistically delivering?",
573
+ "scoring_rubric": [
574
+ {
575
+ "condition": "host handles only ephemeral data with < 1-year sensitivity horizon (e.g. transient CI worker, dev sandbox)",
576
+ "blast_radius_score": 1,
577
+ "description": "Data is stale by CRQC day; recorded handshake yields nothing valuable."
578
+ },
579
+ {
580
+ "condition": "host handles internal corporate data, 1-3 year sensitivity horizon",
581
+ "blast_radius_score": 2,
582
+ "description": "Some recorded data valuable on CRQC day; embarrassment + competitive cost."
583
+ },
584
+ {
585
+ "condition": "host handles personal data (GDPR / HIPAA / PCI), 3-10 year retention",
586
+ "blast_radius_score": 3,
587
+ "description": "Recorded PII / PHI / cardholder data decryptable on CRQC day → notification obligations on a delayed clock that the framework does not yet contemplate."
588
+ },
589
+ {
590
+ "condition": "host handles financial transaction logs, long-retention healthcare records, IP/trade secrets, 10-25 year sensitivity",
591
+ "blast_radius_score": 4,
592
+ "description": "Massive long-tail decryption event; significant material loss + regulatory action."
593
+ },
594
+ {
595
+ "condition": "host handles classified, state-sensitive, biometric template, or generational sensitivity data (25+ year horizon)",
596
+ "blast_radius_score": 5,
597
+ "description": "Strategic compromise on CRQC day; loss is irreversible and category-defining."
598
+ }
599
+ ]
600
+ },
601
+ "compliance_theater_check": {
602
+ "claim": "Strong cryptography is in use per NIST 800-53 SC-8/SC-13, ISO 27001:2022 A.8.24/A.8.25, PCI DSS 4.0 §3.6/§4.2.1, NIS2 Art.21(2)(h), DORA Art.9 — cryptographic controls are operating effectively.",
603
+ "audit_evidence": "TLS 1.3 deployment evidence, FIPS 140-3 validated module deployment, cryptographic policy document, certificate inventory, key-rotation logs.",
604
+ "reality_test": "Run: openssl list -kem-algorithms AND openssl s_client -groups X25519MLKEM768 -connect <production_tls_endpoint>:443 AND sshd -T | grep -i kexalg AND for each cert in trust chain with > 10y data-sensitivity-horizon: openssl x509 -in <cert> -text -noout | grep 'Signature Algorithm'. Theater if (a) ML-KEM-768 not available, OR (b) hybrid group not negotiated, OR (c) sshd lacks sntrup761x25519/mlkem768x25519, OR (d) any long-retention cert uses RSA-only or ECDSA-only signature. Each failure constitutes a recordable handshake or signature classical-vulnerable to CRQC adversary.",
605
+ "theater_verdict_if_gap": "Org demonstrates audit-clean cryptographic posture that is fully HNDL-vulnerable today. Either (a) upgrade to OpenSSL 3.5+ (or install oqsprovider on 3.x) and enable hybrid X25519+ML-KEM-768 as default group, (b) re-issue long-retention certs with hybrid signatures, (c) update sshd_config KexAlgorithms to prefer sntrup761x25519-sha512 / mlkem768x25519-sha256, (d) establish per-asset cryptographic inventory with sunset dates, OR (e) generate a defensible policy exception via policy-exception-gen documenting the HNDL acceptance + crypto-agility roadmap + compensating controls."
606
+ },
607
+ "framework_gap_mapping": [
608
+ {
609
+ "finding_id": "pqc-exposure-detected",
610
+ "framework": "nist-800-53",
611
+ "claimed_control": "SC-13 — Cryptographic Protection",
612
+ "actual_gap": "Cites FIPS-validated modules. FIPS 140-3 validation lists specific algorithm modes; modules validated only for AES/RSA/ECDSA pass SC-13 and are HNDL-vulnerable.",
613
+ "required_control": "Add an SC-13(N) variant requiring algorithm-currency: any data with sensitivity horizon > aggressive-CRQC-estimate (5y) must be protected by FIPS 203/204/205 hybrid algorithms before re-attestation."
614
+ },
615
+ {
616
+ "finding_id": "pqc-exposure-detected",
617
+ "framework": "nist-800-53",
618
+ "claimed_control": "SC-8 — Transmission Confidentiality and Integrity",
619
+ "actual_gap": "Does not specify against what threat model. Permits classical-only TLS.",
620
+ "required_control": "Add an SC-8(N) variant explicitly requiring hybrid KEX for production TLS terminations protecting data with > 5y sensitivity horizon."
621
+ },
622
+ {
623
+ "finding_id": "pqc-exposure-detected",
624
+ "framework": "iso-27001-2022",
625
+ "claimed_control": "A.8.24 — Use of cryptography",
626
+ "actual_gap": "Published 2022 before PQC finalization. Names no algorithms, no sunset dates.",
627
+ "required_control": "Amendment requiring (a) per-asset cryptographic inventory, (b) sunset dates for classical algorithms tied to data sensitivity horizon, (c) hybrid PQC default for new deployments."
628
+ },
629
+ {
630
+ "finding_id": "pqc-exposure-detected",
631
+ "framework": "pci-dss-4",
632
+ "claimed_control": "§3.6 / §4.2.1 — Strong cryptography",
633
+ "actual_gap": "'Strong cryptography' defined with classical minimums. No PQC obligation for long-retention cardholder data.",
634
+ "required_control": "Update 'strong cryptography' definition to include FIPS 203/204/205 hybrid mandatory for cardholder data with retention > 5 years."
635
+ },
636
+ {
637
+ "finding_id": "pqc-exposure-detected",
638
+ "framework": "nis2",
639
+ "claimed_control": "Art.21(2)(h) — Use of cryptography",
640
+ "actual_gap": "Names cryptography as essential measure without algorithmic specifics.",
641
+ "required_control": "Implementing acts to bind 'appropriate cryptography' to NIST PQC standards for essential entities with long-retention sensitive data."
642
+ },
643
+ {
644
+ "finding_id": "pqc-exposure-detected",
645
+ "framework": "dora",
646
+ "claimed_control": "Art.9 — ICT systems, protocols and tools",
647
+ "actual_gap": "Cryptographic-resilience language inherits NIS2 gap.",
648
+ "required_control": "RTS/ITS requiring financial-entity cryptographic inventory with PQC migration timeline. Financial records sensitivity horizon = max(regulatory retention, customer lifetime); both exceed CRQC."
649
+ },
650
+ {
651
+ "finding_id": "pqc-exposure-detected",
652
+ "framework": "eu-cra",
653
+ "claimed_control": "Annex I — Essential cybersecurity requirements",
654
+ "actual_gap": "'State-of-the-art' cryptography is interpretive.",
655
+ "required_control": "Implementing acts binding 'state-of-the-art' to NIST PQC for products with > 5-year operational life."
656
+ }
657
+ ],
658
+ "escalation_criteria": [
659
+ {
660
+ "condition": "blast_radius_score >= 4 AND ml-kem-absent == true",
661
+ "action": "raise_severity"
662
+ },
663
+ {
664
+ "condition": "rwep >= 75 AND data_sensitivity_horizon_years >= 10",
665
+ "action": "page_on_call"
666
+ },
667
+ {
668
+ "condition": "blast_radius_score >= 4",
669
+ "action": "trigger_playbook",
670
+ "target_playbook": "framework"
671
+ },
672
+ {
673
+ "condition": "compliance_theater_check.verdict == 'theater' AND jurisdiction_obligations contains 'EU'",
674
+ "action": "notify_legal"
675
+ }
676
+ ]
677
+ },
678
+ "validate": {
679
+ "remediation_paths": [
680
+ {
681
+ "id": "openssl-upgrade-to-3-5",
682
+ "description": "Upgrade OpenSSL to >= 3.5 (or install oqsprovider on 3.x). Enable ML-KEM-768 in default TLS groups.",
683
+ "preconditions": [
684
+ "distro_package_for_openssl_3_5_available == true OR oqsprovider_packageable == true",
685
+ "system_libssl_upgrade_safe == true"
686
+ ],
687
+ "priority": 1,
688
+ "compensating_controls": [
689
+ "pin classical-only group fallback for legacy peers via per-service override"
690
+ ],
691
+ "estimated_time_hours": 3
692
+ },
693
+ {
694
+ "id": "enable-hybrid-tls-groups",
695
+ "description": "Configure each TLS-serving process to prefer X25519MLKEM768 (or X25519Kyber768Draft00 if oqsprovider). Set ssl_ecdh_curve nginx / SSLOpenSSLConfCmd apache / ssl-default-bind-curves haproxy.",
696
+ "preconditions": [
697
+ "openssl_supports_ml_kem == true",
698
+ "ops_authorization_for_service_restart == true"
699
+ ],
700
+ "priority": 2,
701
+ "compensating_controls": [
702
+ "client_compat_canary_for_each_service",
703
+ "monitoring_for_negotiation_failures"
704
+ ],
705
+ "estimated_time_hours": 2
706
+ },
707
+ {
708
+ "id": "ssh-add-hybrid-kex",
709
+ "description": "Update sshd_config KexAlgorithms to prepend sntrup761x25519-sha512@openssh.com (and mlkem768x25519-sha256 on OpenSSH >= 9.6).",
710
+ "preconditions": [
711
+ "openssh_>=_9_0",
712
+ "operator_authorized_for_sshd_change == true"
713
+ ],
714
+ "priority": 3,
715
+ "compensating_controls": [
716
+ "bastion_session_recording_for_legacy_kex_fallback",
717
+ "monitoring_for_kex_negotiation_downgrades"
718
+ ],
719
+ "estimated_time_hours": 1
720
+ },
721
+ {
722
+ "id": "reissue-long-life-certs-hybrid",
723
+ "description": "For every cert with > 10-year data-sensitivity horizon: re-issue with hybrid signature (ML-DSA or SLH-DSA + ECDSA) using publicly-trusted CA hybrid root or internal CA with hybrid cross-signing.",
724
+ "preconditions": [
725
+ "ca_supports_hybrid_signatures == true OR internal_ca_can_be_extended == true"
726
+ ],
727
+ "priority": 4,
728
+ "compensating_controls": [
729
+ "legacy_chain_for_pre-PQC_client_compat",
730
+ "transparency_log_entries_for_hybrid_certs"
731
+ ],
732
+ "estimated_time_hours": 16
733
+ },
734
+ {
735
+ "id": "establish-crypto-inventory",
736
+ "description": "Build a per-asset cryptographic inventory with sensitivity horizon, current algorithm, PQC migration target, sunset date. Satisfies NIS2 Art.21(2)(h) maintenance obligation.",
737
+ "preconditions": [
738
+ "asset_inventory_baseline_exists == true"
739
+ ],
740
+ "priority": 5,
741
+ "compensating_controls": [],
742
+ "estimated_time_hours": 40
743
+ },
744
+ {
745
+ "id": "policy-exception",
746
+ "description": "If a specific asset cannot reach hybrid PQC in this cycle (legacy hardware, embedded HSM without PQC firmware, vendor SaaS): generate auditor-ready policy exception with crypto-agility roadmap.",
747
+ "preconditions": [
748
+ "remediation_paths[1..5] blocked for the specific asset",
749
+ "ciso_acceptance_obtainable == true"
750
+ ],
751
+ "priority": 6,
752
+ "compensating_controls": [
753
+ "network_segmentation_to_limit_handshake_exposure",
754
+ "vpn_pqc_tunnel_overlay",
755
+ "shortened_retention_for_classical-protected_data"
756
+ ],
757
+ "estimated_time_hours": 8
758
+ }
759
+ ],
760
+ "validation_tests": [
761
+ {
762
+ "id": "ml-kem-in-list",
763
+ "test": "Run `openssl list -kem-algorithms` post-remediation. Confirm ML-KEM-768 (or 512/1024) is present.",
764
+ "expected_result": "ML-KEM-768 appears in -kem-algorithms output.",
765
+ "test_type": "functional"
766
+ },
767
+ {
768
+ "id": "hybrid-tls-negotiation",
769
+ "test": "Run `openssl s_client -connect <service>:443 -tls1_3 -groups X25519MLKEM768` against each TLS-serving service. Confirm hybrid group is negotiated.",
770
+ "expected_result": "Connected; negotiated group = X25519MLKEM768 (or org-equivalent hybrid).",
771
+ "test_type": "functional"
772
+ },
773
+ {
774
+ "id": "ssh-pqc-kex-negotiation",
775
+ "test": "Run `ssh -vv -o KexAlgorithms=sntrup761x25519-sha512@openssh.com localhost true` (or against bastion). Confirm negotiated KEX is the hybrid PQC value.",
776
+ "expected_result": "Debug output shows kex: algorithm: sntrup761x25519-sha512@openssh.com (or mlkem768x25519-sha256).",
777
+ "test_type": "functional"
778
+ },
779
+ {
780
+ "id": "classical-only-negotiation-negative",
781
+ "test": "Re-run `openssl s_client -groups X25519` (classical only). Confirm service still accepts classical for backward compatibility, but the default group is hybrid.",
782
+ "expected_result": "Negotiation succeeds; classical group accepted for compat but server-preferred order has hybrid first. Documented in service config.",
783
+ "test_type": "regression"
784
+ },
785
+ {
786
+ "id": "cert-algorithm-audit",
787
+ "test": "For each cert protecting long-retention data: `openssl x509 -in <cert> -noout -text | grep -E 'Signature Algorithm|Public Key Algorithm'`. Confirm hybrid signature or ML-DSA/SLH-DSA.",
788
+ "expected_result": "Long-retention certs report hybrid or PQC signature algorithm.",
789
+ "test_type": "functional"
790
+ },
791
+ {
792
+ "id": "inventory-completeness",
793
+ "test": "Open the cryptographic asset inventory. For each asset, confirm fields: current_algorithm, sensitivity_horizon, pqc_migration_target, classical_sunset_date are populated.",
794
+ "expected_result": "100% field completion for assets in scope.",
795
+ "test_type": "functional"
796
+ }
797
+ ],
798
+ "residual_risk_statement": {
799
+ "risk": "Even with hybrid PQC enabled, legacy peers may downgrade to classical groups during compatibility windows; certain assets (vendor SaaS, embedded HSM, legacy protocols) may not be migratable in this cycle and remain HNDL-recordable.",
800
+ "why_remains": "PQC migration is multi-year. Hybrid KEX is the only configuration where the encrypted material is safe against the CRQC adversary; classical-fallback paths preserve interop but reopen the recording window. Some assets have no PQC migration path until vendor firmware lands. Crypto-agility (the ability to swap algorithms without re-architecting) is an org-wide investment, not a single fix.",
801
+ "acceptance_level": "ciso",
802
+ "compensating_controls_in_place": [
803
+ "network_segmentation_for_classical-only_assets",
804
+ "shortened_retention_where_feasible",
805
+ "transparency_monitoring_of_handshake_negotiation_for_downgrade_detection",
806
+ "annual_crypto-agility_program_review"
807
+ ]
808
+ },
809
+ "evidence_requirements": [
810
+ {
811
+ "evidence_type": "scan_report",
812
+ "description": "TLS handshake test results showing hybrid group negotiated on each production TLS endpoint; sshd KEX negotiation showing PQC hybrid; openssl list -kem-algorithms output.",
813
+ "retention_period": "7_years",
814
+ "framework_satisfied": [
815
+ "nist-800-53-SC-8",
816
+ "nist-800-53-SC-13",
817
+ "iso-27001-2022-A.8.24",
818
+ "pci-dss-4-4.2.1",
819
+ "nis2-art21-2h",
820
+ "dora-art9"
821
+ ]
822
+ },
823
+ {
824
+ "evidence_type": "config_diff",
825
+ "description": "Before/after diffs of openssl.cnf, sshd_config, nginx/apache/haproxy ssl config showing hybrid group preference, plus change-management approval reference.",
826
+ "retention_period": "7_years",
827
+ "framework_satisfied": [
828
+ "nist-800-53-CM-3",
829
+ "iso-27001-2022-A.8.32"
830
+ ]
831
+ },
832
+ {
833
+ "evidence_type": "attestation",
834
+ "description": "Cryptographic asset inventory snapshot (signed) showing per-asset current algorithm, sensitivity horizon, PQC migration target, classical sunset date.",
835
+ "retention_period": "7_years",
836
+ "framework_satisfied": [
837
+ "nis2-art21-2h",
838
+ "dora-art9",
839
+ "iso-27001-2022-A.8.24",
840
+ "us-omb-m-23-02"
841
+ ]
842
+ },
843
+ {
844
+ "evidence_type": "scan_report",
845
+ "description": "Certificate-store audit report identifying long-retention certs and their signature algorithms before and after hybrid re-issuance.",
846
+ "retention_period": "audit_cycle",
847
+ "framework_satisfied": [
848
+ "nist-800-53-SC-12",
849
+ "iso-27001-2022-A.8.24"
850
+ ]
851
+ }
852
+ ],
853
+ "regression_trigger": [
854
+ {
855
+ "condition": "new_openssh_release == true",
856
+ "interval": "on_event"
857
+ },
858
+ {
859
+ "condition": "new_openssl_release == true",
860
+ "interval": "on_event"
861
+ },
862
+ {
863
+ "condition": "FIPS_203_or_204_or_205_amendment",
864
+ "interval": "on_event"
865
+ },
866
+ {
867
+ "condition": "new_NIST_PQC_standard_published",
868
+ "interval": "on_event"
869
+ },
870
+ {
871
+ "condition": "quarterly",
872
+ "interval": "90d"
873
+ }
874
+ ]
875
+ },
876
+ "close": {
877
+ "evidence_package": {
878
+ "bundle_format": "csaf-2.0",
879
+ "contents": [
880
+ "scan_report",
881
+ "config_diff",
882
+ "attestation",
883
+ "framework_gap_mapping",
884
+ "compliance_theater_verdict",
885
+ "residual_risk_statement"
886
+ ],
887
+ "destination": "local_only",
888
+ "signed": true
889
+ },
890
+ "learning_loop": {
891
+ "enabled": true,
892
+ "lesson_template": {
893
+ "attack_vector": "Harvest-now-decrypt-later: state-level adversary records classical-encrypted traffic today (TLS handshake, SSH session, signed cert), decrypts on CRQC day in mid-2030s, recovering long-retention sensitive data.",
894
+ "control_gap": "Frameworks define 'strong cryptography' against classical threat model. SC-8/SC-13, A.8.24, §3.6, Art.21(2)(h), Art.9 all permit classical-only posture as compliant. FIPS validation is a module-level attestation that confirms classical algorithms are correctly implemented; it does not surface algorithmic obsolescence.",
895
+ "framework_gap": "NIST 800-53 has not amended SC-8/SC-13 with PQC sub-controls despite FIPS 203/204/205 finalization in 2024-08. ISO 27001:2022 (pre-PQC) has no PQC language and no scheduled amendment. PCI Council and EU regulators publicly aware but have not amended binding controls. Lag = ~180 days behind PQC operational readiness and 4-8+ years behind the CRQC horizon.",
896
+ "new_control_requirement": "Add a 'cryptographic algorithm currency' sub-control across SC-8, SC-13, A.8.24, §3.6, §4.2.1, Art.21(2)(h), Art.9 requiring: (a) per-asset cryptographic inventory with sensitivity horizon, (b) hybrid PQC mandatory for new deployments protecting data with horizon > 5 years, (c) algorithm sunset dates documented per asset, (d) crypto-agility built into design (algorithm swap without re-architecting), (e) annual review against current NIST PQC publication state."
897
+ },
898
+ "feeds_back_to_skills": [
899
+ "pqc-first",
900
+ "framework-gap-analysis",
901
+ "compliance-theater",
902
+ "global-grc",
903
+ "zeroday-gap-learn"
904
+ ]
905
+ },
906
+ "notification_actions": [
907
+ {
908
+ "obligation_ref": "EU/NIS2 Art.21(2)(h) 720h",
909
+ "deadline": "computed_at_runtime",
910
+ "recipient": "internal_legal",
911
+ "evidence_attached": [
912
+ "cryptographic_asset_inventory",
913
+ "pqc_migration_plan",
914
+ "algorithm_sunset_tracking"
915
+ ],
916
+ "draft_notification": "NIS2 Art.21(2)(h) cryptographic inventory submission: ${entity_name} maintains a cryptographic asset inventory dated ${inventory_date}. PQC migration plan with timelines and per-asset sunset dates is attached. Current state: ${total_assets} cryptographic assets inventoried; ${hybrid_pqc_count} hybrid PQC enabled; ${classical_only_count} classical-only with documented sunset dates. Re-attestation cadence: ${cadence}."
917
+ },
918
+ {
919
+ "obligation_ref": "EU/DORA Art.9 720h",
920
+ "deadline": "computed_at_runtime",
921
+ "recipient": "internal_legal",
922
+ "evidence_attached": [
923
+ "cryptographic_resilience_assessment",
924
+ "key_management_attestation",
925
+ "pqc_readiness_status"
926
+ ],
927
+ "draft_notification": "DORA Art.9 cryptographic resilience submission: ${entity_name} (financial entity) attests cryptographic resilience per Art.9. PQC readiness: ${pqc_readiness_summary}. Key management: ${km_summary}. HNDL exposure: ${hndl_exposure_summary}; remediation ETA: ${remediation_eta}."
928
+ },
929
+ {
930
+ "obligation_ref": "EU/NIS2 Art.23 24h",
931
+ "deadline": "computed_at_runtime",
932
+ "recipient": "internal_legal",
933
+ "evidence_attached": [
934
+ "confirmed_hndl_exposure",
935
+ "affected_data_sensitivity_horizon",
936
+ "interim_mitigation_record"
937
+ ],
938
+ "draft_notification": "NIS2 Art.23 24-hour early warning (where applicable): Confirmed HNDL exposure detected on ${affected_systems}. Data sensitivity horizon: ${horizon_years} years. Interim mitigation: ${mitigation_status}. Note: HNDL is a delayed-decryption threat; the breach realisation event is CRQC, not detection. This notification is precautionary."
939
+ },
940
+ {
941
+ "obligation_ref": "US/OMB M-23-02 8760h",
942
+ "deadline": "computed_at_runtime",
943
+ "recipient": "internal_legal",
944
+ "evidence_attached": [
945
+ "federal_pqc_inventory",
946
+ "annual_migration_progress_report"
947
+ ],
948
+ "draft_notification": "OMB M-23-02 annual PQC migration inventory: ${federal_entity} reports ${total_assets} cryptographic assets inventoried, ${hybrid_pqc_count} migrated to PQC, ${migration_eta_summary}. Per CNSA 2.0 binding deadline of 2030, current trajectory: ${on_track_or_off_track}."
949
+ },
950
+ {
951
+ "obligation_ref": "AU/APRA CPS 234 72h",
952
+ "deadline": "computed_at_runtime",
953
+ "recipient": "regulator_email",
954
+ "evidence_attached": [
955
+ "materiality_assessment",
956
+ "remediation_completed_evidence"
957
+ ],
958
+ "draft_notification": "APRA CPS 234 notification (where remediation deemed material): cryptographic exposure remediation completed for ${affected_systems}. Materiality determination: ${materiality_justification}. Remediation summary: ${remediation_summary}."
959
+ }
960
+ ],
961
+ "exception_generation": {
962
+ "trigger_condition": "remediation_blocked == true OR vendor_patch_pending == true OR architectural_impossibility == true",
963
+ "exception_template": {
964
+ "scope": "Asset(s) ${asset_list} cannot reach hybrid PQC posture within this remediation cycle. Blocking factors: ${blocking_factors} (e.g. legacy HSM firmware lacking PQC, vendor SaaS without PQC support, embedded device firmware end-of-life).",
965
+ "duration": "until_vendor_patch",
966
+ "compensating_controls": [
967
+ "network_segmentation_isolating_classical-only_handshake_from_long-retention_data_flows",
968
+ "vpn_pqc_tunnel_overlay_for_traffic_to/from_affected_assets",
969
+ "shortened_retention_policy_for_data_protected_only_by_classical_crypto",
970
+ "transparency_monitoring_of_handshake_negotiation_alerting_on_downgrade",
971
+ "annual_crypto-agility_review",
972
+ "vendor_pqc_roadmap_tracking"
973
+ ],
974
+ "risk_acceptance_owner": "ciso",
975
+ "auditor_ready_language": "Pursuant to ${framework_id} ${control_id} (Cryptographic Protection / Use of Cryptography / Cryptographic Resilience), the organization documents a time-bound risk acceptance for asset(s) ${asset_list} that cannot reach hybrid post-quantum cryptography posture within the current remediation cycle. The accepted risk class is harvest-now-decrypt-later (HNDL): adversaries with traffic-recording capability today may decrypt recorded handshakes on the cryptographically-relevant quantum computer (CRQC) date, currently estimated at 2030-2035 per aggressive academic cryptanalysis and 2035-2040 per conservative industry assessment. The organization accepts that current framework controls (NIST 800-53 SC-8/SC-13, ISO 27001:2022 A.8.24/A.8.25, PCI DSS 4.0 §3.6/§4.2.1, NIS2 Art.21(2)(h), DORA Art.9, EU CRA Annex I) define 'strong cryptography' against a classical threat model and do not require PQC, that this gap is documented in ${exceptd_framework_gap_mapping_ref}, and that the organization's compensating controls during the exception window are: ${compensating_controls}. Crypto-agility roadmap: ${crypto_agility_roadmap}. Risk accepted by ${ciso_name} on ${acceptance_date}. Time-bound until ${duration_expiry} (vendor PQC firmware publication, sensitivity-horizon expiry of protected data, OR ${default_180d_expiry}, whichever is first). Re-evaluation triggers: vendor publishes PQC support, NIST issues PQC amendment to 800-53, new CRQC estimate published in peer-reviewed cryptanalysis literature, OR scheduled expiry."
976
+ }
977
+ },
978
+ "regression_schedule": {
979
+ "next_run": "computed_at_runtime",
980
+ "trigger": "both",
981
+ "notify_on_skip": true
982
+ }
983
+ }
984
+ },
985
+ "directives": [
986
+ {
987
+ "id": "all-crypto-pqc-readiness",
988
+ "title": "Full PQC readiness audit across TLS libraries, SSH, certificate store, and cryptographic policy",
989
+ "applies_to": {
990
+ "always": true
991
+ }
992
+ },
993
+ {
994
+ "id": "hndl-active-recording-investigation",
995
+ "title": "HNDL active-recording threat investigation (T1040 / T1557)",
996
+ "applies_to": {
997
+ "attack_technique": "T1040"
998
+ }
999
+ },
1000
+ {
1001
+ "id": "tls-encrypted-channel-pqc",
1002
+ "title": "T1573 — Encrypted Channel readiness against CRQC adversary",
1003
+ "applies_to": {
1004
+ "attack_technique": "T1573"
1005
+ }
1006
+ }
1007
+ ]
1008
+ }