@cyclonedx/cdxgen 12.3.3 → 12.4.1

package/data/rules/hbom-security.yaml

@@ -0,0 +1,248 @@
+# HBOM Security Rules
+# Category: hbom-security
+# Evaluates host hardware inventory for encryption, removable-media, wireless, and disclosure risks.
+
+- id: HBS-001
+  name: "Storage component is explicitly unencrypted"
+  description: "System or attached storage reported as unencrypted increases exposure for lost, stolen, or offline-access devices."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "SC-28 Protection of Information at Rest"
+    cis-controls-v8:
+      - "3.11 Encrypt Sensitive Data at Rest"
+    iso-27001:
+      - "A.8.24 Use of cryptography"
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and (
+        $safeStr($prop($, 'cdx:hbom:isEncrypted')) = 'false'
+        or $safeStr($prop($, 'cdx:hbom:fileVault')) = 'false'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage component '{{ name }}' is reported as unencrypted"
+  mitigation: "Enable full-disk or volume encryption, verify escrow/recovery procedures, and confirm the device is enrolled in the intended encryption baseline."
+  evidence: |
+    {
+      "hardwareClass": $prop($, 'cdx:hbom:hardwareClass'),
+      "isEncrypted": $prop($, 'cdx:hbom:isEncrypted'),
+      "fileVault": $prop($, 'cdx:hbom:fileVault'),
+      "volumeUuid": $prop($, 'cdx:hbom:volumeUuid'),
+      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial')
+    }
+
+- id: HBS-002
+  name: "Connected wireless adapter uses weak or missing link security"
+  description: "Wireless adapters connected without strong link security indicate elevated interception and unauthorized access risk."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "AC-18 Wireless Access"
+      - "SC-13 Cryptographic Protection"
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'wireless-adapter'
+      and $safeStr($prop($, 'cdx:hbom:connected')) = 'true'
+      and (
+        $safeStr($prop($, 'cdx:hbom:securityMode')) = ''
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'open')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'wep')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'none')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Wireless adapter '{{ name }}' is connected with weak or missing security mode '{{ $firstNonEmpty($prop($, 'cdx:hbom:securityMode'), 'unknown') }}'"
+  mitigation: "Move the device to WPA2/WPA3-class protections, review SSID policy, and confirm that open or legacy wireless modes are not permitted for the host profile."
+  evidence: |
+    {
+      "securityMode": $prop($, 'cdx:hbom:securityMode'),
+      "channel": $prop($, 'cdx:hbom:channel'),
+      "phyMode": $prop($, 'cdx:hbom:phyMode'),
+      "countryCode": $prop($, 'cdx:hbom:countryCode'),
+      "firmwareVersion": $prop($, 'cdx:hbom:firmwareVersion')
+    }
+
+- id: HBS-003
+  name: "Removable storage is attached without encryption or lock evidence"
+  description: "Attached removable storage that is explicitly unlocked or unencrypted increases data-exfiltration and malware-ingress risk."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "MP-7 Media Use"
+      - "SC-28 Protection of Information at Rest"
+    cis-controls-v8:
+      - "3.9 Encrypt Data on Removable Media"
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and $safeStr($prop($, 'cdx:hbom:isRemovable')) = 'true'
+      and (
+        $safeStr($prop($, 'cdx:hbom:isEncrypted')) = 'false'
+        or $safeStr($prop($, 'cdx:hbom:isLocked')) = 'false'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Removable storage '{{ name }}' is attached without encryption or lock assurance"
+  mitigation: "Remove unapproved removable media, require encrypted removable devices, and verify the host's removable-media control policy."
+  evidence: |
+    {
+      "isRemovable": $prop($, 'cdx:hbom:isRemovable'),
+      "isEncrypted": $prop($, 'cdx:hbom:isEncrypted'),
+      "isLocked": $prop($, 'cdx:hbom:isLocked'),
+      "connectionType": $prop($, 'cdx:hbom:connectionType'),
+      "transport": $prop($, 'cdx:hbom:transport')
+    }
+
+- id: HBS-004
+  name: "HBOM exposes raw hardware identifiers"
+  description: "Raw serial numbers, MAC addresses, or platform UUIDs in the BOM can leak asset intelligence beyond the intended audience."
+  severity: medium
+  category: hbom-security
+  dry-run-support: full
+  condition: |
+    $append(
+      metadata.component[
+        (
+          $hasProp($, 'cdx:hbom:serialNumber')
+          and $startsWith($safeStr($prop($, 'cdx:hbom:serialNumber')), 'redacted') = false
+        )
+        or (
+          $hasProp($, 'cdx:hbom:platformUuid')
+          and $startsWith($safeStr($prop($, 'cdx:hbom:platformUuid')), 'redacted') = false
+        )
+      ],
+      components[
+      (
+        $hasProp($, 'cdx:hbom:serialNumber')
+        and $startsWith($safeStr($prop($, 'cdx:hbom:serialNumber')), 'redacted') = false
+      )
+      or (
+        $hasProp($, 'cdx:hbom:macAddress')
+        and $startsWith($safeStr($prop($, 'cdx:hbom:macAddress')), 'redacted') = false
+      )
+      or (
+        $hasProp($, 'cdx:hbom:deviceSerial')
+        and $startsWith($safeStr($prop($, 'cdx:hbom:deviceSerial')), 'redacted') = false
+      )
+      ]
+    )
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", metadata.component."bom-ref", bom.serialNumber)
+    }
+  message: "HBOM entry '{{ name }}' exposes raw hardware identifiers that should be reviewed before distribution"
+  mitigation: "Use redacted identifier mode for externally shared HBOMs and restrict raw identifiers to tightly controlled internal asset workflows."
+  evidence: |
+    {
+      "identifierPolicy": $firstNonEmpty($prop($, 'cdx:hbom:identifierPolicy'), $prop(metadata.component, 'cdx:hbom:identifierPolicy')),
+      "serialNumber": $prop($, 'cdx:hbom:serialNumber'),
+      "macAddress": $prop($, 'cdx:hbom:macAddress'),
+      "deviceSerial": $prop($, 'cdx:hbom:deviceSerial'),
+      "platformUuid": $prop(metadata.component, 'cdx:hbom:platformUuid')
+    }
+
+- id: HBS-005
+  name: "External expansion bus reports permissive security posture"
+  description: "A Thunderbolt or USB4 path with permissive security level or disabled IOMMU protection increases the risk of DMA-style or rogue-device attack paths."
+  severity: high
+  category: hbom-security
+  dry-run-support: full
+  standards:
+    nist-800-53:
+      - "CM-8 System Component Inventory"
+      - "SC-7 Boundary Protection"
+      - "SI-16 Memory Protection"
+  condition: |
+    components[
+      (
+        $hasProp($, 'cdx:hbom:securityLevel')
+        or $hasProp($, 'cdx:hbom:iommuProtection')
+        or $hasProp($, 'cdx:hbom:policy')
+      )
+      and (
+        $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'none')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'legacy')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityLevel'))), 'user')
+        or $safeStr($prop($, 'cdx:hbom:iommuProtection')) = 'false'
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "External expansion component '{{ name }}' reports a permissive security posture or missing IOMMU protection"
+  mitigation: "Require a stronger Thunderbolt/USB4 security level, verify IOMMU protection is enabled, and review auto-authorization policy before trusting hot-plug external devices."
+  evidence: |
+    {
+      "securityLevel": $prop($, 'cdx:hbom:securityLevel'),
+      "iommuProtection": $prop($, 'cdx:hbom:iommuProtection'),
+      "policy": $prop($, 'cdx:hbom:policy'),
+      "authorized": $prop($, 'cdx:hbom:authorized'),
+      "bootAclCount": $prop($, 'cdx:hbom:bootAclCount')
+    }
+
+- id: HBS-006
+  name: "HBOM exposes raw cellular or subscriber identifiers"
+  description: "Raw modem equipment identifiers, IMEIs, or subscriber numbers in the BOM can leak privacy-sensitive fleet and subscriber intelligence."
+  severity: medium
+  category: hbom-security
+  dry-run-support: full
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'modem'
+        or $hasProp($, 'cdx:hbom:equipmentIdentifier')
+        or $hasProp($, 'cdx:hbom:imei')
+        or $hasProp($, 'cdx:hbom:ownNumbers')
+      )
+      and (
+        (
+          $hasProp($, 'cdx:hbom:equipmentIdentifier')
+          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:equipmentIdentifier'))), 'redacted') = false
+        )
+        or (
+          $hasProp($, 'cdx:hbom:imei')
+          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:imei'))), 'redacted') = false
+        )
+        or (
+          $hasProp($, 'cdx:hbom:ownNumbers')
+          and $startsWith($lowercase($safeStr($prop($, 'cdx:hbom:ownNumbers'))), 'redacted') = false
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Cellular component '{{ name }}' exposes raw modem or subscriber identifiers that should be reviewed before distribution"
+  mitigation: "Keep modem identifiers redacted in shared HBOMs and restrict raw IMEI, equipment, or subscriber number exposure to tightly controlled internal device-management workflows."
+  evidence: |
+    {
+      "equipmentIdentifier": $prop($, 'cdx:hbom:equipmentIdentifier'),
+      "imei": $prop($, 'cdx:hbom:imei'),
+      "ownNumbers": $prop($, 'cdx:hbom:ownNumbers'),
+      "identifierPolicy": $firstNonEmpty($prop($, 'cdx:hbom:identifierPolicy'), $prop(metadata.component, 'cdx:hbom:identifierPolicy'))
+    }

package/data/rules/host-topology.yaml

@@ -0,0 +1,165 @@
+# Host Topology Rules
+# Category: host-topology
+# Evaluates strict, evidence-backed insights derived from merged HBOM + OBOM inventories.
+
+- id: HMX-001
+  name: "Active wired interface with live runtime addresses is operating degraded"
+  description: "A wired interface that is actually carrying runtime addresses but is negotiated at low bandwidth or half duplex represents a higher-confidence performance issue than hardware inventory alone."
+  severity: medium
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
+      and $number($firstNonEmpty($prop($, 'cdx:hostview:interface_addresses:count'), '0')) > 0
+      and (
+        $lowercase($safeStr($prop($, 'cdx:hbom:duplex'))) = 'half'
+        or (
+          $hasProp($, 'cdx:hbom:speedMbps')
+          and $number($prop($, 'cdx:hbom:speedMbps')) > 0
+          and $number($prop($, 'cdx:hbom:speedMbps')) < 1000
+        )
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Interface '{{ name }}' has live runtime address evidence but negotiated degraded duplex or bandwidth characteristics"
+  mitigation: "Inspect cabling, switch policy, NIC firmware/driver, and negotiated link settings before treating the issue as application-only latency."
+  evidence: |
+    {
+      "runtimeAddressCount": $prop($, 'cdx:hostview:interface_addresses:count'),
+      "driver": $prop($, 'cdx:hbom:driver'),
+      "speedMbps": $prop($, 'cdx:hbom:speedMbps'),
+      "duplex": $prop($, 'cdx:hbom:duplex'),
+      "operState": $prop($, 'cdx:hbom:operState')
+    }
+
+- id: HMX-002
+  name: "Wireless interface with live runtime address uses weak or missing link security"
+  description: "Weak wireless security on an interface that also has runtime address evidence is a stronger exposure signal than hardware inventory alone."
+  severity: high
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'wireless-adapter'
+        or (
+          $prop($, 'cdx:hbom:hardwareClass') = 'network-interface'
+          and $hasProp($, 'cdx:hbom:securityMode')
+        )
+      )
+      and $number($firstNonEmpty($prop($, 'cdx:hostview:interface_addresses:count'), '0')) > 0
+      and (
+        $safeStr($prop($, 'cdx:hbom:securityMode')) = ''
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'open')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'wep')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:securityMode'))), 'none')
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Wireless interface '{{ name }}' has live runtime address evidence while using weak or missing security mode '{{ $firstNonEmpty($prop($, 'cdx:hbom:securityMode'), 'unknown') }}'"
+  mitigation: "Move the interface to WPA2/WPA3-class protections, review SSID policy, and verify that actively routed wireless links meet enterprise security baselines."
+  evidence: |
+    {
+      "runtimeAddressCount": $prop($, 'cdx:hostview:interface_addresses:count'),
+      "securityMode": $prop($, 'cdx:hbom:securityMode'),
+      "channel": $prop($, 'cdx:hbom:channel'),
+      "phyMode": $prop($, 'cdx:hbom:phyMode')
+    }
+
+- id: HMX-003
+  name: "Merged host inventory lacks strict hardware/runtime topology links"
+  description: "When a merged HBOM+OBOM view contains no strict cross-domain topology links, reviewers should treat combined host conclusions cautiously and inspect collection coverage."
+  severity: medium
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    metadata.component[
+      type = 'device'
+      and $prop($, 'cdx:hostview:mode') = 'hbom-obom-merged'
+      and $number($firstNonEmpty($prop($, 'cdx:hostview:topologyLinkCount'), '0')) = 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Merged host inventory for '{{ name }}' contains no strict HBOM-to-OBOM topology links"
+  mitigation: "Review collector coverage, ensure runtime categories such as interface_addresses or kernel_modules are available, and prefer exact identifier-bearing probes over heuristic joins."
+  evidence: |
+    {
+      "hostViewMode": $prop($, 'cdx:hostview:mode'),
+      "hardwareComponentCount": $prop($, 'cdx:hostview:hardwareComponentCount'),
+      "runtimeComponentCount": $prop($, 'cdx:hostview:runtimeComponentCount'),
+      "topologyLinkCount": $prop($, 'cdx:hostview:topologyLinkCount')
+    }
+
+- id: HMX-004
+  name: "Mounted storage with explicit runtime evidence is reporting degraded health"
+  description: "Storage health issues become higher-confidence operational findings when the hardware component is also linked to an active runtime mount or logical drive using exact identifiers."
+  severity: high
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      (
+        $prop($, 'cdx:hbom:hardwareClass') = 'storage'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-device'
+        or $prop($, 'cdx:hbom:hardwareClass') = 'storage-volume'
+      )
+      and (
+        $number($firstNonEmpty($prop($, 'cdx:hostview:mount_hardening:count'), '0')) > 0
+        or $number($firstNonEmpty($prop($, 'cdx:hostview:runtime-storage:count'), '0')) > 0
+      )
+      and (
+        $contains($lowercase($safeStr($prop($, 'cdx:hbom:smartStatus'))), 'fail')
+        or $contains($lowercase($safeStr($prop($, 'cdx:hbom:health'))), 'degrad')
+        or $number($firstNonEmpty($prop($, 'cdx:hbom:wearPercentageUsed'), '0')) >= 90
+      )
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Storage component '{{ name }}' is explicitly linked to a runtime mount or drive while reporting degraded health telemetry"
+  mitigation: "Prioritize remediation for the backing device because the linked runtime mount evidence shows the degraded storage is actively in use."
+  evidence: |
+    {
+      "mountCount": $prop($, 'cdx:hostview:mount_hardening:count'),
+      "runtimeStorageCount": $prop($, 'cdx:hostview:runtime-storage:count'),
+      "smartStatus": $prop($, 'cdx:hbom:smartStatus'),
+      "health": $prop($, 'cdx:hbom:health'),
+      "wearPercentageUsed": $prop($, 'cdx:hbom:wearPercentageUsed')
+    }
+
+- id: HMX-005
+  name: "Explicit HBOM secure-boot trust anchor matches a revoked runtime Secure Boot certificate"
+  description: "When HBOM metadata carries an explicit Secure Boot certificate identifier that strictly links to runtime secureboot_certificates data, revoked trust anchors indicate a higher-confidence firmware trust issue."
+  severity: high
+  category: host-topology
+  dry-run-support: partial
+  condition: |
+    components[
+      $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
+      and $number($firstNonEmpty($prop($, 'revoked'), '0')) > 0
+      and $number($firstNonEmpty($prop($$.metadata.component, 'cdx:hostview:secureboot_certificates:count'), '0')) > 0
+    ]
+  location: |
+    {
+      "bomRef": $firstNonEmpty($."bom-ref", bom.serialNumber)
+    }
+  message: "Secure Boot certificate '{{ name }}' is revoked and the host also has an explicit HBOM trust-anchor link for this Secure Boot surface"
+  mitigation: "Review firmware trust policy, remove revoked Secure Boot entries from active trust sets, and verify that the expected db/dbx anchors on the host still match the approved platform state."
+  evidence: |
+    {
+      "linkedSecureBootCertificateCount": $prop($, 'cdx:hostview:secureboot_certificates:count'),
+      "revokedCertificateCount": $count(bom.components[
+        $prop($, 'cdx:osquery:category') = 'secureboot_certificates'
+        and $number($firstNonEmpty($prop($, 'revoked'), '0')) > 0
+      ])
+    }

package/data/rules/mcp-servers.yaml

@@ -3,13 +3,15 @@
   description: "HTTP-based MCP servers that expose tools without authentication let unauthenticated clients invoke model-controlled actions directly."
   severity: critical
   category: mcp-server
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0004]
+    tactics: [TA0001, TA0002]
     techniques: [T1190, T1059]
   standards:
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Manage"
@@ -44,6 +46,7 @@
   description: "Streamable HTTP MCP servers should authenticate incoming requests before serving prompts, resources, or tools."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0001]
     techniques: [T1190]
@@ -81,13 +84,15 @@
   description: "MCP servers built on non-official SDKs or wrappers deserve extra review before being exposed over HTTP, especially when they register tools."
   severity: medium
   category: mcp-server
+  dry-run-support: full
   attack:
-    tactics: [TA0001, TA0005]
+    tactics: [TA0001]
     techniques: [T1195.001]
   standards:
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM07: Insecure Plugin Design"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Map"
@@ -124,6 +129,7 @@
   description: "MCP services discovered only from client configuration files still need explicit authentication or OAuth posture when they resolve to network-accessible HTTP endpoints."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0001]
     techniques: [T1190]
@@ -131,6 +137,7 @@
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Map"
       - "Manage"
@@ -163,6 +170,7 @@
   description: "MCP configs that embed tokens, API keys, or other secrets directly in args, env values, or headers create immediate credential-handling and supply-chain review risk."
   severity: critical
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0006]
     techniques: [T1552]
@@ -170,6 +178,7 @@
     owasp-ai-top-10:
       - "LLM05: Supply Chain Vulnerabilities"
       - "LLM07: Insecure Plugin Design"
+      - "LLM03:2025 Supply Chain"
     nist-ai-rmf:
       - "Govern"
       - "Manage"
@@ -201,13 +210,15 @@
   description: "Dynamic client registration combined with a static configured client ID can create confused-deputy style authorization risk in MCP deployments."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
-    tactics: [TA0004]
+    tactics: [TA0006]
     techniques: [T1528]
   standards:
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Map"
@@ -238,6 +249,7 @@
   description: "Token-forwarding and passthrough settings in MCP configs deserve review because they can propagate delegated credentials across trust boundaries."
   severity: high
   category: mcp-server
+  dry-run-support: full
   attack:
     tactics: [TA0006]
     techniques: [T1528]
@@ -245,6 +257,7 @@
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Manage"
@@ -275,10 +288,12 @@
   description: "Committed MCP client configuration files can carry trust, auth, and distribution sensitivity even when they are not actively used during the current scan."
   severity: medium
   category: mcp-server
+  dry-run-support: full
   standards:
     owasp-ai-top-10:
       - "LLM07: Insecure Plugin Design"
       - "LLM08: Excessive Agency"
+      - "LLM06:2025 Excessive Agency"
     nist-ai-rmf:
       - "Govern"
       - "Map"