bmad-plus 0.4.4 → 0.5.0

package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md

@@ -0,0 +1,129 @@
+# SSP Writing Guide
+
+The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
+It tells the complete security story of the Cloud Service Offering (CSO): architecture,
+data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
+
+> Always use the official FedRAMP SSP template. One template covers all baselines
+> (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
+
+---
+
+## SSP Section-by-Section Guide
+
+### Section 1: Information System Name and Title
+- Formal name of the CSO
+- Unique identifier (assigned during FedRAMP process)
+- Service model (IaaS / PaaS / SaaS)
+- Deployment model (Public / Private / Community / Hybrid cloud)
+
+### Section 2: System Categorization
+- FIPS 199 impact determination: Confidentiality / Integrity / Availability
+- Overall impact level = high-water mark of the three values
+- Justify each categorization with the types of federal information processed
+
+### Section 3: System Owner / Authorizing Official
+- List CSP system owner, ISSO, and agency AO contacts
+- For agency authorization, include the sponsoring agency AO
+
+### Section 4: Assignment of Security Responsibility
+- Identify the ISSO (Information System Security Officer)
+- Document CSP security team contacts
+
+### Section 5: System Mission / Purpose
+- Brief description of what the system does
+- What federal agencies/programs it supports
+- What types of federal data it handles
+
+### Section 6: System Description
+- Narrative description of the system
+- Technology stack overview
+- Key system components
+
+### Section 7: General System Description / System Environment
+**This is one of the most scrutinized sections.**
+- Detailed architecture description
+- Authorization boundary narrative — clearly define what is IN and OUT of scope
+- Network architecture diagram (embedded)
+- Data flow diagrams (embedded)
+- Ports, protocols, and services table
+- External connections table (all services connecting to/from the boundary)
+
+**Common mistakes:**
+- Vague boundary descriptions ("the cloud environment") — be specific
+- Missing data flows for admin/management traffic
+- Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
+
+### Section 8: System Environment / Interconnections
+- Interconnection Security Agreements (ISAs) for each external system
+- Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
+- Inherited controls from leveraged services must be documented in CIS/CRM workbook
+
+### Section 9: Laws, Regulations, Standards (Appendix B)
+- Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
+- Lists applicable federal laws (FISMA, Privacy Act, etc.)
+- May include agency-specific requirements (HIPAA, CJIS if applicable)
+
+### Section 10: Minimum Security Controls
+**The largest section — one narrative per control.**
+
+For each control in the applicable baseline:
+
+```
+[Control ID] [Control Name]
+Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
+
+[Control Implementation Statement]
+Describe HOW the control is implemented. Be specific:
+- What tool, policy, or process implements this control?
+- Who is responsible?
+- Where is the evidence?
+- For shared controls: what is the CSP responsibility vs. customer responsibility?
+
+Customer Responsibility (if applicable):
+[Describe what the customer/agency must do]
+```
+
+**Writing tips:**
+- Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
+- Reference specific policy document names, tool names, configuration settings
+- For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
+- Mark unimplemented controls as "Planned" and ensure they appear in POA&M
+
+### SSP Appendices (A through Q)
+
+| Appendix | Content | Required? |
+|---|---|---|
+| A | Acronyms & Glossary | Yes |
+| B | Related Laws & Regulations (Attachment 12) | Yes |
+| C | Security Policies & Procedures | Yes (CSP-authored) |
+| D | User Guide | Yes |
+| E | Rules of Behavior | Yes (FedRAMP template) |
+| F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
+| G | Configuration Management Plan | Yes (CSP-authored) |
+| H | Incident Response Plan | Yes (CSP-authored) |
+| I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
+| J | FIPS 199 Categorization | Yes |
+| K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
+| L | Cryptographic Modules Table | Yes |
+| M | Continuous Monitoring Plan | Yes |
+| N | Separation of Duties Matrix | Conditional |
+| O | POA&M | Yes (FedRAMP template) |
+| P | Supply Chain Risk Management Plan | Yes (Rev 5) |
+| Q | Privacy Impact Assessment (PIA) | If PII in scope |
+
+---
+
+## SSP Quality Checklist
+
+Before submitting, verify:
+- [ ] All controls for the applicable baseline have implementation statements
+- [ ] No controls describe future/planned state as currently implemented
+- [ ] All "Planned" controls appear in POA&M
+- [ ] Architecture diagrams and control narratives are consistent
+- [ ] External connections table matches the data flow diagrams
+- [ ] CIS/CRM workbook is complete for all shared/inherited controls
+- [ ] IIW lists every asset in the boundary
+- [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
+- [ ] All required appendices (C through Q as applicable) are attached
+- [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template

package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md

@@ -0,0 +1,192 @@
+# Consent Notice / Cookie Banner Template
+
+## Legal Basis
+Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
+ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
+
+---
+
+## Consent Requirements Checklist (Art. 7)
+- [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
+- [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
+- [ ] **Informed**: Clear plain-language explanation before consent given
+- [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
+- [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
+- [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
+- [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
+
+---
+
+## Cookie Banner — Required Elements
+
+### Layer 1 (Initial Banner)
+```
+We use cookies to [improve your experience / personalise content / analyse traffic].
+[ACCEPT ALL]   [REJECT ALL]   [MANAGE PREFERENCES]
+
+[Link to Cookie Policy]
+```
+
+**Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
+pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
+
+### Layer 2 (Preference Centre)
+Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
+| Category | Description | Default |
+|----------|-------------|---------|
+| Strictly Necessary | Required for site function — no consent needed | Always ON |
+| Analytics | [Provider, purpose] | OFF |
+| Marketing | [Provider, purpose] | OFF |
+| Personalisation | [Provider, purpose] | OFF |
+
+### Consent Record to Store
+```json
+{
+  "userId": "...",
+  "consentTimestamp": "ISO-8601",
+  "consentVersion": "v1.2",
+  "purposes": {
+    "analytics": true,
+    "marketing": false
+  },
+  "method": "explicit-click",
+  "ipAddress": "[pseudonymised or omit]"
+}
+```
+
+---
+---
+
+# DPIA Template (Data Protection Impact Assessment)
+
+## Legal Basis
+Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
+Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
+
+## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
+- Systematic and extensive profiling
+- Large-scale special category data (Art. 9)
+- Systematic monitoring of public areas
+- New technologies
+- Automated decision-making with legal/significant effects (Art. 22)
+- Children's data at scale
+- Data matching / combining datasets
+
+---
+
+## DPIA Structure
+
+### 1. Description of Processing (Art. 35(7)(a))
+- **System / project name**: [NAME]
+- **Controller**: [NAME + DPO if applicable]
+- **Nature of processing**: [What operations are performed on the data]
+- **Scope**: [Volume, frequency, geographic reach]
+- **Context**: [Who are the data subjects; their vulnerability level]
+- **Purpose**: [What is the legitimate aim]
+- **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
+
+### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
+Assess whether processing is:
+- **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
+- **Proportionate** — do the benefits outweigh the risks to individuals?
+- **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
+
+### 3. Risk Assessment (Art. 35(7)(c))
+For each identified risk:
+| Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
+|------|-----------------|---------------|-----------|------------|
+| Unauthorised access | 2 | 3 | High | Encryption, access controls |
+| Function creep | 1 | 2 | Medium | Purpose limitation controls |
+| Re-identification | 2 | 3 | High | Pseudonymisation |
+
+### 4. Measures to Address Risks (Art. 35(7)(d))
+For each High/Medium risk:
+- Technical measure: [DESCRIBE]
+- Organisational measure: [DESCRIBE]
+- Residual risk after mitigation: [Low/Medium/High]
+
+### 5. DPO / Stakeholder Sign-off (Art. 35(2))
+- DPO consulted: Yes / No — DPO opinion: [ATTACH]
+- Data subjects consulted (where appropriate): Yes / No
+- Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
+
+---
+---
+
+# Data Retention Policy Template
+
+## Legal Basis
+Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
+Art. 17 — right to erasure triggers where retention period expired.
+
+---
+
+## Retention Schedule
+
+| Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
+|--------------|-----------------|-----------------|--------------|----------------|
+| Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
+| Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
+| Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
+| Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
+| CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
+| Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
+| Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
+
+---
+
+## Operational Requirements
+- Automated deletion jobs should run [FREQUENCY] against retention schedule
+- Backups must be included in retention policy — purge from backups within [X] days of primary deletion
+- Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
+- Retention schedule reviewed: annually or upon material change to processing
+
+---
+---
+
+# Data Subject Rights Procedure
+
+## Legal Basis
+Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
+
+---
+
+## Rights Summary
+
+| Right | Article | When Applicable | Response Time |
+|-------|---------|----------------|--------------|
+| Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
+| Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
+| Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
+| Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
+| Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
+| Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
+| No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
+
+---
+
+## Request Handling Process
+
+1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
+2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
+3. **Log**: Record date received, type of request, handler assigned.
+4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
+5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
+6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
+7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
+
+## Exemptions to Document
+- Legal claims (Art. 17(3)(e))
+- Freedom of expression (Art. 17(3)(a))
+- Public interest archiving (Art. 17(3)(d))
+- Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
+
+---
+
+## SLA & Escalation
+- Day 0: Request received and logged
+- Day 3: Identity verified; request categorised
+- Day 20: Draft response reviewed by DPO/legal
+- Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
+- Day 30: Statutory deadline
+- Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))

package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md

@@ -0,0 +1,121 @@
+# Data Processing Agreement (DPA) Template
+
+## Legal Basis
+Art. 28 GDPR — processors must be bound by a contract covering all mandatory Art. 28(3) terms.
+Failure to have a compliant DPA is itself a violation exposable to Art. 83(4) fines (up to €10M / 2% turnover).
+
+---
+
+## Parties
+
+**Controller**: [CONTROLLER LEGAL NAME], [ADDRESS] ("Controller")
+**Processor**: [PROCESSOR LEGAL NAME], [ADDRESS] ("Processor")
+
+---
+
+## 1. Subject Matter and Duration (Art. 28(3))
+This DPA governs the processing of personal data by Processor on behalf of Controller in
+connection with: [DESCRIPTION OF MAIN SERVICE / CONTRACT].
+
+Duration: This DPA is co-terminus with the main service agreement dated [DATE].
+
+## 2. Nature and Purpose of Processing (Art. 28(3))
+The Processor will process personal data for the following purposes only:
+- [e.g. Hosting and storing Controller's application data]
+- [e.g. Sending transactional emails on Controller's instruction]
+
+Processing shall occur only on documented instructions from the Controller (Art. 28(3)(a)).
+
+## 3. Categories of Personal Data (Art. 28(3))
+The following categories of personal data are covered by this DPA:
+- [e.g. Contact data: name, email address, phone number]
+- [e.g. Usage data: IP address, session identifiers]
+- [List any special category data + confirm Art. 9 condition met]
+
+## 4. Categories of Data Subjects (Art. 28(3))
+- [e.g. Controller's end users / customers]
+- [e.g. Controller's employees]
+
+## 5. Processor Obligations (Art. 28(3))
+
+### 5.1 Instructions Only (Art. 28(3)(a))
+Processor shall process personal data only on documented instructions from Controller, including
+with regard to transfers, unless required by law (in which case Processor shall notify Controller
+unless prohibited).
+
+### 5.2 Confidentiality (Art. 28(3)(b))
+Processor shall ensure that persons authorised to process the data have committed to
+confidentiality or are under a statutory obligation of confidentiality.
+
+### 5.3 Security (Art. 28(3)(c); Art. 32)
+Processor shall implement appropriate technical and organisational measures including at minimum:
+- Encryption of personal data at rest and in transit
+- Ongoing confidentiality, integrity, and availability of processing systems
+- Ability to restore availability following incidents
+- Regular testing of security measures
+
+### 5.4 Sub-processors (Art. 28(2), 28(3)(d))
+Processor shall not engage sub-processors without prior **specific or general written authorisation**
+from Controller.
+
+Current authorised sub-processors: [LIST or "See Schedule A"]
+
+Processor shall impose equivalent data protection obligations on sub-processors (Art. 28(4)) and
+remains liable to Controller for sub-processor failures.
+
+### 5.5 Data Subject Rights (Art. 28(3)(e))
+Processor shall assist Controller by appropriate technical and organisational measures to fulfil
+Controller's obligation to respond to data subject rights requests (Arts. 15–22), given the nature
+of processing.
+
+### 5.6 Assistance with Controller Obligations (Art. 28(3)(f))
+Processor shall assist Controller in ensuring compliance with: Art. 32 (security), Art. 33–34
+(breach notification), Art. 35–36 (DPIAs), taking into account the nature of processing and
+information available.
+
+### 5.7 Deletion or Return (Art. 28(3)(g))
+At Controller's choice, Processor shall delete or return all personal data upon termination of
+services, and delete existing copies unless Union or Member State law requires storage.
+Timeline for deletion/return: [X days after termination].
+
+### 5.8 Audit Rights (Art. 28(3)(h))
+Processor shall make available all information necessary to demonstrate compliance with Art. 28
+and shall allow for and contribute to audits conducted by Controller or an authorised auditor.
+Audit notice period: [X days]. Frequency: [no more than once per year absent cause].
+
+## 6. International Transfers (Art. 44–49)
+[If applicable:]
+Where Processor transfers personal data outside the UK/EEA, the following safeguard applies:
+- [ ] Adequacy decision (Art. 45): [COUNTRY]
+- [ ] Standard Contractual Clauses (Art. 46(2)(c)): [MODULE — attach as Schedule B]
+- [ ] Binding Corporate Rules (Art. 47)
+- [ ] Other: [SPECIFY]
+
+## 7. Breach Notification (Art. 33)
+Processor shall notify Controller of any personal data breach **without undue delay** and in any
+event within **[48/72] hours** of becoming aware, providing information per Art. 33(3) to the
+extent available.
+
+## 8. Governing Law
+This DPA is governed by the laws of [JURISDICTION].
+
+---
+
+## Schedule A — Authorised Sub-processors
+| Sub-processor | Location | Processing Activity |
+|--------------|----------|-------------------|
+| [NAME] | [COUNTRY] | [PURPOSE] |
+
+## Schedule B — Standard Contractual Clauses
+[Attach EU Commission SCCs (2021) or UK IDTA as applicable]
+
+---
+
+## Drafting Checklist
+- [ ] All Art. 28(3)(a)–(h) clauses present
+- [ ] Sub-processor list attached or mechanism described
+- [ ] Transfer mechanism documented and attached
+- [ ] Breach notification timeline specified
+- [ ] Deletion timeline specified
+- [ ] Audit rights defined with reasonable notice period
+- [ ] Signed by authorised representatives of both parties

package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md

@@ -0,0 +1,87 @@
+# Privacy Notice / Privacy Policy Template
+
+## Legal Basis
+Arts. 13–14 (information to be provided), Art. 12 (transparent communication).
+Art. 13 applies when data collected directly from subject; Art. 14 when collected indirectly.
+
+---
+
+## Required Sections (Art. 13/14 Checklist)
+
+### 1. Identity and Contact Details of the Controller (Art. 13(1)(a))
+> **[ORGANISATION NAME]** ("we", "us", "our")
+> Registered address: [ADDRESS]
+> Email: [PRIVACY@EMAIL.COM]
+
+### 2. DPO Contact Details (Art. 13(1)(b)) — if applicable
+> Our Data Protection Officer can be contacted at: [DPO EMAIL / ADDRESS]
+
+### 3. Purposes and Lawful Basis (Art. 13(1)(c))
+For each processing activity, state both purpose AND lawful basis:
+
+| Purpose | Personal Data | Lawful Basis (Art. 6) |
+|---------|--------------|----------------------|
+| [e.g. Account creation] | [Name, email] | Contract (Art. 6(1)(b)) |
+| [e.g. Marketing emails] | [Email, preferences] | Consent (Art. 6(1)(a)) |
+| [e.g. Fraud prevention] | [Transaction data] | Legitimate interests (Art. 6(1)(f)) |
+
+Where legitimate interests is relied upon, summarise the LIA outcome.
+
+### 4. Legitimate Interests (Art. 13(1)(d)) — where applicable
+> We process [DATA] for [PURPOSE] based on our legitimate interest in [INTEREST]. We have
+> assessed that this interest is not overridden by your rights and interests because [REASON].
+
+### 5. Recipients or Categories of Recipients (Art. 13(1)(e))
+> We share your personal data with:
+> - [SERVICE PROVIDER / PROCESSOR NAME]: for [PURPOSE], located in [COUNTRY]
+> - [ANALYTICS PROVIDER]: for [PURPOSE]
+> We do not sell your personal data to third parties.
+
+### 6. International Transfers (Art. 13(1)(f))
+> Where we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place,
+> including: [Adequacy decision / Standard Contractual Clauses (SCCs) / BCRs — Art. 46].
+> Details available on request.
+
+### 7. Retention Period (Art. 13(2)(a))
+> We retain your personal data for [PERIOD / criteria used to determine period].
+> See our Retention Schedule for full details.
+
+### 8. Data Subject Rights (Art. 13(2)(b))
+> You have the right to:
+> - **Access** your data (Art. 15) — request a copy of data we hold about you
+> - **Rectification** of inaccurate data (Art. 16)
+> - **Erasure** ("right to be forgotten") in certain circumstances (Art. 17)
+> - **Restrict** our processing in certain circumstances (Art. 18)
+> - **Data portability** for data provided by you under consent or contract (Art. 20)
+> - **Object** to processing based on legitimate interests or direct marketing (Art. 21)
+> - **Withdraw consent** at any time without affecting prior processing (Art. 7(3))
+>
+> To exercise your rights, contact: [EMAIL / FORM URL]
+> We will respond within **one month** (Art. 12(3)), extendable by two further months for
+> complex requests.
+
+### 9. Right to Lodge a Complaint (Art. 13(2)(d))
+> You have the right to lodge a complaint with your supervisory authority.
+> In the UK: **ICO** — ico.org.uk | 0303 123 1113
+> In the EU: [LEAD SUPERVISORY AUTHORITY if applicable]
+
+### 10. Whether Provision is Statutory/Contractual (Art. 13(2)(e))
+> [Where applicable: "Providing this data is a contractual requirement. Failure to provide it
+> may mean we cannot [provide the service]."]
+
+### 11. Automated Decision-Making / Profiling (Art. 13(2)(f))
+> [If applicable: "We use automated decision-making including profiling for [PURPOSE].
+> This has [significant / no significant] effect on you. You have the right to [request human
+> review / object — Art. 22]."]
+> [If not applicable: "We do not use automated decision-making that produces legal or similarly
+> significant effects on you."]
+
+---
+
+## Drafting Checklist
+- [ ] Written in plain, clear language (Art. 12(1))
+- [ ] Provided free of charge (Art. 12(5))
+- [ ] All Art. 13(1) and 13(2) fields covered
+- [ ] Separate sections for each processing purpose
+- [ ] Version date and review schedule included
+- [ ] Accessible format (e.g., layered notice for website)