@grc-claw/oscal 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/package.json +35 -0
  2. package/src/index.ts +282 -0
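--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,35 @@
+{
+"name": "@grc-claw/oscal",
+"version": "0.8.0",
+"description": "NIST OSCAL 1.1.2 I/O for GRC_Claw \u2014 FedRAMP Rev 5, CMMC 2.0, SSP/POA&M/SAR export",
+"type": "module",
+"main": "dist/index.js",
+"types": "dist/index.d.ts",
+"exports": {
+".": {
+"import": "./dist/index.js",
+"types": "./dist/index.d.ts"
+}
+},
+"publishConfig": {
+"access": "public"
+},
+"scripts": {
+"build": "tsc",
+"test": "node --experimental-vm-modules ../../node_modules/.bin/jest"
+},
+"keywords": [
+"oscal",
+"fedramp",
+"cmmc",
+"nist",
+"grc",
+"compliance",
+"sp800-53"
+],
+"license": "MIT",
+"repository": {
+"type": "git",
+"url": "https://github.com/AAH20/GRC_Claw"
+}
+}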
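Review bot: In the `exports` map the `"types"` condition is listed after `"import"`; conditions are matched in declaration order, so `"import"` is taken first by every resolver and the `"types"` entry is effectively dead (TypeScript still finds the sibling `dist/index.d.ts` by convention, but only by accident of file layout). The usual fix is to put it first: `".": { "types": "./dist/index.d.ts", "import": "./dist/index.js" }`. There is also no `files` allow-list, and this very diff shows `package/src/index.ts` inside the published tarball, so everything in the package directory ships to the registry; `"files": ["dist"]` would restrict the artifact to the built output.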
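--- a/package/src/index.ts
+++ b/package/src/index.ts
@@ -0,0 +1,282 @@
+/**
+* @grc-claw/oscal
+* NIST OSCAL 1.1.2 I/O for FedRAMP Rev 5 and CMMC 2.0
+*
+* Exports compliance_controls + proof_ledger data as OSCAL JSON:
+* - SSP (System Security Plan)
+* - POA&M (Plan of Action and Milestones)
+* - SAR (Security Assessment Results)
+* - Component Definition
+*
+* Import into GovReady-Q, XACTA, OSCAL Viewer, or submit directly to FedRAMP PMO.
+*/
+import * as crypto from 'crypto';
+
+export type OscalFormat = 'ssp' | 'poam' | 'sar' | 'component';
+export type ImpactLevel = 'low' | 'moderate' | 'high';
+
+export interface OscalControl {
+id: string; // ISO 27001 / SOC 2 control code e.g. "A.8.8"
+oscalId: string; // NIST SP 800-53 mapping e.g. "si-2"
+status: string; // 'compliant' | 'non_compliant' | 'partial'
+description: string;
+drifted: boolean;
+driftedAt?: string;
+evidenceSummary?: string;
+}
+
+export interface OscalEvidenceItem {
+id: string;
+controlCode: string;
+source: string;
+summary: string;
+entryHash: string;
+collectedAt: string;
+tsaToken?: string;
+}
+
+export interface OscalExportOptions {
+orgSlug: string;
+systemName?: string;
+framework?: string;
+impactLevel?: ImpactLevel;
+oscalVersion?: string;
+}
+
+// ISO 27001 → NIST SP 800-53r5 control mapping
+const CONTROL_CROSSWALK: Record<string, string> = {
+'A.5.1': 'pl-1', 'A.5.2': 'pl-2', 'A.5.8': 'sa-3', 'A.5.12': 'mp-3',
+'A.5.15': 'ac-3', 'A.5.16': 'ia-2', 'A.5.17': 'ia-5', 'A.5.18': 'ac-2',
+'A.5.24': 'ir-1', 'A.5.25': 'ir-4', 'A.5.26': 'ir-5', 'A.5.27': 'ir-6',
+'A.5.31': 'sa-9', 'A.5.33': 'au-11', 'A.5.34': 'at-4', 'A.5.35': 'ca-5',
+'A.6.1': 'ps-2', 'A.6.3': 'at-2', 'A.6.4': 'pe-2', 'A.6.7': 'pe-6',
+'A.6.8': 'ir-6',
+'A.8.1': 'cm-8', 'A.8.2': 'ac-2', 'A.8.3': 'ac-3', 'A.8.4': 'ac-17',
+'A.8.5': 'ia-2', 'A.8.6': 'cp-8', 'A.8.7': 'si-3', 'A.8.8': 'si-2',
+'A.8.9': 'cm-6', 'A.8.10': 'mp-6', 'A.8.11': 'ac-2', 'A.8.12': 'ac-4',
+'A.8.15': 'au-2', 'A.8.16': 'si-4', 'A.8.20': 'sc-7', 'A.8.21': 'sc-7',
+'A.8.24': 'sc-28', 'A.8.25': 'sa-8', 'A.8.32': 'cm-3',
+'CC1.1': 'ac-1', 'CC2.1': 'pl-4', 'CC3.1': 'ra-3', 'CC4.1': 'ca-2',
+'CC5.1': 'pm-6', 'CC6.1': 'ac-2', 'CC6.2': 'ia-2', 'CC6.6': 'sc-7',
+'CC6.7': 'sc-28', 'CC7.1': 'si-4', 'CC7.2': 'ir-4', 'CC7.4': 'ir-6',
+'CC8.1': 'cm-3', 'CC9.2': 'sa-9',
+};
+
+function uuid(seed: string): string {
+return crypto.createHash('sha256').update(seed).digest('hex').slice(0, 36);
+}
+
+export class OscalExporter {
+constructor(private readonly opts: OscalExportOptions) {}
+
+exportSSP(controls: OscalControl[], evidence: OscalEvidenceItem[]): Record<string, unknown> {
+const now = new Date().toISOString();
+const { orgSlug, systemName = orgSlug, framework = 'iso27001', impactLevel = 'moderate', oscalVersion = '1.1.2' } = this.opts;
+
+const implementedReqs = controls.map(c => {
+const oscalId = CONTROL_CROSSWALK[c.id] ?? c.id.toLowerCase().replace(/[^a-z0-9]/g, '-');
+const ev = evidence.filter(e => e.controlCode === c.id);
+return {
+uuid: uuid(`req-${orgSlug}-${c.id}`),
+'control-id': oscalId,
+description: c.description || `Implementation of ${c.id}`,
+props: [
+{ name: 'implementation-status', value: c.status },
+{ name: 'grc-control-code', value: c.id },
+{ name: 'drift-detected', value: String(c.drifted) },
+...(c.driftedAt ? [{ name: 'drift-detected-at', value: c.driftedAt }] : []),
+],
+statements: [{
+'statement-id': `${oscalId}_smt`,
+uuid: uuid(`smt-${orgSlug}-${c.id}`),
+description: c.evidenceSummary ?? 'See attached evidence artifacts.',
+}],
+'by-components': ev.slice(0, 5).map(e => ({
+'component-uuid': uuid(`bycomp-${e.id}`),
+uuid: uuid(`bc-${e.id}`),
+description: e.summary,
+props: [
+{ name: 'source', value: e.source },
+{ name: 'entry-hash', value: e.entryHash },
+...(e.tsaToken ? [{ name: 'tsa-token', value: e.tsaToken.slice(0, 50) + '…' }] : []),
+],
+})),
+};
+});
+
+return {
+'system-security-plan': {
+uuid: uuid(`ssp-${orgSlug}-${Date.now()}`),
+metadata: {
+title: `System Security Plan — ${systemName}`,
+'last-modified': now,
+version: '1.0',
+'oscal-version': oscalVersion,
+props: [
+{ name: 'framework', value: framework },
+{ name: 'generated-by', value: 'A2Z SOC GRC Platform v6.0' },
+],
+roles: [
+{ id: 'system-owner', title: 'System Owner' },
+{ id: 'isso', title: 'Information System Security Officer' },
+],
+},
+'import-profile': {
+href: framework === 'fedramp'
+? 'https://raw.githubusercontent.com/usnistgov/oscal-content/main/fedramp/rev5/FedRAMP_rev5_MODERATE-baseline-resolved-profile_catalog.json'
+: `#${framework}`,
+},
+'system-characteristics': {
+'system-ids': [{ 'identifier-type': 'https://ietf.org/rfc/rfc4122', id: uuid(`system-${orgSlug}`) }],
+'system-name': systemName,
+description: `Continuous compliance system for ${systemName} under ${framework.toUpperCase()} framework.`,
+'security-impact-level': {
+'security-objective-confidentiality': impactLevel,
+'security-objective-integrity': impactLevel,
+'security-objective-availability': impactLevel,
+},
+status: { state: 'operational' },
+'authorization-boundary': { description: `${systemName} production environment and all connected integrations.` },
+},
+'system-implementation': {
+users: [{
+uuid: uuid(`user-${orgSlug}`),
+title: 'System Administrator',
+'role-ids': ['system-owner'],
+}],
+components: [{
+uuid: uuid(`comp-${orgSlug}-grc`),
+type: 'software',
+title: 'A2Z SOC + GRC_Claw',
+description: 'GRC platform providing continuous compliance automation, SIEM correlation, SOAR, and ZK evidence proofs.',
+status: { state: 'operational' },
+props: [{ name: 'version', value: '6.0' }],
+}],
+},
+'control-implementation': {
+description: `Control implementations for ${framework.toUpperCase()} as of ${now}. Generated by A2Z SOC autonomous compliance platform.`,
+'set-parameters': [],
+'implemented-requirements': implementedReqs,
+},
+'back-matter': {
+resources: evidence.slice(0, 10).map(e => ({
+uuid: uuid(`resource-${e.id}`),
+title: e.summary,
+props: [
+{ name: 'type', value: 'evidence' },
+{ name: 'source', value: e.source },
+{ name: 'hash', value: e.entryHash },
+],
+'rlinks': [],
+})),
+},
+},
+};
+}
+
+exportPOAM(driftedControls: OscalControl[]): Record<string, unknown> {
+const now = new Date().toISOString();
+const { orgSlug, systemName = orgSlug, oscalVersion = '1.1.2' } = this.opts;
+
+return {
+'plan-of-action-and-milestones': {
+uuid: uuid(`poam-${orgSlug}-${Date.now()}`),
+metadata: {
+title: `Plan of Action and Milestones — ${systemName}`,
+'last-modified': now,
+version: '1.0',
+'oscal-version': oscalVersion,
+},
+'system-id': { 'identifier-type': 'https://ietf.org/rfc/rfc4122', id: uuid(`system-${orgSlug}`) },
+'local-definitions': {
+components: [{
+uuid: uuid(`poam-comp-${orgSlug}`),
+type: 'software',
+title: systemName,
+description: 'Primary system under assessment.',
+status: { state: 'operational' },
+}],
+},
+observations: driftedControls.map(c => ({
+uuid: uuid(`obs-${c.id}-${orgSlug}`),
+title: `Compliance drift in ${c.id}`,
+description: `Control ${c.id} has drifted from baseline. ${c.evidenceSummary ?? ''}`,
+methods: ['AUTOMATED'],
+types: ['finding'],
+relevant_evidence: [],
+collected: c.driftedAt ?? now,
+expires: new Date(Date.now() + 90 * 86400000).toISOString(),
+})),
+risks: driftedControls.map(c => ({
+uuid: uuid(`risk-${c.id}-${orgSlug}`),
+title: `Risk: Non-compliance in ${c.id}`,
+description: `Control ${c.id} drift creates compliance risk under ${this.opts.framework?.toUpperCase() ?? 'ISO 27001'}.`,
+statement: `The organization is currently non-compliant with ${c.id}. Immediate remediation required.`,
+status: 'open',
+'mitigating-factors': [{
+uuid: uuid(`mit-${c.id}`),
+description: 'Automated remediation PR queued via A2Z SOC /api/platform/remediation-pr.',
+}],
+deadline: new Date(Date.now() + 14 * 86400000).toISOString(),
+})),
+'poam-items': driftedControls.map(c => ({
+uuid: uuid(`poam-item-${c.id}-${orgSlug}`),
+title: `Remediate drift: ${c.id}`,
+description: c.evidenceSummary ?? `Drift detected in ${c.id}. Remediation via autonomous PR.`,
+related_findings: [],
+origins: [{ actors: [{ type: 'tool', 'actor-uuid': uuid('a2z-soc-autopilot'), title: 'A2Z SOC Autopilot' }] }],
+'related-risks': [uuid(`risk-${c.id}-${orgSlug}`)],
+milestones: [{
+uuid: uuid(`mile-${c.id}`),
+title: 'Open remediation PR',
+description: 'Call POST /api/platform/remediation-pr to generate automated fix.',
+'scheduled-completion': new Date(Date.now() + 14 * 86400000).toISOString(),
+}],
+})),
+},
+};
+}
+
+exportComponentDefinition(controls: OscalControl[]): Record<string, unknown> {
+const now = new Date().toISOString();
+const { orgSlug, framework = 'iso27001', oscalVersion = '1.1.2' } = this.opts;
+
+return {
+'component-definition': {
+uuid: uuid(`compdef-${orgSlug}`),
+metadata: {
+title: 'A2Z SOC + GRC_Claw — Component Definition',
+'last-modified': now,
+version: '6.0',
+'oscal-version': oscalVersion,
+props: [{ name: 'vendor', value: 'A2Z SOC' }],
+},
+components: [{
+uuid: uuid('grc-claw-comp'),
+type: 'software',
+title: 'A2Z SOC GRC Platform',
+description: 'Continuous compliance platform with SIEM, SOAR, ZK proofs, and autonomous remediation.',
+props: [
+{ name: 'version', value: '6.0' },
+{ name: 'type', value: 'GRC-Platform' },
+{ name: 'oscal-export', value: 'true' },
+],
+'control-implementations': [{
+uuid: uuid(`ci-${framework}-${orgSlug}`),
+source: `#${framework}`,
+description: `GRC_Claw control implementations for ${framework}`,
+'implemented-requirements': controls.slice(0, 50).map(c => ({
+uuid: uuid(`ci-req-${c.id}`),
+'control-id': CONTROL_CROSSWALK[c.id] ?? c.id.toLowerCase(),
+description: c.description,
+props: [{ name: 'implementation-status', value: c.status }],
+})),
+}],
+}],
+'back-matter': { resources: [] },
+},
+};
+}
+}
+
+export { CONTROL_CROSSWALK };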
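Review bot: `uuid()` (hunk line `function uuid(seed: string)`) returns the first 36 hex characters of a SHA-256 digest, which is not an RFC 4122 UUID — no hyphens, no version or variant nibble — so every `uuid` field in the generated SSP, POA&M and component definition fails the OSCAL schema's uuid pattern, and the `system-ids` entry labels that value `https://ietf.org/rfc/rfc4122` although it does not conform. Formatting the digest into the 8-4-4-4-12 layout with the version nibble forced to 4 and the variant nibble to 8–b keeps the seeded determinism the rest of the file relies on and produces values that OSCAL validators accept (see fence). Separately, `import-profile.href` always points at the MODERATE resolved baseline on the unpinned `main` branch of oscal-content regardless of `impactLevel`, so a `high` system imports the wrong baseline and the referenced content can change underneath an authorization package; the file should be chosen from `impactLevel` and the URL pinned to a release tag or commit. The POA&M keys `relevant_evidence` and `related_findings` use snake_case where OSCAL 1.1.2 names them `relevant-evidence` and `related-findings`, so those arrays are silently ignored by consumers.

```typescript
function uuid(seed: string): string {
  const h = crypto.createHash('sha256').update(seed).digest('hex');
  // RFC 4122 layout: version nibble forced to 4, variant nibble to 8..b, so the value
  // matches the OSCAL schema's uuid pattern while staying deterministic per seed.
  const variant = ((parseInt(h.charAt(16), 16) & 0x3) | 0x8).toString(16);
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-4${h.slice(13, 16)}-${variant}${h.slice(17, 20)}-${h.slice(20, 32)}`;
}
```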