bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281) hide show
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,170 +1,170 @@
1
- # CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
2
-
3
- ## SPRS Score Calculation
4
-
5
- ### Scoring Methodology
6
- The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
7
- - **Starting score**: 110 points
8
- - **Each NOT MET practice**: Deduct the assigned point value
9
- - **Partial implementation**: Full deduction applies (no partial credit)
10
- - **Score range**: +110 (all practices met) to −203 (all not met)
11
- - **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
12
-
13
- ### Point Values by Domain
14
- Point values are assigned based on the practice's security impact:
15
-
16
- | Domain | Practices | Total Points at Risk |
17
- |--------|-----------|---------------------|
18
- | AC (Access Control) | 22 | ~50 |
19
- | AU (Audit & Accountability) | 9 | ~17 |
20
- | CM (Configuration Management) | 9 | ~19 |
21
- | IA (Identification & Authentication) | 11 | ~22 |
22
- | IR (Incident Response) | 3 | ~5 |
23
- | MA (Maintenance) | 6 | ~11 |
24
- | MP (Media Protection) | 9 | ~8 |
25
- | PE (Physical Protection) | 6 | ~11 |
26
- | PS (Personnel Security) | 2 | ~4 |
27
- | RA (Risk Assessment) | 3 | ~9 |
28
- | CA (Security Assessment) | 4 | ~9 |
29
- | SC (System & Communications) | 16 | ~39 |
30
- | SI (System & Information Integrity) | 7 | ~14 |
31
-
32
- *Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
33
-
34
- ### Highest-Impact Practices (Largest Point Deductions)
35
- Prioritize these when remediating — they carry the heaviest scoring weight:
36
- 1. **AC.L2-3.1.3** — CUI flow control (5 pts)
37
- 2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
38
- 3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
39
- 4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
40
- 5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
41
- 6. **AC.L2-3.1.5** — Least privilege (3 pts)
42
- 7. **AU.L2-3.3.1** — Audit logging (3 pts)
43
- 8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
44
-
45
- ---
46
-
47
- ## C3PAO Assessment Process
48
-
49
- ### Pre-Assessment (Contractor Responsibilities)
50
- Before engaging a C3PAO, ensure:
51
- - [ ] System Security Plan (SSP) is complete and covers all 110 practices
52
- - [ ] System boundary is defined with network diagrams
53
- - [ ] CUI data flows are documented
54
- - [ ] POA&M lists all practices not yet met
55
- - [ ] SPRS score has been self-calculated
56
- - [ ] Personnel responsible for each practice are identified
57
-
58
- ### Assessment Phases
59
-
60
- **Phase 1 — Documentation Review (Remote)**
61
- - C3PAO reviews SSP, network diagrams, policies, and POA&M
62
- - Requests artifact list: logs, screenshots, configuration exports, training records
63
- - Duration: 2–4 weeks
64
-
65
- **Phase 2 — Assessment Activities (On-site or Remote)**
66
- - Interviews with system administrators, security personnel, and executives
67
- - Technical testing: vulnerability scans, configuration reviews, access control verification
68
- - Observation of processes (incident response tabletop, maintenance procedures)
69
- - Duration: 1–3 weeks depending on scope
70
-
71
- **Phase 3 — Findings and Reporting**
72
- - C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
73
- - Contractor may provide additional evidence for disputed findings (limited window)
74
- - Final report submitted to CMMC-AB
75
-
76
- **Phase 4 — Certification Decision**
77
- - **All 110 practices MET**: Full certification issued; valid 3 years
78
- - **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
79
- - **Critical practices unmet**: No certification; remediate and reschedule
80
-
81
- ### Critical Practices (Cannot Have POA&M at Certification)
82
- The following practices must be fully MET for any certification to be issued:
83
- - AC.L2-3.1.3 (CUI flow control)
84
- - IA.L2-3.5.3 (Multifactor authentication)
85
- - SC.L2-3.13.8 (Encryption in transit)
86
- - SC.L2-3.13.11 (FIPS-validated cryptography)
87
- - SI.L2-3.14.6 (Attack monitoring)
88
- - AU.L2-3.3.1 (Audit logging)
89
- - IR.L2-3.6.1 (Incident response capability)
90
-
91
- ---
92
-
93
- ## POA&M Rules and Management
94
-
95
- ### What Can Be in a POA&M at Certification
96
- - Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
97
- - POA&M remediation deadline: **180 days** from certification date
98
- - Failure to remediate = certification revocation
99
- - Level 3: No POA&M at certification — all practices must be MET
100
-
101
- ### POA&M Entry Format
102
-
103
- | Field | Description |
104
- |-------|-------------|
105
- | Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
106
- | Weakness Description | What is not implemented and why |
107
- | Remediation Steps | Specific actions to achieve compliance |
108
- | Milestone 1–N | Intermediate checkpoints with dates |
109
- | Scheduled Completion | Target date for full implementation |
110
- | Resources Required | Personnel, tools, budget |
111
- | Status | Open / In Progress / Completed |
112
- | Evidence of Closure | What artifacts will demonstrate completion |
113
-
114
- ### POA&M Best Practices
115
- - Never list a critical practice in a POA&M if seeking certification
116
- - Update monthly; stale POA&Ms raise auditor concerns
117
- - Link each POA&M item to the relevant SSP section
118
- - Document root cause, not just the symptom
119
-
120
- ---
121
-
122
- ## Evidence Requirements by Practice Type
123
-
124
- ### Documentary Evidence (policies, procedures, plans)
125
- - Acceptable formats: PDF, Word, screenshots with metadata
126
- - Must show: author, date, version, approval signature
127
- - Examples: SSP, access control policy, incident response plan, training records
128
-
129
- ### Technical Evidence (system configuration, logs)
130
- - Configuration exports from firewalls, Active Directory, SIEM
131
- - Vulnerability scan reports (authenticated scans preferred)
132
- - MFA enrollment reports showing all privileged user enrollment
133
- - Patch management reports showing remediation timelines
134
-
135
- ### Interview Evidence
136
- - Assessors will interview: ISSO/ISSM, system admins, end users, executives
137
- - Prepare personnel to describe their security responsibilities
138
- - Cannot substitute documentation for interview — both required
139
-
140
- ---
141
-
142
- ## DIBNET Incident Reporting (DFARS 7012)
143
-
144
- DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
145
- - **Report to**: DIBNET portal (dibnet.dod.mil)
146
- - **Deadline**: Within **72 hours** of discovering the incident
147
- - **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
148
- - **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
149
- - **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
150
-
151
- ### What Constitutes a Reportable Incident
152
- - Unauthorized access to systems containing CUI
153
- - Exfiltration of CUI (actual or suspected)
154
- - Malware detected on systems that process CUI
155
- - Compromise of credentials that could lead to CUI access
156
-
157
- ---
158
-
159
- ## Common Assessment Findings
160
-
161
- | Practice | Common Finding | Typical Remediation |
162
- |----------|---------------|---------------------|
163
- | IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
164
- | SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
165
- | AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
166
- | CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
167
- | AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
168
- | RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
169
- | CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
170
- | AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
1
+ # CMMC 2.0 — Assessment Guide: SPRS Scoring, C3PAO Process & POA&M Rules
2
+
3
+ ## SPRS Score Calculation
4
+
5
+ ### Scoring Methodology
6
+ The SPRS score is calculated per the DoD Assessment Methodology for NIST SP 800-171:
7
+ - **Starting score**: 110 points
8
+ - **Each NOT MET practice**: Deduct the assigned point value
9
+ - **Partial implementation**: Full deduction applies (no partial credit)
10
+ - **Score range**: +110 (all practices met) to −203 (all not met)
11
+ - **Submission**: Required for all Level 2 contracts; submit at sprs.csd.disa.mil
12
+
13
+ ### Point Values by Domain
14
+ Point values are assigned based on the practice's security impact:
15
+
16
+ | Domain | Practices | Total Points at Risk |
17
+ |--------|-----------|---------------------|
18
+ | AC (Access Control) | 22 | ~50 |
19
+ | AU (Audit & Accountability) | 9 | ~17 |
20
+ | CM (Configuration Management) | 9 | ~19 |
21
+ | IA (Identification & Authentication) | 11 | ~22 |
22
+ | IR (Incident Response) | 3 | ~5 |
23
+ | MA (Maintenance) | 6 | ~11 |
24
+ | MP (Media Protection) | 9 | ~8 |
25
+ | PE (Physical Protection) | 6 | ~11 |
26
+ | PS (Personnel Security) | 2 | ~4 |
27
+ | RA (Risk Assessment) | 3 | ~9 |
28
+ | CA (Security Assessment) | 4 | ~9 |
29
+ | SC (System & Communications) | 16 | ~39 |
30
+ | SI (System & Information Integrity) | 7 | ~14 |
31
+
32
+ *Exact point values per practice are published in the DoD Assessment Methodology document (v2.2, Nov 2020).*
33
+
34
+ ### Highest-Impact Practices (Largest Point Deductions)
35
+ Prioritize these when remediating — they carry the heaviest scoring weight:
36
+ 1. **AC.L2-3.1.3** — CUI flow control (5 pts)
37
+ 2. **SC.L2-3.13.8** — Encryption in transit / FIPS validated (5 pts)
38
+ 3. **SC.L2-3.13.11** — FIPS-validated cryptography (5 pts)
39
+ 4. **IA.L2-3.5.3** — Multifactor authentication (5 pts)
40
+ 5. **SI.L2-3.14.6** — Monitoring for attacks (5 pts)
41
+ 6. **AC.L2-3.1.5** — Least privilege (3 pts)
42
+ 7. **AU.L2-3.3.1** — Audit logging (3 pts)
43
+ 8. **CM.L2-3.4.1** — Baseline configuration (3 pts)
44
+
45
+ ---
46
+
47
+ ## C3PAO Assessment Process
48
+
49
+ ### Pre-Assessment (Contractor Responsibilities)
50
+ Before engaging a C3PAO, ensure:
51
+ - [ ] System Security Plan (SSP) is complete and covers all 110 practices
52
+ - [ ] System boundary is defined with network diagrams
53
+ - [ ] CUI data flows are documented
54
+ - [ ] POA&M lists all practices not yet met
55
+ - [ ] SPRS score has been self-calculated
56
+ - [ ] Personnel responsible for each practice are identified
57
+
58
+ ### Assessment Phases
59
+
60
+ **Phase 1 — Documentation Review (Remote)**
61
+ - C3PAO reviews SSP, network diagrams, policies, and POA&M
62
+ - Requests artifact list: logs, screenshots, configuration exports, training records
63
+ - Duration: 2–4 weeks
64
+
65
+ **Phase 2 — Assessment Activities (On-site or Remote)**
66
+ - Interviews with system administrators, security personnel, and executives
67
+ - Technical testing: vulnerability scans, configuration reviews, access control verification
68
+ - Observation of processes (incident response tabletop, maintenance procedures)
69
+ - Duration: 1–3 weeks depending on scope
70
+
71
+ **Phase 3 — Findings and Reporting**
72
+ - C3PAO issues Findings Report: MET, NOT MET, or NOT APPLICABLE per practice
73
+ - Contractor may provide additional evidence for disputed findings (limited window)
74
+ - Final report submitted to CMMC-AB
75
+
76
+ **Phase 4 — Certification Decision**
77
+ - **All 110 practices MET**: Full certification issued; valid 3 years
78
+ - **Limited unmet practices (non-critical)**: Conditional certification with POA&M; must remediate within 180 days
79
+ - **Critical practices unmet**: No certification; remediate and reschedule
80
+
81
+ ### Critical Practices (Cannot Have POA&M at Certification)
82
+ The following practices must be fully MET for any certification to be issued:
83
+ - AC.L2-3.1.3 (CUI flow control)
84
+ - IA.L2-3.5.3 (Multifactor authentication)
85
+ - SC.L2-3.13.8 (Encryption in transit)
86
+ - SC.L2-3.13.11 (FIPS-validated cryptography)
87
+ - SI.L2-3.14.6 (Attack monitoring)
88
+ - AU.L2-3.3.1 (Audit logging)
89
+ - IR.L2-3.6.1 (Incident response capability)
90
+
91
+ ---
92
+
93
+ ## POA&M Rules and Management
94
+
95
+ ### What Can Be in a POA&M at Certification
96
+ - Level 2: Up to a limited number of non-critical practices may remain in POA&M at time of certification
97
+ - POA&M remediation deadline: **180 days** from certification date
98
+ - Failure to remediate = certification revocation
99
+ - Level 3: No POA&M at certification — all practices must be MET
100
+
101
+ ### POA&M Entry Format
102
+
103
+ | Field | Description |
104
+ |-------|-------------|
105
+ | Practice ID | CMMC practice identifier (e.g., CM.L2-3.4.2) |
106
+ | Weakness Description | What is not implemented and why |
107
+ | Remediation Steps | Specific actions to achieve compliance |
108
+ | Milestone 1–N | Intermediate checkpoints with dates |
109
+ | Scheduled Completion | Target date for full implementation |
110
+ | Resources Required | Personnel, tools, budget |
111
+ | Status | Open / In Progress / Completed |
112
+ | Evidence of Closure | What artifacts will demonstrate completion |
113
+
114
+ ### POA&M Best Practices
115
+ - Never list a critical practice in a POA&M if seeking certification
116
+ - Update monthly; stale POA&Ms raise auditor concerns
117
+ - Link each POA&M item to the relevant SSP section
118
+ - Document root cause, not just the symptom
119
+
120
+ ---
121
+
122
+ ## Evidence Requirements by Practice Type
123
+
124
+ ### Documentary Evidence (policies, procedures, plans)
125
+ - Acceptable formats: PDF, Word, screenshots with metadata
126
+ - Must show: author, date, version, approval signature
127
+ - Examples: SSP, access control policy, incident response plan, training records
128
+
129
+ ### Technical Evidence (system configuration, logs)
130
+ - Configuration exports from firewalls, Active Directory, SIEM
131
+ - Vulnerability scan reports (authenticated scans preferred)
132
+ - MFA enrollment reports showing all privileged user enrollment
133
+ - Patch management reports showing remediation timelines
134
+
135
+ ### Interview Evidence
136
+ - Assessors will interview: ISSO/ISSM, system admins, end users, executives
137
+ - Prepare personnel to describe their security responsibilities
138
+ - Cannot substitute documentation for interview — both required
139
+
140
+ ---
141
+
142
+ ## DIBNET Incident Reporting (DFARS 7012)
143
+
144
+ DFARS 252.204-7012 mandates cyber incident reporting regardless of CMMC level:
145
+ - **Report to**: DIBNET portal (dibnet.dod.mil)
146
+ - **Deadline**: Within **72 hours** of discovering the incident
147
+ - **What to report**: Systems affected, CUI categories involved, attack vectors, forensic indicators
148
+ - **Preserve evidence**: Maintain disk images and forensic evidence for 90 days; DoD may request copies
149
+ - **Notify prime**: If you are a subcontractor, notify the prime who notifies DoD
150
+
151
+ ### What Constitutes a Reportable Incident
152
+ - Unauthorized access to systems containing CUI
153
+ - Exfiltration of CUI (actual or suspected)
154
+ - Malware detected on systems that process CUI
155
+ - Compromise of credentials that could lead to CUI access
156
+
157
+ ---
158
+
159
+ ## Common Assessment Findings
160
+
161
+ | Practice | Common Finding | Typical Remediation |
162
+ |----------|---------------|---------------------|
163
+ | IA.L2-3.5.3 | MFA not enabled for all privileged accounts or remote access | Deploy MFA solution (Azure MFA, Duo, Okta); enforce via conditional access |
164
+ | SC.L2-3.13.11 | TLS 1.0/1.1 still enabled; non-FIPS algorithms in use | Disable TLS 1.0/1.1; enable only FIPS-validated cipher suites |
165
+ | AU.L2-3.3.1 | Logs not retained per policy; not all devices log to SIEM | Deploy/configure SIEM; set 3-year retention; cover all CUI-touching systems |
166
+ | CM.L2-3.4.1 | No formal baseline configuration document | Create baseline config docs per OS/application; store in change management |
167
+ | AC.L2-3.1.5 | Excessive admin rights; shared admin accounts | Implement PAM solution; audit/remove excess privileges quarterly |
168
+ | RA.L2-3.11.2 | Vulnerability scans not authenticated; not covering all assets | Configure credentialed scans; scan all in-scope assets monthly |
169
+ | CA.L2-3.12.4 | SSP outdated or incomplete | Update SSP; review and re-approve annually or after significant changes |
170
+ | AC.L2-3.1.3 | CUI accessible to users without need-to-know | Implement data classification labels; enforce access controls at file/folder level |
@@ -1,113 +1,113 @@
1
- # CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
2
-
3
- ## Level Comparison Table
4
-
5
- | Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
6
- |-----------|----------------------|-------------------|-----------------|
7
- | **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
8
- | **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
9
- | **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
10
- | **SPRS submission** | Yes | Yes | Yes |
11
- | **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
12
- | **Conditional certification** | No | Yes (limited POA&M allowed) | No |
13
- | **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
14
-
15
- ---
16
-
17
- ## DFARS Clause Mapping
18
-
19
- | DFARS Clause | Requirement | Level Implied |
20
- |-------------|-------------|---------------|
21
- | FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
22
- | DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
23
- | DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
24
- | DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
25
- | DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
26
-
27
- **Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
28
-
29
- ---
30
-
31
- ## Assessment Process by Level
32
-
33
- ### Level 1 — Self-Assessment
34
- 1. Assess all 17 practices against FAR 52.204-21
35
- 2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
36
- 3. Submit to SPRS at https://www.sprs.csd.disa.mil/
37
- 4. Senior official affirms accuracy
38
- 5. Repeat annually
39
-
40
- ### Level 2 — C3PAO Assessment (Critical Programs)
41
- 1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
42
- 2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
43
- 3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
44
- 4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
45
- 5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
46
- 6. **Certification**: Issued by CMMC-AB; valid for 3 years
47
- 7. **Annual affirmation**: Affirm continued compliance each year
48
-
49
- ### Level 2 — Self-Assessment (Non-Critical Programs)
50
- - Same 110 practices as C3PAO path
51
- - Self-assessed by contractor; senior official affirms in SPRS
52
- - DoD reserves right to audit; false statements = False Claims Act liability
53
- - Must still submit SPRS score
54
-
55
- ### Level 3 — DIBCAC Assessment
56
- 1. Contractor must hold a current Level 2 C3PAO certification first
57
- 2. DIBCAC (government team) conducts assessment — not contractor-selected
58
- 3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
59
- 4. No conditional certification — all practices must be MET
60
- 5. Government schedules the assessment; no commercial negotiation
61
-
62
- ---
63
-
64
- ## Flow-Down Requirements
65
-
66
- DFARS 252.204-7021(c) requires prime contractors to:
67
- - Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
68
- - Specify the required CMMC level in the subcontract
69
- - Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
70
- - Flow-down applies to **all tiers** — sub-subcontractors are not exempt
71
-
72
- **Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
73
-
74
- ---
75
-
76
- ## Timeline and Key Dates
77
-
78
- | Milestone | Date |
79
- |-----------|------|
80
- | CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
81
- | DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
82
- | CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
83
- | Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
84
- | Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
85
-
86
- ---
87
-
88
- ## CUI Categories Most Common in Defense Contracts
89
-
90
- | CUI Category | Examples | Typical Contract Types |
91
- |-------------|----------|----------------------|
92
- | Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
93
- | Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
94
- | Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
95
- | Privacy (PII) | Personnel records | HR, health, benefits |
96
- | Law Enforcement Sensitive | Investigation data | Base security contractors |
97
- | Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
98
-
99
- ---
100
-
101
- ## Key Definitions
102
-
103
- | Term | Definition |
104
- |------|-----------|
105
- | **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
106
- | **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
107
- | **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
108
- | **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
109
- | **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
110
- | **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
111
- | **OSC** | Organization Seeking Certification — the defense contractor being assessed |
112
- | **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
113
- | **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |
1
+ # CMMC 2.0 — Level Comparison, Assessment Types & Flow-Down Rules
2
+
3
+ ## Level Comparison Table
4
+
5
+ | Attribute | Level 1 — Foundational | Level 2 — Advanced | Level 3 — Expert |
6
+ |-----------|----------------------|-------------------|-----------------|
7
+ | **Practices** | 17 (FAR 52.204-21) | 110 (NIST SP 800-171 Rev 2) | 110+ (SP 800-171 + SP 800-172 subset) |
8
+ | **Focus** | Federal Contract Information (FCI) | Controlled Unclassified Information (CUI) | CUI on highest-priority DoD programs; APT resilience |
9
+ | **Assessment type** | Annual self-assessment | Triennial C3PAO assessment (critical) OR self-assessment (non-critical) | DIBCAC-led government assessment (triennial) |
10
+ | **SPRS submission** | Yes | Yes | Yes |
11
+ | **Certification body** | Self | C3PAO (CMMC Third-Party Assessment Organization) | DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) |
12
+ | **Conditional certification** | No | Yes (limited POA&M allowed) | No |
13
+ | **Who needs it** | All DoD contractors receiving/generating FCI | Contractors handling CUI on DoD contracts | Contractors on highest-priority programs (e.g., nuclear C3, certain weapons systems) |
14
+
15
+ ---
16
+
17
+ ## DFARS Clause Mapping
18
+
19
+ | DFARS Clause | Requirement | Level Implied |
20
+ |-------------|-------------|---------------|
21
+ | FAR 52.204-21 | Basic Safeguarding of FCI — 15 requirements | Level 1 baseline |
22
+ | DFARS 252.204-7012 | Safeguarding CUI; 72-hr DIBNET incident reporting; cloud = FedRAMP Moderate | Level 2 prerequisite |
23
+ | DFARS 252.204-7019 | NIST SP 800-171 self-assessment; SPRS submission required | Level 2 self-assessment |
24
+ | DFARS 252.204-7020 | DoD access to contractor assessment results in SPRS | Level 2 |
25
+ | DFARS 252.204-7021 | CMMC certification requirement; flow-down to subcontractors | Level 2 or 3 |
26
+
27
+ **Rule**: If your contract contains DFARS 252.204-7021, your CMMC level is specified in the contract. Check Section L or the Performance Work Statement.
28
+
29
+ ---
30
+
31
+ ## Assessment Process by Level
32
+
33
+ ### Level 1 — Self-Assessment
34
+ 1. Assess all 17 practices against FAR 52.204-21
35
+ 2. Calculate and submit SPRS score (17 practices, max score = 17, each = 1 point)
36
+ 3. Submit to SPRS at https://www.sprs.csd.disa.mil/
37
+ 4. Senior official affirms accuracy
38
+ 5. Repeat annually
39
+
40
+ ### Level 2 — C3PAO Assessment (Critical Programs)
41
+ 1. **Pre-assessment preparation** (6–12 months): SSP, POA&M, gap remediation
42
+ 2. **Select a C3PAO**: Must be CMMC-AB authorized; find at cyberAB.us
43
+ 3. **Contract with C3PAO**: Negotiate scope, timeline, NDA
44
+ 4. **Assessment**: C3PAO reviews evidence, interviews, observes (typically 2–4 weeks on-site/remote)
45
+ 5. **Findings**: CMMC-AB receives results; conditional certification possible with limited POA&M
46
+ 6. **Certification**: Issued by CMMC-AB; valid for 3 years
47
+ 7. **Annual affirmation**: Affirm continued compliance each year
48
+
49
+ ### Level 2 — Self-Assessment (Non-Critical Programs)
50
+ - Same 110 practices as C3PAO path
51
+ - Self-assessed by contractor; senior official affirms in SPRS
52
+ - DoD reserves right to audit; false statements = False Claims Act liability
53
+ - Must still submit SPRS score
54
+
55
+ ### Level 3 — DIBCAC Assessment
56
+ 1. Contractor must hold a current Level 2 C3PAO certification first
57
+ 2. DIBCAC (government team) conducts assessment — not contractor-selected
58
+ 3. Assesses SP 800-171 practices PLUS select SP 800-172 enhanced requirements
59
+ 4. No conditional certification — all practices must be MET
60
+ 5. Government schedules the assessment; no commercial negotiation
61
+
62
+ ---
63
+
64
+ ## Flow-Down Requirements
65
+
66
+ DFARS 252.204-7021(c) requires prime contractors to:
67
+ - Include CMMC requirements in **all subcontracts** where the subcontractor processes, stores, or transmits CUI
68
+ - Specify the required CMMC level in the subcontract
69
+ - Verify subcontractor certification before award (Level 2/3 must appear in SPRS/CMMC-AB registry)
70
+ - Flow-down applies to **all tiers** — sub-subcontractors are not exempt
71
+
72
+ **Practical implication**: If you're a prime, map your CUI to each subcontractor and determine which level applies to each. Document this in your supply chain security program.
73
+
74
+ ---
75
+
76
+ ## Timeline and Key Dates
77
+
78
+ | Milestone | Date |
79
+ |-----------|------|
80
+ | CMMC 2.0 Final Rule (32 CFR Part 170) effective | December 16, 2024 |
81
+ | DFARS rule (48 CFR Parts 204, 212, 252) effective | December 16, 2024 |
82
+ | CMMC requirements in new contracts | Phased: began Q1 2025, full rollout through 2026 |
83
+ | Level 1 self-assessments required | All contracts with FAR 52.204-21, immediately |
84
+ | Level 2 C3PAO assessments | Required when DFARS 7021 included in solicitation |
85
+
86
+ ---
87
+
88
+ ## CUI Categories Most Common in Defense Contracts
89
+
90
+ | CUI Category | Examples | Typical Contract Types |
91
+ |-------------|----------|----------------------|
92
+ | Export Controlled (CTI) | Technical data, software, drawings | Engineering, manufacturing |
93
+ | Naval Nuclear Propulsion (NOFORN) | Propulsion design data | Shipbuilding, nuclear |
94
+ | Controlled Technical Information (CTI) | ITAR/EAR-controlled technical data | Weapons systems, aerospace |
95
+ | Privacy (PII) | Personnel records | HR, health, benefits |
96
+ | Law Enforcement Sensitive | Investigation data | Base security contractors |
97
+ | Procurement/Acquisition | Pre-award contract info | Proposal/BD teams |
98
+
99
+ ---
100
+
101
+ ## Key Definitions
102
+
103
+ | Term | Definition |
104
+ |------|-----------|
105
+ | **FCI** | Federal Contract Information — information provided by or generated for the Government under contract, not intended for public release |
106
+ | **CUI** | Controlled Unclassified Information — information the Government creates or possesses that requires safeguarding per law/regulation/policy |
107
+ | **SPRS** | Supplier Performance Risk System — DoD portal where self-assessment scores are submitted |
108
+ | **C3PAO** | CMMC Third-Party Assessment Organization — authorized to conduct Level 2 assessments |
109
+ | **DIBCAC** | Defense Industrial Base Cybersecurity Assessment Center — DCSA organization conducting Level 3 government assessments |
110
+ | **CMMC-AB** | Cyber AB — accreditation body that certifies C3PAOs, assessors, and consultants |
111
+ | **OSC** | Organization Seeking Certification — the defense contractor being assessed |
112
+ | **POA&M** | Plan of Action & Milestones — documented remediation plan for unmet practices |
113
+ | **SSP** | System Security Plan — describes the system boundary, CUI flows, and control implementations |