bmad-plus 0.7.5 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (281)
  1. package/CHANGELOG.md +479 -425
  2. package/LICENSE +21 -21
  3. package/README.md +557 -447
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  21. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  22. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  23. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
  24. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  25. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  26. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  27. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  28. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  29. package/package.json +62 -57
  30. package/readme-international/README.de.md +584 -426
  31. package/readme-international/README.es.md +601 -518
  32. package/readme-international/README.fr.md +599 -516
  33. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  34. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  35. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  36. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  37. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  38. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  39. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  40. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  41. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  42. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  43. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  44. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  45. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  46. package/src/bmad-plus/module-help.csv +10 -10
  47. package/src/bmad-plus/module.yaml +283 -280
  48. package/src/bmad-plus/{agents → packs}/pack-animated/animated-website-agent.md +325 -325
  49. package/src/bmad-plus/{agents → packs}/pack-animated/templates/animated-website-workflow.md +55 -55
  50. package/src/bmad-plus/{agents → packs}/pack-backup/backup-agent.md +71 -71
  51. package/src/bmad-plus/{agents → packs}/pack-backup/templates/backup-workflow.md +51 -51
  52. package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
  53. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
  54. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
  55. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
  56. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
  57. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
  58. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
  59. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
  60. package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
  61. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
  62. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
  63. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
  64. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
  65. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
  66. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
  67. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
  68. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
  69. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
  70. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
  71. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
  72. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
  73. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
  74. package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
  75. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
  76. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
  77. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
  78. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
  79. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
  80. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
  81. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
  82. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
  83. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
  84. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
  85. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
  86. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
  87. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
  88. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
  89. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
  90. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
  91. package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
  92. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
  93. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
  94. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
  95. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
  96. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
  97. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
  98. package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
  99. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
  100. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
  101. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
  102. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
  103. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
  104. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
  105. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
  106. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
  107. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
  108. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
  109. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
  110. package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
  111. package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
  112. package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
  113. package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
  114. package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
  115. package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
  116. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  117. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  118. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  119. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  120. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  121. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  122. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  123. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  124. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  125. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  126. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  127. package/src/bmad-plus/{agents → packs}/pack-seo/SKILL.md +171 -171
  128. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  129. package/src/bmad-plus/{agents → packs}/pack-seo/checklist.md +140 -140
  130. package/src/bmad-plus/{agents → packs}/pack-seo/pagespeed-playbook.md +320 -320
  131. package/src/bmad-plus/{agents → packs}/pack-seo/ref/audit-schema.json +187 -187
  132. package/src/bmad-plus/{agents → packs}/pack-seo/ref/cwv-thresholds.md +87 -87
  133. package/src/bmad-plus/{agents → packs}/pack-seo/ref/eeat-criteria.md +123 -123
  134. package/src/bmad-plus/{agents → packs}/pack-seo/ref/geo-signals.md +167 -167
  135. package/src/bmad-plus/{agents → packs}/pack-seo/ref/hreflang-rules.md +153 -153
  136. package/src/bmad-plus/{agents → packs}/pack-seo/ref/quality-gates.md +133 -133
  137. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-catalog.md +91 -91
  138. package/src/bmad-plus/{agents → packs}/pack-seo/ref/schema-templates.json +356 -356
  139. package/src/bmad-plus/{agents → packs}/pack-seo/seo-chief.md +294 -294
  140. package/src/bmad-plus/{agents → packs}/pack-seo/seo-judge.md +241 -241
  141. package/src/bmad-plus/{agents → packs}/pack-seo/seo-scout.md +171 -171
  142. package/src/bmad-plus/{agents → packs}/pack-seo/templates/seo-audit-workflow.md +241 -241
  143. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  144. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  145. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
  146. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
  147. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
  148. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
  149. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
  150. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
  151. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
  152. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
  153. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
  154. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
  155. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
  156. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
  157. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  158. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  159. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  160. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  161. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  162. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
  163. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
  164. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
  165. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
  166. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
  167. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
  168. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
  169. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
  170. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
  171. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
  172. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  173. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  174. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  175. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  176. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  177. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  178. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  179. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  180. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  181. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  182. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  183. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  184. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  185. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  186. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  187. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  188. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  189. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  190. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  191. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  192. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  193. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  194. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  195. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  196. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  197. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  198. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  199. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  200. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  201. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  202. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  203. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  204. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  205. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  206. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  207. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  208. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  209. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  210. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  211. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  212. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  213. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  214. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  215. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  216. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  217. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  218. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  219. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  220. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  221. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  222. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  223. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  224. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  225. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  226. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  227. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  228. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  229. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  230. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  231. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  232. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  233. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  234. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  235. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  236. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  237. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  238. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  239. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  240. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  241. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  242. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  243. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  244. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  245. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  246. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  247. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  248. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  249. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  250. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  251. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  252. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  253. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  254. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  255. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  256. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  257. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  258. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  259. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  260. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  261. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  262. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  263. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  264. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  265. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  266. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  267. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  268. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  269. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  270. package/tools/bmad-plus-npx.js +3 -5
  271. package/tools/cli/commands/autoconfig.js +508 -489
  272. package/tools/cli/commands/doctor.js +219 -222
  273. package/tools/cli/commands/install.js +548 -739
  274. package/tools/cli/commands/memory.js +194 -194
  275. package/tools/cli/commands/scan.js +362 -350
  276. package/tools/cli/commands/uninstall.js +96 -96
  277. package/tools/cli/commands/update.js +116 -174
  278. package/tools/cli/i18n.js +845 -763
  279. package/tools/cli/lib/memory-init.js +114 -0
  280. package/tools/cli/lib/pack-copy.js +84 -0
  281. package/tools/cli/lib/packs.js +114 -0
@@ -1,276 +1,276 @@
1
- # SOC 2 Vendor Risk Reference
2
-
3
- ## Table of Contents
4
- 1. [Vendor Risk Program Overview](#vendor-risk-program-overview)
5
- 2. [Vendor Inventory Template](#vendor-inventory-template)
6
- 3. [Vendor Risk Questionnaire](#vendor-risk-questionnaire)
7
- 4. [Reviewing a Vendor's SOC 2 Report](#reviewing-a-vendors-soc-2-report)
8
- 5. [CUEC Management](#cuec-management)
9
- 6. [Vendor Onboarding Checklist](#vendor-onboarding-checklist)
10
-
11
- ---
12
-
13
- ## Vendor Risk Program Overview
14
-
15
- SOC 2 CC9.2 requires organizations to assess and manage risks arising from vendors and business
16
- partners who have access to systems or data, or on whom the organization depends for critical
17
- services.
18
-
19
- ### What auditors look for:
20
- 1. A **vendor inventory** exists and is maintained
21
- 2. Vendors are **tiered by risk** and assessed accordingly
22
- 3. **Due diligence** was performed before critical vendors were onboarded
23
- 4. Vendor assessments are **reviewed at least annually**
24
- 5. **Contracts** include appropriate security and data protection requirements
25
- 6. **CUECs** from vendor SOC 2 reports are identified and addressed
26
-
27
- ---
28
-
29
- ## Vendor Inventory Template
30
-
31
- Maintain a spreadsheet or GRC tool record for each vendor:
32
-
33
- | Field | Description |
34
- |---|---|
35
- | Vendor Name | Legal entity name |
36
- | Service Provided | What they do for you |
37
- | Risk Tier | Critical / High / Medium / Low |
38
- | Data Access | Types of data they can access (PII, Confidential, none) |
39
- | System Access | Production / Staging / None |
40
- | SOC 2 Available? | Yes / No / In progress |
41
- | Last Assessment Date | Date of most recent due diligence |
42
- | Next Review Due | Based on tier cadence |
43
- | Contract Expiry | Date |
44
- | DPA Signed? | Yes / No / N/A |
45
- | Security Addendum? | Yes / No / N/A |
46
- | Primary Contact | Vendor security/legal contact |
47
- | Owner | Internal stakeholder who owns the relationship |
48
-
49
- ### Risk Tier Definitions
50
-
51
- **Critical:** Vendor has access to production systems or processes/stores customer PII.
52
- Examples: AWS, Azure, GCP, Salesforce, Snowflake, Stripe, database vendors.
53
- - Requires: SOC 2 report review OR full questionnaire + annual re-assessment
54
- - Contract must include: DPA, security addendum, breach notification <72hr, right to audit
55
-
56
- **High:** Vendor processes sensitive business data or is operationally critical.
57
- Examples: HR systems (Workday, Rippling), GitHub, Slack, identity providers.
58
- - Requires: SOC 2 report or questionnaire annually
59
- - Contract must include: DPA (if any personal data), security requirements
60
-
61
- **Medium:** Limited data exposure, some operational dependency.
62
- Examples: Project management tools, design tools, analytics platforms.
63
- - Requires: Security questionnaire or SOC 2 review at onboarding + biennial review
64
- - Contract should include: acceptable use and data handling clauses
65
-
66
- **Low:** No meaningful data access, low operational risk.
67
- Examples: Office supplies vendors, most SaaS point solutions without data access.
68
- - Requires: Lightweight onboarding check (do they have a security program?)
69
- - Standard contract terms sufficient
70
-
71
- ---
72
-
73
- ## Vendor Risk Questionnaire
74
-
75
- Use this questionnaire for High/Critical vendors that don't have a SOC 2 report, or to
76
- supplement a SOC 2 report. Customize based on the vendor's service type.
77
-
78
- ---
79
-
80
- ### Section 1: Company and Security Program
81
-
82
- 1. Does your organization have a documented Information Security Policy? If yes, when was it last reviewed?
83
-
84
- 2. Do you have a dedicated security function (e.g., CISO, security team)? Please describe its structure.
85
-
86
- 3. Has your organization undergone any third-party security assessments in the past 12 months? (SOC 2, ISO 27001, pen test, etc.) If yes, please provide the most recent report or executive summary.
87
-
88
- 4. Does your organization carry cybersecurity insurance? Please provide coverage amount.
89
-
90
- 5. Have you experienced a security incident or data breach in the past 24 months that affected customers? If yes, please describe.
91
-
92
- ---
93
-
94
- ### Section 2: Access Controls
95
-
96
- 6. Do you enforce multi-factor authentication (MFA) for access to systems that process our data? Which systems require MFA?
97
-
98
- 7. How do you manage privileged/admin access? Do you use a Privileged Access Management (PAM) solution?
99
-
100
- 8. How quickly are accounts for terminated employees deprovisioned? What is your offboarding process?
101
-
102
- 9. Do you perform periodic access reviews? How frequently?
103
-
104
- 10. Is access to customer data restricted to personnel who require it for their role (least privilege)?
105
-
106
- ---
107
-
108
- ### Section 3: Data Protection
109
-
110
- 11. What data do you collect, process, or store on our behalf? Please provide a data inventory or data flow diagram.
111
-
112
- 12. Is data encrypted at rest? If yes, what encryption standard is used?
113
-
114
- 13. Is data encrypted in transit? What TLS version is enforced?
115
-
116
- 14. How is our data logically separated from data belonging to other customers (multi-tenancy)?
117
-
118
- 15. What is your data retention policy? How and when is our data deleted at contract end?
119
-
120
- 16. Do you have a sub-processor/sub-vendor list? Will you notify us before engaging new sub-processors?
121
-
122
- ---
123
-
124
- ### Section 4: Incident Response
125
-
126
- 17. Do you have a documented Incident Response Plan? When was it last tested?
127
-
128
- 18. What is your process and timeline for notifying customers of a security incident that affects their data?
129
-
130
- 19. Do you maintain security logs? For how long are logs retained?
131
-
132
- 20. Do you have a SIEM or security monitoring solution in place?
133
-
134
- ---
135
-
136
- ### Section 5: Vulnerability Management
137
-
138
- 21. How frequently do you perform vulnerability scanning on systems that process our data?
139
-
140
- 22. What is your SLA for remediating critical and high vulnerabilities?
141
-
142
- 23. How frequently do you perform penetration testing? Who performs it (internal or third-party)?
143
-
144
- 24. Do you have a patch management program? What is your patching cadence?
145
-
146
- ---
147
-
148
- ### Section 6: Business Continuity
149
-
150
- 25. Do you have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?
151
-
152
- 26. What are your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for the systems we depend on?
153
-
154
- 27. How frequently do you test your DR plan? When was the last test performed?
155
-
156
- 28. Do you have redundant infrastructure (e.g., multi-region, HA setup)?
157
-
158
- ---
159
-
160
- ### Section 7: Compliance and Legal
161
-
162
- 29. Are you subject to any industry-specific compliance requirements (HIPAA, PCI-DSS, GDPR, etc.)? Are you currently compliant?
163
-
164
- 30. Are you willing to sign a Data Processing Agreement (DPA) with our organization?
165
-
166
- 31. Will you notify us within 72 hours of becoming aware of a breach involving our data?
167
-
168
- 32. Do you have a process for responding to Data Subject Requests (DSRs) that require action on data you process on our behalf?
169
-
170
- ---
171
-
172
- ### Scoring Guidance
173
-
174
- For each question, score:
175
- - **2** — Fully in place with evidence available
176
- - **1** — Partially in place or controls exist but not fully documented/tested
177
- - **0** — Not in place
178
-
179
- | Score Range | Risk Level | Recommendation |
180
- |---|---|---|
181
- | 45–64 | Low risk | Proceed; standard contract terms |
182
- | 30–44 | Medium risk | Proceed with DPA; annual re-review |
183
- | 15–29 | High risk | Requires security addendum; risk acceptance from CISO |
184
- | 0–14 | Critical risk | Escalate to leadership; consider alternative vendor |
185
-
186
- ---
187
-
188
- ## Reviewing a Vendor's SOC 2 Report
189
-
190
- When a vendor provides their SOC 2 report, review the following:
191
-
192
- ### 1. Report Basics
193
- - **Report type:** Is it Type 1 (design only) or Type 2 (operating effectiveness)? Prefer Type 2.
194
- - **Audit period:** Does it cover a recent period? Reports older than 12 months are stale.
195
- - **Criteria in scope:** Does the report include the criteria relevant to your use case? (e.g., if you care about availability, is Availability in scope?)
196
- - **Auditor:** Is the CPA firm reputable? (Larger firms: Deloitte, KPMG, EY, PwC, Grant Thornton, etc.)
197
-
198
- ### 2. Auditor's Opinion
199
- - **Unqualified (clean) opinion:** No material exceptions.
200
- - **Qualified opinion:** One or more criteria not met — flag for review.
201
- - **Adverse opinion:** Multiple failures — escalate, this is a significant red flag.
202
-
203
- ### 3. Exceptions and Deviations
204
- - Read the "results of tests of controls" section carefully.
205
- - Any **exceptions** (control failures during the audit period) must be evaluated:
206
- - Is the control we depend on the one that had exceptions?
207
- - What was the vendor's remediation plan?
208
- - Has it been addressed (look for management response)?
209
-
210
- ### 4. Complementary User Entity Controls (CUECs)
211
- - Look for a section titled "Complementary User Entity Controls" or similar.
212
- - These are controls the vendor *requires you to operate* for their controls to be effective.
213
- - You must address every applicable CUEC (see [CUEC Management](#cuec-management) below).
214
-
215
- ### 5. System Description
216
- - Does the description match the services you actually use?
217
- - Are the systems and infrastructure you depend on included in scope?
218
-
219
- ### Review Log Entry
220
-
221
- Document each vendor SOC 2 review:
222
- ```
223
- Vendor: [Name]
224
- Report Type: Type 1 / Type 2
225
- Audit Period: [From] – [To]
226
- Date Reviewed: [Date]
227
- Reviewed By: [Name / Role]
228
- Opinion: Unqualified / Qualified / Adverse
229
- Notable Exceptions: [None / Description]
230
- CUECs Identified: [None / List]
231
- CUECs Addressed: [Yes / Partial / No — with details]
232
- Risk Rating: Low / Medium / High
233
- Action Items: [Any follow-up required]
234
- ```
235
-
236
- ---
237
-
238
- ## CUEC Management
239
-
240
- CUECs (Complementary User Entity Controls) are controls a vendor assumes *you* have in place.
241
- If you don't have them, the vendor's controls may not fully protect your environment.
242
-
243
- ### Common CUECs and Typical Responses
244
-
245
- | Common CUEC | Typical Vendor (Example) | Your Corresponding Control |
246
- |---|---|---|
247
- | "User entities restrict access to the service using the vendor's access control features" | AWS, Salesforce | Access control policy; MFA enforcement; role-based access |
248
- | "User entities are responsible for monitoring for unauthorized access using access logs" | AWS CloudTrail, Okta | SIEM ingesting vendor logs; alerting on suspicious logins |
249
- | "User entities configure data encryption using the features provided" | AWS S3, RDS | Encryption enabled at rest; documented in system configuration |
250
- | "User entities are responsible for their users' credentials" | Any SaaS | Password policy; MFA policy; offboarding process |
251
- | "User entities notify the vendor of any personnel changes" | Managed service providers | Offboarding SOP includes notifying critical vendors |
252
- | "User entities perform their own risk assessments" | Most vendors | Annual risk assessment process (CC3) |
253
-
254
- ### CUEC Tracking Spreadsheet Fields
255
-
256
- | CUEC # | Vendor | CUEC Description | Applicable? | Corresponding Control | Evidence | Owner | Status |
257
- |---|---|---|---|---|---|---|---|
258
- | 1 | AWS | Users restrict access via IAM | Yes | Access Control Policy + IAM review | Quarterly IAM review records | DevOps | Met |
259
- | 2 | Salesforce | Users monitor login activity | Yes | SIEM ingests Salesforce logs | SIEM screenshots | Security | Met |
260
-
261
- ---
262
-
263
- ## Vendor Onboarding Checklist
264
-
265
- Before onboarding a new Critical or High-tier vendor:
266
-
267
- - [ ] Risk tier assigned based on data access and operational dependency
268
- - [ ] Security questionnaire sent (or SOC 2 report requested)
269
- - [ ] Questionnaire/report reviewed and scored
270
- - [ ] Risk acceptance documented if score is medium/high
271
- - [ ] Data Processing Agreement (DPA) executed (if PII involved)
272
- - [ ] Security addendum signed (for Critical vendors)
273
- - [ ] Contract includes: breach notification <72hr, data deletion on termination, right to audit
274
- - [ ] CUECs identified and mapped to internal controls
275
- - [ ] Vendor added to inventory with next review date
276
- - [ ] Onboarding approved by CISO or security owner
1
+ # SOC 2 Vendor Risk Reference
2
+
3
+ ## Table of Contents
4
+ 1. [Vendor Risk Program Overview](#vendor-risk-program-overview)
5
+ 2. [Vendor Inventory Template](#vendor-inventory-template)
6
+ 3. [Vendor Risk Questionnaire](#vendor-risk-questionnaire)
7
+ 4. [Reviewing a Vendor's SOC 2 Report](#reviewing-a-vendors-soc-2-report)
8
+ 5. [CUEC Management](#cuec-management)
9
+ 6. [Vendor Onboarding Checklist](#vendor-onboarding-checklist)
10
+
11
+ ---
12
+
13
+ ## Vendor Risk Program Overview
14
+
15
+ SOC 2 CC9.2 requires organizations to assess and manage risks arising from vendors and business
16
+ partners who have access to systems or data, or on whom the organization depends for critical
17
+ services.
18
+
19
+ ### What auditors look for:
20
+ 1. A **vendor inventory** exists and is maintained
21
+ 2. Vendors are **tiered by risk** and assessed accordingly
22
+ 3. **Due diligence** was performed before critical vendors were onboarded
23
+ 4. Vendor assessments are **reviewed at least annually**
24
+ 5. **Contracts** include appropriate security and data protection requirements
25
+ 6. **CUECs** from vendor SOC 2 reports are identified and addressed
26
+
27
+ ---
28
+
29
+ ## Vendor Inventory Template
30
+
31
+ Maintain a spreadsheet or GRC tool record for each vendor:
32
+
33
+ | Field | Description |
34
+ |---|---|
35
+ | Vendor Name | Legal entity name |
36
+ | Service Provided | What they do for you |
37
+ | Risk Tier | Critical / High / Medium / Low |
38
+ | Data Access | Types of data they can access (PII, Confidential, none) |
39
+ | System Access | Production / Staging / None |
40
+ | SOC 2 Available? | Yes / No / In progress |
41
+ | Last Assessment Date | Date of most recent due diligence |
42
+ | Next Review Due | Based on tier cadence |
43
+ | Contract Expiry | Date |
44
+ | DPA Signed? | Yes / No / N/A |
45
+ | Security Addendum? | Yes / No / N/A |
46
+ | Primary Contact | Vendor security/legal contact |
47
+ | Owner | Internal stakeholder who owns the relationship |
48
+
49
+ ### Risk Tier Definitions
50
+
51
+ **Critical:** Vendor has access to production systems or processes/stores customer PII.
52
+ Examples: AWS, Azure, GCP, Salesforce, Snowflake, Stripe, database vendors.
53
+ - Requires: SOC 2 report review OR full questionnaire + annual re-assessment
54
+ - Contract must include: DPA, security addendum, breach notification <72hr, right to audit
55
+
56
+ **High:** Vendor processes sensitive business data or is operationally critical.
57
+ Examples: HR systems (Workday, Rippling), GitHub, Slack, identity providers.
58
+ - Requires: SOC 2 report or questionnaire annually
59
+ - Contract must include: DPA (if any personal data), security requirements
60
+
61
+ **Medium:** Limited data exposure, some operational dependency.
62
+ Examples: Project management tools, design tools, analytics platforms.
63
+ - Requires: Security questionnaire or SOC 2 review at onboarding + biennial review
64
+ - Contract should include: acceptable use and data handling clauses
65
+
66
+ **Low:** No meaningful data access, low operational risk.
67
+ Examples: Office supplies vendors, most SaaS point solutions without data access.
68
+ - Requires: Lightweight onboarding check (do they have a security program?)
69
+ - Standard contract terms sufficient
70
+
71
+ ---
72
+
73
+ ## Vendor Risk Questionnaire
74
+
75
+ Use this questionnaire for High/Critical vendors that don't have a SOC 2 report, or to
76
+ supplement a SOC 2 report. Customize based on the vendor's service type.
77
+
78
+ ---
79
+
80
+ ### Section 1: Company and Security Program
81
+
82
+ 1. Does your organization have a documented Information Security Policy? If yes, when was it last reviewed?
83
+
84
+ 2. Do you have a dedicated security function (e.g., CISO, security team)? Please describe its structure.
85
+
86
+ 3. Has your organization undergone any third-party security assessments in the past 12 months? (SOC 2, ISO 27001, pen test, etc.) If yes, please provide the most recent report or executive summary.
87
+
88
+ 4. Does your organization carry cybersecurity insurance? Please provide coverage amount.
89
+
90
+ 5. Have you experienced a security incident or data breach in the past 24 months that affected customers? If yes, please describe.
91
+
92
+ ---
93
+
94
+ ### Section 2: Access Controls
95
+
96
+ 6. Do you enforce multi-factor authentication (MFA) for access to systems that process our data? Which systems require MFA?
97
+
98
+ 7. How do you manage privileged/admin access? Do you use a Privileged Access Management (PAM) solution?
99
+
100
+ 8. How quickly are accounts for terminated employees deprovisioned? What is your offboarding process?
101
+
102
+ 9. Do you perform periodic access reviews? How frequently?
103
+
104
+ 10. Is access to customer data restricted to personnel who require it for their role (least privilege)?
105
+
106
+ ---
107
+
108
+ ### Section 3: Data Protection
109
+
110
+ 11. What data do you collect, process, or store on our behalf? Please provide a data inventory or data flow diagram.
111
+
112
+ 12. Is data encrypted at rest? If yes, what encryption standard is used?
113
+
114
+ 13. Is data encrypted in transit? What TLS version is enforced?
115
+
116
+ 14. How is our data logically separated from data belonging to other customers (multi-tenancy)?
117
+
118
+ 15. What is your data retention policy? How and when is our data deleted at contract end?
119
+
120
+ 16. Do you have a sub-processor/sub-vendor list? Will you notify us before engaging new sub-processors?
121
+
122
+ ---
123
+
124
+ ### Section 4: Incident Response
125
+
126
+ 17. Do you have a documented Incident Response Plan? When was it last tested?
127
+
128
+ 18. What is your process and timeline for notifying customers of a security incident that affects their data?
129
+
130
+ 19. Do you maintain security logs? For how long are logs retained?
131
+
132
+ 20. Do you have a SIEM or security monitoring solution in place?
133
+
134
+ ---
135
+
136
+ ### Section 5: Vulnerability Management
137
+
138
+ 21. How frequently do you perform vulnerability scanning on systems that process our data?
139
+
140
+ 22. What is your SLA for remediating critical and high vulnerabilities?
141
+
142
+ 23. How frequently do you perform penetration testing? Who performs it (internal or third-party)?
143
+
144
+ 24. Do you have a patch management program? What is your patching cadence?
145
+
146
+ ---
147
+
148
+ ### Section 6: Business Continuity
149
+
150
+ 25. Do you have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?
151
+
152
+ 26. What are your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) for the systems we depend on?
153
+
154
+ 27. How frequently do you test your DR plan? When was the last test performed?
155
+
156
+ 28. Do you have redundant infrastructure (e.g., multi-region, HA setup)?
157
+
158
+ ---
159
+
160
+ ### Section 7: Compliance and Legal
161
+
162
+ 29. Are you subject to any industry-specific compliance requirements (HIPAA, PCI-DSS, GDPR, etc.)? Are you currently compliant?
163
+
164
+ 30. Are you willing to sign a Data Processing Agreement (DPA) with our organization?
165
+
166
+ 31. Will you notify us within 72 hours of becoming aware of a breach involving our data?
167
+
168
+ 32. Do you have a process for responding to Data Subject Requests (DSRs) that require action on data you process on our behalf?
169
+
170
+ ---
171
+
172
+ ### Scoring Guidance
173
+
174
+ For each question, score:
175
+ - **2** — Fully in place with evidence available
176
+ - **1** — Partially in place or controls exist but not fully documented/tested
177
+ - **0** — Not in place
178
+
179
+ | Score Range | Risk Level | Recommendation |
180
+ |---|---|---|
181
+ | 45–64 | Low risk | Proceed; standard contract terms |
182
+ | 30–44 | Medium risk | Proceed with DPA; annual re-review |
183
+ | 15–29 | High risk | Requires security addendum; risk acceptance from CISO |
184
+ | 0–14 | Critical risk | Escalate to leadership; consider alternative vendor |
185
+
186
+ ---
187
+
188
+ ## Reviewing a Vendor's SOC 2 Report
189
+
190
+ When a vendor provides their SOC 2 report, review the following:
191
+
192
+ ### 1. Report Basics
193
+ - **Report type:** Is it Type 1 (design only) or Type 2 (operating effectiveness)? Prefer Type 2.
194
+ - **Audit period:** Does it cover a recent period? Reports older than 12 months are stale.
195
+ - **Criteria in scope:** Does the report include the criteria relevant to your use case? (e.g., if you care about availability, is Availability in scope?)
196
+ - **Auditor:** Is the CPA firm reputable? (Larger firms: Deloitte, KPMG, EY, PwC, Grant Thornton, etc.)
197
+
198
+ ### 2. Auditor's Opinion
199
+ - **Unqualified (clean) opinion:** No material exceptions.
200
+ - **Qualified opinion:** One or more criteria not met — flag for review.
201
+ - **Adverse opinion:** Multiple failures — escalate, this is a significant red flag.
202
+
203
+ ### 3. Exceptions and Deviations
204
+ - Read the "results of tests of controls" section carefully.
205
+ - Any **exceptions** (control failures during the audit period) must be evaluated:
206
+ - Is the control we depend on the one that had exceptions?
207
+ - What was the vendor's remediation plan?
208
+ - Has it been addressed (look for management response)?
209
+
210
+ ### 4. Complementary User Entity Controls (CUECs)
211
+ - Look for a section titled "Complementary User Entity Controls" or similar.
212
+ - These are controls the vendor *requires you to operate* for their controls to be effective.
213
+ - You must address every applicable CUEC (see [CUEC Management](#cuec-management) below).
214
+
215
+ ### 5. System Description
216
+ - Does the description match the services you actually use?
217
+ - Are the systems and infrastructure you depend on included in scope?
218
+
219
+ ### Review Log Entry
220
+
221
+ Document each vendor SOC 2 review:
222
+ ```
223
+ Vendor: [Name]
224
+ Report Type: Type 1 / Type 2
225
+ Audit Period: [From] – [To]
226
+ Date Reviewed: [Date]
227
+ Reviewed By: [Name / Role]
228
+ Opinion: Unqualified / Qualified / Adverse
229
+ Notable Exceptions: [None / Description]
230
+ CUECs Identified: [None / List]
231
+ CUECs Addressed: [Yes / Partial / No — with details]
232
+ Risk Rating: Low / Medium / High
233
+ Action Items: [Any follow-up required]
234
+ ```
235
+
236
+ ---
237
+
238
+ ## CUEC Management
239
+
240
+ CUECs (Complementary User Entity Controls) are controls a vendor assumes *you* have in place.
241
+ If you don't have them, the vendor's controls may not fully protect your environment.
242
+
243
+ ### Common CUECs and Typical Responses
244
+
245
+ | Common CUEC | Typical Vendor (Example) | Your Corresponding Control |
246
+ |---|---|---|
247
+ | "User entities restrict access to the service using the vendor's access control features" | AWS, Salesforce | Access control policy; MFA enforcement; role-based access |
248
+ | "User entities are responsible for monitoring for unauthorized access using access logs" | AWS CloudTrail, Okta | SIEM ingesting vendor logs; alerting on suspicious logins |
249
+ | "User entities configure data encryption using the features provided" | AWS S3, RDS | Encryption enabled at rest; documented in system configuration |
250
+ | "User entities are responsible for their users' credentials" | Any SaaS | Password policy; MFA policy; offboarding process |
251
+ | "User entities notify the vendor of any personnel changes" | Managed service providers | Offboarding SOP includes notifying critical vendors |
252
+ | "User entities perform their own risk assessments" | Most vendors | Annual risk assessment process (CC3) |
253
+
254
+ ### CUEC Tracking Spreadsheet Fields
255
+
256
+ | CUEC # | Vendor | CUEC Description | Applicable? | Corresponding Control | Evidence | Owner | Status |
257
+ |---|---|---|---|---|---|---|---|
258
+ | 1 | AWS | Users restrict access via IAM | Yes | Access Control Policy + IAM review | Quarterly IAM review records | DevOps | Met |
259
+ | 2 | Salesforce | Users monitor login activity | Yes | SIEM ingests Salesforce logs | SIEM screenshots | Security | Met |
260
+
261
+ ---
262
+
263
+ ## Vendor Onboarding Checklist
264
+
265
+ Before onboarding a new Critical or High-tier vendor:
266
+
267
+ - [ ] Risk tier assigned based on data access and operational dependency
268
+ - [ ] Security questionnaire sent (or SOC 2 report requested)
269
+ - [ ] Questionnaire/report reviewed and scored
270
+ - [ ] Risk acceptance documented if score is medium/high
271
+ - [ ] Data Processing Agreement (DPA) executed (if PII involved)
272
+ - [ ] Security addendum signed (for Critical vendors)
273
+ - [ ] Contract includes: breach notification <72hr, data deletion on termination, right to audit
274
+ - [ ] CUECs identified and mapped to internal controls
275
+ - [ ] Vendor added to inventory with next review date
276
+ - [ ] Onboarding approved by CISO or security owner
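Review bot: every `+` line in this hunk reproduces a `-` line verbatim, from `# SOC 2 Vendor Risk Reference` through `- [ ] Onboarding approved by CISO or security owner`, so the change appears to be whitespace or line-ending only rather than a content edit; normalizing line endings for the package (for example a `.gitattributes` rule such as `* text=auto eol=lf`) would keep future diffs of this reference limited to substantive changes. While the file is being touched, two internal inconsistencies in the text are worth reconciling: the Scoring Guidance table requires "risk acceptance from CISO" only for the High risk band (15–29) and tells Medium (30–44) to "Proceed with DPA; annual re-review", but the Vendor Onboarding Checklist says "Risk acceptance documented if score is medium/high", so either the table or the checklist should state which bands need documented acceptance; and the Risk Tier Definitions give Medium vendors a "biennial review" while the auditor expectations list says vendor assessments are "reviewed at least annually", which should be stated as a deliberate exception for that tier or aligned.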