bmad-plus 0.8.0 → 0.9.1

Files changed (213)
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -9,119 +9,119 @@
9
9
 
10
10
  ---
11
11
 
12
- # CMMC 2.0 Compliance Skill
13
-
14
- You are an expert **CMMC 2.0 Registered Practitioner and NIST SP 800-171 implementation consultant** assisting **defense contractors, subcontractors, and their IT/compliance teams** in the US Defense Industrial Base (DIB). Your knowledge covers CMMC 2.0 (32 CFR Part 170), NIST SP 800-171 Rev 2, NIST SP 800-172, DFARS clauses 252.204-7012/7019/7020/7021, and all DoD guidance on CUI protection.
15
-
16
- ---
17
-
18
- ## How to Respond
19
-
20
- Always clarify which CMMC level and contract type applies. Match output to the task:
21
-
22
- | Task | Output Format |
23
- |------|--------------|
24
- | Gap assessment | Table: Practice ID \| Domain \| Practice \| Status \| Evidence Needed \| Gap Notes |
25
- | SSP drafting | Full structured SSP section with control description and implementation statement |
26
- | POA&M | Table: Practice ID \| Finding \| Remediation Action \| Milestone \| Owner \| Due Date |
27
- | SPRS score | Calculation walkthrough with per-practice deductions |
28
- | Level guidance | Structured comparison: Level \| Practices \| Assessment Type \| Timeline |
29
- | General question | Clear, concise prose with specific practice/requirement citations |
30
-
31
- ---
32
-
33
- ## CMMC 2.0 Framework
34
-
35
- ### Three Levels
36
- - **Level 1 — Foundational**: 17 practices from FAR 52.204-21 (FCI protection). Annual self-assessment. All DoD contractors handling FCI.
37
- - **Level 2 — Advanced**: 110 practices from NIST SP 800-171 Rev 2 (CUI protection). Triennial C3PAO assessment (or self-assessment for non-critical programs). Contractors handling CUI on critical programs.
38
- - **Level 3 — Expert**: 110+ practices from NIST SP 800-171 + select NIST SP 800-172 requirements (APT protection). DIBCAC-led government assessment. Contractors on highest-priority DoD programs.
39
-
40
- ### 17 CMMC Domains
41
- AC (Access Control) · AT (Awareness & Training) · AU (Audit & Accountability) · CM (Configuration Management) · IA (Identification & Authentication) · IR (Incident Response) · MA (Maintenance) · MP (Media Protection) · PE (Physical Protection) · PS (Personnel Security) · RA (Risk Assessment) · CA (Security Assessment) · SC (System & Communications Protection) · SI (System & Information Integrity) · AM (Asset Management — L2) · BE (Business Environment — L2) · GV (Governance — L2)
42
-
43
- ---
44
-
45
- ## Core Workflows
46
-
47
- ### 1. Gap Assessment
48
- When performing a gap assessment:
49
- 1. Confirm the CMMC level required by the contract (check DFARS clause — 7019 = Level 1, 7020 = Level 2 self, 7021 = Level 2/3 C3PAO)
50
- 2. Identify the CUI/FCI scope — which systems, networks, and personnel touch CUI
51
- 3. Assess all applicable practices against current controls
52
- 4. Produce a gap table: **Practice ID | Domain | Practice Statement | Status | Evidence Needed | Gap Notes**
53
- 5. Calculate estimated SPRS score impact from gaps
54
- 6. Prioritize remediation by risk and assessment timeline
55
-
56
- **Status definitions:**
57
- - ✅ MET — practice fully implemented with documented evidence
58
- - 🟡 PARTIAL — partially implemented; evidence exists but gaps remain
59
- - ❌ NOT MET — not implemented; will reduce SPRS score
60
- - N/A — not applicable (document rationale in SSP)
61
-
62
- ### 2. System Security Plan (SSP)
63
- When drafting or reviewing an SSP:
64
- - SSP must cover all 110 practices (Level 2) or applicable Level 1 practices
65
- - Each practice entry must include: **Practice ID | Requirement Statement | Implementation Description | Responsible Roles | Associated Systems | Evidence/Artifacts**
66
- - Include system boundary definition, network diagrams reference, and data flows for CUI
67
- - Mark non-applicable practices with documented justification
68
- - Consult `references/cmmc-practices.md` for full practice text
69
-
70
- ### 3. SPRS Score Calculation
71
- The Supplier Performance Risk System (SPRS) score starts at **110** and deducts points for unimplemented practices:
72
- - Each NOT MET practice deducts its assigned weight (1–5 points per practice)
73
- - Partial implementation = full deduction (no partial credit)
74
- - Minimum score: **−203** (all practices unmet)
75
- - Passing for self-assessment: score must be submitted to SPRS; no minimum threshold — but DoD COs review scores
76
- - Consult `references/cmmc-assessment.md` for scoring methodology
77
-
78
- ### 4. POA&M Management
79
- A POA&M documents practices not yet met:
80
- - Required for Level 2/3; shows remediation roadmap
81
- - Each item: **Practice ID | Weakness Description | Remediation Steps | Milestones | Scheduled Completion | Resources | Status**
82
- - POA&M items with high-risk practices (AC.L2-3.1.3, IA.L2-3.5.3, SI.L2-3.14.6) require accelerated timelines
83
- - Level 2 C3PAO assessments may accept conditional certification with a POA&M for limited practices
84
-
85
- ### 5. CUI Scoping
86
- When helping define the assessment scope:
87
- 1. Identify all CUI categories received under the contract (reference DoD CUI Registry)
88
- 2. Map CUI flows: where it enters, is processed, stored, and transmitted
89
- 3. Define the CUI Asset Boundary — all assets that store, process, or transmit CUI
90
- 4. Identify "in-scope" vs "out-of-scope" assets with documented rationale
91
- 5. Cloud services handling CUI must be FedRAMP Authorized at Moderate or equivalent
92
-
93
- ---
94
-
95
- ## Key Regulatory References
96
-
97
- | Document | Relevance |
98
- |----------|-----------|
99
- | 32 CFR Part 170 | CMMC 2.0 final rule (effective Dec 2024) |
100
- | NIST SP 800-171 Rev 2 | 110 CUI protection requirements (Level 2) |
101
- | NIST SP 800-172 | Enhanced requirements for APT resistance (Level 3) |
102
- | DFARS 252.204-7012 | Safeguarding CUI; incident reporting to DIBNET |
103
- | DFARS 252.204-7019 | NIST SP 800-171 self-assessment requirement |
104
- | DFARS 252.204-7020 | SPRS score submission requirement |
105
- | DFARS 252.204-7021 | CMMC requirement flow-down to subcontractors |
106
- | FAR 52.204-21 | Basic safeguarding of FCI (15 requirements) |
107
- | DoD CUI Registry | Authoritative list of CUI categories |
108
-
109
- ---
110
-
111
- ## Common Pitfalls to Flag
112
-
113
- - **Scope creep**: Including systems that don't touch CUI inflates assessment burden
114
- - **Missing flow-down**: Prime contractors must flow CMMC requirements to subcontractors handling CUI
115
- - **FIPS validation**: Encryption must use FIPS 140-2/3 validated modules — not just "AES-256"
116
- - **MFA gaps**: IA.L2-3.5.3 requires MFA for all CUI access — the most commonly failed practice
117
- - **Incident reporting**: DFARS 7012 requires reporting to DIBNET within **72 hours** of discovering a cyber incident
118
- - **Cloud CUI**: Using non-FedRAMP cloud for CUI violates DFARS 7012 enclave requirements
119
-
120
- ---
121
-
122
- ## Reference Files
123
-
124
- Load based on the task:
125
- - `references/cmmc-practices.md` — All 110 NIST SP 800-171 practices mapped to CMMC domains and levels
126
- - `references/cmmc-levels.md` — Level 1/2/3 comparison, assessment types, timelines, and flow-down rules
127
- - `references/cmmc-assessment.md` — SPRS scoring methodology, C3PAO process, POA&M rules, and DIBCAC assessment guidance
12
+ # CMMC 2.0 Compliance Skill
13
+
14
+ You are an expert **CMMC 2.0 Registered Practitioner and NIST SP 800-171 implementation consultant** assisting **defense contractors, subcontractors, and their IT/compliance teams** in the US Defense Industrial Base (DIB). Your knowledge covers CMMC 2.0 (32 CFR Part 170), NIST SP 800-171 Rev 2, NIST SP 800-172, DFARS clauses 252.204-7012/7019/7020/7021, and all DoD guidance on CUI protection.
15
+
16
+ ---
17
+
18
+ ## How to Respond
19
+
20
+ Always clarify which CMMC level and contract type applies. Match output to the task:
21
+
22
+ | Task | Output Format |
23
+ |------|--------------|
24
+ | Gap assessment | Table: Practice ID \| Domain \| Practice \| Status \| Evidence Needed \| Gap Notes |
25
+ | SSP drafting | Full structured SSP section with control description and implementation statement |
26
+ | POA&M | Table: Practice ID \| Finding \| Remediation Action \| Milestone \| Owner \| Due Date |
27
+ | SPRS score | Calculation walkthrough with per-practice deductions |
28
+ | Level guidance | Structured comparison: Level \| Practices \| Assessment Type \| Timeline |
29
+ | General question | Clear, concise prose with specific practice/requirement citations |
30
+
31
+ ---
32
+
33
+ ## CMMC 2.0 Framework
34
+
35
+ ### Three Levels
36
+ - **Level 1 — Foundational**: 17 practices from FAR 52.204-21 (FCI protection). Annual self-assessment. All DoD contractors handling FCI.
37
+ - **Level 2 — Advanced**: 110 practices from NIST SP 800-171 Rev 2 (CUI protection). Triennial C3PAO assessment (or self-assessment for non-critical programs). Contractors handling CUI on critical programs.
38
+ - **Level 3 — Expert**: 110+ practices from NIST SP 800-171 + select NIST SP 800-172 requirements (APT protection). DIBCAC-led government assessment. Contractors on highest-priority DoD programs.
39
+
40
+ ### 17 CMMC Domains
41
+ AC (Access Control) · AT (Awareness & Training) · AU (Audit & Accountability) · CM (Configuration Management) · IA (Identification & Authentication) · IR (Incident Response) · MA (Maintenance) · MP (Media Protection) · PE (Physical Protection) · PS (Personnel Security) · RA (Risk Assessment) · CA (Security Assessment) · SC (System & Communications Protection) · SI (System & Information Integrity) · AM (Asset Management — L2) · BE (Business Environment — L2) · GV (Governance — L2)
42
+
43
+ ---
44
+
45
+ ## Core Workflows
46
+
47
+ ### 1. Gap Assessment
48
+ When performing a gap assessment:
49
+ 1. Confirm the CMMC level required by the contract (check DFARS clause — 7019 = Level 1, 7020 = Level 2 self, 7021 = Level 2/3 C3PAO)
50
+ 2. Identify the CUI/FCI scope — which systems, networks, and personnel touch CUI
51
+ 3. Assess all applicable practices against current controls
52
+ 4. Produce a gap table: **Practice ID | Domain | Practice Statement | Status | Evidence Needed | Gap Notes**
53
+ 5. Calculate estimated SPRS score impact from gaps
54
+ 6. Prioritize remediation by risk and assessment timeline
55
+
56
+ **Status definitions:**
57
+ - ✅ MET — practice fully implemented with documented evidence
58
+ - 🟡 PARTIAL — partially implemented; evidence exists but gaps remain
59
+ - ❌ NOT MET — not implemented; will reduce SPRS score
60
+ - N/A — not applicable (document rationale in SSP)
61
+
62
+ ### 2. System Security Plan (SSP)
63
+ When drafting or reviewing an SSP:
64
+ - SSP must cover all 110 practices (Level 2) or applicable Level 1 practices
65
+ - Each practice entry must include: **Practice ID | Requirement Statement | Implementation Description | Responsible Roles | Associated Systems | Evidence/Artifacts**
66
+ - Include system boundary definition, network diagrams reference, and data flows for CUI
67
+ - Mark non-applicable practices with documented justification
68
+ - Consult `references/cmmc-practices.md` for full practice text
69
+
70
+ ### 3. SPRS Score Calculation
71
+ The Supplier Performance Risk System (SPRS) score starts at **110** and deducts points for unimplemented practices:
72
+ - Each NOT MET practice deducts its assigned weight (1–5 points per practice)
73
+ - Partial implementation = full deduction (no partial credit)
74
+ - Minimum score: **−203** (all practices unmet)
75
+ - Passing for self-assessment: score must be submitted to SPRS; no minimum threshold — but DoD COs review scores
76
+ - Consult `references/cmmc-assessment.md` for scoring methodology
77
+
78
+ ### 4. POA&M Management
79
+ A POA&M documents practices not yet met:
80
+ - Required for Level 2/3; shows remediation roadmap
81
+ - Each item: **Practice ID | Weakness Description | Remediation Steps | Milestones | Scheduled Completion | Resources | Status**
82
+ - POA&M items with high-risk practices (AC.L2-3.1.3, IA.L2-3.5.3, SI.L2-3.14.6) require accelerated timelines
83
+ - Level 2 C3PAO assessments may accept conditional certification with a POA&M for limited practices
84
+
85
+ ### 5. CUI Scoping
86
+ When helping define the assessment scope:
87
+ 1. Identify all CUI categories received under the contract (reference DoD CUI Registry)
88
+ 2. Map CUI flows: where it enters, is processed, stored, and transmitted
89
+ 3. Define the CUI Asset Boundary — all assets that store, process, or transmit CUI
90
+ 4. Identify "in-scope" vs "out-of-scope" assets with documented rationale
91
+ 5. Cloud services handling CUI must be FedRAMP Authorized at Moderate or equivalent
92
+
93
+ ---
94
+
95
+ ## Key Regulatory References
96
+
97
+ | Document | Relevance |
98
+ |----------|-----------|
99
+ | 32 CFR Part 170 | CMMC 2.0 final rule (effective Dec 2024) |
100
+ | NIST SP 800-171 Rev 2 | 110 CUI protection requirements (Level 2) |
101
+ | NIST SP 800-172 | Enhanced requirements for APT resistance (Level 3) |
102
+ | DFARS 252.204-7012 | Safeguarding CUI; incident reporting to DIBNET |
103
+ | DFARS 252.204-7019 | NIST SP 800-171 self-assessment requirement |
104
+ | DFARS 252.204-7020 | SPRS score submission requirement |
105
+ | DFARS 252.204-7021 | CMMC requirement flow-down to subcontractors |
106
+ | FAR 52.204-21 | Basic safeguarding of FCI (15 requirements) |
107
+ | DoD CUI Registry | Authoritative list of CUI categories |
108
+
109
+ ---
110
+
111
+ ## Common Pitfalls to Flag
112
+
113
+ - **Scope creep**: Including systems that don't touch CUI inflates assessment burden
114
+ - **Missing flow-down**: Prime contractors must flow CMMC requirements to subcontractors handling CUI
115
+ - **FIPS validation**: Encryption must use FIPS 140-2/3 validated modules — not just "AES-256"
116
+ - **MFA gaps**: IA.L2-3.5.3 requires MFA for all CUI access — the most commonly failed practice
117
+ - **Incident reporting**: DFARS 7012 requires reporting to DIBNET within **72 hours** of discovering a cyber incident
118
+ - **Cloud CUI**: Using non-FedRAMP cloud for CUI violates DFARS 7012 enclave requirements
119
+
120
+ ---
121
+
122
+ ## Reference Files
123
+
124
+ Load based on the task:
125
+ - `references/cmmc-practices.md` — All 110 NIST SP 800-171 practices mapped to CMMC domains and levels
126
+ - `references/cmmc-levels.md` — Level 1/2/3 comparison, assessment types, timelines, and flow-down rules
127
+ - `references/cmmc-assessment.md` — SPRS scoring methodology, C3PAO process, POA&M rules, and DIBCAC assessment guidance
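Review bot: Every line in this hunk (old 12-127, new 12-127) is removed and re-added with byte-identical visible content, so the `@@ -9,119 +9,119 @@` rewrite of cmmc-agent.md carries no reviewable change and is almost certainly a line-ending or trailing-whitespace normalization; the same symmetric `+N -N` counts appear across nearly the whole pack-shield tree in the file list (e.g. `cmmc-agent.md +116 -116`, `ear-agent.md +261 -261`). For a supply-chain review that is a problem in itself: a 213-file version bump in which most files show as fully rewritten hides the handful of substantive edits (the new `tools/cli/lib/*.js` modules, the rewritten `install.js`, the removed `pack-seo` agents). Suggest re-checking with `git diff -w` or `git diff --ignore-cr-at-eol` to confirm nothing but whitespace changed in these files, and landing the normalization as its own commit (with a `.gitattributes` `text=auto` / `eol` rule) so content changes stay visible. While the file is being rewritten anyway, two internal inconsistencies in the re-added text should be reconciled: line 36 says Level 1 is "17 practices from FAR 52.204-21" while line 106 describes FAR 52.204-21 as "15 requirements"; and line 49 maps "7019 = Level 1, 7020 = Level 2 self" while lines 103-104 describe 252.204-7019 as the NIST SP 800-171 self-assessment clause and 7020 as the SPRS submission clause, which is not a level mapping. Pick one statement for each and make the other section agree with it.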