@greenarmor/ges-policy-engine 1.2.5 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/index.d.ts +1 -0
  2. package/dist/index.js +4 -0
  3. package/dist/packs/government.js +2 -2
  4. package/dist/packs/nist-800-53.d.ts +2 -0
  5. package/dist/packs/nist-800-53.js +1246 -0
  6. package/package.json +3 -3
package/dist/packs/nist-800-53.js ADDED
@@ -0,0 +1,1246 @@
1
+ export function createNIST80053PolicyPack() {
2
+ const controls = [
3
+ // ============================================================
4
+ // AC — ACCESS CONTROL
5
+ // ============================================================
6
+ {
7
+ id: "NIST-800-53-AC-2",
8
+ name: "Account Management",
9
+ description: "Manage system accounts, establish account types, and monitor active accounts.",
10
+ category: "access-control",
11
+ framework: "NIST-800-53",
12
+ status: "not-implemented",
13
+ severity: "critical",
14
+ implementation_guidance: "Implement an account management system that creates, enables, modifies, disables, and removes accounts. Define account types (individual, shared, group, system, guest/anonymous, temporary). Notify account managers when accounts are no longer required. Authorize and monitor guest/anonymous and temporary accounts. Disable inactive accounts within 35 days. Monitor for repeated unauthorized access attempts.",
15
+ checks: [
16
+ { id: "NIST-800-53-AC-2-C1", description: "Account management procedures documented and enforced", status: "not-implemented" },
17
+ { id: "NIST-800-53-AC-2-C2", description: "Account types defined with role-based assignments", status: "not-implemented" },
18
+ { id: "NIST-800-53-AC-2-C3", description: "Inactive accounts disabled within 35 days", status: "not-implemented" },
19
+ { id: "NIST-800-53-AC-2-C4", description: "Account managers notified of account changes", status: "not-implemented" },
20
+ ],
21
+ },
22
+ {
23
+ id: "NIST-800-53-AC-3",
24
+ name: "Access Enforcement",
25
+ description: "Enforce approved authorizations for logical access to system resources in accordance with applicable access control policies.",
26
+ category: "access-control",
27
+ framework: "NIST-800-53",
28
+ status: "not-implemented",
29
+ severity: "critical",
30
+ implementation_guidance: "Enforce access control policies through technical safeguards such as role-based access control (RBAC), attribute-based access control (ABAC), or mandatory access control (MAC). Ensure the system uniquely identifies and authenticates users before granting access. Deny access by default; allow only explicitly authorized access.",
31
+ checks: [
32
+ { id: "NIST-800-53-AC-3-C1", description: "Access control model (RBAC/ABAC/MAC) implemented and enforced", status: "not-implemented" },
33
+ { id: "NIST-800-53-AC-3-C2", description: "Default-deny policy enforced on all protected resources", status: "not-implemented" },
34
+ { id: "NIST-800-53-AC-3-C3", description: "Access decisions logged for audit", status: "not-implemented" },
35
+ ],
36
+ },
37
+ {
38
+ id: "NIST-800-53-AC-5",
39
+ name: "Separation of Duties",
40
+ description: "Separate duties of individuals to prevent malevolent activity without collusion.",
41
+ category: "access-control",
42
+ framework: "NIST-800-53",
43
+ status: "not-implemented",
44
+ severity: "high",
45
+ implementation_guidance: "Identify and document functions that require separation of duties. Define access authorizations to support separation of duties. Ensure separation of duties is enforced through technical controls where feasible (e.g., require two-person approval for privileged operations).",
46
+ checks: [
47
+ { id: "NIST-800-53-AC-5-C1", description: "Critical functions requiring separation of duties identified", status: "not-implemented" },
48
+ { id: "NIST-800-53-AC-5-C2", description: "Technical controls enforce separation of duties", status: "not-implemented" },
49
+ ],
50
+ },
51
+ {
52
+ id: "NIST-800-53-AC-6",
53
+ name: "Least Privilege",
54
+ description: "Grant only the access necessary to accomplish assigned tasks in accordance with organizational missions and business functions.",
55
+ category: "access-control",
56
+ framework: "NIST-800-53",
57
+ status: "not-implemented",
58
+ severity: "critical",
59
+ implementation_guidance: "Design systems to enforce least privilege. Implement privileged access management (PAM) for admin accounts. Periodically review privileged access assignments (at least annually). Authorize access for privileged accounts for limited timeframes (just-in-time access). Re-evaluate access when duties change.",
60
+ checks: [
61
+ { id: "NIST-800-53-AC-6-C1", description: "Least privilege enforced through role-based assignments", status: "not-implemented" },
62
+ { id: "NIST-800-53-AC-6-C2", description: "Privileged access reviewed at least annually", status: "not-implemented" },
63
+ { id: "NIST-800-53-AC-6-C3", description: "Just-in-time access for high-privilege operations", status: "not-implemented" },
64
+ { id: "NIST-800-53-AC-6-C4", description: "Privileged access management (PAM) solution deployed", status: "not-implemented" },
65
+ ],
66
+ },
67
+ {
68
+ id: "NIST-800-53-AC-7",
69
+ name: "Unsuccessful Logon Attempts",
70
+ description: "Enforce limit on consecutive invalid logon attempts and automatically lock the account.",
71
+ category: "access-control",
72
+ framework: "NIST-800-53",
73
+ status: "not-implemented",
74
+ severity: "high",
75
+ implementation_guidance: "Enforce a limit of no more than 3 consecutive invalid logon attempts. Automatically lock the account/node for a defined period (recommended: minimum 15 minutes or until administrator unlocks). Log all unsuccessful logon attempts and alert on patterns indicating brute-force attacks.",
76
+ checks: [
77
+ { id: "NIST-800-53-AC-7-C1", description: "Account lockout after 3 invalid attempts enforced", status: "not-implemented" },
78
+ { id: "NIST-800-53-AC-7-C2", description: "Lockout period configured (min 15 minutes)", status: "not-implemented" },
79
+ { id: "NIST-800-53-AC-7-C3", description: "Brute-force patterns trigger security alerts", status: "not-implemented" },
80
+ ],
81
+ },
82
+ {
83
+ id: "NIST-800-53-AC-11",
84
+ name: "Session Lock",
85
+ description: "Lock sessions after a defined period of inactivity and require re-authentication to unlock.",
86
+ category: "access-control",
87
+ framework: "NIST-800-53",
88
+ status: "not-implemented",
89
+ severity: "medium",
90
+ implementation_guidance: "Initiate a session lock after 15 minutes of inactivity. Retain the session lock until re-authentication occurs. Hide the session contents (blank screen or obfuscation) when locked. Allow users to manually initiate session lock.",
91
+ checks: [
92
+ { id: "NIST-800-53-AC-11-C1", description: "Automatic session lock after 15 min inactivity", status: "not-implemented" },
93
+ { id: "NIST-800-53-AC-11-C2", description: "Session contents hidden when locked", status: "not-implemented" },
94
+ { id: "NIST-800-53-AC-11-C3", description: "Manual session lock available", status: "not-implemented" },
95
+ ],
96
+ },
97
+ {
98
+ id: "NIST-800-53-AC-17",
99
+ name: "Remote Access",
100
+ description: "Authorize, monitor, and control remote access to systems.",
101
+ category: "access-control",
102
+ framework: "NIST-800-53",
103
+ status: "not-implemented",
104
+ severity: "high",
105
+ implementation_guidance: "Establish and document remote access usage policies. Enforce multi-factor authentication for all remote access. Encrypt all remote access sessions (TLS 1.2+, VPN). Monitor and log all remote access sessions. Automatically terminate remote access sessions after a defined period. Route remote access through managed access control points.",
106
+ checks: [
107
+ { id: "NIST-800-53-AC-17-C1", description: "Remote access policy documented", status: "not-implemented" },
108
+ { id: "NIST-800-53-AC-17-C2", description: "MFA enforced on all remote access", status: "not-implemented" },
109
+ { id: "NIST-800-53-AC-17-C3", description: "All remote sessions encrypted and logged", status: "not-implemented" },
110
+ { id: "NIST-800-53-AC-17-C4", description: "Remote access routed through controlled access points", status: "not-implemented" },
111
+ ],
112
+ },
113
+ {
114
+ id: "NIST-800-53-AC-20",
115
+ name: "Use of External Systems",
116
+ description: "Establish terms and conditions for use of external systems and control use of organization-controlled systems on external networks.",
117
+ category: "access-control",
118
+ framework: "NIST-800-53",
119
+ status: "not-implemented",
120
+ severity: "medium",
121
+ implementation_guidance: "Establish terms and conditions for use of external systems. Prohibit processing, storage, or transmission of CUI on external systems unless approved. Require security assessments of external systems before use. Implement full-device or container-based encryption for mobile devices.",
122
+ checks: [
123
+ { id: "NIST-800-53-AC-20-C1", description: "Terms and conditions for external systems documented", status: "not-implemented" },
124
+ { id: "NIST-800-53-AC-20-C2", description: "CUI processing on external systems restricted", status: "not-implemented" },
125
+ { id: "NIST-800-53-AC-20-C3", description: "Mobile devices encrypted (full-device or container)", status: "not-implemented" },
126
+ ],
127
+ },
128
+ // ============================================================
129
+ // AT — AWARENESS AND TRAINING
130
+ // ============================================================
131
+ {
132
+ id: "NIST-800-53-AT-2",
133
+ name: "Literacy Training and Awareness",
134
+ description: "Provide security and privacy literacy training to system users on initial hire and at least annually thereafter.",
135
+ category: "training",
136
+ framework: "NIST-800-53",
137
+ status: "not-implemented",
138
+ severity: "medium",
139
+ implementation_guidance: "Provide security awareness training upon hire and at least annually. Include content on recognizing phishing, social engineering, malware indicators, and proper handling of CUI. Update training content to reflect new threats. Track completion and provide refresher training as needed.",
140
+ checks: [
141
+ { id: "NIST-800-53-AT-2-C1", description: "Security awareness training provided on hire", status: "not-implemented" },
142
+ { id: "NIST-800-53-AT-2-C2", description: "Annual refresher training completed by all personnel", status: "not-implemented" },
143
+ { id: "NIST-800-53-AT-2-C3", description: "Training includes phishing and social engineering awareness", status: "not-implemented" },
144
+ { id: "NIST-800-53-AT-2-C4", description: "Training completion tracked and reported", status: "not-implemented" },
145
+ ],
146
+ },
147
+ {
148
+ id: "NIST-800-53-AT-3",
149
+ name: "Role-Based Training",
150
+ description: "Provide role-based security and privacy training to personnel with specialized responsibilities.",
151
+ category: "training",
152
+ framework: "NIST-800-53",
153
+ status: "not-implemented",
154
+ severity: "high",
155
+ implementation_guidance: "Identify roles requiring specialized training (system admins, security officers, developers, incident responders). Provide practical, hands-on training specific to each role. Include training on secure coding practices for developers and incident response procedures for security teams.",
156
+ checks: [
157
+ { id: "NIST-800-53-AT-3-C1", description: "Specialized roles requiring role-based training identified", status: "not-implemented" },
158
+ { id: "NIST-800-53-AT-3-C2", description: "Hands-on training provided for each identified role", status: "not-implemented" },
159
+ { id: "NIST-800-53-AT-3-C3", description: "Training updated to reflect current threat landscape", status: "not-implemented" },
160
+ ],
161
+ },
162
+ {
163
+ id: "NIST-800-53-AT-4",
164
+ name: "Training Records",
165
+ description: "Document and monitor security and privacy training activities including completion and content.",
166
+ category: "training",
167
+ framework: "NIST-800-53",
168
+ status: "not-implemented",
169
+ severity: "low",
170
+ implementation_guidance: "Maintain records of all training activities including who was trained, when, what content was delivered, and completion status. Retain training records for at least the duration of employment. Use a learning management system (LMS) for tracking.",
171
+ checks: [
172
+ { id: "NIST-800-53-AT-4-C1", description: "Training records maintained with completion status", status: "not-implemented" },
173
+ { id: "NIST-800-53-AT-4-C2", description: "Records retained per organization retention policy", status: "not-implemented" },
174
+ ],
175
+ },
176
+ // ============================================================
177
+ // AU — AUDIT AND ACCOUNTABILITY
178
+ // ============================================================
179
+ {
180
+ id: "NIST-800-53-AU-2",
181
+ name: "Event Logging",
182
+ description: "Identify and log security-relevant events on the system.",
183
+ category: "audit",
184
+ framework: "NIST-800-53",
185
+ status: "not-implemented",
186
+ severity: "critical",
187
+ implementation_guidance: "Identify the types of events to be logged (authentication successes/failures, privilege escalations, configuration changes, data access, policy changes). Coordinate with other entities to enable correlation. Log events from all system components including applications, databases, network devices, and operating systems.",
188
+ checks: [
189
+ { id: "NIST-800-53-AU-2-C1", description: "Security-relevant event types identified and documented", status: "not-implemented" },
190
+ { id: "NIST-800-53-AU-2-C2", description: "Event logging enabled on all system components", status: "not-implemented" },
191
+ { id: "NIST-800-53-AU-2-C3", description: "Logs support cross-system event correlation", status: "not-implemented" },
192
+ ],
193
+ },
194
+ {
195
+ id: "NIST-800-53-AU-3",
196
+ name: "Content of Audit Records",
197
+ description: "Ensure audit records contain sufficient information to establish what, when, where, who, and outcome.",
198
+ category: "audit",
199
+ framework: "NIST-800-53",
200
+ status: "not-implemented",
201
+ severity: "high",
202
+ implementation_guidance: "Ensure audit records contain: date/time stamp, source IP address, user/subject identity, event type, event outcome (success/failure), resource/object accessed, and session identifier. Use a centralized logging format (e.g., JSON, CEF) for consistency.",
203
+ checks: [
204
+ { id: "NIST-800-53-AU-3-C1", description: "Audit records include timestamp, user, action, resource, outcome", status: "not-implemented" },
205
+ { id: "NIST-800-53-AU-3-C2", description: "Source IP and session ID captured in records", status: "not-implemented" },
206
+ { id: "NIST-800-53-AU-3-C3", description: "Centralized log format used for consistency", status: "not-implemented" },
207
+ ],
208
+ },
209
+ {
210
+ id: "NIST-800-53-AU-6",
211
+ name: "Audit Record Review, Analysis, and Reporting",
212
+ description: "Integrate audit record review, analysis, and reporting for investigation of security and privacy incidents.",
213
+ category: "audit",
214
+ framework: "NIST-800-53",
215
+ status: "not-implemented",
216
+ severity: "high",
217
+ implementation_guidance: "Review and analyze audit records on a regular basis (at least weekly). Integrate audit record monitoring with intrusion detection and SIEM systems. Use automated tools for log analysis and anomaly detection. Report findings to appropriate personnel and escalate anomalies.",
218
+ checks: [
219
+ { id: "NIST-800-53-AU-6-C1", description: "Audit records reviewed at least weekly", status: "not-implemented" },
220
+ { id: "NIST-800-53-AU-6-C2", description: "Log analysis integrated with SIEM/SOC", status: "not-implemented" },
221
+ { id: "NIST-800-53-AU-6-C3", description: "Anomalies reported and escalated to security team", status: "not-implemented" },
222
+ { id: "NIST-800-53-AU-6-C4", description: "Automated anomaly detection deployed", status: "not-implemented" },
223
+ ],
224
+ },
225
+ {
226
+ id: "NIST-800-53-AU-9",
227
+ name: "Protection of Audit Information",
228
+ description: "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.",
229
+ category: "audit",
230
+ framework: "NIST-800-53",
231
+ status: "not-implemented",
232
+ severity: "high",
233
+ implementation_guidance: "Protect audit information using access controls, encryption at rest, and WORM (write-once-read-many) storage where possible. Restrict access to audit tools to authorized personnel only. Store audit logs on a separate system or in a centralized log management system to prevent tampering.",
234
+ checks: [
235
+ { id: "NIST-800-53-AU-9-C1", description: "Audit logs protected by access controls", status: "not-implemented" },
236
+ { id: "NIST-800-53-AU-9-C2", description: "Audit logs encrypted at rest", status: "not-implemented" },
237
+ { id: "NIST-800-53-AU-9-C3", description: "Access to audit tools restricted to authorized personnel", status: "not-implemented" },
238
+ { id: "NIST-800-53-AU-9-C4", description: "Logs stored on separate/tamper-resistant system", status: "not-implemented" },
239
+ ],
240
+ },
241
+ {
242
+ id: "NIST-800-53-AU-12",
243
+ name: "Audit Record Generation",
244
+ description: "Provide audit record generation capability for security-relevant events.",
245
+ category: "audit",
246
+ framework: "NIST-800-53",
247
+ status: "not-implemented",
248
+ severity: "critical",
249
+ implementation_guidance: "Generate audit records for all identified security-relevant events. Compile records from various system components into a system-wide audit trail. Provide audit records to a centralized audit repository. Verify audit record generation is functioning correctly through periodic testing.",
250
+ checks: [
251
+ { id: "NIST-800-53-AU-12-C1", description: "Audit records generated for all defined events", status: "not-implemented" },
252
+ { id: "NIST-800-53-AU-12-C2", description: "Records compiled into system-wide audit trail", status: "not-implemented" },
253
+ { id: "NIST-800-53-AU-12-C3", description: "Records forwarded to centralized repository", status: "not-implemented" },
254
+ ],
255
+ },
256
+ // ============================================================
257
+ // CA — ASSESSMENT, AUTHORIZATION, AND MONITORING
258
+ // ============================================================
259
+ {
260
+ id: "NIST-800-53-CA-2",
261
+ name: "Control Assessment",
262
+ description: "Assess the security and privacy controls in the system to determine effectiveness.",
263
+ category: "assessment",
264
+ framework: "NIST-800-53",
265
+ status: "not-implemented",
266
+ severity: "high",
267
+ implementation_guidance: "Develop a security and privacy assessment plan. Assess controls upon initial implementation and at least annually thereafter. Use independent assessors (internal or external). Produce an assessment report documenting findings. Remediate identified deficiencies.",
268
+ checks: [
269
+ { id: "NIST-800-53-CA-2-C1", description: "Assessment plan developed and documented", status: "not-implemented" },
270
+ { id: "NIST-800-53-CA-2-C2", description: "Controls assessed at least annually", status: "not-implemented" },
271
+ { id: "NIST-800-53-CA-2-C3", description: "Assessment report produced with remediation plan", status: "not-implemented" },
272
+ { id: "NIST-800-53-CA-2-C4", description: "Independent assessors used", status: "not-implemented" },
273
+ ],
274
+ },
275
+ {
276
+ id: "NIST-800-53-CA-7",
277
+ name: "Continuous Monitoring",
278
+ description: "Develop a system-level continuous monitoring strategy and implement continuous monitoring.",
279
+ category: "assessment",
280
+ framework: "NIST-800-53",
281
+ status: "not-implemented",
282
+ severity: "high",
283
+ implementation_guidance: "Develop a continuous monitoring strategy that includes: configuration management, security control assessments, network monitoring, vulnerability scanning, and threat intelligence integration. Determine the frequency of monitoring based on risk. Report findings monthly/quarterly to authorizing officials.",
284
+ checks: [
285
+ { id: "NIST-800-53-CA-7-C1", description: "Continuous monitoring strategy documented", status: "not-implemented" },
286
+ { id: "NIST-800-53-CA-7-C2", description: "Automated monitoring tools deployed", status: "not-implemented" },
287
+ { id: "NIST-800-53-CA-7-C3", description: "Monitoring results reported to authorizing officials", status: "not-implemented" },
288
+ { id: "NIST-800-53-CA-7-C4", description: "Monitoring frequency based on risk assessment", status: "not-implemented" },
289
+ ],
290
+ },
291
+ {
292
+ id: "NIST-800-53-CA-9",
293
+ name: "Internal System Connections",
294
+ description: "Authorize internal connections of system components or subsystems.",
295
+ category: "assessment",
296
+ framework: "NIST-800-53",
297
+ status: "not-implemented",
298
+ severity: "medium",
299
+ implementation_guidance: "Document each internal system connection including the interface characteristics, security requirements, and the nature of information communicated. Authorize each connection before implementation. Review and re-authorize connections annually. Monitor connections for unauthorized changes.",
300
+ checks: [
301
+ { id: "NIST-800-53-CA-9-C1", description: "Internal system connections documented and authorized", status: "not-implemented" },
302
+ { id: "NIST-800-53-CA-9-C2", description: "Connections reviewed and re-authorized annually", status: "not-implemented" },
303
+ ],
304
+ },
305
+ // ============================================================
306
+ // CM — CONFIGURATION MANAGEMENT
307
+ // ============================================================
308
+ {
309
+ id: "NIST-800-53-CM-2",
310
+ name: "Baseline Configuration",
311
+ description: "Develop, document, and maintain a current baseline configuration of the system.",
312
+ category: "configuration-management",
313
+ framework: "NIST-800-53",
314
+ status: "not-implemented",
315
+ severity: "high",
316
+ implementation_guidance: "Establish and document baseline configurations for hardware, software, operating systems, and application components. Review and update baselines at least annually or after significant changes. Use infrastructure-as-code (IaC) to maintain baseline configurations. Implement automated configuration drift detection.",
317
+ checks: [
318
+ { id: "NIST-800-53-CM-2-C1", description: "Baseline configurations documented for all components", status: "not-implemented" },
319
+ { id: "NIST-800-53-CM-2-C2", description: "Baselines reviewed and updated at least annually", status: "not-implemented" },
320
+ { id: "NIST-800-53-CM-2-C3", description: "Infrastructure-as-code used to maintain baselines", status: "not-implemented" },
321
+ { id: "NIST-800-53-CM-2-C4", description: "Configuration drift detection implemented", status: "not-implemented" },
322
+ ],
323
+ },
324
+ {
325
+ id: "NIST-800-53-CM-3",
326
+ name: "Configuration Change Control",
327
+ description: "Determine and document the types of changes to the system that are configuration-controlled.",
328
+ category: "configuration-management",
329
+ framework: "NIST-800-53",
330
+ status: "not-implemented",
331
+ severity: "high",
332
+ implementation_guidance: "Approve and document configuration changes through a formal change control board (CCB) or equivalent process. Retain records of changes for audit. Review and test changes before deployment. Implement automated CI/CD pipelines with security gates.",
333
+ checks: [
334
+ { id: "NIST-800-53-CM-3-C1", description: "Change control process documented and enforced", status: "not-implemented" },
335
+ { id: "NIST-800-53-CM-3-C2", description: "Change records retained for audit", status: "not-implemented" },
336
+ { id: "NIST-800-53-CM-3-C3", description: "Changes tested before deployment", status: "not-implemented" },
337
+ { id: "NIST-800-53-CM-3-C4", description: "CI/CD pipelines include security gates", status: "not-implemented" },
338
+ ],
339
+ },
340
+ {
341
+ id: "NIST-800-53-CM-6",
342
+ name: "Configuration Settings",
343
+ description: "Establish, document, and implement secure configuration settings for system components.",
344
+ category: "configuration-management",
345
+ framework: "NIST-800-53",
346
+ status: "not-implemented",
347
+ severity: "critical",
348
+ implementation_guidance: "Establish security configuration settings based on CIS Benchmarks, DISA STIGs, or vendor hardening guides. Document and implement settings. Enforce settings through automated tools (e.g., Group Policy, Ansible, Chef). Monitor for deviations and remediate.",
349
+ checks: [
350
+ { id: "NIST-800-53-CM-6-C1", description: "Secure configuration settings documented (CIS/STIG)", status: "not-implemented" },
351
+ { id: "NIST-800-53-CM-6-C2", description: "Settings enforced through automation", status: "not-implemented" },
352
+ { id: "NIST-800-53-CM-6-C3", description: "Deviations monitored and remediated", status: "not-implemented" },
353
+ ],
354
+ },
355
+ {
356
+ id: "NIST-800-53-CM-7",
357
+ name: "Least Functionality",
358
+ description: "Configure the system with only essential functions, ports, protocols, and services.",
359
+ category: "configuration-management",
360
+ framework: "NIST-800-53",
361
+ status: "not-implemented",
362
+ severity: "high",
363
+ implementation_guidance: "Identify and document essential functions, ports, protocols, and services. Disable, remove, or restrict non-essential capabilities. Implement software allow-listing where feasible. Review functionality at least annually to identify and remove unnecessary components.",
364
+ checks: [
365
+ { id: "NIST-800-53-CM-7-C1", description: "Essential functions, ports, and services documented", status: "not-implemented" },
366
+ { id: "NIST-800-53-CM-7-C2", description: "Non-essential capabilities disabled or removed", status: "not-implemented" },
367
+ { id: "NIST-800-53-CM-7-C3", description: "Software allow-listing implemented", status: "not-implemented" },
368
+ { id: "NIST-800-53-CM-7-C4", description: "Functionality reviewed annually", status: "not-implemented" },
369
+ ],
370
+ },
371
+ {
372
+ id: "NIST-800-53-CM-8",
373
+ name: "System Component Inventory",
374
+ description: "Develop and document an inventory of system components that accurately reflects the current system.",
375
+ category: "configuration-management",
376
+ framework: "NIST-800-53",
377
+ status: "not-implemented",
378
+ severity: "high",
379
+ implementation_guidance: "Maintain an automated inventory of all system components including hardware, software, firmware, and network assets. Include component details: manufacturer, model, serial number, software versions, location, and owner. Update inventory automatically (agent-based or agentless discovery). Verify inventory at least monthly.",
380
+ checks: [
381
+ { id: "NIST-800-53-CM-8-C1", description: "Automated asset inventory maintained", status: "not-implemented" },
382
+ { id: "NIST-800-53-CM-8-C2", description: "Inventory includes all required component details", status: "not-implemented" },
383
+ { id: "NIST-800-53-CM-8-C3", description: "Inventory verified at least monthly", status: "not-implemented" },
384
+ { id: "NIST-800-53-CM-8-C4", description: "Inventory integrated with configuration management", status: "not-implemented" },
385
+ ],
386
+ },
387
+ // ============================================================
388
+ // CP — CONTINGENCY PLANNING
389
+ // ============================================================
390
+ {
391
+ id: "NIST-800-53-CP-2",
392
+ name: "Contingency Plan",
393
+ description: "Develop, document, and maintain a contingency plan for the system.",
394
+ category: "contingency-planning",
395
+ framework: "NIST-800-53",
396
+ status: "not-implemented",
397
+ severity: "high",
398
+ implementation_guidance: "Develop a contingency plan that includes: roles and responsibilities, recovery objectives (RTO/RPO), recovery procedures, and essential records. Review and update the plan at least annually. Distribute copies to key personnel. Coordinate the plan with related plans (incident response, business continuity).",
399
+ checks: [
400
+ { id: "NIST-800-53-CP-2-C1", description: "Contingency plan documented with RTO/RPO", status: "not-implemented" },
401
+ { id: "NIST-800-53-CP-2-C2", description: "Plan reviewed and updated at least annually", status: "not-implemented" },
402
+ { id: "NIST-800-53-CP-2-C3", description: "Plan distributed to key personnel", status: "not-implemented" },
403
+ { id: "NIST-800-53-CP-2-C4", description: "Plan coordinated with IR and BC plans", status: "not-implemented" },
404
+ ],
405
+ },
406
+ {
407
+ id: "NIST-800-53-CP-9",
408
+ name: "System Backup",
409
+ description: "Conduct backups of user-level and system-level information consistent with recovery objectives.",
410
+ category: "contingency-planning",
411
+ framework: "NIST-800-53",
412
+ status: "not-implemented",
413
+ severity: "critical",
414
+ implementation_guidance: "Conduct daily backups of user-level and system-level information. Protect backup information with encryption. Store backup copies in a physically separate facility or cloud region. Test backup information at least quarterly to verify media reliability and information integrity.",
415
+ checks: [
416
+ { id: "NIST-800-53-CP-9-C1", description: "Daily backups performed for all critical data", status: "not-implemented" },
417
+ { id: "NIST-800-53-CP-9-C2", description: "Backups encrypted at rest", status: "not-implemented" },
418
+ { id: "NIST-800-53-CP-9-C3", description: "Backups stored in separate facility/region", status: "not-implemented" },
419
+ { id: "NIST-800-53-CP-9-C4", description: "Backups tested at least quarterly", status: "not-implemented" },
420
+ ],
421
+ },
422
+ {
423
+ id: "NIST-800-53-CP-10",
424
+ name: "System Recovery and Reconstitution",
425
+ description: "Provide for the recovery and reconstitution of the system to a known state after a disruption, compromise, or failure.",
426
+ category: "contingency-planning",
427
+ framework: "NIST-800-53",
428
+ status: "not-implemented",
429
+ severity: "high",
430
+ implementation_guidance: "Implement recovery procedures that restore the system to a known, secure state. Include procedures for restoring from backup, verifying system integrity, and reconstituting services. Test recovery procedures annually. Maintain an alternate communications capability for recovery coordination.",
431
+ checks: [
432
+ { id: "NIST-800-53-CP-10-C1", description: "Recovery procedures documented and tested", status: "not-implemented" },
433
+ { id: "NIST-800-53-CP-10-C2", description: "System integrity verification after recovery", status: "not-implemented" },
434
+ { id: "NIST-800-53-CP-10-C3", description: "Annual recovery testing conducted", status: "not-implemented" },
435
+ ],
436
+ },
437
+ // ============================================================
438
+ // IA — IDENTIFICATION AND AUTHENTICATION
439
+ // ============================================================
440
+ {
441
+ id: "NIST-800-53-IA-2",
442
+ name: "Identification and Authentication",
443
+ description: "Uniquely identify and authenticate system users and processes.",
444
+ category: "authentication",
445
+ framework: "NIST-800-53",
446
+ status: "not-implemented",
447
+ severity: "critical",
448
+ implementation_guidance: "Uniquely identify and authenticate all users. Implement multi-factor authentication (MFA) for all accounts including: privileged accounts, remote access, and all non-organizational users. Use phishing-resistant MFA where feasible (FIDO2, WebAuthn). Implement MFA for all network access to privileged and non-privileged accounts.",
449
+ checks: [
450
+ { id: "NIST-800-53-IA-2-C1", description: "All users uniquely identified", status: "not-implemented" },
451
+ { id: "NIST-800-53-IA-2-C2", description: "MFA enforced for privileged accounts", status: "not-implemented" },
452
+ { id: "NIST-800-53-IA-2-C3", description: "MFA enforced for remote access", status: "not-implemented" },
453
+ { id: "NIST-800-53-IA-2-C4", description: "Phishing-resistant MFA (FIDO2/WebAuthn) available", status: "not-implemented" },
454
+ ],
455
+ },
456
+ {
457
+ id: "NIST-800-53-IA-5",
458
+ name: "Authenticator Management",
459
+ description: "Manage system authenticators by verifying, protecting, and controlling them.",
460
+ category: "authentication",
461
+ framework: "NIST-800-53",
462
+ status: "not-implemented",
463
+ severity: "critical",
464
+ implementation_guidance: "Define initial authenticator content and establish minimum authenticator strength requirements (NIST SP 800-63B). Protect authenticators from unauthorized disclosure and modification. Change default authenticators upon installation. Enforce password policies: minimum length 12+, no composition rules, screening against compromised password lists. Expire or revoke authenticators when no longer needed.",
465
+ checks: [
466
+ { id: "NIST-800-53-IA-5-C1", description: "Authenticator strength requirements defined", status: "not-implemented" },
467
+ { id: "NIST-800-53-IA-5-C2", description: "Default credentials changed on installation", status: "not-implemented" },
468
+ { id: "NIST-800-53-IA-5-C3", description: "Password policy aligned with NIST SP 800-63B", status: "not-implemented" },
469
+ { id: "NIST-800-53-IA-5-C4", description: "Compromised password screening implemented", status: "not-implemented" },
470
+ { id: "NIST-800-53-IA-5-C5", description: "Authenticators revoked when access is no longer needed", status: "not-implemented" },
471
+ ],
472
+ },
473
+ {
474
+ id: "NIST-800-53-IA-8",
475
+ name: "Service Provider Identification and Authentication",
476
+ description: "Uniquely identify and authenticate non-organizational (service provider) systems and processes.",
477
+ category: "authentication",
478
+ framework: "NIST-800-53",
479
+ status: "not-implemented",
480
+ severity: "medium",
481
+ implementation_guidance: "Identify and authenticate systems/services acting on behalf of external organizations. Implement machine-to-machine authentication using certificates, API keys with rotation, or OAuth 2.0 client credentials. Log and monitor service provider access.",
482
+ checks: [
483
+ { id: "NIST-800-53-IA-8-C1", description: "Service provider authentication implemented", status: "not-implemented" },
484
+ { id: "NIST-800-53-IA-8-C2", description: "Machine-to-machine auth uses certificates or OAuth", status: "not-implemented" },
485
+ { id: "NIST-800-53-IA-8-C3", description: "Service provider access logged and monitored", status: "not-implemented" },
486
+ ],
487
+ },
488
+ // ============================================================
489
+ // IR — INCIDENT RESPONSE
490
+ // ============================================================
491
+ {
492
+ id: "NIST-800-53-IR-4",
493
+ name: "Incident Handling",
494
+ description: "Implement an incident handling capability for security and privacy incidents.",
495
+ category: "incident-response",
496
+ framework: "NIST-800-53",
497
+ status: "not-implemented",
498
+ severity: "high",
499
+ implementation_guidance: "Implement an incident handling capability aligned with NIST SP 800-61 covering detection, analysis, containment, eradication, and recovery. Execute incident handling procedures in coordination with contingency plans. Incorporate lessons learned from incidents into procedures and controls.",
500
+ checks: [
501
+ { id: "NIST-800-53-IR-4-C1", description: "Incident response procedures documented (NIST SP 800-61)", status: "not-implemented" },
502
+ { id: "NIST-800-53-IR-4-C2", description: "IR procedures coordinate with contingency planning", status: "not-implemented" },
503
+ { id: "NIST-800-53-IR-4-C3", description: "Lessons learned incorporated into procedures", status: "not-implemented" },
504
+ ],
505
+ },
506
+ {
507
+ id: "NIST-800-53-IR-5",
508
+ name: "Incident Monitoring",
509
+ description: "Track and document security and privacy incidents.",
510
+ category: "incident-response",
511
+ framework: "NIST-800-53",
512
+ status: "not-implemented",
513
+ severity: "medium",
514
+ implementation_guidance: "Track and document incidents from initial detection through final resolution. Use an incident management/ticketing system. Include key details: detection time, classification, scope, actions taken, and resolution. Generate monthly reports on incident metrics and trends.",
515
+ checks: [
516
+ { id: "NIST-800-53-IR-5-C1", description: "Incident tracking system deployed", status: "not-implemented" },
517
+ { id: "NIST-800-53-IR-5-C2", description: "Incidents tracked from detection to resolution", status: "not-implemented" },
518
+ { id: "NIST-800-53-IR-5-C3", description: "Monthly incident metrics reported", status: "not-implemented" },
519
+ ],
520
+ },
521
+ {
522
+ id: "NIST-800-53-IR-6",
523
+ name: "Incident Reporting",
524
+ description: "Report security and privacy incidents to designated organizational authorities and external organizations.",
525
+ category: "incident-response",
526
+ framework: "NIST-800-53",
527
+ status: "not-implemented",
528
+ severity: "high",
529
+ implementation_guidance: "Report confirmed incidents to organizational authorities (CISO, legal, privacy officer) within defined timeframes. Report qualifying incidents to external organizations (US-CERT, law enforcement, regulatory bodies) as required. Establish automated alerting for critical incidents. Document reporting requirements and procedures.",
530
+ checks: [
531
+ { id: "NIST-800-53-IR-6-C1", description: "Incident reporting procedures documented", status: "not-implemented" },
532
+ { id: "NIST-800-53-IR-6-C2", description: "Internal reporting timeframes defined and met", status: "not-implemented" },
533
+ { id: "NIST-800-53-IR-6-C3", description: "External reporting (US-CERT/regulators) when required", status: "not-implemented" },
534
+ { id: "NIST-800-53-IR-6-C4", description: "Automated alerting for critical incidents", status: "not-implemented" },
535
+ ],
536
+ },
537
+ {
538
+ id: "NIST-800-53-IR-8",
539
+ name: "Incident Response Plan",
540
+ description: "Develop and disseminate an incident response plan.",
541
+ category: "incident-response",
542
+ framework: "NIST-800-53",
543
+ status: "not-implemented",
544
+ severity: "high",
545
+ implementation_guidance: "Develop a formal incident response plan that includes: mission, roles and responsibilities, performance measures, and communication plan. Disseminate the plan to all incident response personnel. Review and update at least annually. Test the plan annually via tabletop exercises or simulations.",
546
+ checks: [
547
+ { id: "NIST-800-53-IR-8-C1", description: "IR plan documented with roles and communication procedures", status: "not-implemented" },
548
+ { id: "NIST-800-53-IR-8-C2", description: "Plan disseminated to IR team members", status: "not-implemented" },
549
+ { id: "NIST-800-53-IR-8-C3", description: "Plan tested annually (tabletop or simulation)", status: "not-implemented" },
550
+ { id: "NIST-800-53-IR-8-C4", description: "Plan reviewed and updated at least annually", status: "not-implemented" },
551
+ ],
552
+ },
553
+ // ============================================================
554
+ // MA — MAINTENANCE
555
+ // ============================================================
556
+ {
557
+ id: "NIST-800-53-MA-2",
558
+ name: "Controlled Maintenance",
559
+ description: "Schedule, document, and review maintenance for systems and system components.",
560
+ category: "maintenance",
561
+ framework: "NIST-800-53",
562
+ status: "not-implemented",
563
+ severity: "medium",
564
+ implementation_guidance: "Schedule and approve all maintenance through formal processes. Include maintenance records: date, time, description of maintenance, personnel involved, and system components affected. Review maintenance records and inspect systems for unauthorized changes after maintenance. Require sanitization of equipment removed for off-site maintenance.",
565
+ checks: [
566
+ { id: "NIST-800-53-MA-2-C1", description: "Maintenance scheduling and approval process documented", status: "not-implemented" },
567
+ { id: "NIST-800-53-MA-2-C2", description: "Maintenance records maintained with full details", status: "not-implemented" },
568
+ { id: "NIST-800-53-MA-2-C3", description: "Post-maintenance inspections conducted", status: "not-implemented" },
569
+ ],
570
+ },
571
+ {
572
+ id: "NIST-800-53-MA-4",
573
+ name: "Nonlocal Maintenance",
574
+ description: "Authorize, monitor, and control nonlocal maintenance and diagnostic activities.",
575
+ category: "maintenance",
576
+ framework: "NIST-800-53",
577
+ status: "not-implemented",
578
+ severity: "high",
579
+ implementation_guidance: "Approve and document all nonlocal maintenance activities. Use multi-factor authentication and encryption for nonlocal maintenance sessions. Terminate sessions automatically after a defined period. Monitor nonlocal maintenance sessions and log all activity. Scan remote diagnostic tools for malware before use.",
580
+ checks: [
581
+ { id: "NIST-800-53-MA-4-C1", description: "Nonlocal maintenance approved and documented", status: "not-implemented" },
582
+ { id: "NIST-800-53-MA-4-C2", description: "MFA and encryption enforced for remote maintenance", status: "not-implemented" },
583
+ { id: "NIST-800-53-MA-4-C3", description: "Sessions auto-terminate after defined period", status: "not-implemented" },
584
+ { id: "NIST-800-53-MA-4-C4", description: "All sessions logged and monitored", status: "not-implemented" },
585
+ ],
586
+ },
587
+ {
588
+ id: "NIST-800-53-MA-6",
589
+ name: "Timely Maintenance",
590
+ description: "Initiate maintenance and correct defects in system components within specified timeframes.",
591
+ category: "maintenance",
592
+ framework: "NIST-800-53",
593
+ status: "not-implemented",
594
+ severity: "medium",
595
+ implementation_guidance: "Define maintenance timeframes based on severity of defects (critical: within 48 hours, high: within 7 days, medium: within 30 days). Track maintenance tickets through completion. Escalate overdue maintenance items. Maintain spare or replacement components to minimize downtime.",
596
+ checks: [
597
+ { id: "NIST-800-53-MA-6-C1", description: "Maintenance timeframes defined by severity", status: "not-implemented" },
598
+ { id: "NIST-800-53-MA-6-C2", description: "Maintenance tracked through completion", status: "not-implemented" },
599
+ { id: "NIST-800-53-MA-6-C3", description: "Overdue items escalated", status: "not-implemented" },
600
+ ],
601
+ },
602
+ // ============================================================
603
+ // MP — MEDIA PROTECTION
604
+ // ============================================================
605
+ {
606
+ id: "NIST-800-53-MP-4",
607
+ name: "Media Storage",
608
+ description: "Protect and control physical media containing sensitive information.",
609
+ category: "media-protection",
610
+ framework: "NIST-800-53",
611
+ status: "not-implemented",
612
+ severity: "medium",
613
+ implementation_guidance: "Store physical media (USB drives, tapes, hard drives, optical media) in secure, access-controlled locations. Protect media from environmental damage (fire, water, temperature). Implement an inventory system for media containing CUI. Restrict access to media to authorized personnel only.",
614
+ checks: [
615
+ { id: "NIST-800-53-MP-4-C1", description: "Physical media stored in secure location", status: "not-implemented" },
616
+ { id: "NIST-800-53-MP-4-C2", description: "Media protected from environmental damage", status: "not-implemented" },
617
+ { id: "NIST-800-53-MP-4-C3", description: "CUI media inventoried and tracked", status: "not-implemented" },
618
+ { id: "NIST-800-53-MP-4-C4", description: "Access to media restricted to authorized personnel", status: "not-implemented" },
619
+ ],
620
+ },
621
+ {
622
+ id: "NIST-800-53-MP-6",
623
+ name: "Media Sanitization",
624
+ description: "Sanitize media prior to disposal, release out of organizational control, or release for reuse.",
625
+ category: "media-protection",
626
+ framework: "NIST-800-53",
627
+ status: "not-implemented",
628
+ severity: "high",
629
+ implementation_guidance: "Sanitize media using methods approved by NIST SP 800-88 (Clear, Purge, or Destroy). Document sanitization actions including: media type, sanitization method, date, and personnel. Verify sanitization effectiveness. Use cryptographic erase for encrypted storage. Employ physical destruction (shredding, crushing, incineration) for media that cannot be securely erased.",
630
+ checks: [
631
+ { id: "NIST-800-53-MP-6-C1", description: "Sanitization procedures documented (NIST SP 800-88)", status: "not-implemented" },
632
+ { id: "NIST-800-53-MP-6-C2", description: "Sanitization actions documented and verified", status: "not-implemented" },
633
+ { id: "NIST-800-53-MP-6-C3", description: "Physical destruction used when secure erase not possible", status: "not-implemented" },
634
+ ],
635
+ },
636
+ {
637
+ id: "NIST-800-53-MP-7",
638
+ name: "Media Use",
639
+ description: "Restrict or prohibit use of system media and enforce encryption on mobile devices.",
640
+ category: "media-protection",
641
+ framework: "NIST-800-53",
642
+ status: "not-implemented",
643
+ severity: "medium",
644
+ implementation_guidance: "Restrict the use of removable media (USB, external drives) through technical controls. Encrypt all data on mobile devices and removable media. Prohibit use of personally-owned removable media. Use data loss prevention (DLP) tools to monitor and control data transfers.",
645
+ checks: [
646
+ { id: "NIST-800-53-MP-7-C1", description: "Removable media usage restricted through policy", status: "not-implemented" },
647
+ { id: "NIST-800-53-MP-7-C2", description: "Full-disk encryption on mobile devices", status: "not-implemented" },
648
+ { id: "NIST-800-53-MP-7-C3", description: "DLP tools deployed to control data transfers", status: "not-implemented" },
649
+ ],
650
+ },
651
+ // ============================================================
652
+ // PE — PHYSICAL AND ENVIRONMENTAL PROTECTION
653
+ // ============================================================
654
+ {
655
+ id: "NIST-800-53-PE-2",
656
+ name: "Physical Access Authorizations",
657
+ description: "Develop, approve, and maintain a list of individuals with physical access to the facility.",
658
+ category: "physical-security",
659
+ framework: "NIST-800-53",
660
+ status: "not-implemented",
661
+ severity: "medium",
662
+ implementation_guidance: "Maintain a current list of personnel authorized for physical access to facilities containing systems. Review authorization lists at least annually. Remove access for terminated or transferred personnel within 24 hours. Issue and control physical access badges/credentials.",
663
+ checks: [
664
+ { id: "NIST-800-53-PE-2-C1", description: "Physical access authorization list maintained", status: "not-implemented" },
665
+ { id: "NIST-800-53-PE-2-C2", description: "List reviewed at least annually", status: "not-implemented" },
666
+ { id: "NIST-800-53-PE-2-C3", description: "Terminated personnel access removed within 24h", status: "not-implemented" },
667
+ ],
668
+ },
669
+ {
670
+ id: "NIST-800-53-PE-3",
671
+ name: "Physical Access Control",
672
+ description: "Implement physical access control devices/procedures to safeguard the facility and system components.",
673
+ category: "physical-security",
674
+ framework: "NIST-800-53",
675
+ status: "not-implemented",
676
+ severity: "high",
677
+ implementation_guidance: "Verify individual physical access before granting facility access. Control physical access points including gates, doors, and loading docks. Escort visitors and monitor visitor activity. Maintain physical access audit logs. Secure output devices (printers) to prevent unauthorized document removal. Implement intrusion detection and video surveillance.",
678
+ checks: [
679
+ { id: "NIST-800-53-PE-3-C1", description: "Physical access verified before granting entry", status: "not-implemented" },
680
+ { id: "NIST-800-53-PE-3-C2", description: "Visitors escorted and monitored", status: "not-implemented" },
681
+ { id: "NIST-800-53-PE-3-C3", description: "Physical access logs maintained", status: "not-implemented" },
682
+ { id: "NIST-800-53-PE-3-C4", description: "Intrusion detection and video surveillance deployed", status: "not-implemented" },
683
+ ],
684
+ },
685
+ {
686
+ id: "NIST-800-53-PE-6",
687
+ name: "Monitoring Physical Access",
688
+ description: "Monitor physical access to the facility and investigate unauthorized physical access.",
689
+ category: "physical-security",
690
+ framework: "NIST-800-53",
691
+ status: "not-implemented",
692
+ severity: "medium",
693
+ implementation_guidance: "Monitor physical intrusion alarms and surveillance equipment. Review physical access logs at least monthly. Investigate and report unauthorized physical access attempts. Coordinate monitoring with internal security personnel or external monitoring services.",
694
+ checks: [
695
+ { id: "NIST-800-53-PE-6-C1", description: "Intrusion alarms and surveillance monitored", status: "not-implemented" },
696
+ { id: "NIST-800-53-PE-6-C2", description: "Access logs reviewed monthly", status: "not-implemented" },
697
+ { id: "NIST-800-53-PE-6-C3", description: "Unauthorized access investigated and reported", status: "not-implemented" },
698
+ ],
699
+ },
700
+ {
701
+ id: "NIST-800-53-PE-16",
702
+ name: "Delivery and Removal",
703
+ description: "Authorize and control information system components entering and exiting the facility.",
704
+ category: "physical-security",
705
+ framework: "NIST-800-53",
706
+ status: "not-implemented",
707
+ severity: "low",
708
+ implementation_guidance: "Screen and inspect all incoming deliveries for unauthorized devices or modifications. Authorize and document all equipment entering and exiting the facility. Maintain logs of all deliveries and removals. Use designated receiving areas separate from system processing areas.",
709
+ checks: [
710
+ { id: "NIST-800-53-PE-16-C1", description: "Incoming deliveries screened and inspected", status: "not-implemented" },
711
+ { id: "NIST-800-53-PE-16-C2", description: "Equipment entry/exit authorized and logged", status: "not-implemented" },
712
+ ],
713
+ },
714
+ // ============================================================
715
+ // PL — PLANNING
716
+ // ============================================================
717
+ {
718
+ id: "NIST-800-53-PL-2",
719
+ name: "System Security and Privacy Plans",
720
+ description: "Develop and document a system security and privacy plan for the system.",
721
+ category: "planning",
722
+ framework: "NIST-800-53",
723
+ status: "not-implemented",
724
+ severity: "high",
725
+ implementation_guidance: "Develop a System Security Plan (SSP) that documents: system boundary, system environment, security controls implemented, and roles/responsibilities. Review and update the plan upon significant changes and at least annually. Protect the SSP from unauthorized disclosure. Designate a system owner responsible for the plan.",
726
+ checks: [
727
+ { id: "NIST-800-53-PL-2-C1", description: "System Security Plan documented", status: "not-implemented" },
728
+ { id: "NIST-800-53-PL-2-C2", description: "Plan includes system boundary, environment, and controls", status: "not-implemented" },
729
+ { id: "NIST-800-53-PL-2-C3", description: "Plan reviewed and updated at least annually", status: "not-implemented" },
730
+ { id: "NIST-800-53-PL-2-C4", description: "Plan protected from unauthorized disclosure", status: "not-implemented" },
731
+ ],
732
+ },
733
+ {
734
+ id: "NIST-800-53-PL-8",
735
+ name: "Security and Privacy Architectures",
736
+ description: "Develop security and privacy architectures for the system.",
737
+ category: "planning",
738
+ framework: "NIST-800-53",
739
+ status: "not-implemented",
740
+ severity: "medium",
741
+ implementation_guidance: "Develop security and privacy architectures that describe: architecture principles, security architecture, how controls are integrated, and alignment with enterprise architecture. Review and update architectures when significant changes occur. Reflect architectures in system design documentation.",
742
+ checks: [
743
+ { id: "NIST-800-53-PL-8-C1", description: "Security architecture documented", status: "not-implemented" },
744
+ { id: "NIST-800-53-PL-8-C2", description: "Architecture reflects integration of security controls", status: "not-implemented" },
745
+ { id: "NIST-800-53-PL-8-C3", description: "Architecture aligned with enterprise architecture", status: "not-implemented" },
746
+ ],
747
+ },
748
+ // ============================================================
749
+ // PS — PERSONNEL SECURITY
750
+ // ============================================================
751
+ {
752
+ id: "NIST-800-53-PS-2",
753
+ name: "Position Risk Designation",
754
+ description: "Assign a risk designation to all positions within the organization.",
755
+ category: "personnel-security",
756
+ framework: "NIST-800-53",
757
+ status: "not-implemented",
758
+ severity: "medium",
759
+ implementation_guidance: "Assign risk levels (low, moderate, high) to all positions based on duties, access level, and potential for harm. Define screening requirements for each risk level. Review and update position designations when duties change. Document position risk designations and maintain inventory.",
760
+ checks: [
761
+ { id: "NIST-800-53-PS-2-C1", description: "Position risk designations assigned to all positions", status: "not-implemented" },
762
+ { id: "NIST-800-53-PS-2-C2", description: "Screening requirements defined per risk level", status: "not-implemented" },
763
+ { id: "NIST-800-53-PS-2-C3", description: "Designations reviewed when duties change", status: "not-implemented" },
764
+ ],
765
+ },
766
+ {
767
+ id: "NIST-800-53-PS-3",
768
+ name: "Personnel Screening",
769
+ description: "Screen individuals prior to authorizing access to organizational information and systems.",
770
+ category: "personnel-security",
771
+ framework: "NIST-800-53",
772
+ status: "not-implemented",
773
+ severity: "high",
774
+ implementation_guidance: "Conduct background checks before granting access. Verify identity, education, employment history, and criminal records. Level of screening corresponds to position risk designation. Re-screen personnel when a triggering event occurs (e.g., security incident, change in clearance). Document screening results.",
775
+ checks: [
776
+ { id: "NIST-800-53-PS-3-C1", description: "Background checks conducted before access is granted", status: "not-implemented" },
777
+ { id: "NIST-800-53-PS-3-C2", description: "Screening level matches position risk", status: "not-implemented" },
778
+ { id: "NIST-800-53-PS-3-C3", description: "Re-screening triggered by events", status: "not-implemented" },
779
+ ],
780
+ },
781
+ {
782
+ id: "NIST-800-53-PS-4",
783
+ name: "Personnel Termination",
784
+ description: "Terminate access to systems and facilities when employment ends.",
785
+ category: "personnel-security",
786
+ framework: "NIST-800-53",
787
+ status: "not-implemented",
788
+ severity: "critical",
789
+ implementation_guidance: "Disable access to logical systems within 2 hours of termination. Revoke facility access badges/credentials. Recover organizational property (laptops, mobile devices, keys). Notify security personnel of termination. Review access logs for terminated personnel activity.",
790
+ checks: [
791
+ { id: "NIST-800-53-PS-4-C1", description: "Logical access disabled within 2 hours of termination", status: "not-implemented" },
792
+ { id: "NIST-800-53-PS-4-C2", description: "Facility access and badges revoked", status: "not-implemented" },
793
+ { id: "NIST-800-53-PS-4-C3", description: "Organizational property recovered", status: "not-implemented" },
794
+ { id: "NIST-800-53-PS-4-C4", description: "Termination access logs reviewed", status: "not-implemented" },
795
+ ],
796
+ },
797
+ {
798
+ id: "NIST-800-53-PS-5",
799
+ name: "Personnel Transfer",
800
+ description: "Review and modify logical and physical access authorizations when personnel are transferred.",
801
+ category: "personnel-security",
802
+ framework: "NIST-800-53",
803
+ status: "not-implemented",
804
+ severity: "high",
805
+ implementation_guidance: "Review and modify access authorizations when personnel are transferred to new positions. Revoke access no longer required for the new position. Initiate new screening requirements if the new position has a higher risk designation. Ensure transfers are documented and coordinated with HR, IT, and security.",
806
+ checks: [
807
+ { id: "NIST-800-53-PS-5-C1", description: "Access reviewed and modified upon transfer", status: "not-implemented" },
808
+ { id: "NIST-800-53-PS-5-C2", description: "Unnecessary access revoked after transfer", status: "not-implemented" },
809
+ { id: "NIST-800-53-PS-5-C3", description: "Transfers coordinated with HR, IT, and security", status: "not-implemented" },
810
+ ],
811
+ },
812
+ {
813
+ id: "NIST-800-53-PS-7",
814
+ name: "Third-Party Personnel Security",
815
+ description: "Ensure that third-party providers satisfy personnel security requirements.",
816
+ category: "personnel-security",
817
+ framework: "NIST-800-53",
818
+ status: "not-implemented",
819
+ severity: "medium",
820
+ implementation_guidance: "Require third-party providers (contractors, service providers) to comply with personnel security requirements. Include screening requirements in contracts. Verify that third-party personnel have undergone appropriate screening. Require third parties to notify the organization within 24 hours of personnel termination or transfer.",
821
+ checks: [
822
+ { id: "NIST-800-53-PS-7-C1", description: "Third-party personnel security requirements in contracts", status: "not-implemented" },
823
+ { id: "NIST-800-53-PS-7-C2", description: "Third-party screening verified", status: "not-implemented" },
824
+ { id: "NIST-800-53-PS-7-C3", description: "Third-party notifies of termination/transfer within 24h", status: "not-implemented" },
825
+ ],
826
+ },
827
+ // ============================================================
828
+ // PT — PII PROCESSING AND TRANSPARENCY
829
+ // ============================================================
830
+ {
831
+ id: "NIST-800-53-PT-1",
832
+ name: "PII Processing",
833
+ description: "Identify, document, and minimize the processing of PII.",
834
+ category: "privacy",
835
+ framework: "NIST-800-53",
836
+ status: "not-implemented",
837
+ severity: "high",
838
+ implementation_guidance: "Identify and document all processing activities involving PII. Minimize the collection, use, retention, and disclosure of PII to the minimum necessary. Conduct a Privacy Impact Assessment (PIA). Establish purpose specifications for each PII processing activity. Implement data minimization strategies.",
839
+ checks: [
840
+ { id: "NIST-800-53-PT-1-C1", description: "PII processing activities identified and documented", status: "not-implemented" },
841
+ { id: "NIST-800-53-PT-1-C2", description: "PIA conducted for systems processing PII", status: "not-implemented" },
842
+ { id: "NIST-800-53-PT-1-C3", description: "Data minimization implemented", status: "not-implemented" },
843
+ ],
844
+ },
845
+ {
846
+ id: "NIST-800-53-PT-2",
847
+ name: "Consent and Notice",
848
+ description: "Provide notice and obtain consent for the processing of PII where appropriate.",
849
+ category: "privacy",
850
+ framework: "NIST-800-53",
851
+ status: "not-implemented",
852
+ severity: "medium",
853
+ implementation_guidance: "Provide clear and conspicuous notice of PII collection, use, sharing, and retention. Obtain affirmative consent for sensitive PII processing. Provide mechanisms for individuals to withdraw consent. Maintain records of consent. Ensure notices are available at the point of collection.",
854
+ checks: [
855
+ { id: "NIST-800-53-PT-2-C1", description: "Privacy notices provided at point of collection", status: "not-implemented" },
856
+ { id: "NIST-800-53-PT-2-C2", description: "Affirmative consent obtained for sensitive PII", status: "not-implemented" },
857
+ { id: "NIST-800-53-PT-2-C3", description: "Consent withdrawal mechanism available", status: "not-implemented" },
858
+ ],
859
+ },
860
+ {
861
+ id: "NIST-800-53-PT-3",
862
+ name: "Redaction",
863
+ description: "Redact PII from documents, reports, and records before release.",
864
+ category: "privacy",
865
+ framework: "NIST-800-53",
866
+ status: "not-implemented",
867
+ severity: "medium",
868
+ implementation_guidance: "Implement redaction procedures for documents containing PII that are released to the public or external parties. Use automated redaction tools where possible. Define PII elements requiring redaction (SSN, passport numbers, financial accounts). Verify redaction effectiveness before release.",
869
+ checks: [
870
+ { id: "NIST-800-53-PT-3-C1", description: "Redaction procedures documented", status: "not-implemented" },
871
+ { id: "NIST-800-53-PT-3-C2", description: "Automated redaction tools deployed", status: "not-implemented" },
872
+ { id: "NIST-800-53-PT-3-C3", description: "Redaction verified before release", status: "not-implemented" },
873
+ ],
874
+ },
875
+ {
876
+ id: "NIST-800-53-PT-6",
877
+ name: "PII Monitoring and Disclosure",
878
+ description: "Monitor and audit access to and disclosure of PII.",
879
+ category: "privacy",
880
+ framework: "NIST-800-53",
881
+ status: "not-implemented",
882
+ severity: "high",
883
+ implementation_guidance: "Log and monitor all access to PII. Audit PII disclosures to ensure they are authorized and properly documented. Implement data loss prevention (DLP) to detect unauthorized PII transfers. Generate periodic reports on PII access patterns. Alert on anomalous access patterns.",
884
+ checks: [
885
+ { id: "NIST-800-53-PT-6-C1", description: "All PII access logged and monitored", status: "not-implemented" },
886
+ { id: "NIST-800-53-PT-6-C2", description: "PII disclosures audited and documented", status: "not-implemented" },
887
+ { id: "NIST-800-53-PT-6-C3", description: "DLP deployed for unauthorized PII transfer detection", status: "not-implemented" },
888
+ { id: "NIST-800-53-PT-6-C4", description: "Anomalous access patterns trigger alerts", status: "not-implemented" },
889
+ ],
890
+ },
891
+ {
892
+ id: "NIST-800-53-PT-7",
893
+ name: "PII Destruction and Disposal",
894
+ description: "Destroy or dispose of PII when it is no longer needed for the specified purpose.",
895
+ category: "privacy",
896
+ framework: "NIST-800-53",
897
+ status: "not-implemented",
898
+ severity: "high",
899
+ implementation_guidance: "Establish retention schedules defining how long PII is retained. Securely destroy or dispose of PII when no longer needed. Use NIST SP 800-88 compliant methods for media sanitization. Document destruction actions including date, method, and personnel. Verify destruction effectiveness.",
900
+ checks: [
901
+ { id: "NIST-800-53-PT-7-C1", description: "PII retention schedules established", status: "not-implemented" },
902
+ { id: "NIST-800-53-PT-7-C2", description: "Secure destruction methods applied (SP 800-88)", status: "not-implemented" },
903
+ { id: "NIST-800-53-PT-7-C3", description: "Destruction actions documented and verified", status: "not-implemented" },
904
+ ],
905
+ },
906
+ // ============================================================
907
+ // RA — RISK ASSESSMENT
908
+ // ============================================================
909
+ {
910
+ id: "NIST-800-53-RA-3",
911
+ name: "Risk Assessment",
912
+ description: "Conduct a risk assessment of the system and environment of operation.",
913
+ category: "risk-assessment",
914
+ framework: "NIST-800-53",
915
+ status: "not-implemented",
916
+ severity: "high",
917
+ implementation_guidance: "Conduct risk assessments using a defined methodology (NIST SP 800-30). Identify threats, vulnerabilities, likelihoods, and impacts. Assess risk to operations, assets, individuals, and other organizations. Document risk assessment results. Update risk assessments annually or upon significant changes.",
918
+ checks: [
919
+ { id: "NIST-800-53-RA-3-C1", description: "Risk assessment methodology documented (SP 800-30)", status: "not-implemented" },
920
+ { id: "NIST-800-53-RA-3-C2", description: "Threats, vulnerabilities, and impacts identified", status: "not-implemented" },
921
+ { id: "NIST-800-53-RA-3-C3", description: "Risk assessment results documented", status: "not-implemented" },
922
+ { id: "NIST-800-53-RA-3-C4", description: "Assessment updated annually or after changes", status: "not-implemented" },
923
+ ],
924
+ },
925
+ {
926
+ id: "NIST-800-53-RA-5",
927
+ name: "Vulnerability Monitoring and Scanning",
928
+ description: "Scan for vulnerabilities in the system and remediate in a timely manner.",
929
+ category: "risk-assessment",
930
+ framework: "NIST-800-53",
931
+ status: "not-implemented",
932
+ severity: "critical",
933
+ implementation_guidance: "Scan for vulnerabilities at least weekly using automated tools (e.g., Nessus, Qualys, OpenVAS). Scan after significant system changes. Remediate vulnerabilities based on severity: critical within 15 days, high within 30 days, medium within 90 days. Share vulnerability information with security teams. Monitor for new vulnerabilities using threat intelligence feeds.",
934
+ checks: [
935
+ { id: "NIST-800-53-RA-5-C1", description: "Automated vulnerability scanning at least weekly", status: "not-implemented" },
936
+ { id: "NIST-800-53-RA-5-C2", description: "Scans conducted after significant changes", status: "not-implemented" },
937
+ { id: "NIST-800-53-RA-5-C3", description: "Remediation SLAs: critical 15d, high 30d, medium 90d", status: "not-implemented" },
938
+ { id: "NIST-800-53-RA-5-C4", description: "Vulnerability intel feeds monitored", status: "not-implemented" },
939
+ ],
940
+ },
941
+ {
942
+ id: "NIST-800-53-RA-7",
943
+ name: "Risk Response",
944
+ description: "Respond to identified risks in accordance with the risk assessment results.",
945
+ category: "risk-assessment",
946
+ framework: "NIST-800-53",
947
+ status: "not-implemented",
948
+ severity: "medium",
949
+ implementation_guidance: "Select and implement risk responses (accept, mitigate, transfer, avoid). Document risk response decisions including rationale and approval. Track remediation of identified risks. Report risk response status to authorizing officials. Reassess residual risk after mitigation.",
950
+ checks: [
951
+ { id: "NIST-800-53-RA-7-C1", description: "Risk responses selected and documented", status: "not-implemented" },
952
+ { id: "NIST-800-53-RA-7-C2", description: "Risk response approvals recorded", status: "not-implemented" },
953
+ { id: "NIST-800-53-RA-7-C3", description: "Remediation tracked and reported", status: "not-implemented" },
954
+ ],
955
+ },
956
+ // ============================================================
957
+ // SA — SYSTEM AND SERVICES ACQUISITION
958
+ // ============================================================
959
+ {
960
+ id: "NIST-800-53-SA-3",
961
+ name: "Supply Chain Protection",
962
+ description: "Protect the supply chain for the system and system components.",
963
+ category: "acquisition",
964
+ framework: "NIST-800-53",
965
+ status: "not-implemented",
966
+ severity: "high",
967
+ implementation_guidance: "Develop and implement a supply chain risk management (SCRM) plan. Identify and assess critical system components and their suppliers. Require suppliers to implement security controls. Verify the integrity of hardware and software received from suppliers (SBOM, code signing, hash verification). Monitor supply chain threats.",
968
+ checks: [
969
+ { id: "NIST-800-53-SA-3-C1", description: "SCRM plan developed and implemented", status: "not-implemented" },
970
+ { id: "NIST-800-53-SA-3-C2", description: "Critical components and suppliers identified", status: "not-implemented" },
971
+ { id: "NIST-800-53-SA-3-C3", description: "Supplier security requirements in contracts", status: "not-implemented" },
972
+ { id: "NIST-800-53-SA-3-C4", description: "Component integrity verified (SBOM, signing)", status: "not-implemented" },
973
+ ],
974
+ },
975
+ {
976
+ id: "NIST-800-53-SA-4",
977
+ name: "Acquisition Process",
978
+ description: "Include security and privacy requirements in acquisition contracts and verify conformance.",
979
+ category: "acquisition",
980
+ framework: "NIST-800-53",
981
+ status: "not-implemented",
982
+ severity: "medium",
983
+ implementation_guidance: "Document security and privacy requirements for systems, components, and services. Include requirements in acquisition contracts and statements of work. Require vendors to demonstrate compliance through documentation, testing, or third-party assessments. Verify conformance throughout the lifecycle.",
984
+ checks: [
985
+ { id: "NIST-800-53-SA-4-C1", description: "Security requirements defined for acquisitions", status: "not-implemented" },
986
+ { id: "NIST-800-53-SA-4-C2", description: "Requirements included in contracts/SOWs", status: "not-implemented" },
987
+ { id: "NIST-800-53-SA-4-C3", description: "Vendor compliance verified through assessment", status: "not-implemented" },
988
+ ],
989
+ },
990
+ {
991
+ id: "NIST-800-53-SA-8",
992
+ name: "Security Engineering Principles",
993
+ description: "Apply security engineering principles in the specification, design, development, and implementation of the system.",
994
+ category: "acquisition",
995
+ framework: "NIST-800-53",
996
+ status: "not-implemented",
997
+ severity: "high",
998
+ implementation_guidance: "Apply security engineering principles including: defense-in-depth, secure defaults, fail-safe defaults, least privilege, economy of mechanism, complete mediation, open design, separation of privilege, least common mechanism, and psychological acceptability. Implement threat modeling during design. Use secure design patterns and architecture.",
999
+ checks: [
1000
+ { id: "NIST-800-53-SA-8-C1", description: "Security engineering principles applied in design", status: "not-implemented" },
1001
+ { id: "NIST-800-53-SA-8-C2", description: "Threat modeling conducted during design phase", status: "not-implemented" },
1002
+ { id: "NIST-800-53-SA-8-C3", description: "Secure design patterns and architecture used", status: "not-implemented" },
1003
+ ],
1004
+ },
1005
+ {
1006
+ id: "NIST-800-53-SA-9",
1007
+ name: "External System Services",
1008
+ description: "Require providers of external system services to implement security and privacy controls.",
1009
+ category: "acquisition",
1010
+ framework: "NIST-800-53",
1011
+ status: "not-implemented",
1012
+ severity: "high",
1013
+ implementation_guidance: "Require cloud providers and external service providers to implement required security controls. Define security requirements in service-level agreements (SLAs). Monitor provider security control implementation. Conduct periodic assessments of provider security. Define procedures for terminating service agreements.",
1014
+ checks: [
1015
+ { id: "NIST-800-53-SA-9-C1", description: "Security requirements defined for external services", status: "not-implemented" },
1016
+ { id: "NIST-800-53-SA-9-C2", description: "Requirements in SLAs", status: "not-implemented" },
1017
+ { id: "NIST-800-53-SA-9-C3", description: "Provider security assessed periodically", status: "not-implemented" },
1018
+ { id: "NIST-800-53-SA-9-C4", description: "Service termination procedures defined", status: "not-implemented" },
1019
+ ],
1020
+ },
1021
+ {
1022
+ id: "NIST-800-53-SA-11",
1023
+ name: "Developer Testing and Evaluation",
1024
+ description: "Require developers to create and implement a security assessment plan and perform testing.",
1025
+ category: "acquisition",
1026
+ framework: "NIST-800-53",
1027
+ status: "not-implemented",
1028
+ severity: "high",
1029
+ implementation_guidance: "Require developers to perform security testing including: static code analysis (SAST), dynamic application security testing (DAST), fuzzing, and penetration testing. Implement code review processes. Require vulnerability remediation before deployment. Verify security functionality through independent testing.",
1030
+ checks: [
1031
+ { id: "NIST-800-53-SA-11-C1", description: "SAST integrated into CI/CD pipeline", status: "not-implemented" },
1032
+ { id: "NIST-800-53-SA-11-C2", description: "DAST conducted on applications", status: "not-implemented" },
1033
+ { id: "NIST-800-53-SA-11-C3", description: "Penetration testing conducted annually", status: "not-implemented" },
1034
+ { id: "NIST-800-53-SA-11-C4", description: "Code review process implemented", status: "not-implemented" },
1035
+ ],
1036
+ },
1037
+ {
1038
+ id: "NIST-800-53-SA-22",
1039
+ name: "Unsupported System Components",
1040
+ description: "Replace system components when support for the components is no longer available from the vendor.",
1041
+ category: "acquisition",
1042
+ framework: "NIST-800-53",
1043
+ status: "not-implemented",
1044
+ severity: "medium",
1045
+ implementation_guidance: "Track vendor support status for all system components. Replace unsupported hardware, software, and firmware. When replacement is not immediately possible, implement compensating controls and document the risk. Maintain an inventory of unsupported components with upgrade/replacement plans.",
1046
+ checks: [
1047
+ { id: "NIST-800-53-SA-22-C1", description: "Vendor support status tracked for all components", status: "not-implemented" },
1048
+ { id: "NIST-800-53-SA-22-C2", description: "Unsupported components replaced or compensated", status: "not-implemented" },
1049
+ { id: "NIST-800-53-SA-22-C3", description: "Inventory of unsupported components maintained", status: "not-implemented" },
1050
+ ],
1051
+ },
1052
+ // ============================================================
1053
+ // SC — SYSTEM AND COMMUNICATIONS PROTECTION
1054
+ // ============================================================
1055
+ {
1056
+ id: "NIST-800-53-SC-5",
1057
+ name: "Denial of Service Protection",
1058
+ description: "Protect against or limit the effects of denial of service (DoS) attacks.",
1059
+ category: "system-protection",
1060
+ framework: "NIST-800-53",
1061
+ status: "not-implemented",
1062
+ severity: "high",
1063
+ implementation_guidance: "Deploy DDoS protection (e.g., Cloudflare, AWS Shield). Implement rate limiting and connection throttling. Configure auto-scaling to handle traffic spikes. Monitor for DoS attack patterns. Maintain a response plan for DoS incidents. Restrict internal resource consumption (CPU, memory, connections).",
1064
+ checks: [
1065
+ { id: "NIST-800-53-SC-5-C1", description: "DDoS protection deployed", status: "not-implemented" },
1066
+ { id: "NIST-800-53-SC-5-C2", description: "Rate limiting and connection throttling implemented", status: "not-implemented" },
1067
+ { id: "NIST-800-53-SC-5-C3", description: "DoS monitoring and response plan in place", status: "not-implemented" },
1068
+ ],
1069
+ },
1070
+ {
1071
+ id: "NIST-800-53-SC-8",
1072
+ name: "Transmission Confidentiality and Integrity",
1073
+ description: "Protect the confidentiality and integrity of transmitted information.",
1074
+ category: "system-protection",
1075
+ framework: "NIST-800-53",
1076
+ status: "not-implemented",
1077
+ severity: "critical",
1078
+ implementation_guidance: "Implement TLS 1.2 or higher for all external data transmissions. Use mutual TLS (mTLS) for service-to-service communication. Enforce HSTS for web applications. Implement message-level encryption for sensitive data where needed. Verify cryptographic algorithm strength periodically.",
1079
+ checks: [
1080
+ { id: "NIST-800-53-SC-8-C1", description: "TLS 1.2+ enforced for all external communications", status: "not-implemented" },
1081
+ { id: "NIST-800-53-SC-8-C2", description: "HSTS enabled for web applications", status: "not-implemented" },
1082
+ { id: "NIST-800-53-SC-8-C3", description: "mTLS for internal service-to-service communication", status: "not-implemented" },
1083
+ ],
1084
+ },
1085
+ {
1086
+ id: "NIST-800-53-SC-12",
1087
+ name: "Cryptographic Key Establishment and Management",
1088
+ description: "Establish and manage cryptographic keys for cryptography used in the system.",
1089
+ category: "system-protection",
1090
+ framework: "NIST-800-53",
1091
+ status: "not-implemented",
1092
+ severity: "high",
1093
+ implementation_guidance: "Establish and manage cryptographic keys using NIST-approved algorithms and key lengths. Implement a key management system (KMS). Define key lifecycle procedures: generation, distribution, storage, rotation, and destruction. Use hardware security modules (HSMs) for critical keys. Maintain an inventory of cryptographic keys.",
1094
+ checks: [
1095
+ { id: "NIST-800-53-SC-12-C1", description: "Key management system deployed", status: "not-implemented" },
1096
+ { id: "NIST-800-53-SC-12-C2", description: "Key lifecycle procedures documented", status: "not-implemented" },
1097
+ { id: "NIST-800-53-SC-12-C3", description: "HSM used for critical key storage", status: "not-implemented" },
1098
+ { id: "NIST-800-53-SC-12-C4", description: "Key inventory maintained", status: "not-implemented" },
1099
+ ],
1100
+ },
1101
+ {
1102
+ id: "NIST-800-53-SC-13",
1103
+ name: "Cryptographic Protection",
1104
+ description: "Determine and document the cryptographic uses and implementations in the system.",
1105
+ category: "system-protection",
1106
+ framework: "NIST-800-53",
1107
+ status: "not-implemented",
1108
+ severity: "high",
1109
+ implementation_guidance: "Use FIPS 140-2/140-3 validated cryptographic modules. Implement encryption at rest using AES-256-GCM. Use only NIST-approved algorithms. Disable deprecated algorithms and protocols (RC4, DES, SSL, TLS 1.0/1.1). Document all cryptographic uses including: data at rest, data in transit, hashing, digital signatures.",
1110
+ checks: [
1111
+ { id: "NIST-800-53-SC-13-C1", description: "FIPS 140-2/3 validated crypto modules used", status: "not-implemented" },
1112
+ { id: "NIST-800-53-SC-13-C2", description: "Deprecated algorithms disabled (RC4, DES, SSL, TLS 1.0/1.1)", status: "not-implemented" },
1113
+ { id: "NIST-800-53-SC-13-C3", description: "Cryptographic uses documented", status: "not-implemented" },
1114
+ ],
1115
+ },
1116
+ {
1117
+ id: "NIST-800-53-SC-28",
1118
+ name: "Protection of Information at Rest",
1119
+ description: "Protect the confidentiality and integrity of information at rest.",
1120
+ category: "system-protection",
1121
+ framework: "NIST-800-53",
1122
+ status: "not-implemented",
1123
+ severity: "critical",
1124
+ implementation_guidance: "Implement full-disk encryption on all servers, laptops, and mobile devices. Encrypt database contents at rest using AES-256. Implement file-level or field-level encryption for sensitive data. Use encrypted storage volumes (EBS encryption, Azure Disk Encryption, GCP Persistent Disk encryption). Regularly verify encryption status.",
1125
+ checks: [
1126
+ { id: "NIST-800-53-SC-28-C1", description: "Full-disk encryption on all endpoints", status: "not-implemented" },
1127
+ { id: "NIST-800-53-SC-28-C2", description: "Database encryption at rest (AES-256)", status: "not-implemented" },
1128
+ { id: "NIST-800-53-SC-28-C3", description: "Field-level encryption for sensitive data", status: "not-implemented" },
1129
+ { id: "NIST-800-53-SC-28-C4", description: "Encrypted storage volumes verified", status: "not-implemented" },
1130
+ ],
1131
+ },
1132
+ // ============================================================
1133
+ // SI — SYSTEM AND INFORMATION INTEGRITY
1134
+ // ============================================================
1135
+ {
1136
+ id: "NIST-800-53-SI-2",
1137
+ name: "Flaw Remediation",
1138
+ description: "Identify, report, and correct system flaws and vulnerabilities.",
1139
+ category: "system-integrity",
1140
+ framework: "NIST-800-53",
1141
+ status: "not-implemented",
1142
+ severity: "critical",
1143
+ implementation_guidance: "Identify and remediate flaws including: security vulnerabilities, bugs, and configuration errors. Install security-relevant software and firmware updates within defined timeframes: critical 48 hours, high 7 days, medium 30 days, low 90 days. Test updates before deployment. Remove flawed components from operational systems.",
1144
+ checks: [
1145
+ { id: "NIST-800-53-SI-2-C1", description: "Flaw identification and reporting process documented", status: "not-implemented" },
1146
+ { id: "NIST-800-53-SI-2-C2", description: "Patch SLAs enforced: critical 48h, high 7d, medium 30d", status: "not-implemented" },
1147
+ { id: "NIST-800-53-SI-2-C3", description: "Updates tested before deployment", status: "not-implemented" },
1148
+ ],
1149
+ },
1150
+ {
1151
+ id: "NIST-800-53-SI-3",
1152
+ name: "Malicious Code Protection",
1153
+ description: "Implement protection against malicious code at system entry and exit points.",
1154
+ category: "system-integrity",
1155
+ framework: "NIST-800-53",
1156
+ status: "not-implemented",
1157
+ severity: "high",
1158
+ implementation_guidance: "Deploy endpoint detection and response (EDR) or anti-malware solutions on all endpoints and servers. Enable real-time scanning for malicious code at system entry/exit points (email gateways, web proxies, file servers). Automatically update malicious code detection signatures. Scan files from external sources before use. Block execution of unauthorized software.",
1159
+ checks: [
1160
+ { id: "NIST-800-53-SI-3-C1", description: "EDR/anti-malware deployed on all endpoints and servers", status: "not-implemented" },
1161
+ { id: "NIST-800-53-SI-3-C2", description: "Real-time scanning at entry/exit points", status: "not-implemented" },
1162
+ { id: "NIST-800-53-SI-3-C3", description: "Signatures auto-updated", status: "not-implemented" },
1163
+ { id: "NIST-800-53-SI-3-C4", description: "Unauthorized software execution blocked", status: "not-implemented" },
1164
+ ],
1165
+ },
1166
+ {
1167
+ id: "NIST-800-53-SI-4",
1168
+ name: "System Monitoring",
1169
+ description: "Monitor the system and inbound/outbound communications for security and privacy anomalies.",
1170
+ category: "system-integrity",
1171
+ framework: "NIST-800-53",
1172
+ status: "not-implemented",
1173
+ severity: "critical",
1174
+ implementation_guidance: "Deploy a SIEM (Security Information and Event Management) solution. Monitor network traffic for anomalies, intrusions, and unauthorized connections. Deploy intrusion detection/prevention systems (IDS/IPS). Monitor system behavior for indicators of compromise (IoCs). Integrate threat intelligence feeds. Define alerting thresholds and escalation procedures.",
1175
+ checks: [
1176
+ { id: "NIST-800-53-SI-4-C1", description: "SIEM deployed and centralized logging active", status: "not-implemented" },
1177
+ { id: "NIST-800-53-SI-4-C2", description: "IDS/IPS deployed on network perimeter", status: "not-implemented" },
1178
+ { id: "NIST-800-53-SI-4-C3", description: "Threat intelligence integrated", status: "not-implemented" },
1179
+ { id: "NIST-800-53-SI-4-C4", description: "Alerting thresholds and escalation defined", status: "not-implemented" },
1180
+ ],
1181
+ },
1182
+ {
1183
+ id: "NIST-800-53-SI-7",
1184
+ name: "Software, Firmware, and Information Integrity",
1185
+ description: "Detect unauthorized changes to software, firmware, and information.",
1186
+ category: "system-integrity",
1187
+ framework: "NIST-800-53",
1188
+ status: "not-implemented",
1189
+ severity: "high",
1190
+ implementation_guidance: "Implement file integrity monitoring (FIM) for critical system files, configuration files, and software. Perform integrity checks upon system startup and periodically. Verify code signing certificates for software updates. Alert on unauthorized changes. Use digital signatures for software distribution.",
1191
+ checks: [
1192
+ { id: "NIST-800-53-SI-7-C1", description: "File integrity monitoring (FIM) deployed", status: "not-implemented" },
1193
+ { id: "NIST-800-53-SI-7-C2", description: "Integrity checks on startup and periodically", status: "not-implemented" },
1194
+ { id: "NIST-800-53-SI-7-C3", description: "Code signing verified for software updates", status: "not-implemented" },
1195
+ { id: "NIST-800-53-SI-7-C4", description: "Unauthorized changes trigger alerts", status: "not-implemented" },
1196
+ ],
1197
+ },
1198
+ {
1199
+ id: "NIST-800-53-SI-10",
1200
+ name: "Information Input Validation",
1201
+ description: "Check the validity of information inputs to the system.",
1202
+ category: "system-integrity",
1203
+ framework: "NIST-800-53",
1204
+ status: "not-implemented",
1205
+ severity: "critical",
1206
+ implementation_guidance: "Implement input validation for all user-supplied data. Use parameterized queries to prevent SQL injection. Sanitize inputs to prevent XSS. Validate data format, type, length, and range. Implement server-side validation (never rely on client-side only). Use allow-lists for acceptable input values. Reject and log invalid inputs.",
1207
+ checks: [
1208
+ { id: "NIST-800-53-SI-10-C1", description: "Server-side input validation for all endpoints", status: "not-implemented" },
1209
+ { id: "NIST-800-53-SI-10-C2", description: "Parameterized queries prevent SQL injection", status: "not-implemented" },
1210
+ { id: "NIST-800-53-SI-10-C3", description: "XSS prevention via output encoding/sanitization", status: "not-implemented" },
1211
+ { id: "NIST-800-53-SI-10-C4", description: "Allow-lists used for acceptable input values", status: "not-implemented" },
1212
+ ],
1213
+ },
1214
+ {
1215
+ id: "NIST-800-53-SI-12",
1216
+ name: "Information Handling and Retention",
1217
+ description: "Handle and retain information in accordance with applicable requirements.",
1218
+ category: "system-integrity",
1219
+ framework: "NIST-800-53",
1220
+ status: "not-implemented",
1221
+ severity: "medium",
1222
+ implementation_guidance: "Establish information handling procedures based on data classification levels. Define retention periods for each data category. Implement automated retention enforcement (e.g., auto-delete after retention period). Securely dispose of information that has exceeded its retention period. Document data handling and retention procedures.",
1223
+ checks: [
1224
+ { id: "NIST-800-53-SI-12-C1", description: "Data handling procedures by classification level", status: "not-implemented" },
1225
+ { id: "NIST-800-53-SI-12-C2", description: "Retention periods defined per data category", status: "not-implemented" },
1226
+ { id: "NIST-800-53-SI-12-C3", description: "Automated retention enforcement implemented", status: "not-implemented" },
1227
+ ],
1228
+ },
1229
+ ];
1230
+ return {
1231
+ id: "nist-800-53",
1232
+ name: "NIST SP 800-53 Rev 5 Policy Pack (Government-Grade)",
1233
+ description: "Full NIST SP 800-53 Rev 5 security and privacy controls across all 18 control families: AC, AT, AU, CA, CM, CP, IA, IR, MA, MP, PE, PL, PM, PS, PT, RA, SA, SC, SI. **Designed for government systems, federal agencies, federal contractors, and FedRAMP compliance.** This is the official government compliance baseline used by all US federal information systems.",
1234
+ version: "5.0.0",
1235
+ project_types: [
1236
+ "government-system",
1237
+ "saas",
1238
+ "healthcare-system",
1239
+ "generic-web-application",
1240
+ "api-backend",
1241
+ "mobile-application",
1242
+ ],
1243
+ controls,
1244
+ frameworks: ["NIST-800-53"],
1245
+ };
1246
+ }