@connexum/ai-governance 1.0.0-beta.11

package/dist/packs/nis2.js

@@ -0,0 +1,425 @@
+"use strict";
+/**
+ * EU NIS2 Directive Compliance Pack
+ *
+ * Regulation: Directive (EU) 2022/2555 of the European Parliament and of the
+ *             Council of 14 December 2022 on measures for a high common level
+ *             of cybersecurity across the Union (NIS2 Directive)
+ *
+ * Jurisdiction: EU (European Union -- all member states)
+ * Regulators: National competent authorities per Art. 8 (e.g., BSI in Germany,
+ *             ANSSI in France, NCSC in Netherlands, ENISA as EU-level body);
+ *             CSIRT network per Art. 11; cooperation group per Art. 14
+ *
+ * Effective dates:
+ *   - 17 January 2023: entry into force
+ *   - 17 October 2024: member state transposition deadline (Articles 41)
+ *   - Note: Member state transposition quality varies; verify local law in
+ *     each target jurisdiction before relying on national implementation.
+ *
+ * Scope -- Entity classification:
+ *   ESSENTIAL ENTITIES (Annex I -- highest obligations):
+ *     Energy (electricity, oil, gas, hydrogen, district heating), Transport
+ *     (air, rail, water, road), Banking, Financial market infrastructure,
+ *     Health (hospitals, EU reference labs, R&D, pharma), Drinking water,
+ *     Wastewater, Digital infrastructure (IXPs, DNS, TLDs, cloud, data
+ *     centres, CDNs, trust services, electronic comms), ICT service
+ *     management (B2B MSPs, MSSPs), Public administration (central/regional),
+ *     Space (ground-based infrastructure)
+ *
+ *   IMPORTANT ENTITIES (Annex II -- lower threshold, same 10 measures):
+ *     Postal and courier services, Waste management, Manufacture of critical
+ *     products (medical devices, computers/electronics, machinery, motor
+ *     vehicles, other transport), Food production/processing/distribution,
+ *     Digital providers (online marketplaces, search engines, social networks),
+ *     Research organisations
+ *
+ * Key obligations (Art. 21 -- all entities):
+ *   10 minimum cybersecurity risk-management measures:
+ *   1. Incident handling
+ *   2. Business continuity and crisis management (BCP)
+ *   3. Supply chain security (including ICT supply chain)
+ *   4. Network and information systems security
+ *   5. Vulnerability handling and disclosure
+ *   6. Basic cyber hygiene + cybersecurity training
+ *   7. Multi-factor authentication + access control
+ *   8. Cryptography / encryption
+ *   9. Human resources security
+ *   10. Asset management + appropriate physical security
+ *
+ * Incident reporting (Art. 23):
+ *   - Significant incident: early warning within 24 hours of becoming aware
+ *   - Formal notification within 72 hours
+ *   - Final report within 1 month (initial) / 3 months (for ongoing incidents)
+ *   - Significant incident defined: (a) caused or can cause severe operational
+ *     disruption or financial losses; or (b) affected or can affect other
+ *     natural or legal persons by causing considerable material or non-material
+ *     damages.
+ *
+ * Distinction from DORA:
+ *   DORA applies specifically to financial sector entities (credit institutions,
+ *   investment firms, insurance, payment institutions, etc.) and includes more
+ *   prescriptive requirements around ICT risk management and TLPT. NIS2 applies
+ *   broadly across critical sectors. For financial sector entities, DORA
+ *   satisfies NIS2 equivalence per Art. 1(2) NIS2. Both packs may be active
+ *   if the entity is in scope of both (e.g., a bank providing critical
+ *   infrastructure services).
+ *
+ * Penalties:
+ *   Essential entities: up to EUR 10M or 2% of global annual turnover (whichever higher)
+ *   Important entities: up to EUR 7M or 1.4% of global annual turnover (whichever higher)
+ *   Personal liability of management bodies for non-compliance (Art. 20)
+ *
+ * @connexum/ai-governance
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NIS2_PACK = exports.NIS2_CATEGORY_CLASSIFIERS = void 0;
+exports.NIS2_CATEGORY_CLASSIFIERS = {
+    ESSENTIAL_ENTITY_DATA: {
+        references: ['NIS2 Art. 3 -- essential entities; Annex I -- sectors of essential entities; Art. 21 -- security requirements'],
+        classifier: (input) => {
+            if (/\b(?:essential\s+entity|nis2\s+essential|annex\s+i\s+entity|critical\s+infrastructure\s+eu)\b/i.test(input))
+                return true;
+            if (/\b(?:energy\s+grid\s+data|hospital\s+network\s+data|banking\s+infrastructure|financial\s+market\s+infrastructure|dns\s+operator|isp\s+infrastructure)\b/i.test(input))
+                return true;
+            if (/\b(?:nis2\s+critical\s+sector|public\s+administration\s+cybersecurity|space\s+infrastructure\s+nis2)\b/i.test(input))
+                return true;
+            return false;
+        },
+    },
+    IMPORTANT_ENTITY_DATA: {
+        references: ['NIS2 Art. 3 -- important entities; Annex II -- sectors of important entities'],
+        classifier: (input) => {
+            if (/\b(?:important\s+entity|nis2\s+important|annex\s+ii\s+entity|nis2\s+digital\s+provider)\b/i.test(input))
+                return true;
+            if (/\b(?:online\s+marketplace\s+nis2|search\s+engine\s+nis2|social\s+network\s+nis2|food\s+sector\s+nis2)\b/i.test(input))
+                return true;
+            if (/\b(?:waste\s+management\s+nis2|postal\s+nis2|manufacturing\s+nis2)\b/i.test(input))
+                return true;
+            return false;
+        },
+    },
+    SUPPLY_CHAIN_CYBERSECURITY_RECORD: {
+        references: ['NIS2 Art. 21(2)(d) -- supply chain security; Art. 21(2)(j) -- supply chain security policies'],
+        classifier: (input) => {
+            if (/\b(?:supply\s+chain\s+security\s+nis2|ict\s+supply\s+chain|vendor\s+cybersecurity\s+assessment\s+nis2|third.party\s+cybersecurity\s+nis2)\b/i.test(input))
+                return true;
+            if (/\b(?:nis2\s+supply\s+chain\s+risk|software\s+supply\s+chain\s+nis2|managed\s+service\s+provider\s+nis2|msp\s+security\s+nis2)\b/i.test(input))
+                return true;
+            return false;
+        },
+    },
+    INCIDENT_NOTIFICATION_RECORD: {
+        references: ['NIS2 Art. 23 -- incident notification; 24-hour early warning; 72-hour formal notification; 1-month final report'],
+        classifier: (input) => {
+            if (/\b(?:nis2\s+incident|significant\s+incident\s+nis2|nis2\s+notification|csirt\s+notification|national\s+authority\s+notification\s+nis2)\b/i.test(input))
+                return true;
+            if (/\b(?:24.hour\s+early\s+warning\s+nis2|72.hour\s+nis2|nis2\s+final\s+report|operational\s+disruption\s+nis2)\b/i.test(input))
+                return true;
+            return false;
+        },
+    },
+    VULNERABILITY_DISCLOSURE_RECORD: {
+        references: ['NIS2 Art. 12 -- coordinated vulnerability disclosure; Art. 21(2)(e) -- vulnerability handling; Art. 25 -- ENISA vulnerability database'],
+        classifier: (input) => {
+            if (/\b(?:vulnerability\s+disclosure\s+nis2|coordinated\s+vulnerability|cvd\s+nis2|enisa\s+vulnerability|vulnerability\s+report\s+nis2)\b/i.test(input))
+                return true;
+            if (/\b(?:security\s+patch\s+record|vulnerability\s+management\s+nis2|zero.day\s+nis2|cve\s+nis2\s+report)\b/i.test(input))
+                return true;
+            return false;
+        },
+    },
+    PII: {
+        references: ['GDPR Art. 4(1) -- personal data; NIS2 Art. 34 -- processing of personal data under NIS2'],
+        classifier: (input) => {
+            if (/\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/.test(input))
+                return true;
+            if (/\b\d{3}-\d{2}-\d{4}\b/.test(input))
+                return true;
+            if (/\b(?:contact\s+person\s+nis2|management\s+body\s+member\s+data|ciso\s+personal\s+data|incident\s+reporter\s+pii)\b/i.test(input))
+                return true;
+            return false;
+        },
+    },
+    CREDENTIALS: {
+        references: ['NIS2 Art. 21(2)(g) -- multi-factor authentication; Art. 21(2)(h) -- encryption; secure communications requirements'],
+        classifier: (input) => {
+            if (/\b(?:api[_-]?key|apikey)\s*[=:]\s*["']?[A-Za-z0-9_\-\/+]{16,}["']?/i.test(input))
+                return true;
+            if (/\bpassword\s*[=:]\s*["']?[A-Za-z0-9!@#$%^&*_\-]{8,}["']?/i.test(input))
+                return true;
+            if (/\bAKIA[A-Z0-9]{16}\b/.test(input))
+                return true;
+            if (/-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/.test(input))
+                return true;
+            return false;
+        },
+    },
+};
+exports.NIS2_PACK = {
+    categoryClassifiers: exports.NIS2_CATEGORY_CLASSIFIERS,
+    id: 'nis2',
+    name: 'EU NIS2 Directive (Directive 2022/2555)',
+    version: '1.0.0',
+    description: 'EU Directive 2022/2555 (NIS2) -- a high common level of cybersecurity across the EU. In force 17 January 2023; member state transposition deadline 17 October 2024. Covers Essential Entities (Annex I: energy, transport, banking, financial market infrastructure, healthcare, water, digital infrastructure, ICT service management, public administration, space) and Important Entities (Annex II: postal, waste, manufacturing, food, digital providers, research). Mandates 10 minimum cybersecurity risk-management measures (Art. 21) including MFA, encryption, supply chain security, BCP, vulnerability handling, and board cyber training. Incident reporting: 24-hour early warning + 72-hour formal notification + 1-month final report to national CSIRT. Distinct from DORA (financial sector; DORA satisfies NIS2 equivalence per Art. 1(2) NIS2). Penalties: up to EUR 10M / 2% global turnover for Essential Entities; EUR 7M / 1.4% for Important Entities.',
+    authority: 'National competent authorities + ENISA (EU Agency for Cybersecurity) + CSIRT network',
+    industries: ['energy', 'transport', 'banking', 'financial-services', 'healthcare', 'water-utilities', 'digital-infrastructure', 'telecommunications', 'managed-services', 'public-sector', 'manufacturing', 'food', 'logistics', 'technology'],
+    requiredModules: [
+        {
+            name: 'governance-runtime',
+            required: true,
+            reason: 'Entity classification gate (Essential / Important per Annexes I and II); 10 minimum security measures enforcement per Art. 21; management body accountability and training (Art. 20)',
+            reference: 'NIS2 Art. 3 -- entity classification; Art. 21 -- security requirements; Art. 20 -- management bodies accountability; Art. 21(2)(f) -- basic cyber hygiene',
+        },
+        {
+            name: 'data-classifier',
+            required: true,
+            reason: 'Classify essential entity data, important entity data, supply chain cybersecurity records, incident notification records, and vulnerability disclosure records for appropriate handling and reporting',
+            reference: 'NIS2 Art. 21(2) -- security requirements scope; Art. 23 -- incident notification data classification; Art. 12 -- vulnerability disclosure classification',
+        },
+        {
+            name: 'audit-integrity',
+            required: true,
+            reason: 'Tamper-evident audit trail for incident notification records, supply chain security assessments, vulnerability disclosures, and security measure compliance evidence; required for national competent authority audit',
+            reference: 'NIS2 Art. 23 -- incident record-keeping; Art. 21 -- security measures documentation; Art. 32 -- supervisory and enforcement measures; Art. 33 -- competent authority inspections',
+        },
+        {
+            name: 'agent-auth',
+            required: true,
+            reason: 'Multi-factor authentication enforcement per Art. 21(2)(g); access control for network and information systems; privileged access management; zero-trust architecture support',
+            reference: 'NIS2 Art. 21(2)(g) -- multi-factor or continuous authentication; Art. 21(2)(i) -- human resources security; Art. 21(2)(j) -- access control policies',
+        },
+        {
+            name: 'encryption-layer',
+            required: true,
+            reason: 'Encryption of network communications and data at rest per Art. 21(2)(h); encrypted communications for incident coordination with CSIRT; secure channel for vulnerability disclosure',
+            reference: 'NIS2 Art. 21(2)(h) -- encrypted communications; Art. 21(2)(g) -- secure voice/video/text communications; Art. 23(4) -- secure incident reporting channel',
+        },
+        {
+            name: 'approval-queue',
+            required: true,
+            reason: 'Board-level approval for significant incident classification before CSIRT notification; management body sign-off on cybersecurity risk management measures per Art. 20; board cyber training completion verification',
+            reference: 'NIS2 Art. 20 -- management body accountability; Art. 20(1) -- management bodies approve and oversee cybersecurity risk measures; Art. 20(2) -- management body cyber training',
+        },
+        {
+            name: 'attestation-manager',
+            required: true,
+            reason: 'Documentation of 10 minimum security measures per Art. 21; board cyber training records (annual); supply chain security assessment records; entity classification documentation; risk management records',
+            reference: 'NIS2 Art. 21 -- security measures documentation; Art. 20(2) -- annual board cyber training; Art. 21(2)(d) -- supply chain security assessments; Art. 32 -- competent authority evidence requirements',
+        },
+        {
+            name: 'event-bus',
+            required: true,
+            reason: 'Significant incident cascade reporting: 24-hour early warning + 72-hour formal notification + 1-month final report to CSIRT; vulnerability disclosure event coordination; crisis communication bus',
+            reference: 'NIS2 Art. 23(4)(a) -- 24-hour early warning; Art. 23(4)(b) -- 72-hour incident notification; Art. 23(4)(c) -- 1-month final report; Art. 23(1) -- notification to CSIRT or competent authority',
+        },
+        {
+            name: 'supply-chain',
+            required: true,
+            reason: 'ICT supply chain security assessment per Art. 21(2)(d); vendor cybersecurity due diligence; managed service provider accountability; Art. 22 coordinated security risk assessments of critical supply chains',
+            reference: 'NIS2 Art. 21(2)(d) -- supply chain security policy; Art. 21(2)(j) -- security in network acquisition; Art. 22 -- EU-level coordinated supply chain risk assessments (ENISA/cooperation group)',
+        },
+        {
+            name: 'session-persistence',
+            required: true,
+            reason: 'Incident records retained for at least 3 years per NIS2; risk management documentation retained while operating; vulnerability disclosure records continuity across sessions',
+            reference: 'NIS2 Art. 23 -- incident records retention; Art. 21 -- ongoing risk management records; NIS2 implementation guidance -- minimum 3-year incident record retention',
+        },
+        {
+            name: 'transparency-injector',
+            required: true,
+            reason: 'Incident notification transparency to CSIRT and national authorities; vulnerability disclosure transparency per Art. 12; public communication of significant incidents when required by national authority',
+            reference: 'NIS2 Art. 23 -- incident notification cascade; Art. 12 -- coordinated vulnerability disclosure; Art. 24(5) -- national authority may require public notification; Art. 23(6) -- CSIRT may share incident info',
+        },
+        {
+            name: 'anomaly-detector',
+            required: true,
+            reason: 'Continuous monitoring for significant incidents per Art. 21(2)(a); threat detection for early warning activation; anomaly detection for supply chain compromise; vulnerability pattern monitoring',
+            reference: 'NIS2 Art. 21(2)(a) -- incident handling; Art. 21(2)(e) -- vulnerability handling; Art. 21(2)(b) -- business continuity; Art. 23(1) -- awareness of significant incident trigger',
+        },
+    ],
+    moduleConfig: {
+        'governance-runtime': {
+            entityClassificationRequired: true, // Essential / Important per Annexes I and II
+            tenMinimumSecurityMeasuresEnforced: true,
+            managementBodyAccountabilityRequired: true,
+            boardCyberTrainingRequired: true,
+            mfaRequired: true,
+            aimsContextDefined: true,
+        },
+        'data-classifier': {
+            enabledCategories: ['ESSENTIAL_ENTITY_DATA', 'IMPORTANT_ENTITY_DATA', 'SUPPLY_CHAIN_CYBERSECURITY_RECORD', 'INCIDENT_NOTIFICATION_RECORD', 'VULNERABILITY_DISCLOSURE_RECORD', 'PII', 'CREDENTIALS'],
+            incidentNotificationRecordAction: 'WARN',
+            credentialsAction: 'BLOCK',
+        },
+        'agent-auth': {
+            mfaForPrivilegedAccess: true,
+            mfaForRemoteAccess: true,
+            advancedAuthenticationRequired: true,
+        },
+        'event-bus': {
+            nis2EarlyWarningHours: 24,
+            nis2FormalNotificationHours: 72,
+            nis2FinalReportDays: 30,
+            incidentCascadeReportingRequired: true,
+        },
+        'attestation-manager': {
+            nis2SecurityMeasuresDocumentationRequired: true,
+            boardCyberTrainingAnnualRequired: true,
+            supplyChainAssessmentRequired: true,
+        },
+        'supply-chain': {
+            ictSupplyChainSecurityRequired: true,
+            vendorCybersecurityDueDiligenceRequired: true,
+            registerOfInformationRequired: true,
+        },
+        'session-persistence': {
+            incidentRecordRetentionYears: 3,
+            riskManagementDocumentationRetentionRequired: true,
+        },
+        'anomaly-detector': {
+            threatIntelligenceActive: true,
+            robustnessMonitoringActive: true,
+        },
+    },
+    providerPolicy: {
+        blockedProviders: ['deepseek', 'baidu', 'alibaba'],
+        requiredCapabilities: ['DATA-RESIDENCY-EU', 'ISO27001-CERTIFIED', 'NIS2-COMPLIANT-SUPPLY-CHAIN'],
+        blockReasons: {
+            deepseek: 'PRC National Intelligence Law creates unacceptable supply chain cybersecurity risk under NIS2 Art. 21(2)(d) ICT supply chain security requirements; incompatible with EU data residency obligations for essential/important entity operational data.',
+            baidu: 'PRC jurisdiction. No EU adequacy decision. Transfer of essential/important entity operational data to PRC violates NIS2 supply chain security requirements (Art. 21(2)(d)) and GDPR Art. 44.',
+            alibaba: 'PRC jurisdiction. NIS2 Art. 21(2)(d) and Art. 22 EU coordinated supply chain risk assessments identify PRC-hosted services as elevated supply chain risk for critical infrastructure sectors.',
+        },
+    },
+    dataPolicy: {
+        scanCategories: ['ESSENTIAL_ENTITY_DATA', 'IMPORTANT_ENTITY_DATA', 'SUPPLY_CHAIN_CYBERSECURITY_RECORD', 'INCIDENT_NOTIFICATION_RECORD', 'VULNERABILITY_DISCLOSURE_RECORD', 'PII', 'CREDENTIALS'],
+        categoryActions: {
+            ESSENTIAL_ENTITY_DATA: 'WARN',
+            IMPORTANT_ENTITY_DATA: 'WARN',
+            SUPPLY_CHAIN_CYBERSECURITY_RECORD: 'WARN',
+            INCIDENT_NOTIFICATION_RECORD: 'WARN',
+            VULNERABILITY_DISCLOSURE_RECORD: 'WARN',
+            PII: 'WARN',
+            CREDENTIALS: 'BLOCK',
+        },
+        encryptionRequired: true,
+        encryptionStandard: 'AES-256-GCM',
+        minimumClassification: 'RESTRICTED',
+    },
+    retentionPolicy: {
+        // NIS2 implementation guidance: incident records minimum 3 years.
+        // Risk management documentation: indefinite while operating.
+        // Using 3-year minimum as auditLogRetentionDays floor; session records follow same schedule.
+        auditLogRetentionDays: 1095, // 3 years minimum (NIS2 incident record guidance)
+        sessionRetentionDays: 1095, // 3 years for operational risk management records
+        incidentRetentionDays: 1095, // 3 years for significant incident records and notification logs
+        reference: 'NIS2 Art. 23 -- incident records; NIS2 implementation guidance -- 3-year minimum retention for incident documentation; ENISA NIS2 Implementation Guide; GDPR Art. 5(1)(e) -- storage limitation for personal data in incident records',
+        forceDelete: false,
+        requiresLegalHoldSupport: true,
+        sovereignty: ['eu'], // EU data residency for essential/important entity operational data
+    },
+    incidentPolicy: {
+        // NIS2 Art. 23(4)(a): 24-hour early warning to CSIRT.
+        // NIS2 Art. 23(4)(b): 72-hour formal notification.
+        // NIS2 Art. 23(4)(c): 1-month final report.
+        // Pack uses 24-hour as the primary clock; 72-hour for formal notification.
+        notificationDeadlineHours: 24, // Art. 23(4)(a) early warning -- first mandatory deadline
+        reference: 'NIS2 Art. 23(4)(a) -- 24-hour early warning to CSIRT/competent authority; Art. 23(4)(b) -- 72-hour formal incident notification; Art. 23(4)(c) -- 1-month final report; Art. 23(1) -- notification obligation',
+        requiredRecipients: ['national-csirt', 'national-competent-authority', 'chief-information-security-officer', 'management-body'],
+        formalNotificationRequired: true,
+    },
+    validators: [
+        {
+            id: 'nis2-entity-classification',
+            description: 'Entity classification active: deployment classified as Essential (Annex I) or Important (Annex II) per NIS2 Art. 3; classification drives applicable obligations and penalties',
+            reference: 'NIS2 Art. 3 -- essential and important entities; Annex I -- essential entity sectors; Annex II -- important entity sectors; Art. 21 -- obligations apply equally to both tiers',
+            check: 'governance_active',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-incident-cascade-24h',
+            description: '24-hour early warning clock active; significant incident triggers immediate CSIRT notification within 24 hours of becoming aware; cascade reporting (24h / 72h / 1-month) wired',
+            reference: 'NIS2 Art. 23(4)(a) -- early warning within 24 hours; Art. 23(1) -- notification to CSIRT or competent authority; Art. 23(2) -- significant incident definition',
+            check: 'monitoring_active',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-incident-cascade-72h',
+            description: '72-hour formal incident notification clock active; formal notification to national CSIRT or competent authority within 72 hours; incident classification and impact assessment included',
+            reference: 'NIS2 Art. 23(4)(b) -- incident notification within 72 hours; Art. 23(4) -- content requirements for notification; Art. 23(5) -- competent authority may request intermediate report',
+            check: 'monitoring_active',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-mfa-enforcement',
+            description: 'Multi-factor authentication enforced for all privileged and remote access per Art. 21(2)(g); continuous authentication monitoring active',
+            reference: 'NIS2 Art. 21(2)(g) -- multi-factor authentication or continuous authentication solutions; Art. 21(2)(g) -- secure voice/video/text communications',
+            check: 'agent_auth_active',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-encryption',
+            description: 'Encryption of network communications and sensitive data at rest per Art. 21(2)(h); encrypted channel for CSIRT incident reporting',
+            reference: 'NIS2 Art. 21(2)(h) -- encrypted communications (end-to-end encryption where appropriate); Art. 23(4) -- secure incident reporting channel',
+            check: 'encryption_active',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-supply-chain-security',
+            description: 'ICT supply chain security assessment active; vendor cybersecurity due diligence enforced; managed service provider accountability documented per Art. 21(2)(d)',
+            reference: 'NIS2 Art. 21(2)(d) -- supply chain security including relationships between each entity and its direct suppliers; Art. 22 -- EU coordinated supply chain security risk assessments',
+            check: 'subservice_registry_active',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-ten-security-measures',
+            description: 'All 10 minimum cybersecurity risk-management measures implemented per Art. 21(2): incident handling, BCP, supply chain security, network security, vulnerability handling, cyber hygiene, MFA, encryption, HR security, asset management',
+            reference: 'NIS2 Art. 21(2)(a)-(j) -- 10 minimum security measures; Art. 21(1) -- proportionate technical and organisational measures; Art. 21(4) -- ENISA implementing guidance',
+            check: 'audit_trail_exists',
+            failSeverity: 'CRITICAL',
+        },
+        {
+            id: 'nis2-board-accountability',
+            description: 'Management body accountability active; board-level approval of cybersecurity measures documented; annual board cyber training records maintained',
+            reference: 'NIS2 Art. 20(1) -- management bodies approve and oversee cybersecurity risk measures; Art. 20(2) -- management body cyber training (annual); Art. 20(3) -- personal liability',
+            check: 'approval_queue_active',
+            failSeverity: 'HIGH',
+        },
+        {
+            id: 'nis2-vulnerability-handling',
+            description: 'Vulnerability handling and coordinated disclosure process active; ENISA vulnerability database reporting available; zero-day and CVE tracking active',
+            reference: 'NIS2 Art. 12 -- coordinated vulnerability disclosure; Art. 21(2)(e) -- vulnerability handling and disclosure; Art. 25 -- ENISA European vulnerability database',
+            check: 'post_market_monitoring',
+            failSeverity: 'HIGH',
+        },
+        {
+            id: 'nis2-data-classifier',
+            description: 'Essential/Important entity data, supply chain cybersecurity records, incident notification records, and vulnerability disclosures classified',
+            reference: 'NIS2 Art. 21(2) -- security measure scope; Art. 23 -- incident notification data; Art. 12 -- vulnerability disclosure',
+            check: 'data_classifier_active',
+            failSeverity: 'HIGH',
+        },
+        {
+            id: 'nis2-audit-trail',
+            description: 'Tamper-evident audit trail active for security measures compliance, incident notifications, supply chain assessments, and board training records; minimum 3-year retention',
+            reference: 'NIS2 Art. 23 -- incident records; Art. 21 -- security measure documentation; Art. 32 -- competent authority inspection; NIS2 implementation guidance -- 3-year minimum retention',
+            check: 'audit_trail_exists',
+            failSeverity: 'HIGH',
+        },
+        {
+            id: 'nis2-incident-final-report',
+            description: '1-month final incident report capability active; post-incident root cause analysis documented; corrective measures included in report',
+            reference: 'NIS2 Art. 23(4)(c) -- final report within 1 month; Art. 23(4)(c)(i)-(iv) -- content: description, severity, impact, root cause, corrective measures',
+            check: 'attestation_active',
+            failSeverity: 'HIGH',
+        },
+        {
+            id: 'nis2-incident-transparency',
+            description: 'Incident notification transparency to CSIRT and competent authority active; public notification capability when required; vulnerability disclosure channel active',
+            reference: 'NIS2 Art. 23 -- incident notification cascade; Art. 24(5) -- national authority may require public notification; Art. 23(6) -- CSIRT may share incident information',
+            check: 'transparency_active',
+            failSeverity: 'HIGH',
+        },
+    ],
+};
+//# sourceMappingURL=nis2.js.map

package/dist/packs/nis2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nis2.js","sourceRoot":"","sources":["../../src/packs/nis2.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;;;AAKU,QAAA,yBAAyB,GAAwB;IAC5D,qBAAqB,EAAE;QACrB,UAAU,EAAE,CAAC,+GAA+G,CAAC;QAC7H,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,gGAAgG,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC9H,IAAI,0JAA0J,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACxL,IAAI,yGAAyG,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACvI,OAAO,KAAK,CAAC;QACf,CAAC;KACF;IACD,qBAAqB,EAAE;QACrB,UAAU,EAAE,CAAC,8EAA8E,CAAC;QAC5F,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,4FAA4F,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC1H,IAAI,0GAA0G,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACxI,IAAI,uEAAuE,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrG,OAAO,KAAK,CAAC;QACf,CAAC;KACF;IACD,iCAAiC,EAAE;QACjC,UAAU,EAAE,CAAC,8FAA8F,CAAC;QAC5G,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,8IAA8I,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC5K,IAAI,kIAAkI,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAChK,OAAO,KAAK,CAAC;QACf,CAAC;KACF;IACD,4BAA4B,EAAE;QAC5B,UAAU,EAAE,CAAC,iHAAiH,CAAC;QAC/H,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,4IAA4I,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC1K,IAAI,gHAAgH,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC9I,OAAO,KAAK,CAAC;QACf,CAAC;KACF;IACD,+BAA+B,EAAE;QAC/B,UAAU,EAAE,CAAC,wIAAwI,CAAC;QACtJ,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,uIAAuI,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrK,IAAI,0GAA0G,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACxI,OAAO,KAAK,CAAC;QACf,CAAC;KACF;IACD,GAAG,EAAE;QACH,UAAU,EAAE,CAAC,yFAAyF,CAAC;QACvG,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,qDAAqD,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnF,IAAI,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrD,IAAI,qHAAqH,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnJ,OAAO,KAAK,CAAC;QACf,CAAC;KACF;IACD,WAAW,EAAE;QACX,UAAU,EAAE,CAAC,oHAAoH,CAAC;QAClI,UAAU,EAAE,CAAC,KAAa,EAAW,EAAE;YACrC,IAAI,qEAAqE,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnG,IAAI,2DAA2D,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACzF,IAAI,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACpD,IAAI,4CAA4C,CAAC,IAAI,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC1E,OAAO,KAAK,CAAC;QACf,CAAC;KACF;CACF,CAAC;AAEW,QAAA,SAAS,GAAkE;IACtF,mBAAmB,EAAE,iCAAyB;IAC9C,EAAE,EAAE,MAAM;IACV,IAAI,EAAE,yCAAyC;IAC/C,OAAO,EAAE,OAAO;IAChB,WAAW,EACT,k7BAAk7B;IACp7B,SAAS,EAAE,sFAAsF;IACjG,UAAU,EAAE,CAAC,QAAQ,EAAE,WAAW,EAAE,SAAS,EAAE,oBAAoB,EAAE,YAAY,EAAE,iBAAiB,EAAE,wBAAwB,EAAE,oBAAoB,EAAE,kBAAkB,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,YAAY,CAAC;IAE9O,eAAe,EAAE;QACf;YACE,IAAI,EAAE,oBAAoB;YAC1B,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,sLAAsL;YAC9L,SAAS,EAAE,2JAA2J;SACvK;QACD;YACE,IAAI,EAAE,iBAAiB;YACvB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,uMAAuM;YAC/M,SAAS,EAAE,0JAA0J;SACtK;QACD;YACE,IAAI,EAAE,iBAAiB;YACvB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,uNAAuN;YAC/N,SAAS,EAAE,kLAAkL;SAC9L;QACD;YACE,IAAI,EAAE,YAAY;YAClB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,8KAA8K;YACtL,SAAS,EAAE,sJAAsJ;SAClK;QACD;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,qLAAqL;YAC7L,SAAS,EAAE,0JAA0J;SACtK;QACD;YACE,IAAI,EAAE,gBAAgB;YACtB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,sNAAsN;YAC9N,SAAS,EAAE,+KAA+K;SAC3L;QACD;YACE,IAAI,EAAE,qBAAqB;YAC3B,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,0MAA0M;YAClN,SAAS,EAAE,sMAAsM;SAClN;QACD;YACE,IAAI,EAAE,WAAW;YACjB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,oMAAoM;YAC5M,SAAS,EAAE,gMAAgM;SAC5M;QACD;YACE,IAAI,EAAE,cAAc;YACpB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,8MAA8M;YACtN,SAAS,EAAE,+LAA+L;SAC3M;QACD;YACE,IAAI,EAAE,qBAAqB;YAC3B,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,8KAA8K;YACtL,SAAS,EAAE,kKAAkK;SAC9K;QACD;YACE,IAAI,EAAE,uBAAuB;YAC7B,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,4MAA4M;YACpN,SAAS,EAAE,+MAA+M;SAC3N;QACD;YACE,IAAI,EAAE,kBAAkB;YACxB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,mMAAmM;YAC3M,SAAS,EAAE,iLAAiL;SAC7L;KACF;IAED,YAAY,EAAE;QACZ,oBAAoB,EAAE;YACpB,4BAA4B,EAAE,IAAI,EAAE,6CAA6C;YACjF,kCAAkC,EAAE,IAAI;YACxC,oCAAoC,EAAE,IAAI;YAC1C,0BAA0B,EAAE,IAAI;YAChC,WAAW,EAAE,IAAI;YACjB,kBAAkB,EAAE,IAAI;SACzB;QACD,iBAAiB,EAAE;YACjB,iBAAiB,EAAE,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,mCAAmC,EAAE,8BAA8B,EAAE,iCAAiC,EAAE,KAAK,EAAE,aAAa,CAAC;YACnM,gCAAgC,EAAE,MAAM;YACxC,iBAAiB,EAAE,OAAO;SAC3B;QACD,YAAY,EAAE;YACZ,sBAAsB,EAAE,IAAI;YAC5B,kBAAkB,EAAE,IAAI;YACxB,8BAA8B,EAAE,IAAI;SACrC;QACD,WAAW,EAAE;YACX,qBAAqB,EAAE,EAAE;YACzB,2BAA2B,EAAE,EAAE;YAC/B,mBAAmB,EAAE,EAAE;YACvB,gCAAgC,EAAE,IAAI;SACvC;QACD,qBAAqB,EAAE;YACrB,yCAAyC,EAAE,IAAI;YAC/C,gCAAgC,EAAE,IAAI;YACtC,6BAA6B,EAAE,IAAI;SACpC;QACD,cAAc,EAAE;YACd,8BAA8B,EAAE,IAAI;YACpC,uCAAuC,EAAE,IAAI;YAC7C,6BAA6B,EAAE,IAAI;SACpC;QACD,qBAAqB,EAAE;YACrB,4BAA4B,EAAE,CAAC;YAC/B,4CAA4C,EAAE,IAAI;SACnD;QACD,kBAAkB,EAAE;YAClB,wBAAwB,EAAE,IAAI;YAC9B,0BAA0B,EAAE,IAAI;SACjC;KACF;IAED,cAAc,EAAE;QACd,gBAAgB,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,CAAC;QAClD,oBAAoB,EAAE,CAAC,mBAAmB,EAAE,oBAAoB,EAAE,6BAA6B,CAAC;QAChG,YAAY,EAAE;YACZ,QAAQ,EAAE,sPAAsP;YAChQ,KAAK,EAAE,8LAA8L;YACrM,OAAO,EAAE,+LAA+L;SACzM;KACF;IAED,UAAU,EAAE;QACV,cAAc,EAAE,CAAC,uBAAuB,EAAE,uBAAuB,EAAE,mCAAmC,EAAE,8BAA8B,EAAE,iCAAiC,EAAE,KAAK,EAAE,aAAa,CAAC;QAChM,eAAe,EAAE;YACf,qBAAqB,EAAE,MAAM;YAC7B,qBAAqB,EAAE,MAAM;YAC7B,iCAAiC,EAAE,MAAM;YACzC,4BAA4B,EAAE,MAAM;YACpC,+BAA+B,EAAE,MAAM;YACvC,GAAG,EAAE,MAAM;YACX,WAAW,EAAE,OAAO;SACrB;QACD,kBAAkB,EAAE,IAAI;QACxB,kBAAkB,EAAE,aAAa;QACjC,qBAAqB,EAAE,YAAY;KACpC;IAED,eAAe,EAAE;QACf,kEAAkE;QAClE,6DAA6D;QAC7D,6FAA6F;QAC7F,qBAAqB,EAAE,IAAI,EAAE,kDAAkD;QAC/E,oBAAoB,EAAE,IAAI,EAAE,kDAAkD;QAC9E,qBAAqB,EAAE,IAAI,EAAE,iEAAiE;QAC9F,SAAS,EAAE,uOAAuO;QAClP,WAAW,EAAE,KAAK;QAClB,wBAAwB,EAAE,IAAI;QAC9B,WAAW,EAAE,CAAC,IAAI,CAAC,EAAE,oEAAoE;KAC1F;IAED,cAAc,EAAE;QACd,sDAAsD;QACtD,mDAAmD;QACnD,4CAA4C;QAC5C,2EAA2E;QAC3E,yBAAyB,EAAE,EAAE,EAAE,0DAA0D;QACzF,SAAS,EAAE,+MAA+M;QAC1N,kBAAkB,EAAE,CAAC,gBAAgB,EAAE,8BAA8B,EAAE,oCAAoC,EAAE,iBAAiB,CAAC;QAC/H,0BAA0B,EAAE,IAAI;KACjC;IAED,UAAU,EAAE;QACV;YACE,EAAE,EAAE,4BAA4B;YAChC,WAAW,EAAE,gLAAgL;YAC7L,SAAS,EAAE,gLAAgL;YAC3L,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,2BAA2B;YAC/B,WAAW,EAAE,iLAAiL;YAC9L,SAAS,EAAE,gKAAgK;YAC3K,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,2BAA2B;YAC/B,WAAW,EAAE,yLAAyL;YACtM,SAAS,EAAE,qLAAqL;YAChM,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,sBAAsB;YAC1B,WAAW,EAAE,0IAA0I;YACvJ,SAAS,EAAE,mJAAmJ;YAC9J,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,iBAAiB;YACrB,WAAW,EAAE,mIAAmI;YAChJ,SAAS,EAAE,2IAA2I;YACtJ,KAAK,EAAE,mBAAmB;YAC1B,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,4BAA4B;YAChC,WAAW,EAAE,gKAAgK;YAC7K,SAAS,EAAE,oLAAoL;YAC/L,KAAK,EAAE,4BAA4B;YACnC,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,4BAA4B;YAChC,WAAW,EAAE,0OAA0O;YACvP,SAAS,EAAE,sKAAsK;YACjL,KAAK,EAAE,oBAAoB;YAC3B,YAAY,EAAE,UAAU;SACzB;QACD;YACE,EAAE,EAAE,2BAA2B;YAC/B,WAAW,EAAE,kJAAkJ;YAC/J,SAAS,EAAE,+KAA+K;YAC1L,KAAK,EAAE,uBAAuB;YAC9B,YAAY,EAAE,MAAM;SACrB;QACD;YACE,EAAE,EAAE,6BAA6B;YACjC,WAAW,EAAE,sJAAsJ;YACnK,SAAS,EAAE,gKAAgK;YAC3K,KAAK,EAAE,wBAAwB;YAC/B,YAAY,EAAE,MAAM;SACrB;QACD;YACE,EAAE,EAAE,sBAAsB;YAC1B,WAAW,EAAE,8IAA8I;YAC3J,SAAS,EAAE,uHAAuH;YAClI,KAAK,EAAE,wBAAwB;YAC/B,YAAY,EAAE,MAAM;SACrB;QACD;YACE,EAAE,EAAE,kBAAkB;YACtB,WAAW,EAAE,4KAA4K;YACzL,SAAS,EAAE,kLAAkL;YAC7L,KAAK,EAAE,oBAAoB;YAC3B,YAAY,EAAE,MAAM;SACrB;QACD;YACE,EAAE,EAAE,4BAA4B;YAChC,WAAW,EAAE,uIAAuI;YACpJ,SAAS,EAAE,qJAAqJ;YAChK,KAAK,EAAE,oBAAoB;YAC3B,YAAY,EAAE,MAAM;SACrB;QACD;YACE,EAAE,EAAE,4BAA4B;YAChC,WAAW,EAAE,mKAAmK;YAChL,SAAS,EAAE,qKAAqK;YAChL,KAAK,EAAE,qBAAqB;YAC5B,YAAY,EAAE,MAAM;SACrB;KACF;CACF,CAAC"}

package/dist/packs/nist-800-53.d.ts

@@ -0,0 +1,40 @@
+/**
+ * NIST SP 800-53 Compliance Pack
+ *
+ * Framework: NIST Special Publication 800-53 Revision 5 (Sept 2020,
+ *   updates ongoing) — Security and Privacy Controls for Information
+ *   Systems and Organizations. The US federal control catalog
+ *   underpinning FedRAMP, FISMA, RMF (NIST 800-37), and many sectoral
+ *   frameworks.
+ *
+ * Jurisdiction: US federal mandate (FISMA + OMB Circular A-130);
+ *   widely adopted globally as a control reference.
+ * Authority: NIST + Office of Management and Budget (OMB) +
+ *   FedRAMP PMO (cloud-specific overlay)
+ *
+ * 20 control families (SP 800-53 Rev. 5):
+ *   AC (Access Control), AT (Awareness + Training), AU (Audit +
+ *   Accountability), CA (Assessment, Authorization + Monitoring),
+ *   CM (Configuration Management), CP (Contingency Planning),
+ *   IA (Identification + Authentication), IR (Incident Response),
+ *   MA (Maintenance), MP (Media Protection), PE (Physical +
+ *   Environmental), PL (Planning), PM (Program Management),
+ *   PS (Personnel Security), PT (PII Processing + Transparency),
+ *   RA (Risk Assessment), SA (System + Services Acquisition),
+ *   SC (System + Communications Protection), SI (System + Information
+ *   Integrity), SR (Supply Chain Risk Management).
+ *
+ * Baselines (FIPS 199 impact):
+ *   - LOW (~149 controls)
+ *   - MODERATE (~261 controls)
+ *   - HIGH (~318 controls)
+ *
+ * @connexum/ai-governance
+ */
+import { CompliancePack } from './index';
+import { CategoryClassifiers } from '../classification/pack-driven-classifier';
+export declare const NIST_800_53_CATEGORY_CLASSIFIERS: CategoryClassifiers;
+export declare const NIST_800_53_PACK: CompliancePack & {
+    categoryClassifiers: CategoryClassifiers;
+};
+//# sourceMappingURL=nist-800-53.d.ts.map

package/dist/packs/nist-800-53.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nist-800-53.d.ts","sourceRoot":"","sources":["../../src/packs/nist-800-53.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,mBAAmB,EAAE,MAAM,0CAA0C,CAAC;AAE/E,eAAO,MAAM,gCAAgC,EAAE,mBA8B9C,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,cAAc,GAAG;IAAE,mBAAmB,EAAE,mBAAmB,CAAA;CA0DzF,CAAC"}

package/dist/packs/nist-800-53.js

@@ -0,0 +1,129 @@
+"use strict";
+/**
+ * NIST SP 800-53 Compliance Pack
+ *
+ * Framework: NIST Special Publication 800-53 Revision 5 (Sept 2020,
+ *   updates ongoing) — Security and Privacy Controls for Information
+ *   Systems and Organizations. The US federal control catalog
+ *   underpinning FedRAMP, FISMA, RMF (NIST 800-37), and many sectoral
+ *   frameworks.
+ *
+ * Jurisdiction: US federal mandate (FISMA + OMB Circular A-130);
+ *   widely adopted globally as a control reference.
+ * Authority: NIST + Office of Management and Budget (OMB) +
+ *   FedRAMP PMO (cloud-specific overlay)
+ *
+ * 20 control families (SP 800-53 Rev. 5):
+ *   AC (Access Control), AT (Awareness + Training), AU (Audit +
+ *   Accountability), CA (Assessment, Authorization + Monitoring),
+ *   CM (Configuration Management), CP (Contingency Planning),
+ *   IA (Identification + Authentication), IR (Incident Response),
+ *   MA (Maintenance), MP (Media Protection), PE (Physical +
+ *   Environmental), PL (Planning), PM (Program Management),
+ *   PS (Personnel Security), PT (PII Processing + Transparency),
+ *   RA (Risk Assessment), SA (System + Services Acquisition),
+ *   SC (System + Communications Protection), SI (System + Information
+ *   Integrity), SR (Supply Chain Risk Management).
+ *
+ * Baselines (FIPS 199 impact):
+ *   - LOW (~149 controls)
+ *   - MODERATE (~261 controls)
+ *   - HIGH (~318 controls)
+ *
+ * @connexum/ai-governance
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NIST_800_53_PACK = exports.NIST_800_53_CATEGORY_CLASSIFIERS = void 0;
+exports.NIST_800_53_CATEGORY_CLASSIFIERS = {
+    CONTROL_FAMILY_EVIDENCE: {
+        references: ['NIST SP 800-53 Rev. 5 — 20 control families'],
+        classifier: (i) => /\b(?:800[\s-]?53\s+(?:control|family)|800-53|nist\s+(?:ac|au|ca|cm|cp|ia|ir|ma|mp|pe|pl|pm|ps|pt|ra|sa|sc|si|sr|at)[\s-]?\d{1,2})\b/i.test(i),
+    },
+    AUTHORIZATION_PACKAGE: {
+        references: ['NIST 800-37 RMF — System Security Plan + Authorization to Operate'],
+        classifier: (i) => /\b(?:ssp\s+800-53|authorization\s+to\s+operate|ato\s+package|authorization\s+package\s+800-53|sar\s+800-53)\b/i.test(i),
+    },
+    CONTINUOUS_MONITORING: {
+        references: ['NIST 800-53 CA-7 continuous monitoring'],
+        classifier: (i) => /\b(?:ca-7\s+continuous\s+monitoring|conmon\s+800-53|continuous\s+monitoring\s+strategy)\b/i.test(i),
+    },
+    POAM: {
+        references: ['NIST 800-53 CA-5 Plan of Action and Milestones'],
+        classifier: (i) => /\b(?:po(?:a|am|am&m)|plan\s+of\s+action\s+(?:and\s+)?milestones|ca-5\s+poam)\b/i.test(i),
+    },
+    BASELINE_DESIGNATION: {
+        references: ['FIPS 199 + NIST 800-53 baseline (LOW / MODERATE / HIGH)'],
+        classifier: (i) => /\b(?:fips\s+199|800-53\s+(?:low|moderate|high)\s+baseline|impact\s+level\s+(?:low|moderate|high))\b/i.test(i),
+    },
+    CREDENTIALS: {
+        references: ['NIST 800-53 IA-5 authenticator management'],
+        classifier: (i) => {
+            if (/\b(?:api[_-]?key|apikey)\s*[=:]\s*["']?[A-Za-z0-9_\-\/+]{16,}["']?/i.test(i))
+                return true;
+            if (/\bpassword\s*[=:]\s*["']?[A-Za-z0-9!@#$%^&*_\-]{8,}["']?/i.test(i))
+                return true;
+            if (/-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/.test(i))
+                return true;
+            return false;
+        },
+    },
+};
+exports.NIST_800_53_PACK = {
+    categoryClassifiers: exports.NIST_800_53_CATEGORY_CLASSIFIERS,
+    id: 'nist-800-53',
+    aliases: ['nist-sp-800-53', 'sp-800-53', '800-53', 'nist-800-53-rev5'],
+    name: 'NIST SP 800-53 Rev. 5 — Security and Privacy Controls',
+    version: '1.0.0',
+    description: 'NIST Special Publication 800-53 Revision 5 — Security and Privacy Controls for Information Systems and Organizations. 20 control families across LOW / MODERATE / HIGH baselines (FIPS 199 impact). The US federal control catalog underpinning FedRAMP, FISMA, RMF (NIST 800-37), and widely adopted globally. Pairs with `nist-csf` (framework), `fedramp`, `stateramp`, `cmmc2`, `fisma` (when added).',
+    authority: 'NIST + OMB + FedRAMP PMO',
+    industries: ['public-sector', 'cloud-infrastructure', 'defense', 'financial-services', 'healthcare', 'critical-national-infrastructure'],
+    requiredModules: [
+        { name: 'attestation-manager', required: true, reason: 'Baseline designation (LOW/MODERATE/HIGH); System Security Plan; Authorization to Operate; per-control-family evidence; POA&M tracked.', reference: 'NIST 800-37 RMF + 800-53 control inheritance' },
+        { name: 'governance-runtime', required: true, reason: 'AC family default-deny on uncovered access; CM family configuration baseline gate; SI integrity gate.', reference: 'NIST 800-53 AC + CM + SI families' },
+        { name: 'audit-integrity', required: true, reason: 'AU family audit + accountability tamper-evident chain; required for ATO + assessor evidence.', reference: 'NIST 800-53 AU family' },
+        { name: 'event-bus', required: true, reason: 'IR family incident response routing; CA-7 continuous monitoring telemetry; SI-4 system monitoring.', reference: 'NIST 800-53 IR + CA + SI' },
+        { name: 'data-classifier', required: true, reason: 'Surface 800-53 evidence categories across the 20 families.', reference: 'NIST 800-53 evidence categorisation' },
+        { name: 'agent-auth', required: true, reason: 'IA family identity + authenticator management; AC family access enforcement.', reference: 'NIST 800-53 IA + AC families' },
+        { name: 'encryption-layer', required: true, reason: 'SC family system + communications protection; cryptographic agility.', reference: 'NIST 800-53 SC family' },
+        { name: 'session-persistence', required: true, reason: '800-53 evidence retained per CA-2 assessment cycle (typically 3 years between full assessments) plus FedRAMP-specific overlays.', reference: 'NIST 800-53 CA-2; FedRAMP retention' },
+        { name: 'supply-chain', required: true, reason: 'SR family supply-chain risk management; SR-2 SCRM plan.', reference: 'NIST 800-53 SR family (new in Rev. 5)' },
+        { name: 'approval-queue', required: true, reason: 'CA-6 authorization decisions routed for AO sign-off; CM-3 configuration change approvals; PM-3 risk-management approvals.', reference: 'NIST 800-53 CA-6 + CM-3 + PM-3' },
+    ],
+    moduleConfig: {
+        'attestation-manager': { baselineDesignationTracked: true, sspTracked: true, atoTracked: true, perFamilyEvidenceTracked: true, poamTracked: true },
+        'governance-runtime': { acDefaultDenyRequired: true, cmConfigBaselineGateRequired: true, siIntegrityGateRequired: true },
+        'audit-integrity': { auFamilyTamperEvidentRequired: true },
+        'event-bus': { irRoutingRequired: true, conmonRequired: true, si4MonitoringRequired: true },
+        'data-classifier': { enabledCategories: ['CONTROL_FAMILY_EVIDENCE', 'AUTHORIZATION_PACKAGE', 'CONTINUOUS_MONITORING', 'POAM', 'BASELINE_DESIGNATION', 'CREDENTIALS'], credentialsAction: 'BLOCK' },
+        'agent-auth': { iaAuthenticatorMgmtRequired: true, acAccessEnforcementRequired: true },
+        'encryption-layer': { algorithm: 'aes-256-gcm', scProtectionRequired: true },
+        'session-persistence': { retentionDaysMinimum: 1095 },
+        'supply-chain': { srScrmPlanRequired: true },
+        'approval-queue': { reviewTier: 'T2' },
+    },
+    providerPolicy: {
+        blockedProviders: ['deepseek', 'baidu', 'alibaba'],
+        requiredCapabilities: ['NIST-800-53-COMPATIBLE', 'FEDRAMP-CAPABLE'],
+        blockReasons: { deepseek: 'PRC jurisdiction. NIST 800-53 SR family supply-chain risk management excludes PRC routing for federal systems.', baidu: 'PRC jurisdiction.', alibaba: 'PRC jurisdiction.' },
+    },
+    dataPolicy: {
+        scanCategories: ['CONTROL_FAMILY_EVIDENCE', 'AUTHORIZATION_PACKAGE', 'CONTINUOUS_MONITORING', 'POAM', 'BASELINE_DESIGNATION', 'CREDENTIALS'],
+        categoryActions: { CONTROL_FAMILY_EVIDENCE: 'WARN', AUTHORIZATION_PACKAGE: 'WARN', CONTINUOUS_MONITORING: 'WARN', POAM: 'WARN', BASELINE_DESIGNATION: 'WARN', CREDENTIALS: 'BLOCK' },
+        encryptionRequired: true, encryptionStandard: 'AES-256-GCM', minimumClassification: 'RESTRICTED',
+    },
+    retentionPolicy: { auditLogRetentionDays: 1095, sessionRetentionDays: 1095, incidentRetentionDays: 2190, reference: 'NIST 800-53 CA-2 assessment cycle + FedRAMP retention', forceDelete: false, requiresLegalHoldSupport: true, sovereignty: ['us'] },
+    incidentPolicy: { notificationDeadlineHours: 1, reference: 'NIST 800-53 IR-6 incident reporting; US-CERT 1-hour notification for federal systems', requiredRecipients: ['us-cert', 'authorizing-official', 'iso', 'sca'], formalNotificationRequired: true },
+    validators: [
+        { id: 'nist-800-53-baseline-designation', description: 'FIPS 199 impact (LOW / MODERATE / HIGH) designated; baseline control set instantiated.', reference: 'FIPS 199 + 800-53 baselines', check: 'attestation_active', failSeverity: 'CRITICAL' },
+        { id: 'nist-800-53-ssp-current', description: 'System Security Plan current; per-control implementation captured.', reference: 'NIST 800-37 RMF', check: 'attestation_active', failSeverity: 'CRITICAL' },
+        { id: 'nist-800-53-ato-active', description: 'Authorization to Operate active and within validity window.', reference: 'NIST 800-37 ATO', check: 'attestation_active', failSeverity: 'CRITICAL' },
+        { id: 'nist-800-53-conmon', description: 'CA-7 continuous monitoring strategy active; monthly + annual assessment cadence.', reference: 'NIST 800-53 CA-7', check: 'monitoring_active', failSeverity: 'CRITICAL' },
+        { id: 'nist-800-53-poam', description: 'Plan of Action and Milestones current; remediation owners + due dates tracked.', reference: 'NIST 800-53 CA-5', check: 'attestation_active', failSeverity: 'HIGH' },
+        { id: 'nist-800-53-incident-1h', description: 'IR-6 incident reporting wired; US-CERT 1-hour notification path active for federal systems.', reference: 'NIST 800-53 IR-6', check: 'monitoring_active', failSeverity: 'CRITICAL' },
+        { id: 'nist-800-53-supply-chain', description: 'SR family SCRM plan + sub-supplier attestation captured (new in Rev. 5).', reference: 'NIST 800-53 SR family', check: 'subservice_registry_active', failSeverity: 'HIGH' },
+        { id: 'nist-800-53-encryption', description: 'SC family encryption controls active; FIPS 140-3 validated cryptography.', reference: 'NIST 800-53 SC + FIPS 140-3', check: 'encryption_active', failSeverity: 'HIGH' },
+        { id: 'nist-800-53-audit-trail', description: 'AU family tamper-evident audit chain active.', reference: 'NIST 800-53 AU family', check: 'audit_trail_exists', failSeverity: 'CRITICAL' },
+        { id: 'nist-800-53-credential-block', description: 'Plaintext credentials blocked per IA-5 authenticator management.', reference: 'NIST 800-53 IA-5', check: 'data_classifier_active', failSeverity: 'CRITICAL' },
+    ],
+};
+//# sourceMappingURL=nist-800-53.js.map

package/dist/packs/nist-800-53.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"nist-800-53.js","sourceRoot":"","sources":["../../src/packs/nist-800-53.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;;;AAKU,QAAA,gCAAgC,GAAwB;IACnE,uBAAuB,EAAE;QACvB,UAAU,EAAE,CAAC,6CAA6C,CAAC;QAC3D,UAAU,EAAE,CAAC,CAAS,EAAW,EAAE,CAAC,sIAAsI,CAAC,IAAI,CAAC,CAAC,CAAC;KACnL;IACD,qBAAqB,EAAE;QACrB,UAAU,EAAE,CAAC,mEAAmE,CAAC;QACjF,UAAU,EAAE,CAAC,CAAS,EAAW,EAAE,CAAC,gHAAgH,CAAC,IAAI,CAAC,CAAC,CAAC;KAC7J;IACD,qBAAqB,EAAE;QACrB,UAAU,EAAE,CAAC,wCAAwC,CAAC;QACtD,UAAU,EAAE,CAAC,CAAS,EAAW,EAAE,CAAC,4FAA4F,CAAC,IAAI,CAAC,CAAC,CAAC;KACzI;IACD,IAAI,EAAE;QACJ,UAAU,EAAE,CAAC,gDAAgD,CAAC;QAC9D,UAAU,EAAE,CAAC,CAAS,EAAW,EAAE,CAAC,iFAAiF,CAAC,IAAI,CAAC,CAAC,CAAC;KAC9H;IACD,oBAAoB,EAAE;QACpB,UAAU,EAAE,CAAC,yDAAyD,CAAC;QACvE,UAAU,EAAE,CAAC,CAAS,EAAW,EAAE,CAAC,sGAAsG,CAAC,IAAI,CAAC,CAAC,CAAC;KACnJ;IACD,WAAW,EAAE;QACX,UAAU,EAAE,CAAC,2CAA2C,CAAC;QACzD,UAAU,EAAE,CAAC,CAAS,EAAW,EAAE;YACjC,IAAI,qEAAqE,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YAC/F,IAAI,2DAA2D,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACrF,IAAI,4CAA4C,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;YACtE,OAAO,KAAK,CAAC;QACf,CAAC;KACF;CACF,CAAC;AAEW,QAAA,gBAAgB,GAAkE;IAC7F,mBAAmB,EAAE,wCAAgC;IACrD,EAAE,EAAE,aAAa;IACjB,OAAO,EAAE,CAAC,gBAAgB,EAAE,WAAW,EAAE,QAAQ,EAAE,kBAAkB,CAAC;IACtE,IAAI,EAAE,uDAAuD;IAC7D,OAAO,EAAE,OAAO;IAChB,WAAW,EACT,2YAA2Y;IAC7Y,SAAS,EAAE,0BAA0B;IACrC,UAAU,EAAE,CAAC,eAAe,EAAE,sBAAsB,EAAE,SAAS,EAAE,oBAAoB,EAAE,YAAY,EAAE,kCAAkC,CAAC;IACxI,eAAe,EAAE;QACf,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,uIAAuI,EAAE,SAAS,EAAE,8CAA8C,EAAE;QAC3P,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,uGAAuG,EAAE,SAAS,EAAE,mCAAmC,EAAE;QAC/M,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,8FAA8F,EAAE,SAAS,EAAE,uBAAuB,EAAE;QACvL,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,oGAAoG,EAAE,SAAS,EAAE,0BAA0B,EAAE;QAC1L,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,4DAA4D,EAAE,SAAS,EAAE,qCAAqC,EAAE;QACnK,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,8EAA8E,EAAE,SAAS,EAAE,8BAA8B,EAAE;QACzK,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,sEAAsE,EAAE,SAAS,EAAE,uBAAuB,EAAE;QAChK,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,iIAAiI,EAAE,SAAS,EAAE,qCAAqC,EAAE;QAC5O,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,yDAAyD,EAAE,SAAS,EAAE,uCAAuC,EAAE;QAC/J,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,2HAA2H,EAAE,SAAS,EAAE,gCAAgC,EAAE;KAC7N;IACD,YAAY,EAAE;QACZ,qBAAqB,EAAE,EAAE,0BAA0B,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,wBAAwB,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE;QAClJ,oBAAoB,EAAE,EAAE,qBAAqB,EAAE,IAAI,EAAE,4BAA4B,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE;QACxH,iBAAiB,EAAE,EAAE,6BAA6B,EAAE,IAAI,EAAE;QAC1D,WAAW,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE;QAC3F,iBAAiB,EAAE,EAAE,iBAAiB,EAAE,CAAC,yBAAyB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE,aAAa,CAAC,EAAE,iBAAiB,EAAE,OAAO,EAAE;QAClM,YAAY,EAAE,EAAE,2BAA2B,EAAE,IAAI,EAAE,2BAA2B,EAAE,IAAI,EAAE;QACtF,kBAAkB,EAAE,EAAE,SAAS,EAAE,aAAa,EAAE,oBAAoB,EAAE,IAAI,EAAE;QAC5E,qBAAqB,EAAE,EAAE,oBAAoB,EAAE,IAAI,EAAE;QACrD,cAAc,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE;QAC5C,gBAAgB,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE;KACvC;IACD,cAAc,EAAE;QACd,gBAAgB,EAAE,CAAC,UAAU,EAAE,OAAO,EAAE,SAAS,CAAC;QAClD,oBAAoB,EAAE,CAAC,wBAAwB,EAAE,iBAAiB,CAAC;QACnE,YAAY,EAAE,EAAE,QAAQ,EAAE,gHAAgH,EAAE,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,mBAAmB,EAAE;KACvM;IACD,UAAU,EAAE;QACV,cAAc,EAAE,CAAC,yBAAyB,EAAE,uBAAuB,EAAE,uBAAuB,EAAE,MAAM,EAAE,sBAAsB,EAAE,aAAa,CAAC;QAC5I,eAAe,EAAE,EAAE,uBAAuB,EAAE,MAAM,EAAE,qBAAqB,EAAE,MAAM,EAAE,qBAAqB,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE;QACpL,kBAAkB,EAAE,IAAI,EAAE,kBAAkB,EAAE,aAAa,EAAE,qBAAqB,EAAE,YAAY;KACjG;IACD,eAAe,EAAE,EAAE,qBAAqB,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,SAAS,EAAE,uDAAuD,EAAE,WAAW,EAAE,KAAK,EAAE,wBAAwB,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,IAAI,CAAC,EAAE;IACtP,cAAc,EAAE,EAAE,yBAAyB,EAAE,CAAC,EAAE,SAAS,EAAE,sFAAsF,EAAE,kBAAkB,EAAE,CAAC,SAAS,EAAE,sBAAsB,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE,0BAA0B,EAAE,IAAI,EAAE;IAC5P,UAAU,EAAE;QACV,EAAE,EAAE,EAAE,kCAAkC,EAAE,WAAW,EAAE,wFAAwF,EAAE,SAAS,EAAE,6BAA6B,EAAE,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,UAAU,EAAE;QAClP,EAAE,EAAE,EAAE,yBAAyB,EAAE,WAAW,EAAE,oEAAoE,EAAE,SAAS,EAAE,iBAAiB,EAAE,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,UAAU,EAAE;QACzM,EAAE,EAAE,EAAE,wBAAwB,EAAE,WAAW,EAAE,6DAA6D,EAAE,SAAS,EAAE,iBAAiB,EAAE,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,UAAU,EAAE;QACjM,EAAE,EAAE,EAAE,oBAAoB,EAAE,WAAW,EAAE,kFAAkF,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,UAAU,EAAE;QAClN,EAAE,EAAE,EAAE,kBAAkB,EAAE,WAAW,EAAE,gFAAgF,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,EAAE;QAC3M,EAAE,EAAE,EAAE,yBAAyB,EAAE,WAAW,EAAE,6FAA6F,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,UAAU,EAAE;QAClO,EAAE,EAAE,EAAE,0BAA0B,EAAE,WAAW,EAAE,0EAA0E,EAAE,SAAS,EAAE,uBAAuB,EAAE,KAAK,EAAE,4BAA4B,EAAE,YAAY,EAAE,MAAM,EAAE;QAC1N,EAAE,EAAE,EAAE,wBAAwB,EAAE,WAAW,EAAE,0EAA0E,EAAE,SAAS,EAAE,6BAA6B,EAAE,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,EAAE;QACrN,EAAE,EAAE,EAAE,yBAAyB,EAAE,WAAW,EAAE,8CAA8C,EAAE,SAAS,EAAE,uBAAuB,EAAE,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,UAAU,EAAE;QACzL,EAAE,EAAE,EAAE,8BAA8B,EAAE,WAAW,EAAE,kEAAkE,EAAE,SAAS,EAAE,kBAAkB,EAAE,KAAK,EAAE,wBAAwB,EAAE,YAAY,EAAE,UAAU,EAAE;KAClN;CACF,CAAC"}