bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,235 +1,235 @@
1
- # CIS Controls v8 — Implementation Guidance
2
-
3
- ## Getting Started: The Prioritization Principle
4
-
5
- The CIS Controls are deliberately ordered by impact. Research consistently shows that implementing Controls 1–6 (the foundational six) eliminates the vast majority of cyber risk:
6
-
7
- - **Controls 1–2** (Inventory): You can't protect what you don't know you have
8
- - **Controls 3–6** (Protective): Prevent the most common attack paths
9
- - **Control 7** (Vulnerability Management): Continuously reduce attack surface
10
- - **Controls 8–18** (Detect, Respond, Recover): Build operational security capability
11
-
12
- Start with IG1 completely before moving to IG2. IG1 is the minimum acceptable baseline for any organization.
13
-
14
- ---
15
-
16
- ## Implementation Group 1 (IG1) — Essential Cyber Hygiene
17
-
18
- **Target audience:** Organizations with limited IT resources, small teams, commercially available products
19
- **Goal:** Defend against opportunistic, non-targeted attacks (the majority of incidents affecting small organizations)
20
-
21
- ### IG1 Quick-Start Checklist (56 Safeguards)
22
-
23
- **Week 1-2: Know Your Assets**
24
- - [ ] Create hardware asset inventory (all computers, servers, printers, network devices) — Safeguard 1.1
25
- - [ ] Create software inventory (all installed applications) — Safeguard 2.1
26
- - [ ] Document all user accounts — Safeguard 5.1
27
- - [ ] Document all data types and where they are stored — Safeguard 3.2
28
-
29
- **Week 3-4: Secure Configuration**
30
- - [ ] Enable host-based firewall on all workstations and servers — Safeguards 4.4, 4.5
31
- - [ ] Set screen lock timeout to 15 minutes — Safeguard 4.3
32
- - [ ] Change all default passwords on network devices, routers, and systems — Safeguard 4.7
33
- - [ ] Enable full-disk encryption on all laptops — Safeguard 3.6
34
-
35
- **Month 2: Account and Access Controls**
36
- - [ ] Enforce strong password policy (14+ characters) — Safeguard 5.2
37
- - [ ] Separate admin accounts from day-to-day user accounts — Safeguard 5.4
38
- - [ ] Disable accounts unused for 90+ days — Safeguard 5.3
39
- - [ ] Define and document access request/revoke process — Safeguards 6.1, 6.2
40
-
41
- **Month 2: Patch Management**
42
- - [ ] Enable automatic OS updates on all endpoints — Safeguard 7.3
43
- - [ ] Enable automatic application updates (browsers, Office, etc.) — Safeguard 7.4
44
- - [ ] Define a remediation SLA (e.g., critical patches within 15 days) — Safeguard 7.2
45
-
46
- **Month 3: Backups, Training, Incident Response**
47
- - [ ] Implement automated, tested backups (3-2-1 rule) — Safeguard 11.2, 11.4
48
- - [ ] Conduct security awareness training for all employees — Safeguard 14.1, 14.2
49
- - [ ] Document a basic incident response procedure — Safeguard 17.4
50
- - [ ] Enable and retain basic audit logs (auth events, admin actions) — Safeguards 8.1, 8.2
51
-
52
- ---
53
-
54
- ## Implementation Group 2 (IG2) — Intermediate Controls
55
-
56
- **Target audience:** Organizations with dedicated IT staff, sensitive data, moderate risk tolerance
57
- **Goal:** Defend against more sophisticated, targeted attacks; comply with common regulatory frameworks
58
-
59
- ### Key IG2 Additions Beyond IG1
60
-
61
- **MFA Everywhere (Control 6)**
62
- - Deploy MFA on all externally accessible systems (VPN, webmail, SaaS, remote access) — Safeguard 6.3
63
- - Require MFA for administrative access — Safeguard 6.5
64
- - Phishing-resistant MFA (FIDO2/hardware keys) for privileged users
65
-
66
- **Application Allowlisting (Control 2)**
67
- - Implement application allowlisting via Microsoft AppLocker, WDAC, or Carbon Black
68
- - Allowlist approved scripts (PowerShell Constrained Language Mode) — Safeguard 2.7
69
- - Block unauthorized DLLs and libraries — Safeguard 2.6
70
-
71
- **Vulnerability Scanning (Control 7)**
72
- - Deploy authenticated vulnerability scanner (Nessus, Qualys, Tenable, Rapid7)
73
- - Weekly authenticated scans of all internal assets — Safeguard 7.5
74
- - Monthly scans of external attack surface — Safeguard 7.6
75
- - Track and remediate findings per SLA — Safeguard 7.7
76
-
77
- **SIEM and Log Centralization (Control 8)**
78
- - Deploy SIEM or log aggregation platform — Safeguard 8.9
79
- - Collect: Windows event logs (4624, 4625, 4648, 4720, 4728), Linux auth.log, firewall deny logs, DNS, VPN — Safeguard 8.5
80
- - Retain logs for minimum 12 months — Safeguard 8.10
81
- - Enable NTP synchronization across all assets — Safeguard 8.4
82
-
83
- **Email Security (Control 9)**
84
- - Implement DMARC policy (start with p=none monitoring, move to p=quarantine/reject) — Safeguard 9.5
85
- - Deploy email filtering with sandboxing — Safeguard 9.7
86
- - Block dangerous attachment types (.exe, .js, .vbs, .bat, .macro-enabled Office) — Safeguard 9.6
87
-
88
- **EDR/Next-Gen AV (Control 10)**
89
- - Replace signature-only AV with EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) — Safeguard 10.7
90
- - Enable behavioral analysis and memory protection — Safeguard 10.5
91
-
92
- **Network Architecture (Control 12)**
93
- - Segment network by function (servers, workstations, IoT, guest Wi-Fi) — Safeguard 12.2
94
- - Implement DMZ for externally accessible services — Safeguard 12.2
95
- - Deploy Next-Gen Firewall with deep packet inspection — Safeguard 12.2
96
-
97
- **Vendor Risk Management (Control 15)**
98
- - Classify all service providers by data access and criticality — Safeguard 15.3
99
- - Include security requirements in all vendor contracts — Safeguard 15.4
100
- - Conduct annual vendor risk assessments for critical suppliers — Safeguard 15.5
101
-
102
- ---
103
-
104
- ## Implementation Group 3 (IG3) — Advanced Controls
105
-
106
- **Target audience:** Large enterprises with security teams, sensitive regulated data, high-value targets
107
- **Goal:** Defend against sophisticated, persistent adversaries; maintain continuous security operations
108
-
109
- ### Key IG3 Capabilities
110
-
111
- **Penetration Testing (Control 18)**
112
- - External pen test: Annual minimum; quarterly for high-risk targets — Safeguard 18.2
113
- - Internal pen test: Semi-annual — Safeguard 18.5
114
- - Red team exercises with full adversary simulation — beyond base CIS scope
115
- - Purple team exercises — combine red team and SOC for knowledge transfer
116
-
117
- **Advanced Network Defense (Control 13)**
118
- - Deploy Network Detection and Response (NDR/NTA) solution — Safeguard 13.3
119
- - Implement SOAR for automated incident response playbooks
120
- - HIPS on all servers — Safeguard 13.7
121
- - Tune SIEM alert thresholds to reduce false positives — Safeguard 13.11
122
- - Threat hunting program: proactive analysis for unknown threats
123
-
124
- **Application Security (Control 16)**
125
- - SAST integrated into CI/CD pipeline (pre-commit, PR gate) — Safeguard 16.12
126
- - DAST for deployed applications (OWASP ZAP, Burp Suite) — Safeguard 16.12
127
- - SCA for third-party components (Snyk, Black Duck) — related to 16.5
128
- - Threat modeling for new features and applications — Safeguard 16.14
129
- - Bug bounty program or responsible disclosure policy — related to 16.4
130
-
131
- **Data Protection (Control 3)**
132
- - Deploy DLP across email, endpoints, and cloud — Safeguard 3.13
133
- - Segment data stores by sensitivity — Safeguard 3.12
134
- - Log all access to sensitive data — Safeguard 3.14
135
-
136
- ---
137
-
138
- ## Common Implementation Pitfalls
139
-
140
- ### Pitfall 1: Skipping IG1 to implement IG2/IG3 Controls
141
- **Problem:** Organizations try to deploy SIEM before they know what assets they have
142
- **Solution:** Complete IG1 systematically before advancing. Asset inventory (Controls 1-2) is the foundation for everything else.
143
-
144
- ### Pitfall 2: Treating CIS Controls as a checklist, not a program
145
- **Problem:** Point-in-time compliance; controls drift over time
146
- **Solution:** Build operational processes: scheduled scans, monthly reporting, quarterly reviews, annual assessments
147
-
148
- ### Pitfall 3: Ignoring cloud assets
149
- **Problem:** Cloud VMs, SaaS apps, cloud storage not included in inventory or scans
150
- **Solution:** CIS Controls v8 explicitly addresses cloud assets — include in all inventories; use CSPM tools (Wiz, Prisma, Defender for Cloud)
151
-
152
- ### Pitfall 4: MFA deployment gaps
153
- **Problem:** MFA enabled on some systems but not others; SMS OTP used for privileged access
154
- **Solution:** Comprehensive MFA inventory; phishing-resistant MFA for privileged and external access
155
-
156
- ### Pitfall 5: Log collection without review
157
- **Problem:** SIEM deployed but alerts are not actioned; logs retained but never searched
158
- **Solution:** Define alert response procedures; staff SOC or use MDR service; weekly log review as minimum
159
-
160
- ### Pitfall 6: Patch management without vulnerability scanning
161
- **Problem:** Patching OS only; missing application and firmware vulnerabilities
162
- **Solution:** Authenticated vulnerability scanning to identify all missing patches, misconfigurations, and CVEs
163
-
164
- ---
165
-
166
- ## Metrics and KPIs for CIS Controls
167
-
168
- ### IG1 KPIs
169
- | Metric | Target | Frequency |
170
- |--------|--------|-----------|
171
- | % assets in inventory | ≥ 95% | Monthly |
172
- | % endpoints with current AV | 100% | Weekly |
173
- | % endpoints with disk encryption | 100% | Monthly |
174
- | Critical patches applied within SLA | ≥ 95% | Monthly |
175
- | % accounts with strong passwords | 100% | Quarterly |
176
- | Backup test success rate | 100% | Quarterly |
177
-
178
- ### IG2 KPIs
179
- | Metric | Target | Frequency |
180
- |--------|--------|-----------|
181
- | % external systems with MFA | 100% | Monthly |
182
- | Mean Time to Patch (MTTP) — Critical | ≤ 15 days | Monthly |
183
- | Mean Time to Patch (MTTP) — High | ≤ 30 days | Monthly |
184
- | SIEM alert response rate | ≥ 90% actioned | Weekly |
185
- | Phishing click rate (simulation) | ≤ 5% | Quarterly |
186
- | Vendor assessments completed | 100% of critical | Annual |
187
-
188
- ### IG3 KPIs
189
- | Metric | Target | Frequency |
190
- |--------|--------|-----------|
191
- | Pen test critical findings remediated | 100% within 30 days | After test |
192
- | Mean Time to Detect (MTTD) | ≤ 24 hours | Monthly |
193
- | Mean Time to Respond (MTTR) | ≤ 4 hours for P1 | Monthly |
194
- | SAST scan coverage | 100% of repos | Per commit |
195
- | DLP policy violation rate | Trending down | Monthly |
196
-
197
- ---
198
-
199
- ## CIS CSAT Tool
200
-
201
- The **CIS Controls Self-Assessment Tool (CSAT)** is a free web-based platform from CIS:
202
- - URL: https://csat.cisecurity.org/
203
- - Maps to all 153 safeguards
204
- - Generates maturity scores and prioritized gap reports
205
- - Supports team collaboration and tracking
206
- - Produces executive summary reports
207
-
208
- **CIS SecureSuite Membership** provides access to additional resources:
209
- - CIS Benchmarks (configuration hardening guides for 100+ technologies)
210
- - CIS-CAT Pro (automated configuration assessment tool)
211
- - CIS RAM (Risk Assessment Method)
212
- - Priority and quick-start guides by sector
213
-
214
- ---
215
-
216
- ## Industry-Specific Guidance
217
-
218
- ### Healthcare (HIPAA alignment)
219
- - Priority: Controls 3 (PHI data protection), 6 (access control), 8 (audit logging), 17 (incident response)
220
- - IG2 minimum for any covered entity or business associate
221
- - Map CIS Controls to HIPAA Security Rule safeguards
222
-
223
- ### Finance (PCI DSS / GLBA alignment)
224
- - Priority: Controls 3, 6, 8, 12, 16 for cardholder data environments
225
- - IG2 minimum; IG3 for large financial institutions
226
- - CIS Controls v8 maps closely to PCI DSS v4.0 requirements
227
-
228
- ### Government (FISMA / CMMC alignment)
229
- - Priority: Full IG2 implementation for CMMC Level 2; IG3 elements for CMMC Level 3
230
- - CIS Controls map to NIST SP 800-171 requirements used in CMMC
231
- - Essential Eight (Australian cyber) aligns with CIS Controls 1-10
232
-
233
- ### Education (FERPA alignment)
234
- - Priority: Controls 1-7 for student data protection
235
- - IG1 minimum for K-12; IG2 for higher education with research data
1
+ # CIS Controls v8 — Implementation Guidance
2
+
3
+ ## Getting Started: The Prioritization Principle
4
+
5
+ The CIS Controls are deliberately ordered by impact. Research consistently shows that implementing Controls 1–6 (the foundational six) eliminates the vast majority of cyber risk:
6
+
7
+ - **Controls 1–2** (Inventory): You can't protect what you don't know you have
8
+ - **Controls 3–6** (Protective): Prevent the most common attack paths
9
+ - **Control 7** (Vulnerability Management): Continuously reduce attack surface
10
+ - **Controls 8–18** (Detect, Respond, Recover): Build operational security capability
11
+
12
+ Start with IG1 completely before moving to IG2. IG1 is the minimum acceptable baseline for any organization.
13
+
14
+ ---
15
+
16
+ ## Implementation Group 1 (IG1) — Essential Cyber Hygiene
17
+
18
+ **Target audience:** Organizations with limited IT resources, small teams, commercially available products
19
+ **Goal:** Defend against opportunistic, non-targeted attacks (the majority of incidents affecting small organizations)
20
+
21
+ ### IG1 Quick-Start Checklist (56 Safeguards)
22
+
23
+ **Week 1-2: Know Your Assets**
24
+ - [ ] Create hardware asset inventory (all computers, servers, printers, network devices) — Safeguard 1.1
25
+ - [ ] Create software inventory (all installed applications) — Safeguard 2.1
26
+ - [ ] Document all user accounts — Safeguard 5.1
27
+ - [ ] Document all data types and where they are stored — Safeguard 3.2
28
+
29
+ **Week 3-4: Secure Configuration**
30
+ - [ ] Enable host-based firewall on all workstations and servers — Safeguards 4.4, 4.5
31
+ - [ ] Set screen lock timeout to 15 minutes — Safeguard 4.3
32
+ - [ ] Change all default passwords on network devices, routers, and systems — Safeguard 4.7
33
+ - [ ] Enable full-disk encryption on all laptops — Safeguard 3.6
34
+
35
+ **Month 2: Account and Access Controls**
36
+ - [ ] Enforce strong password policy (14+ characters) — Safeguard 5.2
37
+ - [ ] Separate admin accounts from day-to-day user accounts — Safeguard 5.4
38
+ - [ ] Disable accounts unused for 90+ days — Safeguard 5.3
39
+ - [ ] Define and document access request/revoke process — Safeguards 6.1, 6.2
40
+
41
+ **Month 2: Patch Management**
42
+ - [ ] Enable automatic OS updates on all endpoints — Safeguard 7.3
43
+ - [ ] Enable automatic application updates (browsers, Office, etc.) — Safeguard 7.4
44
+ - [ ] Define a remediation SLA (e.g., critical patches within 15 days) — Safeguard 7.2
45
+
46
+ **Month 3: Backups, Training, Incident Response**
47
+ - [ ] Implement automated, tested backups (3-2-1 rule) — Safeguard 11.2, 11.4
48
+ - [ ] Conduct security awareness training for all employees — Safeguard 14.1, 14.2
49
+ - [ ] Document a basic incident response procedure — Safeguard 17.4
50
+ - [ ] Enable and retain basic audit logs (auth events, admin actions) — Safeguards 8.1, 8.2
51
+
52
+ ---
53
+
54
+ ## Implementation Group 2 (IG2) — Intermediate Controls
55
+
56
+ **Target audience:** Organizations with dedicated IT staff, sensitive data, moderate risk tolerance
57
+ **Goal:** Defend against more sophisticated, targeted attacks; comply with common regulatory frameworks
58
+
59
+ ### Key IG2 Additions Beyond IG1
60
+
61
+ **MFA Everywhere (Control 6)**
62
+ - Deploy MFA on all externally accessible systems (VPN, webmail, SaaS, remote access) — Safeguard 6.3
63
+ - Require MFA for administrative access — Safeguard 6.5
64
+ - Phishing-resistant MFA (FIDO2/hardware keys) for privileged users
65
+
66
+ **Application Allowlisting (Control 2)**
67
+ - Implement application allowlisting via Microsoft AppLocker, WDAC, or Carbon Black
68
+ - Allowlist approved scripts (PowerShell Constrained Language Mode) — Safeguard 2.7
69
+ - Block unauthorized DLLs and libraries — Safeguard 2.6
70
+
71
+ **Vulnerability Scanning (Control 7)**
72
+ - Deploy authenticated vulnerability scanner (Nessus, Qualys, Tenable, Rapid7)
73
+ - Weekly authenticated scans of all internal assets — Safeguard 7.5
74
+ - Monthly scans of external attack surface — Safeguard 7.6
75
+ - Track and remediate findings per SLA — Safeguard 7.7
76
+
77
+ **SIEM and Log Centralization (Control 8)**
78
+ - Deploy SIEM or log aggregation platform — Safeguard 8.9
79
+ - Collect: Windows event logs (4624, 4625, 4648, 4720, 4728), Linux auth.log, firewall deny logs, DNS, VPN — Safeguard 8.5
80
+ - Retain logs for minimum 12 months — Safeguard 8.10
81
+ - Enable NTP synchronization across all assets — Safeguard 8.4
82
+
83
+ **Email Security (Control 9)**
84
+ - Implement DMARC policy (start with p=none monitoring, move to p=quarantine/reject) — Safeguard 9.5
85
+ - Deploy email filtering with sandboxing — Safeguard 9.7
86
+ - Block dangerous attachment types (.exe, .js, .vbs, .bat, .macro-enabled Office) — Safeguard 9.6
87
+
88
+ **EDR/Next-Gen AV (Control 10)**
89
+ - Replace signature-only AV with EDR/XDR (CrowdStrike, SentinelOne, Microsoft Defender for Endpoint) — Safeguard 10.7
90
+ - Enable behavioral analysis and memory protection — Safeguard 10.5
91
+
92
+ **Network Architecture (Control 12)**
93
+ - Segment network by function (servers, workstations, IoT, guest Wi-Fi) — Safeguard 12.2
94
+ - Implement DMZ for externally accessible services — Safeguard 12.2
95
+ - Deploy Next-Gen Firewall with deep packet inspection — Safeguard 12.2
96
+
97
+ **Vendor Risk Management (Control 15)**
98
+ - Classify all service providers by data access and criticality — Safeguard 15.3
99
+ - Include security requirements in all vendor contracts — Safeguard 15.4
100
+ - Conduct annual vendor risk assessments for critical suppliers — Safeguard 15.5
101
+
102
+ ---
103
+
104
+ ## Implementation Group 3 (IG3) — Advanced Controls
105
+
106
+ **Target audience:** Large enterprises with security teams, sensitive regulated data, high-value targets
107
+ **Goal:** Defend against sophisticated, persistent adversaries; maintain continuous security operations
108
+
109
+ ### Key IG3 Capabilities
110
+
111
+ **Penetration Testing (Control 18)**
112
+ - External pen test: Annual minimum; quarterly for high-risk targets — Safeguard 18.2
113
+ - Internal pen test: Semi-annual — Safeguard 18.5
114
+ - Red team exercises with full adversary simulation — beyond base CIS scope
115
+ - Purple team exercises — combine red team and SOC for knowledge transfer
116
+
117
+ **Advanced Network Defense (Control 13)**
118
+ - Deploy Network Detection and Response (NDR/NTA) solution — Safeguard 13.3
119
+ - Implement SOAR for automated incident response playbooks
120
+ - HIPS on all servers — Safeguard 13.7
121
+ - Tune SIEM alert thresholds to reduce false positives — Safeguard 13.11
122
+ - Threat hunting program: proactive analysis for unknown threats
123
+
124
+ **Application Security (Control 16)**
125
+ - SAST integrated into CI/CD pipeline (pre-commit, PR gate) — Safeguard 16.12
126
+ - DAST for deployed applications (OWASP ZAP, Burp Suite) — Safeguard 16.12
127
+ - SCA for third-party components (Snyk, Black Duck) — related to 16.5
128
+ - Threat modeling for new features and applications — Safeguard 16.14
129
+ - Bug bounty program or responsible disclosure policy — related to 16.4
130
+
131
+ **Data Protection (Control 3)**
132
+ - Deploy DLP across email, endpoints, and cloud — Safeguard 3.13
133
+ - Segment data stores by sensitivity — Safeguard 3.12
134
+ - Log all access to sensitive data — Safeguard 3.14
135
+
136
+ ---
137
+
138
+ ## Common Implementation Pitfalls
139
+
140
+ ### Pitfall 1: Skipping IG1 to implement IG2/IG3 Controls
141
+ **Problem:** Organizations try to deploy SIEM before they know what assets they have
142
+ **Solution:** Complete IG1 systematically before advancing. Asset inventory (Controls 1-2) is the foundation for everything else.
143
+
144
+ ### Pitfall 2: Treating CIS Controls as a checklist, not a program
145
+ **Problem:** Point-in-time compliance; controls drift over time
146
+ **Solution:** Build operational processes: scheduled scans, monthly reporting, quarterly reviews, annual assessments
147
+
148
+ ### Pitfall 3: Ignoring cloud assets
149
+ **Problem:** Cloud VMs, SaaS apps, cloud storage not included in inventory or scans
150
+ **Solution:** CIS Controls v8 explicitly addresses cloud assets — include in all inventories; use CSPM tools (Wiz, Prisma, Defender for Cloud)
151
+
152
+ ### Pitfall 4: MFA deployment gaps
153
+ **Problem:** MFA enabled on some systems but not others; SMS OTP used for privileged access
154
+ **Solution:** Comprehensive MFA inventory; phishing-resistant MFA for privileged and external access
155
+
156
+ ### Pitfall 5: Log collection without review
157
+ **Problem:** SIEM deployed but alerts are not actioned; logs retained but never searched
158
+ **Solution:** Define alert response procedures; staff SOC or use MDR service; weekly log review as minimum
159
+
160
+ ### Pitfall 6: Patch management without vulnerability scanning
161
+ **Problem:** Patching OS only; missing application and firmware vulnerabilities
162
+ **Solution:** Authenticated vulnerability scanning to identify all missing patches, misconfigurations, and CVEs
163
+
164
+ ---
165
+
166
+ ## Metrics and KPIs for CIS Controls
167
+
168
+ ### IG1 KPIs
169
+ | Metric | Target | Frequency |
170
+ |--------|--------|-----------|
171
+ | % assets in inventory | ≥ 95% | Monthly |
172
+ | % endpoints with current AV | 100% | Weekly |
173
+ | % endpoints with disk encryption | 100% | Monthly |
174
+ | Critical patches applied within SLA | ≥ 95% | Monthly |
175
+ | % accounts with strong passwords | 100% | Quarterly |
176
+ | Backup test success rate | 100% | Quarterly |
177
+
178
+ ### IG2 KPIs
179
+ | Metric | Target | Frequency |
180
+ |--------|--------|-----------|
181
+ | % external systems with MFA | 100% | Monthly |
182
+ | Mean Time to Patch (MTTP) — Critical | ≤ 15 days | Monthly |
183
+ | Mean Time to Patch (MTTP) — High | ≤ 30 days | Monthly |
184
+ | SIEM alert response rate | ≥ 90% actioned | Weekly |
185
+ | Phishing click rate (simulation) | ≤ 5% | Quarterly |
186
+ | Vendor assessments completed | 100% of critical | Annual |
187
+
188
+ ### IG3 KPIs
189
+ | Metric | Target | Frequency |
190
+ |--------|--------|-----------|
191
+ | Pen test critical findings remediated | 100% within 30 days | After test |
192
+ | Mean Time to Detect (MTTD) | ≤ 24 hours | Monthly |
193
+ | Mean Time to Respond (MTTR) | ≤ 4 hours for P1 | Monthly |
194
+ | SAST scan coverage | 100% of repos | Per commit |
195
+ | DLP policy violation rate | Trending down | Monthly |
196
+
197
+ ---
198
+
199
+ ## CIS CSAT Tool
200
+
201
+ The **CIS Controls Self-Assessment Tool (CSAT)** is a free web-based platform from CIS:
202
+ - URL: https://csat.cisecurity.org/
203
+ - Maps to all 153 safeguards
204
+ - Generates maturity scores and prioritized gap reports
205
+ - Supports team collaboration and tracking
206
+ - Produces executive summary reports
207
+
208
+ **CIS SecureSuite Membership** provides access to additional resources:
209
+ - CIS Benchmarks (configuration hardening guides for 100+ technologies)
210
+ - CIS-CAT Pro (automated configuration assessment tool)
211
+ - CIS RAM (Risk Assessment Method)
212
+ - Priority and quick-start guides by sector
213
+
214
+ ---
215
+
216
+ ## Industry-Specific Guidance
217
+
218
+ ### Healthcare (HIPAA alignment)
219
+ - Priority: Controls 3 (PHI data protection), 6 (access control), 8 (audit logging), 17 (incident response)
220
+ - IG2 minimum for any covered entity or business associate
221
+ - Map CIS Controls to HIPAA Security Rule safeguards
222
+
223
+ ### Finance (PCI DSS / GLBA alignment)
224
+ - Priority: Controls 3, 6, 8, 12, 16 for cardholder data environments
225
+ - IG2 minimum; IG3 for large financial institutions
226
+ - CIS Controls v8 maps closely to PCI DSS v4.0 requirements
227
+
228
+ ### Government (FISMA / CMMC alignment)
229
+ - Priority: Full IG2 implementation for CMMC Level 2; IG3 elements for CMMC Level 3
230
+ - CIS Controls map to NIST SP 800-171 requirements used in CMMC
231
+ - Essential Eight (Australian cyber) aligns with CIS Controls 1-10
232
+
233
+ ### Education (FERPA alignment)
234
+ - Priority: Controls 1-7 for student data protection
235
+ - IG1 minimum for K-12; IG2 for higher education with research data