bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,252 +1,252 @@
1
- # CIS Controls v8 — All 153 Safeguards Detail
2
-
3
- ## How to Use This Reference
4
-
5
- Each safeguard entry shows:
6
- - **Safeguard ID:** CIS Control # . Safeguard #
7
- - **Title:** Official CIS safeguard name
8
- - **IG:** Minimum implementation group (1, 2, or 3)
9
- - **Asset Type:** Devices / Software / Data / Users / Network / Applications
10
- - **Security Function:** Govern / Identify / Protect / Detect / Respond / Recover
11
- - **Implementation Notes:** Practical guidance on what to do
12
-
13
- ---
14
-
15
- ## CIS Control 1: Inventory and Control of Enterprise Assets
16
-
17
- | Safeguard | Title | IG | Asset Type | Security Function |
18
- |-----------|-------|-----|-----------|------------------|
19
- | 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | 1 | Devices | Identify |
20
- | 1.2 | Address Unauthorized Assets | 1 | Devices | Respond |
21
- | 1.3 | Utilize an Active Discovery Tool | 2 | Devices | Identify |
22
- | 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | 1 | Devices | Identify |
23
- | 1.5 | Use a Passive Asset Discovery Tool | 3 | Devices | Identify |
24
-
25
- **Implementation Notes:**
26
- - **1.1:** Maintain inventory in a CMDB, spreadsheet, or MDM tool. Include: IP address, hostname, MAC address, owner, location, OS, asset type, acquisition date
27
- - **1.2:** Define a process for handling unauthorized devices found on network — quarantine, investigate, document
28
- - **1.3:** Run network scanners (Nmap, Nessus, Qualys, Tenable) on scheduled basis (weekly minimum)
29
- - **1.4:** Enable DHCP server logging; correlate logs with asset inventory; flag unknown MACs
30
- - **1.5:** Deploy passive network TAP or IDS/NDR sensors for continuous asset detection without active scanning
31
-
32
- **Recommended Tools:** Microsoft Intune, CrowdStrike Falcon, Tanium, Qualys VMDR, Nessus, Axonius, ServiceNow CMDB
33
-
34
- ---
35
-
36
- ## CIS Control 2: Inventory and Control of Software Assets
37
-
38
- | Safeguard | Title | IG | Asset Type | Security Function |
39
- |-----------|-------|-----|-----------|------------------|
40
- | 2.1 | Establish and Maintain a Software Inventory | 1 | Applications | Identify |
41
- | 2.2 | Ensure Authorized Software is Currently Supported | 1 | Applications | Protect |
42
- | 2.3 | Address Unauthorized Software | 1 | Applications | Respond |
43
- | 2.4 | Utilize Automated Software Inventory Tools | 2 | Applications | Identify |
44
- | 2.5 | Allowlist Authorized Software | 2 | Applications | Protect |
45
- | 2.6 | Allowlist Authorized Libraries | 2 | Applications | Protect |
46
- | 2.7 | Allowlist Authorized Scripts | 2 | Applications | Protect |
47
-
48
- **Implementation Notes:**
49
- - **2.1:** Track all installed software: name, version, vendor, license, install date, responsible owner
50
- - **2.2:** Identify software nearing end-of-support (EOS/EOL); plan upgrades before EOS date
51
- - **2.3:** Detect and remove unauthorized software; consider policy/consequence for installing unauthorized tools
52
- - **2.5:** Implement application allowlisting via Windows AppLocker, WDAC, or endpoint agents
53
- - **2.6:** Track approved DLL, library, and package versions; use software composition analysis (SCA) for development
54
- - **2.7:** Control scripting environments (PowerShell Constrained Language Mode, Python virtual environments)
55
-
56
- **Recommended Tools:** Microsoft Intune, SCCM, Tanium, Flexera, Snyk (SCA), Veracode, AppLocker
57
-
58
- ---
59
-
60
- ## CIS Control 3: Data Protection
61
-
62
- | Safeguard | Title | IG | Asset Type | Security Function |
63
- |-----------|-------|-----|-----------|------------------|
64
- | 3.1 | Establish and Maintain a Data Management Process | 1 | Data | Govern |
65
- | 3.2 | Establish and Maintain a Data Inventory | 1 | Data | Identify |
66
- | 3.3 | Configure Data Access Control Lists | 1 | Data | Protect |
67
- | 3.4 | Enforce Data Retention | 1 | Data | Protect |
68
- | 3.5 | Securely Dispose of Data | 1 | Data | Protect |
69
- | 3.6 | Encrypt Data on End-User Devices | 2 | Data | Protect |
70
- | 3.7 | Establish and Maintain a Data Classification Scheme | 2 | Data | Protect |
71
- | 3.8 | Document Data Flows | 2 | Data | Identify |
72
- | 3.9 | Encrypt Data on Removable Media | 2 | Data | Protect |
73
- | 3.10 | Encrypt Sensitive Data in Transit | 2 | Data | Protect |
74
- | 3.11 | Encrypt Sensitive Data at Rest | 2 | Data | Protect |
75
- | 3.12 | Segment Data Processing and Storage Based on Sensitivity | 3 | Data | Protect |
76
- | 3.13 | Deploy a Data Loss Prevention Solution | 3 | Data | Protect |
77
- | 3.14 | Log Sensitive Data Access | 3 | Data | Detect |
78
-
79
- **Implementation Notes:**
80
- - **3.1:** Written policy covering classification, handling, retention, disposal — reviewed annually
81
- - **3.2:** Inventory must include: data type, sensitivity, location (on-prem/cloud), owner, retention period
82
- - **3.3:** Implement least-privilege on file shares, databases, cloud storage; review ACLs quarterly
83
- - **3.6:** Enable full-disk encryption (BitLocker for Windows, FileVault for macOS, LUKS for Linux)
84
- - **3.7:** Define classification labels: e.g., Public / Internal / Confidential / Restricted
85
- - **3.10:** Enforce TLS 1.2+ for all data in transit; disable older protocols (SSL, TLS 1.0/1.1)
86
- - **3.11:** Encrypt databases, backups, and file stores containing sensitive data
87
- - **3.13:** Deploy DLP on email, endpoints, and cloud services to prevent data exfiltration
88
-
89
- **Recommended Tools:** Microsoft Purview, Varonis, Symantec DLP, Zscaler, BitLocker, Vera (Digital Guardian)
90
-
91
- ---
92
-
93
- ## CIS Control 4: Secure Configuration
94
-
95
- | Safeguard | Title | IG | Asset Type | Security Function |
96
- |-----------|-------|-----|-----------|------------------|
97
- | 4.1 | Establish and Maintain a Secure Configuration Process | 1 | Devices | Protect |
98
- | 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | 1 | Network | Protect |
99
- | 4.3 | Configure Automatic Session Locking on Enterprise Assets | 1 | Devices/Users | Protect |
100
- | 4.4 | Implement and Manage a Firewall on Servers | 1 | Devices | Protect |
101
- | 4.5 | Implement and Manage a Firewall on End-User Devices | 1 | Devices | Protect |
102
- | 4.6 | Securely Manage Enterprise Assets and Software | 2 | Devices | Protect |
103
- | 4.7 | Manage Default Accounts on Enterprise Assets and Software | 2 | Users | Protect |
104
- | 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets | 2 | Devices | Protect |
105
- | 4.9 | Configure Trusted DNS Servers on Enterprise Assets | 2 | Devices/Network | Protect |
106
- | 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | 2 | Devices | Protect |
107
- | 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | 2 | Devices | Protect |
108
- | 4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | 3 | Devices | Protect |
109
-
110
- **Implementation Notes:**
111
- - **4.1:** Use CIS Benchmarks as configuration baseline; automate hardening via Group Policy, Ansible, Chef, Puppet
112
- - **4.2:** Apply router/switch hardening; disable unused ports, protocols, and services on network devices
113
- - **4.3:** Set session timeout to 15 minutes or less; enforce screensaver lock via GPO/MDM
114
- - **4.4:** Enable Windows Firewall or host-based firewall on all servers; define least-privilege inbound/outbound rules
115
- - **4.7:** Rename or disable default admin accounts; change all default passwords immediately upon deployment
116
- - **4.8:** Disable/uninstall: Telnet, FTP, rsh, RPC where not needed; audit running services quarterly
117
-
118
- **CIS Benchmark Resources:** Free hardening guides available at cisecurity.org/benchmark for Windows, Linux, macOS, AWS, Azure, GCP, Kubernetes, Docker, browsers
119
-
120
- ---
121
-
122
- ## CIS Control 5: Account Management
123
-
124
- | Safeguard | Title | IG | Asset Type | Security Function |
125
- |-----------|-------|-----|-----------|------------------|
126
- | 5.1 | Establish and Maintain an Inventory of Accounts | 1 | Users | Identify |
127
- | 5.2 | Use Unique Passwords | 1 | Users | Protect |
128
- | 5.3 | Disable Dormant Accounts | 1 | Users | Protect |
129
- | 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | 1 | Users | Protect |
130
- | 5.5 | Establish and Maintain an Inventory of Service Accounts | 2 | Users | Identify |
131
- | 5.6 | Centralize Account Management | 2 | Users | Protect |
132
-
133
- **Implementation Notes:**
134
- - **5.1:** Inventory: all user, admin, service, and guest accounts across all systems
135
- - **5.2:** Password policy: minimum 14 characters (or MFA required); check against breached password databases (HaveIBeenPwned); use password manager
136
- - **5.3:** Disable accounts unused for 90 days; automate detection via IdP reporting
137
- - **5.4:** Never use admin accounts for daily work; separate admin credentials; use PAM solutions for privileged access
138
- - **5.5:** Service accounts: document purpose, owner, permissions; rotate passwords regularly
139
- - **5.6:** Use Active Directory, Azure AD/Entra ID, Okta, or similar IdP as single source of truth
140
-
141
- ---
142
-
143
- ## CIS Control 6: Access Control Management
144
-
145
- | Safeguard | Title | IG | Asset Type | Security Function |
146
- |-----------|-------|-----|-----------|------------------|
147
- | 6.1 | Establish an Access Granting Process | 1 | Users | Protect |
148
- | 6.2 | Establish an Access Revoking Process | 1 | Users | Protect |
149
- | 6.3 | Require MFA for Externally-Exposed Applications | 2 | Users | Protect |
150
- | 6.4 | Require MFA for Remote Network Access | 2 | Users | Protect |
151
- | 6.5 | Require MFA for Administrative Access | 2 | Users | Protect |
152
- | 6.6 | Establish and Maintain an Inventory of Authentication/Authorization Systems | 2 | Users | Identify |
153
- | 6.7 | Centralize Access Control | 2 | Users | Protect |
154
- | 6.8 | Define and Maintain Role-Based Access Control | 2 | Users | Protect |
155
-
156
- **Implementation Notes:**
157
- - **6.1/6.2:** Formal access request and approval process; link to onboarding/offboarding procedures; review quarterly
158
- - **6.3:** MFA on all SaaS, web portals, VPN, RDP — phishing-resistant MFA (FIDO2/passkeys) preferred over SMS OTP
159
- - **6.5:** Require MFA for all admin console access (cloud management, AD, network devices)
160
- - **6.8:** Define roles in RBAC model; avoid overly broad permissions; apply least-privilege principle
161
-
162
- ---
163
-
164
- ## CIS Control 7: Continuous Vulnerability Management
165
-
166
- | Safeguard | Title | IG | Asset Type | Security Function |
167
- |-----------|-------|-----|-----------|------------------|
168
- | 7.1 | Establish and Maintain a Vulnerability Management Process | 1 | Devices/Apps | Protect |
169
- | 7.2 | Establish and Maintain a Remediation Process | 1 | Devices/Apps | Respond |
170
- | 7.3 | Perform Automated Operating System Patch Management | 1 | Devices | Protect |
171
- | 7.4 | Perform Automated Application Patch Management | 1 | Applications | Protect |
172
- | 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | 2 | Devices | Identify |
173
- | 7.6 | Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets | 2 | Devices/Network | Identify |
174
- | 7.7 | Remediate Detected Vulnerabilities | 2 | Devices/Apps | Respond |
175
-
176
- **Remediation SLAs (common industry standards):**
177
- | CVSS Severity | Recommended Remediation Time |
178
- |---------------|------------------------------|
179
- | Critical (9.0–10.0) | 15 days |
180
- | High (7.0–8.9) | 30 days |
181
- | Medium (4.0–6.9) | 90 days |
182
- | Low (0.1–3.9) | 180 days or risk accepted |
183
-
184
- **Recommended Tools:** Qualys VMDR, Tenable Nessus/io, Rapid7 InsightVM, Microsoft Defender Vulnerability Management, CrowdStrike Spotlight
185
-
186
- ---
187
-
188
- ## CIS Control 8: Audit Log Management
189
-
190
- | Safeguard | Title | IG | Asset Type | Security Function |
191
- |-----------|-------|-----|-----------|------------------|
192
- | 8.1 | Establish and Maintain an Audit Log Management Process | 1 | Network/Devices | Protect |
193
- | 8.2 | Collect Audit Logs | 1 | Network/Devices | Detect |
194
- | 8.3 | Ensure Adequate Audit Log Storage | 2 | Network/Devices | Protect |
195
- | 8.4 | Standardize Time Synchronization | 2 | Network/Devices | Protect |
196
- | 8.5 | Collect Detailed Audit Logs | 2 | Network/Devices | Detect |
197
- | 8.6 | Collect DNS Query Audit Logs | 2 | Network | Detect |
198
- | 8.7 | Collect URL Request Audit Logs | 2 | Network | Detect |
199
- | 8.8 | Collect Command-Line Audit Logs | 2 | Devices | Detect |
200
- | 8.9 | Centralize Audit Logs | 2 | Network/Devices | Detect |
201
- | 8.10 | Retain Audit Logs | 2 | Network/Devices | Protect |
202
- | 8.11 | Conduct Audit Log Reviews | 2 | Network/Devices | Detect |
203
- | 8.12 | Collect Service Provider Logs | 2 | Data/Network | Detect |
204
-
205
- **Minimum Log Retention:** 90 days hot (searchable), 1 year cold storage (regulatory minimum varies)
206
- **Recommended Tools:** Splunk, Microsoft Sentinel, Elastic SIEM, Sumo Logic, IBM QRadar
207
-
208
- ---
209
-
210
- ## CIS Controls 9–18 Summary (Selected Key Safeguards)
211
-
212
- ### Control 9: Email and Web Browser Protections
213
- - 9.3 (IG1): Maintain/enforce email provider anti-spoofing (SPF, DKIM, DMARC)
214
- - 9.5 (IG2): Implement DMARC policy (p=quarantine or p=reject)
215
-
216
- ### Control 10: Malware Defenses
217
- - 10.1 (IG1): Deploy/maintain anti-malware on all endpoints
218
- - 10.7 (IG2): Use behavior-based/next-gen anti-malware (EDR)
219
-
220
- ### Control 11: Data Recovery
221
- - 11.2 (IG1): Automated backups on schedule; test restores quarterly
222
- - 11.4 (IG1): Store backup copy isolated/offline (3-2-1 rule)
223
-
224
- ### Control 12: Network Infrastructure Management
225
- - 12.1 (IG1): Keep network devices firmware/OS current
226
- - 12.7 (IG2): Require VPN for remote access with AAA
227
-
228
- ### Control 13: Network Monitoring and Defense
229
- - 13.1 (IG2): Centralize security event alerting (SIEM)
230
- - 13.3 (IG2): Deploy NIDS/NIPS or NDR solution
231
- - 13.7/13.8 (IG3): HIPS/NIPS for active blocking
232
-
233
- ### Control 14: Security Awareness Training
234
- - 14.2 (IG1): Annual phishing awareness training; quarterly simulations (IG2+)
235
- - 14.6 (IG1): Train employees to recognize and report incidents
236
-
237
- ### Control 15: Service Provider Management
238
- - 15.1 (IG1): Inventory of all service providers with data access
239
- - 15.4 (IG2): Contracts must include security requirements
240
- - 15.5 (IG2): Annual risk assessment of critical service providers
241
-
242
- ### Control 16: Application Software Security
243
- - 16.9 (IG2): Developer security training (OWASP Top 10)
244
- - 16.12 (IG3): SAST/DAST/IAST integrated in CI/CD pipeline
245
-
246
- ### Control 17: Incident Response Management
247
- - 17.4 (IG1): Document incident response plan; test annually
248
- - 17.7 (IG2): Conduct tabletop exercises; include ransomware scenarios
249
-
250
- ### Control 18: Penetration Testing
251
- - 18.2 (IG2): Annual external penetration test by qualified third party
252
- - 18.5 (IG3): Quarterly internal pen tests; red team exercises
1
+ # CIS Controls v8 — All 153 Safeguards Detail
2
+
3
+ ## How to Use This Reference
4
+
5
+ Each safeguard entry shows:
6
+ - **Safeguard ID:** CIS Control # . Safeguard #
7
+ - **Title:** Official CIS safeguard name
8
+ - **IG:** Minimum implementation group (1, 2, or 3)
9
+ - **Asset Type:** Devices / Software / Data / Users / Network / Applications
10
+ - **Security Function:** Govern / Identify / Protect / Detect / Respond / Recover
11
+ - **Implementation Notes:** Practical guidance on what to do
12
+
13
+ ---
14
+
15
+ ## CIS Control 1: Inventory and Control of Enterprise Assets
16
+
17
+ | Safeguard | Title | IG | Asset Type | Security Function |
18
+ |-----------|-------|-----|-----------|------------------|
19
+ | 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | 1 | Devices | Identify |
20
+ | 1.2 | Address Unauthorized Assets | 1 | Devices | Respond |
21
+ | 1.3 | Utilize an Active Discovery Tool | 2 | Devices | Identify |
22
+ | 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | 1 | Devices | Identify |
23
+ | 1.5 | Use a Passive Asset Discovery Tool | 3 | Devices | Identify |
24
+
25
+ **Implementation Notes:**
26
+ - **1.1:** Maintain inventory in a CMDB, spreadsheet, or MDM tool. Include: IP address, hostname, MAC address, owner, location, OS, asset type, acquisition date
27
+ - **1.2:** Define a process for handling unauthorized devices found on network — quarantine, investigate, document
28
+ - **1.3:** Run network scanners (Nmap, Nessus, Qualys, Tenable) on scheduled basis (weekly minimum)
29
+ - **1.4:** Enable DHCP server logging; correlate logs with asset inventory; flag unknown MACs
30
+ - **1.5:** Deploy passive network TAP or IDS/NDR sensors for continuous asset detection without active scanning
31
+
32
+ **Recommended Tools:** Microsoft Intune, CrowdStrike Falcon, Tanium, Qualys VMDR, Nessus, Axonius, ServiceNow CMDB
33
+
34
+ ---
35
+
36
+ ## CIS Control 2: Inventory and Control of Software Assets
37
+
38
+ | Safeguard | Title | IG | Asset Type | Security Function |
39
+ |-----------|-------|-----|-----------|------------------|
40
+ | 2.1 | Establish and Maintain a Software Inventory | 1 | Applications | Identify |
41
+ | 2.2 | Ensure Authorized Software is Currently Supported | 1 | Applications | Protect |
42
+ | 2.3 | Address Unauthorized Software | 1 | Applications | Respond |
43
+ | 2.4 | Utilize Automated Software Inventory Tools | 2 | Applications | Identify |
44
+ | 2.5 | Allowlist Authorized Software | 2 | Applications | Protect |
45
+ | 2.6 | Allowlist Authorized Libraries | 2 | Applications | Protect |
46
+ | 2.7 | Allowlist Authorized Scripts | 2 | Applications | Protect |
47
+
48
+ **Implementation Notes:**
49
+ - **2.1:** Track all installed software: name, version, vendor, license, install date, responsible owner
50
+ - **2.2:** Identify software nearing end-of-support (EOS/EOL); plan upgrades before EOS date
51
+ - **2.3:** Detect and remove unauthorized software; consider policy/consequence for installing unauthorized tools
52
+ - **2.5:** Implement application allowlisting via Windows AppLocker, WDAC, or endpoint agents
53
+ - **2.6:** Track approved DLL, library, and package versions; use software composition analysis (SCA) for development
54
+ - **2.7:** Control scripting environments (PowerShell Constrained Language Mode, Python virtual environments)
55
+
56
+ **Recommended Tools:** Microsoft Intune, SCCM, Tanium, Flexera, Snyk (SCA), Veracode, AppLocker
57
+
58
+ ---
59
+
60
+ ## CIS Control 3: Data Protection
61
+
62
+ | Safeguard | Title | IG | Asset Type | Security Function |
63
+ |-----------|-------|-----|-----------|------------------|
64
+ | 3.1 | Establish and Maintain a Data Management Process | 1 | Data | Govern |
65
+ | 3.2 | Establish and Maintain a Data Inventory | 1 | Data | Identify |
66
+ | 3.3 | Configure Data Access Control Lists | 1 | Data | Protect |
67
+ | 3.4 | Enforce Data Retention | 1 | Data | Protect |
68
+ | 3.5 | Securely Dispose of Data | 1 | Data | Protect |
69
+ | 3.6 | Encrypt Data on End-User Devices | 2 | Data | Protect |
70
+ | 3.7 | Establish and Maintain a Data Classification Scheme | 2 | Data | Protect |
71
+ | 3.8 | Document Data Flows | 2 | Data | Identify |
72
+ | 3.9 | Encrypt Data on Removable Media | 2 | Data | Protect |
73
+ | 3.10 | Encrypt Sensitive Data in Transit | 2 | Data | Protect |
74
+ | 3.11 | Encrypt Sensitive Data at Rest | 2 | Data | Protect |
75
+ | 3.12 | Segment Data Processing and Storage Based on Sensitivity | 3 | Data | Protect |
76
+ | 3.13 | Deploy a Data Loss Prevention Solution | 3 | Data | Protect |
77
+ | 3.14 | Log Sensitive Data Access | 3 | Data | Detect |
78
+
79
+ **Implementation Notes:**
80
+ - **3.1:** Written policy covering classification, handling, retention, disposal — reviewed annually
81
+ - **3.2:** Inventory must include: data type, sensitivity, location (on-prem/cloud), owner, retention period
82
+ - **3.3:** Implement least-privilege on file shares, databases, cloud storage; review ACLs quarterly
83
+ - **3.6:** Enable full-disk encryption (BitLocker for Windows, FileVault for macOS, LUKS for Linux)
84
+ - **3.7:** Define classification labels: e.g., Public / Internal / Confidential / Restricted
85
+ - **3.10:** Enforce TLS 1.2+ for all data in transit; disable older protocols (SSL, TLS 1.0/1.1)
86
+ - **3.11:** Encrypt databases, backups, and file stores containing sensitive data
87
+ - **3.13:** Deploy DLP on email, endpoints, and cloud services to prevent data exfiltration
88
+
89
+ **Recommended Tools:** Microsoft Purview, Varonis, Symantec DLP, Zscaler, BitLocker, Vera (Digital Guardian)
90
+
91
+ ---
92
+
93
+ ## CIS Control 4: Secure Configuration
94
+
95
+ | Safeguard | Title | IG | Asset Type | Security Function |
96
+ |-----------|-------|-----|-----------|------------------|
97
+ | 4.1 | Establish and Maintain a Secure Configuration Process | 1 | Devices | Protect |
98
+ | 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | 1 | Network | Protect |
99
+ | 4.3 | Configure Automatic Session Locking on Enterprise Assets | 1 | Devices/Users | Protect |
100
+ | 4.4 | Implement and Manage a Firewall on Servers | 1 | Devices | Protect |
101
+ | 4.5 | Implement and Manage a Firewall on End-User Devices | 1 | Devices | Protect |
102
+ | 4.6 | Securely Manage Enterprise Assets and Software | 2 | Devices | Protect |
103
+ | 4.7 | Manage Default Accounts on Enterprise Assets and Software | 2 | Users | Protect |
104
+ | 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets | 2 | Devices | Protect |
105
+ | 4.9 | Configure Trusted DNS Servers on Enterprise Assets | 2 | Devices/Network | Protect |
106
+ | 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | 2 | Devices | Protect |
107
+ | 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | 2 | Devices | Protect |
108
+ | 4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | 3 | Devices | Protect |
109
+
110
+ **Implementation Notes:**
111
+ - **4.1:** Use CIS Benchmarks as configuration baseline; automate hardening via Group Policy, Ansible, Chef, Puppet
112
+ - **4.2:** Apply router/switch hardening; disable unused ports, protocols, and services on network devices
113
+ - **4.3:** Set session timeout to 15 minutes or less; enforce screensaver lock via GPO/MDM
114
+ - **4.4:** Enable Windows Firewall or host-based firewall on all servers; define least-privilege inbound/outbound rules
115
+ - **4.7:** Rename or disable default admin accounts; change all default passwords immediately upon deployment
116
+ - **4.8:** Disable/uninstall: Telnet, FTP, rsh, RPC where not needed; audit running services quarterly
117
+
118
+ **CIS Benchmark Resources:** Free hardening guides available at cisecurity.org/benchmark for Windows, Linux, macOS, AWS, Azure, GCP, Kubernetes, Docker, browsers
119
+
120
+ ---
121
+
122
+ ## CIS Control 5: Account Management
123
+
124
+ | Safeguard | Title | IG | Asset Type | Security Function |
125
+ |-----------|-------|-----|-----------|------------------|
126
+ | 5.1 | Establish and Maintain an Inventory of Accounts | 1 | Users | Identify |
127
+ | 5.2 | Use Unique Passwords | 1 | Users | Protect |
128
+ | 5.3 | Disable Dormant Accounts | 1 | Users | Protect |
129
+ | 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | 1 | Users | Protect |
130
+ | 5.5 | Establish and Maintain an Inventory of Service Accounts | 2 | Users | Identify |
131
+ | 5.6 | Centralize Account Management | 2 | Users | Protect |
132
+
133
+ **Implementation Notes:**
134
+ - **5.1:** Inventory: all user, admin, service, and guest accounts across all systems
135
+ - **5.2:** Password policy: minimum 14 characters (or MFA required); check against breached password databases (HaveIBeenPwned); use password manager
136
+ - **5.3:** Disable accounts unused for 90 days; automate detection via IdP reporting
137
+ - **5.4:** Never use admin accounts for daily work; separate admin credentials; use PAM solutions for privileged access
138
+ - **5.5:** Service accounts: document purpose, owner, permissions; rotate passwords regularly
139
+ - **5.6:** Use Active Directory, Azure AD/Entra ID, Okta, or similar IdP as single source of truth
140
+
141
+ ---
142
+
143
+ ## CIS Control 6: Access Control Management
144
+
145
+ | Safeguard | Title | IG | Asset Type | Security Function |
146
+ |-----------|-------|-----|-----------|------------------|
147
+ | 6.1 | Establish an Access Granting Process | 1 | Users | Protect |
148
+ | 6.2 | Establish an Access Revoking Process | 1 | Users | Protect |
149
+ | 6.3 | Require MFA for Externally-Exposed Applications | 2 | Users | Protect |
150
+ | 6.4 | Require MFA for Remote Network Access | 2 | Users | Protect |
151
+ | 6.5 | Require MFA for Administrative Access | 2 | Users | Protect |
152
+ | 6.6 | Establish and Maintain an Inventory of Authentication/Authorization Systems | 2 | Users | Identify |
153
+ | 6.7 | Centralize Access Control | 2 | Users | Protect |
154
+ | 6.8 | Define and Maintain Role-Based Access Control | 2 | Users | Protect |
155
+
156
+ **Implementation Notes:**
157
+ - **6.1/6.2:** Formal access request and approval process; link to onboarding/offboarding procedures; review quarterly
158
+ - **6.3:** MFA on all SaaS, web portals, VPN, RDP — phishing-resistant MFA (FIDO2/passkeys) preferred over SMS OTP
159
+ - **6.5:** Require MFA for all admin console access (cloud management, AD, network devices)
160
+ - **6.8:** Define roles in RBAC model; avoid overly broad permissions; apply least-privilege principle
161
+
162
+ ---
163
+
164
+ ## CIS Control 7: Continuous Vulnerability Management
165
+
166
+ | Safeguard | Title | IG | Asset Type | Security Function |
167
+ |-----------|-------|-----|-----------|------------------|
168
+ | 7.1 | Establish and Maintain a Vulnerability Management Process | 1 | Devices/Apps | Protect |
169
+ | 7.2 | Establish and Maintain a Remediation Process | 1 | Devices/Apps | Respond |
170
+ | 7.3 | Perform Automated Operating System Patch Management | 1 | Devices | Protect |
171
+ | 7.4 | Perform Automated Application Patch Management | 1 | Applications | Protect |
172
+ | 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | 2 | Devices | Identify |
173
+ | 7.6 | Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets | 2 | Devices/Network | Identify |
174
+ | 7.7 | Remediate Detected Vulnerabilities | 2 | Devices/Apps | Respond |
175
+
176
+ **Remediation SLAs (common industry standards):**
177
+ | CVSS Severity | Recommended Remediation Time |
178
+ |---------------|------------------------------|
179
+ | Critical (9.0–10.0) | 15 days |
180
+ | High (7.0–8.9) | 30 days |
181
+ | Medium (4.0–6.9) | 90 days |
182
+ | Low (0.1–3.9) | 180 days or risk accepted |
183
+
184
+ **Recommended Tools:** Qualys VMDR, Tenable Nessus/io, Rapid7 InsightVM, Microsoft Defender Vulnerability Management, CrowdStrike Spotlight
185
+
186
+ ---
187
+
188
+ ## CIS Control 8: Audit Log Management
189
+
190
+ | Safeguard | Title | IG | Asset Type | Security Function |
191
+ |-----------|-------|-----|-----------|------------------|
192
+ | 8.1 | Establish and Maintain an Audit Log Management Process | 1 | Network/Devices | Protect |
193
+ | 8.2 | Collect Audit Logs | 1 | Network/Devices | Detect |
194
+ | 8.3 | Ensure Adequate Audit Log Storage | 2 | Network/Devices | Protect |
195
+ | 8.4 | Standardize Time Synchronization | 2 | Network/Devices | Protect |
196
+ | 8.5 | Collect Detailed Audit Logs | 2 | Network/Devices | Detect |
197
+ | 8.6 | Collect DNS Query Audit Logs | 2 | Network | Detect |
198
+ | 8.7 | Collect URL Request Audit Logs | 2 | Network | Detect |
199
+ | 8.8 | Collect Command-Line Audit Logs | 2 | Devices | Detect |
200
+ | 8.9 | Centralize Audit Logs | 2 | Network/Devices | Detect |
201
+ | 8.10 | Retain Audit Logs | 2 | Network/Devices | Protect |
202
+ | 8.11 | Conduct Audit Log Reviews | 2 | Network/Devices | Detect |
203
+ | 8.12 | Collect Service Provider Logs | 2 | Data/Network | Detect |
204
+
205
+ **Minimum Log Retention:** 90 days hot (searchable), 1 year cold storage (regulatory minimum varies)
206
+ **Recommended Tools:** Splunk, Microsoft Sentinel, Elastic SIEM, Sumo Logic, IBM QRadar
207
+
208
+ ---
209
+
210
+ ## CIS Controls 9–18 Summary (Selected Key Safeguards)
211
+
212
+ ### Control 9: Email and Web Browser Protections
213
+ - 9.3 (IG1): Maintain/enforce email provider anti-spoofing (SPF, DKIM, DMARC)
214
+ - 9.5 (IG2): Implement DMARC policy (p=quarantine or p=reject)
215
+
216
+ ### Control 10: Malware Defenses
217
+ - 10.1 (IG1): Deploy/maintain anti-malware on all endpoints
218
+ - 10.7 (IG2): Use behavior-based/next-gen anti-malware (EDR)
219
+
220
+ ### Control 11: Data Recovery
221
+ - 11.2 (IG1): Automated backups on schedule; test restores quarterly
222
+ - 11.4 (IG1): Store backup copy isolated/offline (3-2-1 rule)
223
+
224
+ ### Control 12: Network Infrastructure Management
225
+ - 12.1 (IG1): Keep network devices firmware/OS current
226
+ - 12.7 (IG2): Require VPN for remote access with AAA
227
+
228
+ ### Control 13: Network Monitoring and Defense
229
+ - 13.1 (IG2): Centralize security event alerting (SIEM)
230
+ - 13.3 (IG2): Deploy NIDS/NIPS or NDR solution
231
+ - 13.7/13.8 (IG3): HIPS/NIPS for active blocking
232
+
233
+ ### Control 14: Security Awareness Training
234
+ - 14.2 (IG1): Annual phishing awareness training; quarterly simulations (IG2+)
235
+ - 14.6 (IG1): Train employees to recognize and report incidents
236
+
237
+ ### Control 15: Service Provider Management
238
+ - 15.1 (IG1): Inventory of all service providers with data access
239
+ - 15.4 (IG2): Contracts must include security requirements
240
+ - 15.5 (IG2): Annual risk assessment of critical service providers
241
+
242
+ ### Control 16: Application Software Security
243
+ - 16.9 (IG2): Developer security training (OWASP Top 10)
244
+ - 16.12 (IG3): SAST/DAST/IAST integrated in CI/CD pipeline
245
+
246
+ ### Control 17: Incident Response Management
247
+ - 17.4 (IG1): Document incident response plan; test annually
248
+ - 17.7 (IG2): Conduct tabletop exercises; include ransomware scenarios
249
+
250
+ ### Control 18: Penetration Testing
251
+ - 18.2 (IG2): Annual external penetration test by qualified third party
252
+ - 18.5 (IG3): Quarterly internal pen tests; red team exercises