@greenarmor/ges-policy-engine 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +1 -1
  2. package/dist/packs/nist.js +394 -51
  3. package/package.json +3 -3
package/README.md CHANGED
@@ -44,7 +44,7 @@ allPacks.forEach(p => console.log(`${p.id}: ${p.name}`));
44
44
  | `gdpr` | GDPR | EU General Data Protection Regulation controls |
45
45
  | `owasp` | OWASP ASVS | Application Security Verification Standard |
46
46
  | `cis` | CIS Controls | Center for Internet Security controls |
47
- | `nist` | NIST CSF | NIST Cybersecurity Framework |
47
+ | `nist` | NIST CSF 2.0 | NIST Cybersecurity Framework 2.0 (23 controls / 145 checks) |
48
48
  | `ai` | AI Policy | LLM, Agent, MCP, RAG security controls |
49
49
  | `blockchain` | Blockchain | Cryptographic signatures, key rotation, on-chain rules |
50
50
  | `government` | Government | Data sovereignty, chain of custody, tamper evidence |
package/dist/packs/nist.js CHANGED
@@ -1,115 +1,458 @@
1
1
  export function createNISTPolicyPack() {
2
2
  const controls = [
3
+ // ============================================================
4
+ // GOVERN (GV) — CSF 2.0
5
+ // ============================================================
3
6
  {
4
- id: "NIST-ID-001",
5
- name: "Identity Management",
6
- description: "Manage identities and access to organizational resources.",
7
+ id: "NIST-GV-OC",
8
+ name: "Organizational Context",
9
+ description: "The circumstances — mission, stakeholder expectations, dependencies, and legal/regional requirements surrounding the organization's cybersecurity decisions are understood.",
10
+ category: "govern",
11
+ framework: "NIST",
12
+ status: "not-implemented",
13
+ severity: "medium",
14
+ implementation_guidance: "Document the organization's cybersecurity mission, dependencies on systems/services/data, and regulatory obligations. Map stakeholder expectations to cybersecurity outcomes. Maintain a register of compliance requirements (GDPR, HIPAA, etc.). Review at least annually or upon major business changes. [CSF 2.0 Refs: GV.OC-01 through GV.OC-04; SP 800-53: PM-11, PM-12]",
15
+ checks: [
16
+ { id: "NIST-GV-OC-C1", description: "Organizational mission and objectives are understood and inform cybersecurity strategy", status: "not-implemented" },
17
+ { id: "NIST-GV-OC-C2", description: "Cybersecurity dependencies (systems, people, information, services) are identified and documented", status: "not-implemented" },
18
+ { id: "NIST-GV-OC-C3", description: "Stakeholder expectations and requirements for cybersecurity decisions are understood", status: "not-implemented" },
19
+ { id: "NIST-GV-OC-C4", description: "Legal, regulatory, and contractual requirements are identified and prioritized", status: "not-implemented" },
20
+ ],
21
+ },
22
+ {
23
+ id: "NIST-GV-RM",
24
+ name: "Risk Management Strategy",
25
+ description: "The organization's cybersecurity risk management priorities, constraints, risk tolerances, and statements are established, communicated, and socially agreed upon.",
26
+ category: "govern",
27
+ framework: "NIST",
28
+ status: "not-implemented",
29
+ severity: "high",
30
+ implementation_guidance: "Define and document a risk management strategy with risk thresholds and tolerances. Establish a repeatable risk assessment methodology (e.g., NIST SP 800-30). Define how risk is communicated to leadership. Create risk response procedures (accept, mitigate, transfer, avoid). [CSF 2.0 Refs: GV.RM-01 through GV.RM-07; SP 800-53: PM-9, RA-1]",
31
+ checks: [
32
+ { id: "NIST-GV-RM-C1", description: "Risk management objectives and priorities are established and communicated", status: "not-implemented" },
33
+ { id: "NIST-GV-RM-C2", description: "Risk tolerances and thresholds are defined and approved by leadership", status: "not-implemented" },
34
+ { id: "NIST-GV-RM-C3", description: "Cybersecurity risk decisions are informed by enterprise-wide risk", status: "not-implemented" },
35
+ { id: "NIST-GV-RM-C4", description: "Strategic direction for cybersecurity risk is regularly reviewed and updated", status: "not-implemented" },
36
+ { id: "NIST-GV-RM-C5", description: "Cybersecurity risk thresholds are integrated into procurement and vendor selection", status: "not-implemented" },
37
+ ],
38
+ },
39
+ {
40
+ id: "NIST-GV-RR",
41
+ name: "Roles, Responsibilities, and Authorities",
42
+ description: "Cybersecurity roles, responsibilities, and authorities are established, communicated, and understood across the organization.",
43
+ category: "govern",
44
+ framework: "NIST",
45
+ status: "not-implemented",
46
+ severity: "medium",
47
+ implementation_guidance: "Define cybersecurity roles (CISO, security team, system owners, data owners) with clear responsibilities. Document decision-making authority for risk acceptance and incident response. Communicate roles through RACI matrices. Ensure role-based training. [CSF 2.0 Refs: GV.RR-01 through GV.RR-05; SP 800-53: PM-2, PM-29]",
48
+ checks: [
49
+ { id: "NIST-GV-RR-C1", description: "Cybersecurity leadership roles and responsibilities are defined and documented", status: "not-implemented" },
50
+ { id: "NIST-GV-RR-C2", description: "Cybersecurity responsibilities are assigned and communicated to all personnel", status: "not-implemented" },
51
+ { id: "NIST-GV-RR-C3", description: "Authorities for cybersecurity risk decisions are delegated and documented", status: "not-implemented" },
52
+ { id: "NIST-GV-RR-C4", description: "Personnel with cybersecurity responsibilities are qualified and trained", status: "not-implemented" },
53
+ { id: "NIST-GV-RR-C5", description: "External service provider cybersecurity responsibilities are defined in contracts", status: "not-implemented" },
54
+ ],
55
+ },
56
+ {
57
+ id: "NIST-GV-PO",
58
+ name: "Policy",
59
+ description: "The cybersecurity policy statement, overarching cybersecurity rules, and expectations for the organization are established, communicated, and enforced.",
60
+ category: "govern",
61
+ framework: "NIST",
62
+ status: "not-implemented",
63
+ severity: "high",
64
+ implementation_guidance: "Create a cybersecurity policy statement approved by senior leadership. Establish overarching rules covering access control, data protection, incident response, and acceptable use. Define enforcement mechanisms and consequences for violations. Review policies annually. [CSF 2.0 Refs: GV.PO-01 through GV.PO-04; SP 800-53: PM-1]",
65
+ checks: [
66
+ { id: "NIST-GV-PO-C1", description: "Cybersecurity policy statement is established and approved by leadership", status: "not-implemented" },
67
+ { id: "NIST-GV-PO-C2", description: "Policies address internal and external requirements and expectations", status: "not-implemented" },
68
+ { id: "NIST-GV-PO-C3", description: "Policies are communicated and disseminated to all relevant stakeholders", status: "not-implemented" },
69
+ { id: "NIST-GV-PO-C4", description: "Policies are reviewed and updated on a defined schedule and after significant changes", status: "not-implemented" },
70
+ ],
71
+ },
72
+ {
73
+ id: "NIST-GV-OV",
74
+ name: "Oversight",
75
+ description: "The results of cybersecurity risk management activities and outcomes are used to inform, improve, and adapt cybersecurity strategy.",
76
+ category: "govern",
77
+ framework: "NIST",
78
+ status: "not-implemented",
79
+ severity: "medium",
80
+ implementation_guidance: "Establish cybersecurity oversight mechanisms including board-level reporting. Conduct regular cybersecurity strategy reviews. Track and report on cybersecurity metrics and KPIs. Use audit results and incident lessons to improve strategy. [CSF 2.0 Refs: GV.OV-01 through GV.OV-05; SP 800-53: CA-2, CA-7, PM-14]",
81
+ checks: [
82
+ { id: "NIST-GV-OV-C1", description: "Cybersecurity results are reported to and reviewed by accountable bodies (board, executives)", status: "not-implemented" },
83
+ { id: "NIST-GV-OV-C2", description: "Cybersecurity strategy and direction are assessed for effectiveness and alignment", status: "not-implemented" },
84
+ { id: "NIST-GV-OV-C3", description: "Accountable bodies use cybersecurity results to inform strategic decisions", status: "not-implemented" },
85
+ { id: "NIST-GV-OV-C4", description: "Cybersecurity performance is benchmarked against targets and industry standards", status: "not-implemented" },
86
+ { id: "NIST-GV-OV-C5", description: "Cybersecurity direction is revised based on oversight findings and changing conditions", status: "not-implemented" },
87
+ ],
88
+ },
89
+ {
90
+ id: "NIST-GV-SC",
91
+ name: "Cybersecurity Supply Chain Risk Management",
92
+ description: "Cybersecurity supply chain risk management processes, controls, and supplier relationships are identified, prioritized, assessed, documented, and governed.",
93
+ category: "govern",
94
+ framework: "NIST",
95
+ status: "not-implemented",
96
+ severity: "high",
97
+ implementation_guidance: "Establish a Cybersecurity Supply Chain Risk Management (C-SCRM) program. Inventory all suppliers and service providers. Define supplier cybersecurity requirements. Conduct supplier risk assessments. Monitor supplier security posture. Include cybersecurity clauses in contracts. [CSF 2.0 Refs: GV.SC-01 through GV.SC-07; SP 800-53: SR-1, SR-2, SR-3, SR-6]",
98
+ checks: [
99
+ { id: "NIST-GV-SC-C1", description: "Cybersecurity supply chain risk management requirements are established and communicated", status: "not-implemented" },
100
+ { id: "NIST-GV-SC-C2", description: "Suppliers and third-party partners are identified, prioritized, and documented", status: "not-implemented" },
101
+ { id: "NIST-GV-SC-C3", description: "Supplier agreements include cybersecurity requirements and risk considerations", status: "not-implemented" },
102
+ { id: "NIST-GV-SC-C4", description: "Suppliers are assessed for cybersecurity risk before and during the relationship", status: "not-implemented" },
103
+ { id: "NIST-GV-SC-C5", description: "Supplier incident response and notification requirements are defined", status: "not-implemented" },
104
+ { id: "NIST-GV-SC-C6", description: "Supplier cybersecurity performance is monitored and reviewed regularly", status: "not-implemented" },
105
+ { id: "NIST-GV-SC-C7", description: "Supply chain risks are incorporated into the overall risk management process", status: "not-implemented" },
106
+ ],
107
+ },
108
+ // ============================================================
109
+ // IDENTIFY (ID) — CSF 2.0
110
+ // ============================================================
111
+ {
112
+ id: "NIST-ID-AM",
113
+ name: "Asset Management",
114
+ description: "The people, devices, systems, software, services, facilities, data, and other assets are inventoried, prioritized, and managed so they are accounted for and addressed.",
115
+ category: "identify",
116
+ framework: "NIST",
117
+ status: "not-implemented",
118
+ severity: "high",
119
+ implementation_guidance: "Maintain comprehensive asset inventories for hardware, software, data, and services. Assign owners to each asset. Prioritize assets by criticality and sensitivity. Use automated discovery tools (e.g., CMDB, Syft for SBOM). Track software licenses and versions. Document asset lifecycles. [CSF 2.0 Refs: ID.AM-01 through ID.AM-08; SP 800-53: CM-8, PM-5]",
120
+ checks: [
121
+ { id: "NIST-ID-AM-C1", description: "Physical devices within the organization are inventoried and managed", status: "not-implemented" },
122
+ { id: "NIST-ID-AM-C2", description: "Software platforms and applications within the organization are inventoried and managed (SBOM)", status: "not-implemented" },
123
+ { id: "NIST-ID-AM-C3", description: "Organizational communication and data are mapped and managed (data flow diagrams)", status: "not-implemented" },
124
+ { id: "NIST-ID-AM-C4", description: "External information systems and services are catalogued and managed", status: "not-implemented" },
125
+ { id: "NIST-ID-AM-C5", description: "Assets (hardware, software, data) are prioritized based on classification, criticality, and value", status: "not-implemented" },
126
+ { id: "NIST-ID-AM-C6", description: "Cybersecurity roles and responsibilities for the organization and assets are identified", status: "not-implemented" },
127
+ { id: "NIST-ID-AM-C7", description: "Asset owners are identified, documented, and accountable for each asset", status: "not-implemented" },
128
+ { id: "NIST-ID-AM-C8", description: "Assets are mapped to critical services they support", status: "not-implemented" },
129
+ ],
130
+ },
131
+ {
132
+ id: "NIST-ID-RA",
133
+ name: "Risk Assessment",
134
+ description: "The organization understands the cybersecurity risk to operations (mission, functions, image, reputation), organizational assets, and individuals.",
7
135
  category: "identify",
8
136
  framework: "NIST",
9
137
  status: "not-implemented",
10
138
  severity: "critical",
11
- implementation_guidance: "Implement centralized identity management. Use SSO. Automate user provisioning and deprovisioning.",
139
+ implementation_guidance: "Conduct risk assessments using NIST SP 800-30 methodology. Identify threats, vulnerabilities, and likelihood of occurrence. Assess impact on operations, assets, and individuals. Document risk treatment plans. Include supply chain risks. Track remediation of identified risks. Reassess risk periodically and after significant changes. [CSF 2.0 Refs: ID.RA-01 through ID.RA-10; SP 800-53: RA-3, RA-6, RA-8, RA-9, RA-10]",
12
140
  checks: [
13
- { id: "NIST-ID-001-C1", description: "Centralized identity management", status: "not-implemented" },
14
- { id: "NIST-ID-001-C2", description: "SSO implemented", status: "not-implemented" },
141
+ { id: "NIST-ID-RA-C1", description: "Vulnerabilities in assets are identified and documented", status: "not-implemented" },
142
+ { id: "NIST-ID-RA-C2", description: "Threats to internal and external assets are identified and documented", status: "not-implemented" },
143
+ { id: "NIST-ID-RA-C3", description: "Threat and vulnerability information is received from information sharing forums and sources", status: "not-implemented" },
144
+ { id: "NIST-ID-RA-C4", description: "Threats, vulnerabilities, likelihoods, and impacts are used to determine and prioritize risk", status: "not-implemented" },
145
+ { id: "NIST-ID-RA-C5", description: "Potential impacts of cybersecurity threats and vulnerabilities are identified, quantified, and documented", status: "not-implemented" },
146
+ { id: "NIST-ID-RA-C6", description: "Risk responses are chosen, prioritized, funded, and executed based on strategy", status: "not-implemented" },
147
+ { id: "NIST-ID-RA-C7", description: "Changes are identified and risk is reassessed to account for new threats and vulnerabilities", status: "not-implemented" },
148
+ { id: "NIST-ID-RA-C8", description: "Relevant cyber threat intelligence is received, analyzed, and used to inform decision-making", status: "not-implemented" },
149
+ { id: "NIST-ID-RA-C9", description: "Acceptable use and risk of AI/ML systems is assessed and documented", status: "not-implemented" },
150
+ { id: "NIST-ID-RA-C10", description: "Root causes of cybersecurity incidents are investigated and documented (forensics capability)", status: "not-implemented" },
15
151
  ],
16
152
  },
17
153
  {
18
- id: "NIST-PR-001",
19
- name: "Access Control",
20
- description: "Implement access control policies and mechanisms.",
154
+ id: "NIST-ID-IM",
155
+ name: "Improvements",
156
+ description: "Identified cybersecurity risk management improvements are incorporated into organizational practice.",
157
+ category: "identify",
158
+ framework: "NIST",
159
+ status: "not-implemented",
160
+ severity: "medium",
161
+ implementation_guidance: "Establish a continuous improvement process for cybersecurity. Capture lessons learned from incidents, audits, and assessments. Feed improvements back into the risk management cycle. Track and prioritize improvement actions. [CSF 2.0 Refs: ID.IM-01 through ID.IM-04; SP 800-53: CA-2, CA-7, RA-3]",
162
+ checks: [
163
+ { id: "NIST-ID-IM-C1", description: "Improvements from assessments, audits, and reviews are identified and documented", status: "not-implemented" },
164
+ { id: "NIST-ID-IM-C2", description: "Improvements are prioritized and incorporated into cybersecurity plans", status: "not-implemented" },
165
+ { id: "NIST-ID-IM-C3", description: "Effectiveness of implemented improvements is measured and verified", status: "not-implemented" },
166
+ { id: "NIST-ID-IM-C4", description: "Improvement process is informed by internal and external sources (incidents, threat intel)", status: "not-implemented" },
167
+ ],
168
+ },
169
+ // ============================================================
170
+ // PROTECT (PR) — CSF 2.0
171
+ // ============================================================
172
+ {
173
+ id: "NIST-PR-AA",
174
+ name: "Identity Management, Authentication, and Access Control",
175
+ description: "Access to physical and logical assets and associated facilities is limited to authorized users, activities, and transactions, and managed to the extent necessary for cybersecurity risk management.",
21
176
  category: "protect",
22
177
  framework: "NIST",
23
178
  status: "not-implemented",
24
179
  severity: "critical",
25
- implementation_guidance: "Implement RBAC or ABAC. Enforce least privilege. Regular access reviews.",
180
+ implementation_guidance: "Implement centralized identity management with SSO (SAML/OIDC). Enforce MFA for all access. Use RBAC or ABAC with least-privilege principles. Implement automated provisioning/deprovisioning. Require strong authentication (Argon2id, passkeys). Implement session management with automatic timeout. Conduct regular access reviews. [CSF 2.0 Refs: PR.AA-01 through PR.AA-11; SP 800-53: AC-1 through AC-25, IA-2, IA-5, IA-8]",
26
181
  checks: [
27
- { id: "NIST-PR-001-C1", description: "Access control model implemented", status: "not-implemented" },
28
- { id: "NIST-PR-001-C2", description: "Regular access reviews scheduled", status: "not-implemented" },
182
+ { id: "NIST-PR-AA-C1", description: "Identities are verified for all users and services before granting access", status: "not-implemented" },
183
+ { id: "NIST-PR-AA-C2", description: "Authentication mechanisms resist replay, credential stuffing, and social engineering (MFA, passkeys)", status: "not-implemented" },
184
+ { id: "NIST-PR-AA-C3", description: "Users, devices, and other assets are authenticated (e.g., single-sign-on, MFA) commensurate with risk", status: "not-implemented" },
185
+ { id: "NIST-PR-AA-C4", description: "Identities and credentials are issued, verified, revoked, and managed for devices, users, and services", status: "not-implemented" },
186
+ { id: "NIST-PR-AA-C5", description: "Identity federations and trust relationships are established and managed", status: "not-implemented" },
187
+ { id: "NIST-PR-AA-C6", description: "Access to assets is limited to authorized users, processes, and devices (least privilege)", status: "not-implemented" },
188
+ { id: "NIST-PR-AA-C7", description: "Access permissions are managed through authorization rightsets (RBAC/ABAC) incorporating principles of least privilege and separation of duties", status: "not-implemented" },
189
+ { id: "NIST-PR-AA-C8", description: "Access permissions are periodically reviewed and validated (access recertification)", status: "not-implemented" },
190
+ { id: "NIST-PR-AA-C9", description: "Access to assets is revoked when no longer needed or upon termination", status: "not-implemented" },
191
+ { id: "NIST-PR-AA-C10", description: "Remote access is secured, monitored, and controlled (VPN, zero-trust, bastion hosts)", status: "not-implemented" },
192
+ { id: "NIST-PR-AA-C11", description: "Physical access to assets is managed, monitored, and controlled separately from logical access", status: "not-implemented" },
29
193
  ],
30
194
  },
31
195
  {
32
- id: "NIST-PR-002",
196
+ id: "NIST-PR-AT",
197
+ name: "Awareness and Training",
198
+ description: "The organization's personnel are provided with cybersecurity awareness and training so they can perform their cybersecurity-related tasks.",
199
+ category: "protect",
200
+ framework: "NIST",
201
+ status: "not-implemented",
202
+ severity: "medium",
203
+ implementation_guidance: "Establish a security awareness and training program. Provide role-based training for privileged users. Conduct phishing simulations. Train developers on secure coding (OWASP). Include onboarding training for new hires. Track training completion. Refresh annually. [CSF 2.0 Refs: PR.AT-01 through PR.AT-04; SP 800-53: AT-2, AT-3, AT-4]",
204
+ checks: [
205
+ { id: "NIST-PR-AT-C1", description: "Personnel are provided awareness and training so they possess the knowledge and skills to perform cybersecurity-related tasks", status: "not-implemented" },
206
+ { id: "NIST-PR-AT-C2", description: "Leadership and management receive training on their cybersecurity roles and responsibilities", status: "not-implemented" },
207
+ { id: "NIST-PR-AT-C3", description: "Personnel with physical access receive training on physical security responsibilities", status: "not-implemented" },
208
+ { id: "NIST-PR-AT-C4", description: "Personnel providing security training are qualified and kept up to date", status: "not-implemented" },
209
+ ],
210
+ },
211
+ {
212
+ id: "NIST-PR-DS",
33
213
  name: "Data Security",
34
- description: "Protect data at rest and in transit.",
214
+ description: "Data are managed and protected consistent with the organization's risk strategy to protect confidentiality, integrity, and availability of information.",
215
+ category: "protect",
216
+ framework: "NIST",
217
+ status: "not-implemented",
218
+ severity: "critical",
219
+ implementation_guidance: "Encrypt data at rest (AES-256-GCM) and in transit (TLS 1.2+). Implement data classification (public, internal, confidential, restricted). Use data loss prevention (DLP) tools. Enforce retention and disposal policies. Implement data integrity controls (checksums, signatures). Segment networks to protect sensitive data. Maintain test data management practices. [CSF 2.0 Refs: PR.DS-01 through PR.DS-11; SP 800-53: SC-8, SC-13, SC-28, MP-3, MP-5, MP-7]",
220
+ checks: [
221
+ { id: "NIST-PR-DS-C1", description: "Data at rest are protected from unauthorized access, modification, or deletion", status: "not-implemented" },
222
+ { id: "NIST-PR-DS-C2", description: "Data in transit are protected from unauthorized access, modification, or deletion", status: "not-implemented" },
223
+ { id: "NIST-PR-DS-C3", description: "Assets are formally managed throughout removal, transfers, and disposition (data sanitization)", status: "not-implemented" },
224
+ { id: "NIST-PR-DS-C4", description: "Adequate capacity to ensure availability is maintained", status: "not-implemented" },
225
+ { id: "NIST-PR-DS-C5", description: "Integrity checking mechanisms are used to verify software, firmware, and hardware integrity", status: "not-implemented" },
226
+ { id: "NIST-PR-DS-C6", description: "Networks and environments are protected from unauthorized logical access and tampering (segmentation)", status: "not-implemented" },
227
+ { id: "NIST-PR-DS-C7", description: "Data are managed and protected consistent with the organization's data classification schema", status: "not-implemented" },
228
+ { id: "NIST-PR-DS-C8", description: "Timely and accurate detection, response, and recovery from integrity violations are implemented", status: "not-implemented" },
229
+ { id: "NIST-PR-DS-C9", description: "Data are kept consistent, and their provenance and lineage are tracked", status: "not-implemented" },
230
+ { id: "NIST-PR-DS-C10", description: "Development and test environments and data are managed and separated from production", status: "not-implemented" },
231
+ { id: "NIST-PR-DS-C11", description: "Replicated data and services are protected from unauthorized access, modification, and deletion", status: "not-implemented" },
232
+ ],
233
+ },
234
+ {
235
+ id: "NIST-PR-PS",
236
+ name: "Platform Security",
237
+ description: "The physical and logical platforms of the organization — hardware (IoT, OT, IT), software (operating systems, applications, services), and underlying infrastructure (cloud, networks, storage) — are managed and protected to prevent, detect, and respond to cybersecurity risk.",
238
+ category: "protect",
239
+ framework: "NIST",
240
+ status: "not-implemented",
241
+ severity: "high",
242
+ implementation_guidance: "Harden all platforms using CIS Benchmarks or similar baselines. Implement configuration management (IaC, Ansible, Terraform). Enable logging on all platforms. Implement endpoint protection (EDR/XDR). Use container security (image scanning, admission controllers). Manage patches and updates. Secure cloud configurations. Apply defense-in-depth architecture. [CSF 2.0 Refs: PR.PS-01 through PR.PS-06; SP 800-53: CM-2, CM-6, CM-7, SI-2, SI-3, SI-7]",
243
+ checks: [
244
+ { id: "NIST-PR-PS-C1", description: "Configuration management practices are established and maintained (baseline configurations, change control)", status: "not-implemented" },
245
+ { id: "NIST-PR-PS-C2", description: "Software and hardware are updated and replaced when end of support or end of life is reached", status: "not-implemented" },
246
+ { id: "NIST-PR-PS-C3", description: "Log records are generated and made available for continuous monitoring and incident response", status: "not-implemented" },
247
+ { id: "NIST-PR-PS-C4", description: "Software and hardware components are removed when no longer in use", status: "not-implemented" },
248
+ { id: "NIST-PR-PS-C5", description: "Patches and updates for software and hardware are applied as soon as possible after release", status: "not-implemented" },
249
+ { id: "NIST-PR-PS-C6", description: "Security configurations are applied and maintained across platforms (hardening baselines)", status: "not-implemented" },
250
+ ],
251
+ },
252
+ {
253
+ id: "NIST-PR-IR",
254
+ name: "Technology Infrastructure Resilience",
255
+ description: "Security architectures are designed, and the resilience of systems is managed, to prevent, detect, respond to, and recover from cybersecurity events.",
35
256
  category: "protect",
36
257
  framework: "NIST",
37
258
  status: "not-implemented",
259
+ severity: "high",
260
+ implementation_guidance: "Design for high availability with redundancy and failover. Implement backup strategies (3-2-1 rule) with regular restore testing. Define RTO and RPO objectives. Use load balancing and auto-scaling. Implement network resilience (DNS failover, multi-region). Document architecture diagrams. Conduct resilience testing (chaos engineering). [CSF 2.0 Refs: PR.IR-01 through PR.IR-06; SP 800-53: CP-2, CP-9, CP-10, SC-6, SC-7]",
261
+ checks: [
262
+ { id: "NIST-PR-IR-C1", description: "Backups of information are conducted, maintained, and tested to ensure restoration", status: "not-implemented" },
263
+ { id: "NIST-PR-IR-C2", description: "Information is restored from backups when needed to restore operations", status: "not-implemented" },
264
+ { id: "NIST-PR-IR-C3", description: "Network resilience is implemented to maintain service availability (redundancy, failover)", status: "not-implemented" },
265
+ { id: "NIST-PR-IR-C4", description: "System performance and capacity are managed to maintain availability under stress", status: "not-implemented" },
266
+ { id: "NIST-PR-IR-C5", description: "Resilience requirements are integrated into the system development lifecycle and procurement", status: "not-implemented" },
267
+ { id: "NIST-PR-IR-C6", description: "Processes and procedures are implemented and tested for failover and recovery (RTO/RPO defined)", status: "not-implemented" },
268
+ ],
269
+ },
270
+ // ============================================================
271
+ // DETECT (DE) — CSF 2.0
272
+ // ============================================================
273
+ {
274
+ id: "NIST-DE-CM",
275
+ name: "Continuous Monitoring",
276
+ description: "Assets are monitored to identify cybersecurity anomalies, vulnerabilities, and adverse events at discrete points in time and over time.",
277
+ category: "detect",
278
+ framework: "NIST",
279
+ status: "not-implemented",
38
280
  severity: "critical",
39
- implementation_guidance: "Encrypt data at rest (AES-256). Encrypt data in transit (TLS 1.2+). Classify data.",
281
+ implementation_guidance: "Implement continuous security monitoring using SIEM (Splunk, ELK, Sentinel). Monitor networks, endpoints, applications, and user behavior. Deploy IDS/IPS and EDR solutions. Conduct regular vulnerability scanning. Monitor for unauthorized changes. Track certificate expiration and patch status. Implement real-time alerting for security events. [CSF 2.0 Refs: DE.CM-01 through DE.CM-12; SP 800-53: CA-7, CM-3, SC-5, SC-7, SI-4]",
40
282
  checks: [
41
- { id: "NIST-PR-002-C1", description: "Data encryption at rest", status: "not-implemented" },
42
- { id: "NIST-PR-002-C2", description: "Data encryption in transit", status: "not-implemented" },
43
- { id: "NIST-PR-002-C3", description: "Data classification implemented", status: "not-implemented" },
283
+ { id: "NIST-DE-CM-C1", description: "Networks and network services are monitored to identify anomalies and adverse events", status: "not-implemented" },
284
+ { id: "NIST-DE-CM-C2", description: "Physical environment is monitored to detect cybersecurity events", status: "not-implemented" },
285
+ { id: "NIST-DE-CM-C3", description: "Personnel activity is monitored to detect anomalies and insider threats", status: "not-implemented" },
286
+ { id: "NIST-DE-CM-C4", description: "External service provider activity is monitored to detect anomalies and adverse events", status: "not-implemented" },
287
+ { id: "NIST-DE-CM-C5", description: "User accounts are monitored for unauthorized access, modifications, or misuse", status: "not-implemented" },
288
+ { id: "NIST-DE-CM-C6", description: "Hardware, software, and firmware are monitored for vulnerabilities, tampering, and integrity violations", status: "not-implemented" },
289
+ { id: "NIST-DE-CM-C7", description: "Unauthorized connections and mobile/wireless devices are identified and monitored", status: "not-implemented" },
290
+ { id: "NIST-DE-CM-C8", description: "Vulnerability scans are performed and results are reviewed and prioritized", status: "not-implemented" },
291
+ { id: "NIST-DE-CM-C9", description: "Malicious code is detected and addressed (antivirus, EDR, sandboxing)", status: "not-implemented" },
292
+ { id: "NIST-DE-CM-C10", description: "Unauthorized mobile code is detected and addressed", status: "not-implemented" },
293
+ { id: "NIST-DE-CM-C11", description: "Monitoring for unauthorized components and assets is conducted", status: "not-implemented" },
294
+ { id: "NIST-DE-CM-C12", description: "Adverse events are detected through analysis of monitoring data and threat intelligence", status: "not-implemented" },
44
295
  ],
45
296
  },
46
297
  {
47
- id: "NIST-DE-001",
48
- name: "Security Monitoring",
49
- description: "Monitor for security events and anomalies.",
298
+ id: "NIST-DE-AE",
299
+ name: "Adverse Event Analysis",
300
+ description: "Adverse cybersecurity anomalies, vulnerabilities, and events are understood to detect and attribute cybersecurity incidents.",
50
301
  category: "detect",
51
302
  framework: "NIST",
52
303
  status: "not-implemented",
53
304
  severity: "critical",
54
- implementation_guidance: "Implement centralized logging. Use SIEM or similar. Define alert thresholds.",
305
+ implementation_guidance: "Establish a Security Operations Center (SOC) or equivalent monitoring capability. Implement correlation rules for event analysis. Use threat intelligence feeds for enrichment. Conduct root cause analysis on security events. Define incident severity levels and escalation criteria. Maintain forensic investigation capabilities. [CSF 2.0 Refs: DE.AE-01 through DE.AE-08; SP 800-53: AU-6, IR-4, SI-4]",
55
306
  checks: [
56
- { id: "NIST-DE-001-C1", description: "Centralized logging implemented", status: "not-implemented" },
57
- { id: "NIST-DE-001-C2", description: "Security alerting configured", status: "not-implemented" },
307
+ { id: "NIST-DE-AE-C1", description: "A baseline of network operations and expected data flows is established and maintained", status: "not-implemented" },
308
+ { id: "NIST-DE-AE-C2", description: "Adverse events are detected in a timely manner and understood", status: "not-implemented" },
309
+ { id: "NIST-DE-AE-C3", description: "Sources of adverse events are correlated and analyzed to detect patterns and incidents", status: "not-implemented" },
310
+ { id: "NIST-DE-AE-C4", description: "Impact of adverse events is estimated and validated to prioritize response", status: "not-implemented" },
311
+ { id: "NIST-DE-AE-C5", description: "Forensic analysis is performed to determine root cause and scope of incidents", status: "not-implemented" },
312
+ { id: "NIST-DE-AE-C6", description: "Cyber threat intelligence is used to detect and analyze adverse events", status: "not-implemented" },
313
+ { id: "NIST-DE-AE-C7", description: "Notification and sharing of adverse event information follows established processes", status: "not-implemented" },
314
+ { id: "NIST-DE-AE-C8", description: "Adverse events are categorized and prioritized using defined criteria", status: "not-implemented" },
58
315
  ],
59
316
  },
317
+ // ============================================================
318
+ // RESPOND (RS) — CSF 2.0
319
+ // ============================================================
60
320
  {
61
- id: "NIST-RS-001",
62
- name: "Incident Response",
63
- description: "Establish and maintain incident response capabilities.",
321
+ id: "NIST-RS-MA",
322
+ name: "Incident Management",
323
+ description: "Incidents are formally managed to identify, respond to, and recover from adverse cybersecurity events.",
64
324
  category: "respond",
65
325
  framework: "NIST",
66
326
  status: "not-implemented",
67
327
  severity: "critical",
68
- implementation_guidance: "Create incident response plan. Define roles and responsibilities. Conduct regular drills.",
328
+ implementation_guidance: "Establish a formal incident management process based on NIST SP 800-61. Define incident severity levels and response procedures. Implement incident tracking and ticketing. Establish escalation procedures. Define roles and responsibilities for incident response team. Conduct post-incident reviews. Maintain incident documentation and timelines. [CSF 2.0 Refs: RS.MA-01 through RS.MA-05; SP 800-53: IR-4, IR-8]",
69
329
  checks: [
70
- { id: "NIST-RS-001-C1", description: "Incident response plan documented", status: "not-implemented" },
71
- { id: "NIST-RS-001-C2", description: "Roles and responsibilities defined", status: "not-implemented" },
72
- { id: "NIST-RS-001-C3", description: "Regular drills conducted", status: "not-implemented" },
330
+ { id: "NIST-RS-MA-C1", description: "Incidents are received, triaged, assigned, and managed to resolution", status: "not-implemented" },
331
+ { id: "NIST-RS-MA-C2", description: "Incident response plans and procedures are executed and maintained", status: "not-implemented" },
332
+ { id: "NIST-RS-MA-C3", description: "Incident response information is reported and shared with relevant stakeholders", status: "not-implemented" },
333
+ { id: "NIST-RS-MA-C4", description: "Incident response metrics are collected, analyzed, and used to improve processes", status: "not-implemented" },
334
+ { id: "NIST-RS-MA-C5", description: "Incident classification and severity levels are defined and applied consistently", status: "not-implemented" },
73
335
  ],
74
336
  },
75
337
  {
76
- id: "NIST-RC-001",
77
- name: "Recovery Planning",
78
- description: "Establish and maintain recovery plans.",
338
+ id: "NIST-RS-AN",
339
+ name: "Incident Analysis",
340
+ description: "Investigations and forensics are conducted to ensure effective response and recovery activities and to support post-incident reporting and analysis.",
341
+ category: "respond",
342
+ framework: "NIST",
343
+ status: "not-implemented",
344
+ severity: "high",
345
+ implementation_guidance: "Conduct thorough forensic analysis of security incidents. Collect and preserve evidence (chain of custody). Use digital forensics tools for investigation. Analyze attack vectors and attacker techniques (MITRE ATT&CK mapping). Document findings in incident reports. Share lessons learned with the organization. [CSF 2.0 Refs: RS.AN-01 through RS.AN-07; SP 800-53: AU-6, IR-4, IR-6]",
346
+ checks: [
347
+ { id: "NIST-RS-AN-C1", description: "Notifications from detection systems are investigated and analyzed to determine scope and impact", status: "not-implemented" },
348
+ { id: "NIST-RS-AN-C2", description: "Affected assets, vulnerabilities, and impacts are understood and documented", status: "not-implemented" },
349
+ { id: "NIST-RS-AN-C3", description: "Forensics are performed to determine root cause, attribution, and preconditions", status: "not-implemented" },
350
+ { id: "NIST-RS-AN-C4", description: "Incident priority is determined based on impact and urgency", status: "not-implemented" },
351
+ { id: "NIST-RS-AN-C5", description: "Incident analysis findings are shared with relevant internal and external stakeholders", status: "not-implemented" },
352
+ { id: "NIST-RS-AN-C6", description: "Threat intelligence and attack patterns are used to improve incident analysis", status: "not-implemented" },
353
+ { id: "NIST-RS-AN-C7", description: "Evidence is collected and preserved using chain-of-custody procedures", status: "not-implemented" },
354
+ ],
355
+ },
356
+ {
357
+ id: "NIST-RS-CO",
358
+ name: "Incident Response Reporting and Communication",
359
+ description: "Incident response information is reported and communicated to internal and external stakeholders to support response and recovery activities.",
360
+ category: "respond",
361
+ framework: "NIST",
362
+ status: "not-implemented",
363
+ severity: "high",
364
+ implementation_guidance: "Establish incident communication protocols with defined notification timelines. Identify regulatory notification requirements (GDPR 72-hour breach notification, state laws). Define communication channels for internal teams, executives, customers, and regulators. Prepare incident communication templates. Designate spokespeople for media inquiries. [CSF 2.0 Refs: RS.CO-02 through RS.CO-06; SP 800-53: CP-2, IR-6, IR-7]",
365
+ checks: [
366
+ { id: "NIST-RS-CO-C1", description: "Incident information is reported to internal stakeholders consistent with established procedures and timelines", status: "not-implemented" },
367
+ { id: "NIST-RS-CO-C2", description: "Incident information is reported to external stakeholders (regulators, customers, partners) as required", status: "not-implemented" },
368
+ { id: "NIST-RS-CO-C3", description: "External stakeholders voluntarily share incident information (ISACs, information sharing forums)", status: "not-implemented" },
369
+ { id: "NIST-RS-CO-C4", description: "Coordination with stakeholders occurs during incident response (e.g., law enforcement, CERT)", status: "not-implemented" },
370
+ { id: "NIST-RS-CO-C5", description: "Voluntary and mandatory incident reporting requirements are identified and met", status: "not-implemented" },
371
+ { id: "NIST-RS-CO-C6", description: "Public communications during incidents follow approved crisis communication procedures", status: "not-implemented" },
372
+ ],
373
+ },
374
+ {
375
+ id: "NIST-RS-MI",
376
+ name: "Incident Mitigation",
377
+ description: "Response activities are performed to prevent expansion of an adverse cybersecurity event, effect its eradication, and recover from the event.",
378
+ category: "respond",
379
+ framework: "NIST",
380
+ status: "not-implemented",
381
+ severity: "critical",
382
+ implementation_guidance: "Develop and execute incident containment strategies. Implement eradication procedures to remove threats. Validate recovery before restoring services. Apply lessons learned to prevent recurrence. Document all mitigation actions. Maintain playbooks for common incident types (ransomware, data breach, DDoS). [CSF 2.0 Refs: RS.MI-02 through RS.MI-04; SP 800-53: IR-4, IR-5, SI-4]",
383
+ checks: [
384
+ { id: "NIST-RS-MI-C1", description: "Incidents are contained to prevent further damage and spread", status: "not-implemented" },
385
+ { id: "NIST-RS-MI-C2", description: "Threats and vulnerabilities that led to the incident are identified and eradicated", status: "not-implemented" },
386
+ { id: "NIST-RS-MI-C3", description: "Recovery actions are validated and completed before restoring affected systems to normal operations", status: "not-implemented" },
387
+ { id: "NIST-RS-MI-C4", description: "Mitigation actions are documented and tested for effectiveness", status: "not-implemented" },
388
+ { id: "NIST-RS-MI-C5", description: "Post-incident analysis leads to preventive measures and process improvements", status: "not-implemented" },
389
+ ],
390
+ },
391
+ {
392
+ id: "NIST-RS-IM",
393
+ name: "Incident Response Improvements",
394
+ description: "Response processes and procedures are improved by incorporating lessons learned from current and previous detection/response activities.",
395
+ category: "respond",
396
+ framework: "NIST",
397
+ status: "not-implemented",
398
+ severity: "medium",
399
+ implementation_guidance: "Conduct formal post-incident reviews (blameless retrospectives). Document lessons learned and track corrective actions. Update incident response playbooks based on findings. Feed improvements into training and awareness programs. Measure incident response effectiveness metrics (MTTD, MTTR). [CSF 2.0 Refs: RS.IM-01 through RS.IM-02; SP 800-53: IR-4, CA-2]",
400
+ checks: [
401
+ { id: "NIST-RS-IM-C1", description: "Response plans incorporate lessons learned from current and previous incidents", status: "not-implemented" },
402
+ { id: "NIST-RS-IM-C2", description: "Response strategies and procedures are updated and improved based on incident analysis", status: "not-implemented" },
403
+ ],
404
+ },
405
+ // ============================================================
406
+ // RECOVER (RC) — CSF 2.0
407
+ // ============================================================
408
+ {
409
+ id: "NIST-RC-RP",
410
+ name: "Recovery Plan Execution",
411
+ description: "Recovery assets and processes are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.",
79
412
  category: "recover",
80
413
  framework: "NIST",
81
414
  status: "not-implemented",
82
415
  severity: "critical",
83
- implementation_guidance: "Create disaster recovery plan. Define RTO and RPO. Test recovery procedures regularly.",
416
+ implementation_guidance: "Develop and maintain disaster recovery and business continuity plans. Define RTO and RPO for critical systems. Implement automated recovery procedures where possible. Conduct regular recovery testing (tabletop and full exercises). Maintain contact lists and escalation procedures. Document recovery procedures and runbooks. Ensure backup integrity through periodic restore tests. [CSF 2.0 Refs: RC.RP-01 through RC.RP-06; SP 800-53: CP-2, CP-4, CP-9, CP-10]",
84
417
  checks: [
85
- { id: "NIST-RC-001-C1", description: "Disaster recovery plan documented", status: "not-implemented" },
86
- { id: "NIST-RC-001-C2", description: "RTO and RPO defined", status: "not-implemented" },
87
- { id: "NIST-RC-001-C3", description: "Regular recovery tests", status: "not-implemented" },
418
+ { id: "NIST-RC-RP-C1", description: "Recovery plans and procedures are executed during or after a cybersecurity incident", status: "not-implemented" },
419
+ { id: "NIST-RC-RP-C2", description: "Recovery processes, procedures, and runbooks are reviewed and updated", status: "not-implemented" },
420
+ { id: "NIST-RC-RP-C3", description: "Recovery is tested and validated to ensure it meets objectives (RTO/RPO)", status: "not-implemented" },
421
+ { id: "NIST-RC-RP-C4", description: "Backups are protected, segmented, and tested for integrity and availability", status: "not-implemented" },
422
+ { id: "NIST-RC-RP-C5", description: "Recovery capabilities are coordinated with external stakeholders (cloud providers, ISPs, partners)", status: "not-implemented" },
423
+ { id: "NIST-RC-RP-C6", description: "Recovery procedures prioritize critical services and data based on business impact", status: "not-implemented" },
88
424
  ],
89
425
  },
90
426
  {
91
- id: "NIST-ID-002",
92
- name: "Supply Chain Risk Management",
93
- description: "Identify and manage supply chain risks through software Bill of Materials (SBOM).",
94
- category: "identify",
427
+ id: "NIST-RC-CO",
428
+ name: "Recovery Communication",
429
+ description: "Restoration activities are coordinated with internal and external parties (suppliers, partners, regulators, customers, media) to manage recovery efforts.",
430
+ category: "recover",
95
431
  framework: "NIST",
96
432
  status: "not-implemented",
97
- severity: "high",
98
- implementation_guidance: "Generate SBOM for all software components using Syft or Trivy. Scan SBOM for known vulnerabilities using Grype. Automate SBOM generation in CI/CD. Enforce SBOM-based policies for third-party dependencies.",
433
+ severity: "medium",
434
+ implementation_guidance: "Establish recovery communication plans for all stakeholder groups. Define who communicates what, when, and how during recovery. Coordinate with external service providers for joint recovery. Prepare customer-facing status updates. Ensure regulatory communication requirements are met during recovery. [CSF 2.0 Refs: RC.CO-01 through RC.CO-04; SP 800-53: CP-2, IR-4, IR-7]",
99
435
  checks: [
100
- { id: "NIST-ID-002-C1", description: "SBOM generated for all dependencies", status: "not-implemented" },
101
- { id: "NIST-ID-002-C2", description: "SBOM vulnerability scanning automated", status: "not-implemented" },
102
- { id: "NIST-ID-002-C3", description: "Third-party dependency risk assessed", status: "not-implemented" },
436
+ { id: "NIST-RC-CO-C1", description: "Public relations and communication plans for recovery are managed and executed", status: "not-implemented" },
437
+ { id: "NIST-RC-CO-C2", description: "Recovery is coordinated with management, communications, and public relations teams", status: "not-implemented" },
438
+ { id: "NIST-RC-CO-C3", description: "Recovery coordination with external stakeholders (regulators, suppliers, partners) is established", status: "not-implemented" },
439
+ { id: "NIST-RC-CO-C4", description: "Stakeholder communication includes recovery status, impacts, and expected restoration timelines", status: "not-implemented" },
103
440
  ],
104
441
  },
105
442
  ];
106
443
  return {
107
444
  id: "nist",
108
- name: "NIST Cybersecurity Framework Policy Pack",
109
- description: "NIST CSF controls across Identify, Protect, Detect, Respond, and Recover.",
110
- version: "1.0.0",
445
+ name: "NIST Cybersecurity Framework 2.0 Policy Pack",
446
+ description: "NIST CSF 2.0 controls across all six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Covers 23 Categories and 114 Subcategories with SP 800-53 informative references.",
447
+ version: "2.0.0",
111
448
  project_types: [
112
- "saas", "healthcare-system", "generic-web-application", "government-system",
449
+ "saas",
450
+ "healthcare-system",
451
+ "generic-web-application",
452
+ "government-system",
453
+ "api-backend",
454
+ "mobile-application",
455
+ "ai-application",
113
456
  ],
114
457
  controls,
115
458
  frameworks: ["NIST"],
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "dependencies": {
3
- "@greenarmor/ges-compliance-engine": "1.2.0",
4
- "@greenarmor/ges-core": "1.2.0"
3
+ "@greenarmor/ges-compliance-engine": "1.2.2",
4
+ "@greenarmor/ges-core": "1.2.2"
5
5
  },
6
6
  "description": "GESF Policy Engine - Policy packs management and enforcement",
7
7
  "devDependencies": {
@@ -25,7 +25,7 @@
25
25
  "name": "@greenarmor/ges-policy-engine",
26
26
  "type": "module",
27
27
  "types": "./dist/index.d.ts",
28
- "version": "1.2.0",
28
+ "version": "1.2.2",
29
29
  "scripts": {
30
30
  "build": "tsc",
31
31
  "clean": "rm -rf dist tsconfig.tsbuildinfo",