bmad-plus 0.7.5 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (294) hide show
  1. package/CHANGELOG.md +450 -425
  2. package/LICENSE +21 -21
  3. package/README.md +555 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +576 -426
  31. package/readme-international/README.es.md +578 -518
  32. package/readme-international/README.fr.md +576 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
  46. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
  47. package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
  48. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
  49. package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
  50. package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
  51. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
  52. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
  53. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
  54. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
  55. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
  56. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
  57. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
  58. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
  59. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
  60. package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
  61. package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
  62. package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
  63. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
  64. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  65. package/src/bmad-plus/module-help.csv +10 -10
  66. package/src/bmad-plus/module.yaml +283 -280
  67. package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
  68. package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
  69. package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
  70. package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
  71. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  111. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  112. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  113. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  114. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  115. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  116. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  117. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  118. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  119. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  120. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  121. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  122. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  123. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  124. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  125. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  126. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  127. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  128. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  129. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  130. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  131. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  132. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  133. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  134. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  135. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  136. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  137. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  138. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  139. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  140. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  141. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  142. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  143. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  144. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  145. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  146. package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
  147. package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
  148. package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
  149. package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
  150. package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
  151. package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
  152. package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
  153. package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
  154. package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
  155. package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
  156. package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
  157. package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
  158. package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
  159. package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
  160. package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
  161. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  162. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  163. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  164. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  165. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  166. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  167. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  168. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  169. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  170. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  171. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  172. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  173. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  174. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  175. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  176. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  177. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  178. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  179. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  180. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  181. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  182. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  183. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  184. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  185. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  186. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  187. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  188. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  189. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  190. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  191. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  192. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  193. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  194. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  195. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  196. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  197. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  198. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  199. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  200. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  201. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  202. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  203. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  204. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  205. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  206. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  207. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  208. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  209. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  210. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  211. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  212. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  213. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  214. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  215. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  216. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  217. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  218. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  219. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  220. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  221. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  222. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  223. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  224. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  225. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  226. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  227. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  228. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  229. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  230. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  231. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  232. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  233. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  234. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  235. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  236. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  237. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  238. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  239. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  240. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  241. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  242. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  243. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  244. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  245. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  246. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  247. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  248. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  249. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  250. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  251. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  252. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  253. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  254. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  255. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  256. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  257. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  258. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  259. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  260. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  261. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  262. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  263. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  264. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  265. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  266. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  267. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  268. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  269. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  270. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  271. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  272. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  273. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  274. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  275. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  276. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  277. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  278. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  279. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  280. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  281. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  282. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  283. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  284. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  285. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  286. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  287. package/tools/cli/commands/autoconfig.js +498 -489
  288. package/tools/cli/commands/doctor.js +222 -222
  289. package/tools/cli/commands/install.js +739 -739
  290. package/tools/cli/commands/memory.js +194 -194
  291. package/tools/cli/commands/scan.js +360 -350
  292. package/tools/cli/commands/uninstall.js +96 -96
  293. package/tools/cli/commands/update.js +174 -174
  294. package/tools/cli/i18n.js +763 -763
@@ -1,170 +1,170 @@
1
- # CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
2
-
3
- ## SPRS Score Calculation
4
-
5
- ### Scoring Methodology
6
- The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
7
- - **Starting score**: 110 points
8
- - **Each NOT MET practice**: Deduct the assigned point value
9
- - **Partial implementation**: Full deduction applies (no partial credit)
10
- - **Score range**: +110 (all practices met) to −203 (all not met)
11
- - **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
12
-
13
- ### Point Values by Domain
14
- Point values are assigned based on the practice's security impact:
15
-
16
- | Domain | Practices | Total Points at Risk |
17
- |--------|-----------|---------------------|
18
- | AC (Access Control) | 22 | ~50 |
19
- | AU (Audit & Accountability) | 9 | ~17 |
20
- | CM (Configuration Management) | 9 | ~19 |
21
- | IA (Identification & Authentication) | 11 | ~22 |
22
- | IR (Incident Response) | 3 | ~5 |
23
- | MA (Maintenance) | 6 | ~11 |
24
- | MP (Media Protection) | 9 | ~8 |
25
- | PE (Physical Protection) | 6 | ~11 |
26
- | PS (Personnel Security) | 2 | ~4 |
27
- | RA (Risk Assessment) | 3 | ~9 |
28
- | CA (Security Assessment) | 4 | ~9 |
29
- | SC (System & Communications) | 16 | ~39 |
30
- | SI (System & Information Integrity) | 7 | ~14 |
31
-
32
- *Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
33
-
34
- ### Highest-Impact Practices (Largest Point Deductions)
35
- Prioritize these when remediating — they carry the heaviest scoring weight:
36
- 1. **AC.L2-3.1.3** — CUI flow control (5 pts)
37
- 2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
38
- 3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
39
- 4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
40
- 5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
41
- 6. **AC.L2-3.1.5** — Least privilege (3 pts)
42
- 7. **AU.L2-3.3.1** — Audit logging (3 pts)
43
- 8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
44
-
45
- ---
46
-
47
- ## C3PAO Assessment Process
48
-
49
- ### Pre-Assessment (Contractor Responsibilities)
50
- Before engaging a C3PAO, ensure:
51
- - [ ] System Security Plan (SSP) is complete and covers all 110 practices
52
- - [ ] System boundary is defined with network diagrams
53
- - [ ] CUI data flows are documented
54
- - [ ] POA&M lists all practices not yet met
55
- - [ ] SPRS score has been self-calculated
56
- - [ ] Personnel responsible for each practice are identified
57
-
58
- ### Assessment Phases
59
-
60
- **Phase 1 — Documentation Review (Remote)**
61
- - C3PAO reviews SSP, network diagrams, policies, and POA&M
62
- - Requests artifact list: logs, screenshots, configuration exports, training records
63
- - Duration: 2–4 weeks
64
-
65
- **Phase 2 — Assessment Activities (On-site or Remote)**
66
- - Interviews with system administrators, security personnel, and executives
67
- - Technical testing: vulnerability scans, configuration reviews, access control verification
68
- - Observation of processes (incident response tabletop, maintenance procedures)
69
- - Duration: 1–3 weeks depending on scope
70
-
71
- **Phase 3 — Findings and Reporting**
72
- - C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
73
- - Contractor may provide additional evidence for disputed findings (limited window)
74
- - Final report submitted to CMMC-AB
75
-
76
- **Phase 4 — Certification Decision**
77
- - **All 110 practices MET**: Full certification issued; valid 3 years
78
- - **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
79
- - **Critical practices unmet**: No certification; remediate and reschedule
80
-
81
- ### Critical Practices (Cannot Have POA&M at Certification)
82
- The following practices must be fully MET for any certification to be issued:
83
- - AC.L2-3.1.3 (CUI flow control)
84
- - IA.L2-3.5.3 (Multifactor authentication)
85
- - SC.L2-3.13.8 (Encryption in transit)
86
- - SC.L2-3.13.11 (FIPS-validated cryptography)
87
- - SI.L2-3.14.6 (Attack monitoring)
88
- - AU.L2-3.3.1 (Audit logging)
89
- - IR.L2-3.6.1 (Incident response capability)
90
-
91
- ---
92
-
93
- ## POA&M Rules and Management
94
-
95
- ### What Can Be in a POA&M at Certification
96
- - Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
97
- - POA&M remediation deadline: **180 days** from certification date
98
- - Failure to remediate = certification revocation
99
- - Level 3: No POA&M at certification — all practices must be MET
100
-
101
- ### POA&M Entry Format
102
-
103
- | Field | Description |
104
- |-------|-------------|
105
- | Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
106
- | Weakness Description | What is not implemented and why |
107
- | Remediation Steps | Specific actions to achieve compliance |
108
- | Milestone 1–N | Intermediate checkpoints with dates |
109
- | Scheduled Completion | Target date for full implementation |
110
- | Resources Required | Personnel, tools, budget |
111
- | Status | Open / In Progress / Completed |
112
- | Evidence of Closure | What artifacts will demonstrate completion |
113
-
114
- ### POA&M Best Practices
115
- - Never list a critical practice in a POA&M if seeking certification
116
- - Update monthly; stale POA&Ms raise auditor concerns
117
- - Link each POA&M item to the relevant SSP section
118
- - Document root cause, not just the symptom
119
-
120
- ---
121
-
122
- ## Evidence Requirements by Practice Type
123
-
124
- ### Documentary Evidence (policies, procedures, plans)
125
- - Acceptable formats: PDF, Word, screenshots with metadata
126
- - Must show: author, date, version, approval signature
127
- - Examples: SSP, access control policy, incident response plan, training records
128
-
129
- ### Technical Evidence (system configuration, logs)
130
- - Configuration exports from firewalls, Active Directory, SIEM
131
- - Vulnerability scan reports (authenticated scans preferred)
132
- - MFA enrollment reports showing all privileged user enrollment
133
- - Patch management reports showing remediation timelines
134
-
135
- ### Interview Evidence
136
- - Assessors will interview: ISSO/ISSM, system admins, end users, executives
137
- - Prepare personnel to describe their security responsibilities
138
- - Cannot substitute documentation for interview — both required
139
-
140
- ---
141
-
142
- ## DIBNET Incident Reporting (DFARS 7012)
143
-
144
- DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
145
- - **Report to**: DIBNET portal (dibnet.dod.mil)
146
- - **Deadline**: Within **72 hours** of discovering the incident
147
- - **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
148
- - **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
149
- - **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
150
-
151
- ### What Constitutes a Reportable Incident
152
- - Unauthorized access to systems containing CUI
153
- - Exfiltration of CUI (actual or suspected)
154
- - Malware detected on systems that process CUI
155
- - Compromise of credentials that could lead to CUI access
156
-
157
- ---
158
-
159
- ## Common Assessment Findings
160
-
161
- | Practice | Common Finding | Typical Remediation |
162
- |----------|---------------|---------------------|
163
- | IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
164
- | SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
165
- | AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
166
- | CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
167
- | AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
168
- | RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
169
- | CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
170
- | AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
1
+ # CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
2
+
3
+ ## SPRS Score Calculation
4
+
5
+ ### Scoring Methodology
6
+ The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
7
+ - **Starting score**: 110 points
8
+ - **Each NOT MET practice**: Deduct the assigned point value
9
+ - **Partial implementation**: Full deduction applies (no partial credit)
10
+ - **Score range**: +110 (all practices met) to −203 (all not met)
11
+ - **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
12
+
13
+ ### Point Values by Domain
14
+ Point values are assigned based on the practice's security impact:
15
+
16
+ | Domain | Practices | Total Points at Risk |
17
+ |--------|-----------|---------------------|
18
+ | AC (Access Control) | 22 | ~50 |
19
+ | AU (Audit & Accountability) | 9 | ~17 |
20
+ | CM (Configuration Management) | 9 | ~19 |
21
+ | IA (Identification & Authentication) | 11 | ~22 |
22
+ | IR (Incident Response) | 3 | ~5 |
23
+ | MA (Maintenance) | 6 | ~11 |
24
+ | MP (Media Protection) | 9 | ~8 |
25
+ | PE (Physical Protection) | 6 | ~11 |
26
+ | PS (Personnel Security) | 2 | ~4 |
27
+ | RA (Risk Assessment) | 3 | ~9 |
28
+ | CA (Security Assessment) | 4 | ~9 |
29
+ | SC (System & Communications) | 16 | ~39 |
30
+ | SI (System & Information Integrity) | 7 | ~14 |
31
+
32
+ *Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
33
+
34
+ ### Highest-Impact Practices (Largest Point Deductions)
35
+ Prioritize these when remediating — they carry the heaviest scoring weight:
36
+ 1. **AC.L2-3.1.3** — CUI flow control (5 pts)
37
+ 2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
38
+ 3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
39
+ 4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
40
+ 5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
41
+ 6. **AC.L2-3.1.5** — Least privilege (3 pts)
42
+ 7. **AU.L2-3.3.1** — Audit logging (3 pts)
43
+ 8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
44
+
45
+ ---
46
+
47
+ ## C3PAO Assessment Process
48
+
49
+ ### Pre-Assessment (Contractor Responsibilities)
50
+ Before engaging a C3PAO, ensure:
51
+ - [ ] System Security Plan (SSP) is complete and covers all 110 practices
52
+ - [ ] System boundary is defined with network diagrams
53
+ - [ ] CUI data flows are documented
54
+ - [ ] POA&M lists all practices not yet met
55
+ - [ ] SPRS score has been self-calculated
56
+ - [ ] Personnel responsible for each practice are identified
57
+
58
+ ### Assessment Phases
59
+
60
+ **Phase 1 — Documentation Review (Remote)**
61
+ - C3PAO reviews SSP, network diagrams, policies, and POA&M
62
+ - Requests artifact list: logs, screenshots, configuration exports, training records
63
+ - Duration: 2–4 weeks
64
+
65
+ **Phase 2 — Assessment Activities (On-site or Remote)**
66
+ - Interviews with system administrators, security personnel, and executives
67
+ - Technical testing: vulnerability scans, configuration reviews, access control verification
68
+ - Observation of processes (incident response tabletop, maintenance procedures)
69
+ - Duration: 1–3 weeks depending on scope
70
+
71
+ **Phase 3 — Findings and Reporting**
72
+ - C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
73
+ - Contractor may provide additional evidence for disputed findings (limited window)
74
+ - Final report submitted to CMMC-AB
75
+
76
+ **Phase 4 — Certification Decision**
77
+ - **All 110 practices MET**: Full certification issued; valid 3 years
78
+ - **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
79
+ - **Critical practices unmet**: No certification; remediate and reschedule
80
+
81
+ ### Critical Practices (Cannot Have POA&M at Certification)
82
+ The following practices must be fully MET for any certification to be issued:
83
+ - AC.L2-3.1.3 (CUI flow control)
84
+ - IA.L2-3.5.3 (Multifactor authentication)
85
+ - SC.L2-3.13.8 (Encryption in transit)
86
+ - SC.L2-3.13.11 (FIPS-validated cryptography)
87
+ - SI.L2-3.14.6 (Attack monitoring)
88
+ - AU.L2-3.3.1 (Audit logging)
89
+ - IR.L2-3.6.1 (Incident response capability)
90
+
91
+ ---
92
+
93
+ ## POA&M Rules and Management
94
+
95
+ ### What Can Be in a POA&M at Certification
96
+ - Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
97
+ - POA&M remediation deadline: **180 days** from certification date
98
+ - Failure to remediate = certification revocation
99
+ - Level 3: No POA&M at certification — all practices must be MET
100
+
101
+ ### POA&M Entry Format
102
+
103
+ | Field | Description |
104
+ |-------|-------------|
105
+ | Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
106
+ | Weakness Description | What is not implemented and why |
107
+ | Remediation Steps | Specific actions to achieve compliance |
108
+ | Milestone 1–N | Intermediate checkpoints with dates |
109
+ | Scheduled Completion | Target date for full implementation |
110
+ | Resources Required | Personnel, tools, budget |
111
+ | Status | Open / In Progress / Completed |
112
+ | Evidence of Closure | What artifacts will demonstrate completion |
113
+
114
+ ### POA&M Best Practices
115
+ - Never list a critical practice in a POA&M if seeking certification
116
+ - Update monthly; stale POA&Ms raise auditor concerns
117
+ - Link each POA&M item to the relevant SSP section
118
+ - Document root cause, not just the symptom
119
+
120
+ ---
121
+
122
+ ## Evidence Requirements by Practice Type
123
+
124
+ ### Documentary Evidence (policies, procedures, plans)
125
+ - Acceptable formats: PDF, Word, screenshots with metadata
126
+ - Must show: author, date, version, approval signature
127
+ - Examples: SSP, access control policy, incident response plan, training records
128
+
129
+ ### Technical Evidence (system configuration, logs)
130
+ - Configuration exports from firewalls, Active Directory, SIEM
131
+ - Vulnerability scan reports (authenticated scans preferred)
132
+ - MFA enrollment reports showing all privileged user enrollment
133
+ - Patch management reports showing remediation timelines
134
+
135
+ ### Interview Evidence
136
+ - Assessors will interview: ISSO/ISSM, system admins, end users, executives
137
+ - Prepare personnel to describe their security responsibilities
138
+ - Cannot substitute documentation for interview — both required
139
+
140
+ ---
141
+
142
+ ## DIBNET Incident Reporting (DFARS 7012)
143
+
144
+ DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
145
+ - **Report to**: DIBNET portal (dibnet.dod.mil)
146
+ - **Deadline**: Within **72 hours** of discovering the incident
147
+ - **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
148
+ - **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
149
+ - **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
150
+
151
+ ### What Constitutes a Reportable Incident
152
+ - Unauthorized access to systems containing CUI
153
+ - Exfiltration of CUI (actual or suspected)
154
+ - Malware detected on systems that process CUI
155
+ - Compromise of credentials that could lead to CUI access
156
+
157
+ ---
158
+
159
+ ## Common Assessment Findings
160
+
161
+ | Practice | Common Finding | Typical Remediation |
162
+ |----------|---------------|---------------------|
163
+ | IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
164
+ | SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
165
+ | AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
166
+ | CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
167
+ | AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
168
+ | RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
169
+ | CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
170
+ | AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
@@ -1,113 +1,113 @@
1
- # CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
2
-
3
- ## Level Comparison Table
4
-
5
- | Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
6
- |-----------|----------------------|-------------------|-----------------|
7
- | **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
8
- | **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
9
- | **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
10
- | **SPRS submission** | Yes | Yes | Yes |
11
- | **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
12
- | **Conditional certification** | No | Yes (limited POA&M allowed) | No |
13
- | **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
14
-
15
- ---
16
-
17
- ## DFARS Clause Mapping
18
-
19
- | DFARS Clause | Requirement | Level Implied |
20
- |-------------|-------------|---------------|
21
- | FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
22
- | DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
23
- | DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
24
- | DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
25
- | DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
26
-
27
- **Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
28
-
29
- ---
30
-
31
- ## Assessment Process by Level
32
-
33
- ### Level 1 — Self-Assessment
34
- 1. Assess all 17 practices against FAR 52.204-21
35
- 2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
36
- 3. Submit to SPRS at https://www.sprs.csd.disa.mil/
37
- 4. Senior official affirms accuracy
38
- 5. Repeat annually
39
-
40
- ### Level 2 — C3PAO Assessment (Critical Programs)
41
- 1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
42
- 2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
43
- 3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
44
- 4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
45
- 5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
46
- 6. **Certification**: Issued by CMMC-AB; valid for 3 years
47
- 7. **Annual affirmation**: Affirm continued compliance each year
48
-
49
- ### Level 2 — Self-Assessment (Non-Critical Programs)
50
- - Same 110 practices as C3PAO path
51
- - Self-assessed by contractor; senior official affirms in SPRS
52
- - DoD reserves right to audit; false statements = False Claims Act liability
53
- - Must still submit SPRS score
54
-
55
- ### Level 3 — DIBCAC Assessment
56
- 1. Contractor must hold a current Level 2 C3PAO certification first
57
- 2. DIBCAC (government team) conducts assessment — not contractor-selected
58
- 3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
59
- 4. No conditional certification — all practices must be MET
60
- 5. Government schedules the assessment; no commercial negotiation
61
-
62
- ---
63
-
64
- ## Flow-Down Requirements
65
-
66
- DFARS 252.204-7021(c) requires prime contractors to:
67
- - Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
68
- - Specify the required CMMC level in the subcontract
69
- - Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
70
- - Flow-down applies to **all tiers** — sub-subcontractors are not exempt
71
-
72
- **Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
73
-
74
- ---
75
-
76
- ## Timeline and Key Dates
77
-
78
- | Milestone | Date |
79
- |-----------|------|
80
- | CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
81
- | DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
82
- | CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
83
- | Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
84
- | Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
85
-
86
- ---
87
-
88
- ## CUI Categories Most Common in Defense Contracts
89
-
90
- | CUI Category | Examples | Typical Contract Types |
91
- |-------------|----------|----------------------|
92
- | Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
93
- | Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
94
- | Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
95
- | Privacy (PII) | Personnel records | HR, health, benefits |
96
- | Law Enforcement Sensitive | Investigation data | Base security contractors |
97
- | Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
98
-
99
- ---
100
-
101
- ## Key Definitions
102
-
103
- | Term | Definition |
104
- |------|-----------|
105
- | **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
106
- | **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
107
- | **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
108
- | **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
109
- | **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
110
- | **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
111
- | **OSC** | Organization Seeking Certification — the defense contractor being assessed |
112
- | **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
113
- | **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |
1
+ # CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
2
+
3
+ ## Level Comparison Table
4
+
5
+ | Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
6
+ |-----------|----------------------|-------------------|-----------------|
7
+ | **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
8
+ | **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
9
+ | **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
10
+ | **SPRS submission** | Yes | Yes | Yes |
11
+ | **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
12
+ | **Conditional certification** | No | Yes (limited POA&M allowed) | No |
13
+ | **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
14
+
15
+ ---
16
+
17
+ ## DFARS Clause Mapping
18
+
19
+ | DFARS Clause | Requirement | Level Implied |
20
+ |-------------|-------------|---------------|
21
+ | FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
22
+ | DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
23
+ | DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
24
+ | DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
25
+ | DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
26
+
27
+ **Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
28
+
29
+ ---
30
+
31
+ ## Assessment Process by Level
32
+
33
+ ### Level 1 — Self-Assessment
34
+ 1. Assess all 17 practices against FAR 52.204-21
35
+ 2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
36
+ 3. Submit to SPRS at https://www.sprs.csd.disa.mil/
37
+ 4. Senior official affirms accuracy
38
+ 5. Repeat annually
39
+
40
+ ### Level 2 — C3PAO Assessment (Critical Programs)
41
+ 1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
42
+ 2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
43
+ 3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
44
+ 4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
45
+ 5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
46
+ 6. **Certification**: Issued by CMMC-AB; valid for 3 years
47
+ 7. **Annual affirmation**: Affirm continued compliance each year
48
+
49
+ ### Level 2 — Self-Assessment (Non-Critical Programs)
50
+ - Same 110 practices as C3PAO path
51
+ - Self-assessed by contractor; senior official affirms in SPRS
52
+ - DoD reserves right to audit; false statements = False Claims Act liability
53
+ - Must still submit SPRS score
54
+
55
+ ### Level 3 — DIBCAC Assessment
56
+ 1. Contractor must hold a current Level 2 C3PAO certification first
57
+ 2. DIBCAC (government team) conducts assessment — not contractor-selected
58
+ 3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
59
+ 4. No conditional certification — all practices must be MET
60
+ 5. Government schedules the assessment; no commercial negotiation
61
+
62
+ ---
63
+
64
+ ## Flow-Down Requirements
65
+
66
+ DFARS 252.204-7021(c) requires prime contractors to:
67
+ - Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
68
+ - Specify the required CMMC level in the subcontract
69
+ - Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
70
+ - Flow-down applies to **all tiers** — sub-subcontractors are not exempt
71
+
72
+ **Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
73
+
74
+ ---
75
+
76
+ ## Timeline and Key Dates
77
+
78
+ | Milestone | Date |
79
+ |-----------|------|
80
+ | CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
81
+ | DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
82
+ | CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
83
+ | Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
84
+ | Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
85
+
86
+ ---
87
+
88
+ ## CUI Categories Most Common in Defense Contracts
89
+
90
+ | CUI Category | Examples | Typical Contract Types |
91
+ |-------------|----------|----------------------|
92
+ | Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
93
+ | Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
94
+ | Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
95
+ | Privacy (PII) | Personnel records | HR, health, benefits |
96
+ | Law Enforcement Sensitive | Investigation data | Base security contractors |
97
+ | Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
98
+
99
+ ---
100
+
101
+ ## Key Definitions
102
+
103
+ | Term | Definition |
104
+ |------|-----------|
105
+ | **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
106
+ | **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
107
+ | **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
108
+ | **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
109
+ | **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
110
+ | **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
111
+ | **OSC** | Organization Seeking Certification — the defense contractor being assessed |
112
+ | **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
113
+ | **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |