bmad-plus 0.7.5 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +450 -425
- package/LICENSE +21 -21
- package/README.md +555 -447
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -222
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
|
@@ -1,170 +1,170 @@
|
|
|
1
|
-
# CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
|
|
2
|
-
|
|
3
|
-
## SPRS Score Calculation
|
|
4
|
-
|
|
5
|
-
### Scoring Methodology
|
|
6
|
-
The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
|
|
7
|
-
- **Starting score**: 110 points
|
|
8
|
-
- **Each NOT MET practice**: Deduct the assigned point value
|
|
9
|
-
- **Partial implementation**: Full deduction applies (no partial credit)
|
|
10
|
-
- **Score range**: +110 (all practices met) to −203 (all not met)
|
|
11
|
-
- **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
|
|
12
|
-
|
|
13
|
-
### Point Values by Domain
|
|
14
|
-
Point values are assigned based on the practice's security impact:
|
|
15
|
-
|
|
16
|
-
| Domain | Practices | Total Points at Risk |
|
|
17
|
-
|--------|-----------|---------------------|
|
|
18
|
-
| AC (Access Control) | 22 | ~50 |
|
|
19
|
-
| AU (Audit & Accountability) | 9 | ~17 |
|
|
20
|
-
| CM (Configuration Management) | 9 | ~19 |
|
|
21
|
-
| IA (Identification & Authentication) | 11 | ~22 |
|
|
22
|
-
| IR (Incident Response) | 3 | ~5 |
|
|
23
|
-
| MA (Maintenance) | 6 | ~11 |
|
|
24
|
-
| MP (Media Protection) | 9 | ~8 |
|
|
25
|
-
| PE (Physical Protection) | 6 | ~11 |
|
|
26
|
-
| PS (Personnel Security) | 2 | ~4 |
|
|
27
|
-
| RA (Risk Assessment) | 3 | ~9 |
|
|
28
|
-
| CA (Security Assessment) | 4 | ~9 |
|
|
29
|
-
| SC (System & Communications) | 16 | ~39 |
|
|
30
|
-
| SI (System & Information Integrity) | 7 | ~14 |
|
|
31
|
-
|
|
32
|
-
*Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
|
|
33
|
-
|
|
34
|
-
### Highest-Impact Practices (Largest Point Deductions)
|
|
35
|
-
Prioritize these when remediating — they carry the heaviest scoring weight:
|
|
36
|
-
1. **AC.L2-3.1.3** — CUI flow control (5 pts)
|
|
37
|
-
2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
|
|
38
|
-
3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
|
|
39
|
-
4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
|
|
40
|
-
5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
|
|
41
|
-
6. **AC.L2-3.1.5** — Least privilege (3 pts)
|
|
42
|
-
7. **AU.L2-3.3.1** — Audit logging (3 pts)
|
|
43
|
-
8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
|
|
44
|
-
|
|
45
|
-
---
|
|
46
|
-
|
|
47
|
-
## C3PAO Assessment Process
|
|
48
|
-
|
|
49
|
-
### Pre-Assessment (Contractor Responsibilities)
|
|
50
|
-
Before engaging a C3PAO, ensure:
|
|
51
|
-
- [ ] System Security Plan (SSP) is complete and covers all 110 practices
|
|
52
|
-
- [ ] System boundary is defined with network diagrams
|
|
53
|
-
- [ ] CUI data flows are documented
|
|
54
|
-
- [ ] POA&M lists all practices not yet met
|
|
55
|
-
- [ ] SPRS score has been self-calculated
|
|
56
|
-
- [ ] Personnel responsible for each practice are identified
|
|
57
|
-
|
|
58
|
-
### Assessment Phases
|
|
59
|
-
|
|
60
|
-
**Phase 1 — Documentation Review (Remote)**
|
|
61
|
-
- C3PAO reviews SSP, network diagrams, policies, and POA&M
|
|
62
|
-
- Requests artifact list: logs, screenshots, configuration exports, training records
|
|
63
|
-
- Duration: 2–4 weeks
|
|
64
|
-
|
|
65
|
-
**Phase 2 — Assessment Activities (On-site or Remote)**
|
|
66
|
-
- Interviews with system administrators, security personnel, and executives
|
|
67
|
-
- Technical testing: vulnerability scans, configuration reviews, access control verification
|
|
68
|
-
- Observation of processes (incident response tabletop, maintenance procedures)
|
|
69
|
-
- Duration: 1–3 weeks depending on scope
|
|
70
|
-
|
|
71
|
-
**Phase 3 — Findings and Reporting**
|
|
72
|
-
- C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
|
|
73
|
-
- Contractor may provide additional evidence for disputed findings (limited window)
|
|
74
|
-
- Final report submitted to CMMC-AB
|
|
75
|
-
|
|
76
|
-
**Phase 4 — Certification Decision**
|
|
77
|
-
- **All 110 practices MET**: Full certification issued; valid 3 years
|
|
78
|
-
- **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
|
|
79
|
-
- **Critical practices unmet**: No certification; remediate and reschedule
|
|
80
|
-
|
|
81
|
-
### Critical Practices (Cannot Have POA&M at Certification)
|
|
82
|
-
The following practices must be fully MET for any certification to be issued:
|
|
83
|
-
- AC.L2-3.1.3 (CUI flow control)
|
|
84
|
-
- IA.L2-3.5.3 (Multifactor authentication)
|
|
85
|
-
- SC.L2-3.13.8 (Encryption in transit)
|
|
86
|
-
- SC.L2-3.13.11 (FIPS-validated cryptography)
|
|
87
|
-
- SI.L2-3.14.6 (Attack monitoring)
|
|
88
|
-
- AU.L2-3.3.1 (Audit logging)
|
|
89
|
-
- IR.L2-3.6.1 (Incident response capability)
|
|
90
|
-
|
|
91
|
-
---
|
|
92
|
-
|
|
93
|
-
## POA&M Rules and Management
|
|
94
|
-
|
|
95
|
-
### What Can Be in a POA&M at Certification
|
|
96
|
-
- Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
|
|
97
|
-
- POA&M remediation deadline: **180 days** from certification date
|
|
98
|
-
- Failure to remediate = certification revocation
|
|
99
|
-
- Level 3: No POA&M at certification — all practices must be MET
|
|
100
|
-
|
|
101
|
-
### POA&M Entry Format
|
|
102
|
-
|
|
103
|
-
| Field | Description |
|
|
104
|
-
|-------|-------------|
|
|
105
|
-
| Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
|
|
106
|
-
| Weakness Description | What is not implemented and why |
|
|
107
|
-
| Remediation Steps | Specific actions to achieve compliance |
|
|
108
|
-
| Milestone 1–N | Intermediate checkpoints with dates |
|
|
109
|
-
| Scheduled Completion | Target date for full implementation |
|
|
110
|
-
| Resources Required | Personnel, tools, budget |
|
|
111
|
-
| Status | Open / In Progress / Completed |
|
|
112
|
-
| Evidence of Closure | What artifacts will demonstrate completion |
|
|
113
|
-
|
|
114
|
-
### POA&M Best Practices
|
|
115
|
-
- Never list a critical practice in a POA&M if seeking certification
|
|
116
|
-
- Update monthly; stale POA&Ms raise auditor concerns
|
|
117
|
-
- Link each POA&M item to the relevant SSP section
|
|
118
|
-
- Document root cause, not just the symptom
|
|
119
|
-
|
|
120
|
-
---
|
|
121
|
-
|
|
122
|
-
## Evidence Requirements by Practice Type
|
|
123
|
-
|
|
124
|
-
### Documentary Evidence (policies, procedures, plans)
|
|
125
|
-
- Acceptable formats: PDF, Word, screenshots with metadata
|
|
126
|
-
- Must show: author, date, version, approval signature
|
|
127
|
-
- Examples: SSP, access control policy, incident response plan, training records
|
|
128
|
-
|
|
129
|
-
### Technical Evidence (system configuration, logs)
|
|
130
|
-
- Configuration exports from firewalls, Active Directory, SIEM
|
|
131
|
-
- Vulnerability scan reports (authenticated scans preferred)
|
|
132
|
-
- MFA enrollment reports showing all privileged user enrollment
|
|
133
|
-
- Patch management reports showing remediation timelines
|
|
134
|
-
|
|
135
|
-
### Interview Evidence
|
|
136
|
-
- Assessors will interview: ISSO/ISSM, system admins, end users, executives
|
|
137
|
-
- Prepare personnel to describe their security responsibilities
|
|
138
|
-
- Cannot substitute documentation for interview — both required
|
|
139
|
-
|
|
140
|
-
---
|
|
141
|
-
|
|
142
|
-
## DIBNET Incident Reporting (DFARS 7012)
|
|
143
|
-
|
|
144
|
-
DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
|
|
145
|
-
- **Report to**: DIBNET portal (dibnet.dod.mil)
|
|
146
|
-
- **Deadline**: Within **72 hours** of discovering the incident
|
|
147
|
-
- **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
|
|
148
|
-
- **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
|
|
149
|
-
- **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
|
|
150
|
-
|
|
151
|
-
### What Constitutes a Reportable Incident
|
|
152
|
-
- Unauthorized access to systems containing CUI
|
|
153
|
-
- Exfiltration of CUI (actual or suspected)
|
|
154
|
-
- Malware detected on systems that process CUI
|
|
155
|
-
- Compromise of credentials that could lead to CUI access
|
|
156
|
-
|
|
157
|
-
---
|
|
158
|
-
|
|
159
|
-
## Common Assessment Findings
|
|
160
|
-
|
|
161
|
-
| Practice | Common Finding | Typical Remediation |
|
|
162
|
-
|----------|---------------|---------------------|
|
|
163
|
-
| IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
|
|
164
|
-
| SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
|
|
165
|
-
| AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
|
|
166
|
-
| CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
|
|
167
|
-
| AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
|
|
168
|
-
| RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
|
|
169
|
-
| CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
|
|
170
|
-
| AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
|
|
1
|
+
# CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
|
|
2
|
+
|
|
3
|
+
## SPRS Score Calculation
|
|
4
|
+
|
|
5
|
+
### Scoring Methodology
|
|
6
|
+
The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
|
|
7
|
+
- **Starting score**: 110 points
|
|
8
|
+
- **Each NOT MET practice**: Deduct the assigned point value
|
|
9
|
+
- **Partial implementation**: Full deduction applies (no partial credit)
|
|
10
|
+
- **Score range**: +110 (all practices met) to −203 (all not met)
|
|
11
|
+
- **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
|
|
12
|
+
|
|
13
|
+
### Point Values by Domain
|
|
14
|
+
Point values are assigned based on the practice's security impact:
|
|
15
|
+
|
|
16
|
+
| Domain | Practices | Total Points at Risk |
|
|
17
|
+
|--------|-----------|---------------------|
|
|
18
|
+
| AC (Access Control) | 22 | ~50 |
|
|
19
|
+
| AU (Audit & Accountability) | 9 | ~17 |
|
|
20
|
+
| CM (Configuration Management) | 9 | ~19 |
|
|
21
|
+
| IA (Identification & Authentication) | 11 | ~22 |
|
|
22
|
+
| IR (Incident Response) | 3 | ~5 |
|
|
23
|
+
| MA (Maintenance) | 6 | ~11 |
|
|
24
|
+
| MP (Media Protection) | 9 | ~8 |
|
|
25
|
+
| PE (Physical Protection) | 6 | ~11 |
|
|
26
|
+
| PS (Personnel Security) | 2 | ~4 |
|
|
27
|
+
| RA (Risk Assessment) | 3 | ~9 |
|
|
28
|
+
| CA (Security Assessment) | 4 | ~9 |
|
|
29
|
+
| SC (System & Communications) | 16 | ~39 |
|
|
30
|
+
| SI (System & Information Integrity) | 7 | ~14 |
|
|
31
|
+
|
|
32
|
+
*Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
|
|
33
|
+
|
|
34
|
+
### Highest-Impact Practices (Largest Point Deductions)
|
|
35
|
+
Prioritize these when remediating — they carry the heaviest scoring weight:
|
|
36
|
+
1. **AC.L2-3.1.3** — CUI flow control (5 pts)
|
|
37
|
+
2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
|
|
38
|
+
3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
|
|
39
|
+
4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
|
|
40
|
+
5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
|
|
41
|
+
6. **AC.L2-3.1.5** — Least privilege (3 pts)
|
|
42
|
+
7. **AU.L2-3.3.1** — Audit logging (3 pts)
|
|
43
|
+
8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
|
|
44
|
+
|
|
45
|
+
---
|
|
46
|
+
|
|
47
|
+
## C3PAO Assessment Process
|
|
48
|
+
|
|
49
|
+
### Pre-Assessment (Contractor Responsibilities)
|
|
50
|
+
Before engaging a C3PAO, ensure:
|
|
51
|
+
- [ ] System Security Plan (SSP) is complete and covers all 110 practices
|
|
52
|
+
- [ ] System boundary is defined with network diagrams
|
|
53
|
+
- [ ] CUI data flows are documented
|
|
54
|
+
- [ ] POA&M lists all practices not yet met
|
|
55
|
+
- [ ] SPRS score has been self-calculated
|
|
56
|
+
- [ ] Personnel responsible for each practice are identified
|
|
57
|
+
|
|
58
|
+
### Assessment Phases
|
|
59
|
+
|
|
60
|
+
**Phase 1 — Documentation Review (Remote)**
|
|
61
|
+
- C3PAO reviews SSP, network diagrams, policies, and POA&M
|
|
62
|
+
- Requests artifact list: logs, screenshots, configuration exports, training records
|
|
63
|
+
- Duration: 2–4 weeks
|
|
64
|
+
|
|
65
|
+
**Phase 2 — Assessment Activities (On-site or Remote)**
|
|
66
|
+
- Interviews with system administrators, security personnel, and executives
|
|
67
|
+
- Technical testing: vulnerability scans, configuration reviews, access control verification
|
|
68
|
+
- Observation of processes (incident response tabletop, maintenance procedures)
|
|
69
|
+
- Duration: 1–3 weeks depending on scope
|
|
70
|
+
|
|
71
|
+
**Phase 3 — Findings and Reporting**
|
|
72
|
+
- C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
|
|
73
|
+
- Contractor may provide additional evidence for disputed findings (limited window)
|
|
74
|
+
- Final report submitted to CMMC-AB
|
|
75
|
+
|
|
76
|
+
**Phase 4 — Certification Decision**
|
|
77
|
+
- **All 110 practices MET**: Full certification issued; valid 3 years
|
|
78
|
+
- **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
|
|
79
|
+
- **Critical practices unmet**: No certification; remediate and reschedule
|
|
80
|
+
|
|
81
|
+
### Critical Practices (Cannot Have POA&M at Certification)
|
|
82
|
+
The following practices must be fully MET for any certification to be issued:
|
|
83
|
+
- AC.L2-3.1.3 (CUI flow control)
|
|
84
|
+
- IA.L2-3.5.3 (Multifactor authentication)
|
|
85
|
+
- SC.L2-3.13.8 (Encryption in transit)
|
|
86
|
+
- SC.L2-3.13.11 (FIPS-validated cryptography)
|
|
87
|
+
- SI.L2-3.14.6 (Attack monitoring)
|
|
88
|
+
- AU.L2-3.3.1 (Audit logging)
|
|
89
|
+
- IR.L2-3.6.1 (Incident response capability)
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## POA&M Rules and Management
|
|
94
|
+
|
|
95
|
+
### What Can Be in a POA&M at Certification
|
|
96
|
+
- Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
|
|
97
|
+
- POA&M remediation deadline: **180 days** from certification date
|
|
98
|
+
- Failure to remediate = certification revocation
|
|
99
|
+
- Level 3: No POA&M at certification — all practices must be MET
|
|
100
|
+
|
|
101
|
+
### POA&M Entry Format
|
|
102
|
+
|
|
103
|
+
| Field | Description |
|
|
104
|
+
|-------|-------------|
|
|
105
|
+
| Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
|
|
106
|
+
| Weakness Description | What is not implemented and why |
|
|
107
|
+
| Remediation Steps | Specific actions to achieve compliance |
|
|
108
|
+
| Milestone 1–N | Intermediate checkpoints with dates |
|
|
109
|
+
| Scheduled Completion | Target date for full implementation |
|
|
110
|
+
| Resources Required | Personnel, tools, budget |
|
|
111
|
+
| Status | Open / In Progress / Completed |
|
|
112
|
+
| Evidence of Closure | What artifacts will demonstrate completion |
|
|
113
|
+
|
|
114
|
+
### POA&M Best Practices
|
|
115
|
+
- Never list a critical practice in a POA&M if seeking certification
|
|
116
|
+
- Update monthly; stale POA&Ms raise auditor concerns
|
|
117
|
+
- Link each POA&M item to the relevant SSP section
|
|
118
|
+
- Document root cause, not just the symptom
|
|
119
|
+
|
|
120
|
+
---
|
|
121
|
+
|
|
122
|
+
## Evidence Requirements by Practice Type
|
|
123
|
+
|
|
124
|
+
### Documentary Evidence (policies, procedures, plans)
|
|
125
|
+
- Acceptable formats: PDF, Word, screenshots with metadata
|
|
126
|
+
- Must show: author, date, version, approval signature
|
|
127
|
+
- Examples: SSP, access control policy, incident response plan, training records
|
|
128
|
+
|
|
129
|
+
### Technical Evidence (system configuration, logs)
|
|
130
|
+
- Configuration exports from firewalls, Active Directory, SIEM
|
|
131
|
+
- Vulnerability scan reports (authenticated scans preferred)
|
|
132
|
+
- MFA enrollment reports showing all privileged user enrollment
|
|
133
|
+
- Patch management reports showing remediation timelines
|
|
134
|
+
|
|
135
|
+
### Interview Evidence
|
|
136
|
+
- Assessors will interview: ISSO/ISSM, system admins, end users, executives
|
|
137
|
+
- Prepare personnel to describe their security responsibilities
|
|
138
|
+
- Cannot substitute documentation for interview — both required
|
|
139
|
+
|
|
140
|
+
---
|
|
141
|
+
|
|
142
|
+
## DIBNET Incident Reporting (DFARS 7012)
|
|
143
|
+
|
|
144
|
+
DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
|
|
145
|
+
- **Report to**: DIBNET portal (dibnet.dod.mil)
|
|
146
|
+
- **Deadline**: Within **72 hours** of discovering the incident
|
|
147
|
+
- **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
|
|
148
|
+
- **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
|
|
149
|
+
- **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
|
|
150
|
+
|
|
151
|
+
### What Constitutes a Reportable Incident
|
|
152
|
+
- Unauthorized access to systems containing CUI
|
|
153
|
+
- Exfiltration of CUI (actual or suspected)
|
|
154
|
+
- Malware detected on systems that process CUI
|
|
155
|
+
- Compromise of credentials that could lead to CUI access
|
|
156
|
+
|
|
157
|
+
---
|
|
158
|
+
|
|
159
|
+
## Common Assessment Findings
|
|
160
|
+
|
|
161
|
+
| Practice | Common Finding | Typical Remediation |
|
|
162
|
+
|----------|---------------|---------------------|
|
|
163
|
+
| IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
|
|
164
|
+
| SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
|
|
165
|
+
| AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
|
|
166
|
+
| CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
|
|
167
|
+
| AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
|
|
168
|
+
| RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
|
|
169
|
+
| CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
|
|
170
|
+
| AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
|
|
@@ -1,113 +1,113 @@
|
|
|
1
|
-
# CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
|
|
2
|
-
|
|
3
|
-
## Level Comparison Table
|
|
4
|
-
|
|
5
|
-
| Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
|
|
6
|
-
|-----------|----------------------|-------------------|-----------------|
|
|
7
|
-
| **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
|
|
8
|
-
| **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
|
|
9
|
-
| **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
|
|
10
|
-
| **SPRS submission** | Yes | Yes | Yes |
|
|
11
|
-
| **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
|
|
12
|
-
| **Conditional certification** | No | Yes (limited POA&M allowed) | No |
|
|
13
|
-
| **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
|
|
14
|
-
|
|
15
|
-
---
|
|
16
|
-
|
|
17
|
-
## DFARS Clause Mapping
|
|
18
|
-
|
|
19
|
-
| DFARS Clause | Requirement | Level Implied |
|
|
20
|
-
|-------------|-------------|---------------|
|
|
21
|
-
| FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
|
|
22
|
-
| DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
|
|
23
|
-
| DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
|
|
24
|
-
| DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
|
|
25
|
-
| DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
|
|
26
|
-
|
|
27
|
-
**Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
|
|
28
|
-
|
|
29
|
-
---
|
|
30
|
-
|
|
31
|
-
## Assessment Process by Level
|
|
32
|
-
|
|
33
|
-
### Level 1 — Self-Assessment
|
|
34
|
-
1. Assess all 17 practices against FAR 52.204-21
|
|
35
|
-
2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
|
|
36
|
-
3. Submit to SPRS at https://www.sprs.csd.disa.mil/
|
|
37
|
-
4. Senior official affirms accuracy
|
|
38
|
-
5. Repeat annually
|
|
39
|
-
|
|
40
|
-
### Level 2 — C3PAO Assessment (Critical Programs)
|
|
41
|
-
1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
|
|
42
|
-
2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
|
|
43
|
-
3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
|
|
44
|
-
4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
|
|
45
|
-
5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
|
|
46
|
-
6. **Certification**: Issued by CMMC-AB; valid for 3 years
|
|
47
|
-
7. **Annual affirmation**: Affirm continued compliance each year
|
|
48
|
-
|
|
49
|
-
### Level 2 — Self-Assessment (Non-Critical Programs)
|
|
50
|
-
- Same 110 practices as C3PAO path
|
|
51
|
-
- Self-assessed by contractor; senior official affirms in SPRS
|
|
52
|
-
- DoD reserves right to audit; false statements = False Claims Act liability
|
|
53
|
-
- Must still submit SPRS score
|
|
54
|
-
|
|
55
|
-
### Level 3 — DIBCAC Assessment
|
|
56
|
-
1. Contractor must hold a current Level 2 C3PAO certification first
|
|
57
|
-
2. DIBCAC (government team) conducts assessment — not contractor-selected
|
|
58
|
-
3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
|
|
59
|
-
4. No conditional certification — all practices must be MET
|
|
60
|
-
5. Government schedules the assessment; no commercial negotiation
|
|
61
|
-
|
|
62
|
-
---
|
|
63
|
-
|
|
64
|
-
## Flow-Down Requirements
|
|
65
|
-
|
|
66
|
-
DFARS 252.204-7021(c) requires prime contractors to:
|
|
67
|
-
- Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
|
|
68
|
-
- Specify the required CMMC level in the subcontract
|
|
69
|
-
- Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
|
|
70
|
-
- Flow-down applies to **all tiers** — sub-subcontractors are not exempt
|
|
71
|
-
|
|
72
|
-
**Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
|
|
73
|
-
|
|
74
|
-
---
|
|
75
|
-
|
|
76
|
-
## Timeline and Key Dates
|
|
77
|
-
|
|
78
|
-
| Milestone | Date |
|
|
79
|
-
|-----------|------|
|
|
80
|
-
| CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
|
|
81
|
-
| DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
|
|
82
|
-
| CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
|
|
83
|
-
| Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
|
|
84
|
-
| Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
|
|
85
|
-
|
|
86
|
-
---
|
|
87
|
-
|
|
88
|
-
## CUI Categories Most Common in Defense Contracts
|
|
89
|
-
|
|
90
|
-
| CUI Category | Examples | Typical Contract Types |
|
|
91
|
-
|-------------|----------|----------------------|
|
|
92
|
-
| Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
|
|
93
|
-
| Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
|
|
94
|
-
| Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
|
|
95
|
-
| Privacy (PII) | Personnel records | HR, health, benefits |
|
|
96
|
-
| Law Enforcement Sensitive | Investigation data | Base security contractors |
|
|
97
|
-
| Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
|
|
98
|
-
|
|
99
|
-
---
|
|
100
|
-
|
|
101
|
-
## Key Definitions
|
|
102
|
-
|
|
103
|
-
| Term | Definition |
|
|
104
|
-
|------|-----------|
|
|
105
|
-
| **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
|
|
106
|
-
| **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
|
|
107
|
-
| **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
|
|
108
|
-
| **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
|
|
109
|
-
| **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
|
|
110
|
-
| **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
|
|
111
|
-
| **OSC** | Organization Seeking Certification — the defense contractor being assessed |
|
|
112
|
-
| **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
|
|
113
|
-
| **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |
|
|
1
|
+
# CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
|
|
2
|
+
|
|
3
|
+
## Level Comparison Table
|
|
4
|
+
|
|
5
|
+
| Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
|
|
6
|
+
|-----------|----------------------|-------------------|-----------------|
|
|
7
|
+
| **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
|
|
8
|
+
| **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
|
|
9
|
+
| **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
|
|
10
|
+
| **SPRS submission** | Yes | Yes | Yes |
|
|
11
|
+
| **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
|
|
12
|
+
| **Conditional certification** | No | Yes (limited POA&M allowed) | No |
|
|
13
|
+
| **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## DFARS Clause Mapping
|
|
18
|
+
|
|
19
|
+
| DFARS Clause | Requirement | Level Implied |
|
|
20
|
+
|-------------|-------------|---------------|
|
|
21
|
+
| FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
|
|
22
|
+
| DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
|
|
23
|
+
| DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
|
|
24
|
+
| DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
|
|
25
|
+
| DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
|
|
26
|
+
|
|
27
|
+
**Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
|
|
28
|
+
|
|
29
|
+
---
|
|
30
|
+
|
|
31
|
+
## Assessment Process by Level
|
|
32
|
+
|
|
33
|
+
### Level 1 — Self-Assessment
|
|
34
|
+
1. Assess all 17 practices against FAR 52.204-21
|
|
35
|
+
2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
|
|
36
|
+
3. Submit to SPRS at https://www.sprs.csd.disa.mil/
|
|
37
|
+
4. Senior official affirms accuracy
|
|
38
|
+
5. Repeat annually
|
|
39
|
+
|
|
40
|
+
### Level 2 — C3PAO Assessment (Critical Programs)
|
|
41
|
+
1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
|
|
42
|
+
2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
|
|
43
|
+
3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
|
|
44
|
+
4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
|
|
45
|
+
5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
|
|
46
|
+
6. **Certification**: Issued by CMMC-AB; valid for 3 years
|
|
47
|
+
7. **Annual affirmation**: Affirm continued compliance each year
|
|
48
|
+
|
|
49
|
+
### Level 2 — Self-Assessment (Non-Critical Programs)
|
|
50
|
+
- Same 110 practices as C3PAO path
|
|
51
|
+
- Self-assessed by contractor; senior official affirms in SPRS
|
|
52
|
+
- DoD reserves right to audit; false statements = False Claims Act liability
|
|
53
|
+
- Must still submit SPRS score
|
|
54
|
+
|
|
55
|
+
### Level 3 — DIBCAC Assessment
|
|
56
|
+
1. Contractor must hold a current Level 2 C3PAO certification first
|
|
57
|
+
2. DIBCAC (government team) conducts assessment — not contractor-selected
|
|
58
|
+
3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
|
|
59
|
+
4. No conditional certification — all practices must be MET
|
|
60
|
+
5. Government schedules the assessment; no commercial negotiation
|
|
61
|
+
|
|
62
|
+
---
|
|
63
|
+
|
|
64
|
+
## Flow-Down Requirements
|
|
65
|
+
|
|
66
|
+
DFARS 252.204-7021(c) requires prime contractors to:
|
|
67
|
+
- Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
|
|
68
|
+
- Specify the required CMMC level in the subcontract
|
|
69
|
+
- Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
|
|
70
|
+
- Flow-down applies to **all tiers** — sub-subcontractors are not exempt
|
|
71
|
+
|
|
72
|
+
**Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## Timeline and Key Dates
|
|
77
|
+
|
|
78
|
+
| Milestone | Date |
|
|
79
|
+
|-----------|------|
|
|
80
|
+
| CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
|
|
81
|
+
| DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
|
|
82
|
+
| CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
|
|
83
|
+
| Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
|
|
84
|
+
| Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
|
|
85
|
+
|
|
86
|
+
---
|
|
87
|
+
|
|
88
|
+
## CUI Categories Most Common in Defense Contracts
|
|
89
|
+
|
|
90
|
+
| CUI Category | Examples | Typical Contract Types |
|
|
91
|
+
|-------------|----------|----------------------|
|
|
92
|
+
| Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
|
|
93
|
+
| Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
|
|
94
|
+
| Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
|
|
95
|
+
| Privacy (PII) | Personnel records | HR, health, benefits |
|
|
96
|
+
| Law Enforcement Sensitive | Investigation data | Base security contractors |
|
|
97
|
+
| Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
## Key Definitions
|
|
102
|
+
|
|
103
|
+
| Term | Definition |
|
|
104
|
+
|------|-----------|
|
|
105
|
+
| **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
|
|
106
|
+
| **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
|
|
107
|
+
| **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
|
|
108
|
+
| **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
|
|
109
|
+
| **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
|
|
110
|
+
| **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
|
|
111
|
+
| **OSC** | Organization Seeking Certification — the defense contractor being assessed |
|
|
112
|
+
| **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
|
|
113
|
+
| **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |
|