bmad-plus 0.9.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +15 -0
  2. package/LICENSE +21 -21
  3. package/README.md +105 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +5 -58
  181. package/tools/cli/commands/doctor.js +2 -0
  182. package/tools/cli/commands/install.js +9 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +26 -41
  185. package/tools/cli/commands/uninstall.js +7 -4
  186. package/tools/cli/commands/update.js +2 -1
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +114 -114
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +45 -0
@@ -1,129 +1,129 @@
1
- # SSP Writing Guide
2
-
3
- The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
4
- It tells the complete security story of the Cloud Service Offering (CSO): architecture,
5
- data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
6
-
7
- > Always use the official FedRAMP SSP template. One template covers all baselines
8
- > (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
9
-
10
- ---
11
-
12
- ## SSP Section-by-Section Guide
13
-
14
- ### Section 1: Information System Name and Title
15
- - Formal name of the CSO
16
- - Unique identifier (assigned during FedRAMP process)
17
- - Service model (IaaS / PaaS / SaaS)
18
- - Deployment model (Public / Private / Community / Hybrid cloud)
19
-
20
- ### Section 2: System Categorization
21
- - FIPS 199 impact determination: Confidentiality / Integrity / Availability
22
- - Overall impact level = high-water mark of the three values
23
- - Justify each categorization with the types of federal information processed
24
-
25
- ### Section 3: System Owner / Authorizing Official
26
- - List CSP system owner, ISSO, and agency AO contacts
27
- - For agency authorization, include the sponsoring agency AO
28
-
29
- ### Section 4: Assignment of Security Responsibility
30
- - Identify the ISSO (Information System Security Officer)
31
- - Document CSP security team contacts
32
-
33
- ### Section 5: System Mission / Purpose
34
- - Brief description of what the system does
35
- - What federal agencies/programs it supports
36
- - What types of federal data it handles
37
-
38
- ### Section 6: System Description
39
- - Narrative description of the system
40
- - Technology stack overview
41
- - Key system components
42
-
43
- ### Section 7: General System Description / System Environment
44
- **This is one of the most scrutinized sections.**
45
- - Detailed architecture description
46
- - Authorization boundary narrative — clearly define what is IN and OUT of scope
47
- - Network architecture diagram (embedded)
48
- - Data flow diagrams (embedded)
49
- - Ports, protocols, and services table
50
- - External connections table (all services connecting to/from the boundary)
51
-
52
- **Common mistakes:**
53
- - Vague boundary descriptions ("the cloud environment") — be specific
54
- - Missing data flows for admin/management traffic
55
- - Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
56
-
57
- ### Section 8: System Environment / Interconnections
58
- - Interconnection Security Agreements (ISAs) for each external system
59
- - Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
60
- - Inherited controls from leveraged services must be documented in CIS/CRM workbook
61
-
62
- ### Section 9: Laws, Regulations, Standards (Appendix B)
63
- - Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
64
- - Lists applicable federal laws (FISMA, Privacy Act, etc.)
65
- - May include agency-specific requirements (HIPAA, CJIS if applicable)
66
-
67
- ### Section 10: Minimum Security Controls
68
- **The largest section — one narrative per control.**
69
-
70
- For each control in the applicable baseline:
71
-
72
- ```
73
- [Control ID] [Control Name]
74
- Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
75
-
76
- [Control Implementation Statement]
77
- Describe HOW the control is implemented. Be specific:
78
- - What tool, policy, or process implements this control?
79
- - Who is responsible?
80
- - Where is the evidence?
81
- - For shared controls: what is the CSP responsibility vs. customer responsibility?
82
-
83
- Customer Responsibility (if applicable):
84
- [Describe what the customer/agency must do]
85
- ```
86
-
87
- **Writing tips:**
88
- - Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
89
- - Reference specific policy document names, tool names, configuration settings
90
- - For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
91
- - Mark unimplemented controls as "Planned" and ensure they appear in POA&M
92
-
93
- ### SSP Appendices (A through Q)
94
-
95
- | Appendix | Content | Required? |
96
- |---|---|---|
97
- | A | Acronyms & Glossary | Yes |
98
- | B | Related Laws & Regulations (Attachment 12) | Yes |
99
- | C | Security Policies & Procedures | Yes (CSP-authored) |
100
- | D | User Guide | Yes |
101
- | E | Rules of Behavior | Yes (FedRAMP template) |
102
- | F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
103
- | G | Configuration Management Plan | Yes (CSP-authored) |
104
- | H | Incident Response Plan | Yes (CSP-authored) |
105
- | I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
106
- | J | FIPS 199 Categorization | Yes |
107
- | K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
108
- | L | Cryptographic Modules Table | Yes |
109
- | M | Continuous Monitoring Plan | Yes |
110
- | N | Separation of Duties Matrix | Conditional |
111
- | O | POA&M | Yes (FedRAMP template) |
112
- | P | Supply Chain Risk Management Plan | Yes (Rev 5) |
113
- | Q | Privacy Impact Assessment (PIA) | If PII in scope |
114
-
115
- ---
116
-
117
- ## SSP Quality Checklist
118
-
119
- Before submitting, verify:
120
- - [ ] All controls for the applicable baseline have implementation statements
121
- - [ ] No controls describe future/planned state as currently implemented
122
- - [ ] All "Planned" controls appear in POA&M
123
- - [ ] Architecture diagrams and control narratives are consistent
124
- - [ ] External connections table matches the data flow diagrams
125
- - [ ] CIS/CRM workbook is complete for all shared/inherited controls
126
- - [ ] IIW lists every asset in the boundary
127
- - [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
128
- - [ ] All required appendices (C through Q as applicable) are attached
129
- - [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
1
+ # SSP Writing Guide
2
+
3
+ The System Security Plan (SSP) is the centerpiece of the FedRAMP authorization package.
4
+ It tells the complete security story of the Cloud Service Offering (CSO): architecture,
5
+ data flows, control implementations, roles, and boundary. Many SSPs exceed 500 pages.
6
+
7
+ > Always use the official FedRAMP SSP template. One template covers all baselines
8
+ > (LI-SaaS, Low, Moderate, High). Templates at: https://www.fedramp.gov/rev5/documents-templates/
9
+
10
+ ---
11
+
12
+ ## SSP Section-by-Section Guide
13
+
14
+ ### Section 1: Information System Name and Title
15
+ - Formal name of the CSO
16
+ - Unique identifier (assigned during FedRAMP process)
17
+ - Service model (IaaS / PaaS / SaaS)
18
+ - Deployment model (Public / Private / Community / Hybrid cloud)
19
+
20
+ ### Section 2: System Categorization
21
+ - FIPS 199 impact determination: Confidentiality / Integrity / Availability
22
+ - Overall impact level = high-water mark of the three values
23
+ - Justify each categorization with the types of federal information processed
24
+
25
+ ### Section 3: System Owner / Authorizing Official
26
+ - List CSP system owner, ISSO, and agency AO contacts
27
+ - For agency authorization, include the sponsoring agency AO
28
+
29
+ ### Section 4: Assignment of Security Responsibility
30
+ - Identify the ISSO (Information System Security Officer)
31
+ - Document CSP security team contacts
32
+
33
+ ### Section 5: System Mission / Purpose
34
+ - Brief description of what the system does
35
+ - What federal agencies/programs it supports
36
+ - What types of federal data it handles
37
+
38
+ ### Section 6: System Description
39
+ - Narrative description of the system
40
+ - Technology stack overview
41
+ - Key system components
42
+
43
+ ### Section 7: General System Description / System Environment
44
+ **This is one of the most scrutinized sections.**
45
+ - Detailed architecture description
46
+ - Authorization boundary narrative — clearly define what is IN and OUT of scope
47
+ - Network architecture diagram (embedded)
48
+ - Data flow diagrams (embedded)
49
+ - Ports, protocols, and services table
50
+ - External connections table (all services connecting to/from the boundary)
51
+
52
+ **Common mistakes:**
53
+ - Vague boundary descriptions ("the cloud environment") — be specific
54
+ - Missing data flows for admin/management traffic
55
+ - Not documenting external services (DNS, NTP, update servers, SaaS tools used by admins)
56
+
57
+ ### Section 8: System Environment / Interconnections
58
+ - Interconnection Security Agreements (ISAs) for each external system
59
+ - Leveraged FedRAMP services (IaaS/PaaS) and their authorization status
60
+ - Inherited controls from leveraged services must be documented in CIS/CRM workbook
61
+
62
+ ### Section 9: Laws, Regulations, Standards (Appendix B)
63
+ - Required attachment: SSP Appendix B (Laws & Regulations) — use the FedRAMP template
64
+ - Lists applicable federal laws (FISMA, Privacy Act, etc.)
65
+ - May include agency-specific requirements (HIPAA, CJIS if applicable)
66
+
67
+ ### Section 10: Minimum Security Controls
68
+ **The largest section — one narrative per control.**
69
+
70
+ For each control in the applicable baseline:
71
+
72
+ ```
73
+ [Control ID] [Control Name]
74
+ Implementation Status: Implemented | Partially Implemented | Planned | Not Applicable | Alternative Implementation
75
+
76
+ [Control Implementation Statement]
77
+ Describe HOW the control is implemented. Be specific:
78
+ - What tool, policy, or process implements this control?
79
+ - Who is responsible?
80
+ - Where is the evidence?
81
+ - For shared controls: what is the CSP responsibility vs. customer responsibility?
82
+
83
+ Customer Responsibility (if applicable):
84
+ [Describe what the customer/agency must do]
85
+ ```
86
+
87
+ **Writing tips:**
88
+ - Address every verb in the control requirement — if the control says "monitor and record," describe both monitoring AND recording
89
+ - Reference specific policy document names, tool names, configuration settings
90
+ - For inherited controls from FedRAMP IaaS/PaaS: state "This control is fully/partially inherited from [Provider]. See CIS/CRM workbook."
91
+ - Mark unimplemented controls as "Planned" and ensure they appear in POA&M
92
+
93
+ ### SSP Appendices (A through Q)
94
+
95
+ | Appendix | Content | Required? |
96
+ |---|---|---|
97
+ | A | Acronyms & Glossary | Yes |
98
+ | B | Related Laws & Regulations (Attachment 12) | Yes |
99
+ | C | Security Policies & Procedures | Yes (CSP-authored) |
100
+ | D | User Guide | Yes |
101
+ | E | Rules of Behavior | Yes (FedRAMP template) |
102
+ | F | IT Contingency Plan | Yes (FedRAMP ISCP template, updated Dec 2024) |
103
+ | G | Configuration Management Plan | Yes (CSP-authored) |
104
+ | H | Incident Response Plan | Yes (CSP-authored) |
105
+ | I | Control Implementation Summary (CIS) / CRM Workbook | Yes (FedRAMP template) |
106
+ | J | FIPS 199 Categorization | Yes |
107
+ | K | Integrated Inventory Workbook (IIW) | Yes (FedRAMP template, updated Dec 2024) |
108
+ | L | Cryptographic Modules Table | Yes |
109
+ | M | Continuous Monitoring Plan | Yes |
110
+ | N | Separation of Duties Matrix | Conditional |
111
+ | O | POA&M | Yes (FedRAMP template) |
112
+ | P | Supply Chain Risk Management Plan | Yes (Rev 5) |
113
+ | Q | Privacy Impact Assessment (PIA) | If PII in scope |
114
+
115
+ ---
116
+
117
+ ## SSP Quality Checklist
118
+
119
+ Before submitting, verify:
120
+ - [ ] All controls for the applicable baseline have implementation statements
121
+ - [ ] No controls describe future/planned state as currently implemented
122
+ - [ ] All "Planned" controls appear in POA&M
123
+ - [ ] Architecture diagrams and control narratives are consistent
124
+ - [ ] External connections table matches the data flow diagrams
125
+ - [ ] CIS/CRM workbook is complete for all shared/inherited controls
126
+ - [ ] IIW lists every asset in the boundary
127
+ - [ ] Cryptographic modules table lists all FIPS 140-2/3 validated modules in use
128
+ - [ ] All required appendices (C through Q as applicable) are attached
129
+ - [ ] SSP Appendix A-12 is the current FedRAMP Laws & Regulations template
@@ -1,192 +1,192 @@
1
- # Consent Notice / Cookie Banner Template
2
-
3
- ## Legal Basis
4
- Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
5
- ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
6
-
7
- ---
8
-
9
- ## Consent Requirements Checklist (Art. 7)
10
- - [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
11
- - [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
12
- - [ ] **Informed**: Clear plain-language explanation before consent given
13
- - [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
14
- - [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
15
- - [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
16
- - [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
17
-
18
- ---
19
-
20
- ## Cookie Banner — Required Elements
21
-
22
- ### Layer 1 (Initial Banner)
23
- ```
24
- We use cookies to [improve your experience / personalise content / analyse traffic].
25
- [ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
26
-
27
- [Link to Cookie Policy]
28
- ```
29
-
30
- **Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
31
- pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
32
-
33
- ### Layer 2 (Preference Centre)
34
- Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
35
- | Category | Description | Default |
36
- |----------|-------------|---------|
37
- | Strictly Necessary | Required for site function — no consent needed | Always ON |
38
- | Analytics | [Provider, purpose] | OFF |
39
- | Marketing | [Provider, purpose] | OFF |
40
- | Personalisation | [Provider, purpose] | OFF |
41
-
42
- ### Consent Record to Store
43
- ```json
44
- {
45
- "userId": "...",
46
- "consentTimestamp": "ISO-8601",
47
- "consentVersion": "v1.2",
48
- "purposes": {
49
- "analytics": true,
50
- "marketing": false
51
- },
52
- "method": "explicit-click",
53
- "ipAddress": "[pseudonymised or omit]"
54
- }
55
- ```
56
-
57
- ---
58
- ---
59
-
60
- # DPIA Template (Data Protection Impact Assessment)
61
-
62
- ## Legal Basis
63
- Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
64
- Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
65
-
66
- ## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
67
- - Systematic and extensive profiling
68
- - Large-scale special category data (Art. 9)
69
- - Systematic monitoring of public areas
70
- - New technologies
71
- - Automated decision-making with legal/significant effects (Art. 22)
72
- - Children's data at scale
73
- - Data matching / combining datasets
74
-
75
- ---
76
-
77
- ## DPIA Structure
78
-
79
- ### 1. Description of Processing (Art. 35(7)(a))
80
- - **System / project name**: [NAME]
81
- - **Controller**: [NAME + DPO if applicable]
82
- - **Nature of processing**: [What operations are performed on the data]
83
- - **Scope**: [Volume, frequency, geographic reach]
84
- - **Context**: [Who are the data subjects; their vulnerability level]
85
- - **Purpose**: [What is the legitimate aim]
86
- - **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
87
-
88
- ### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
89
- Assess whether processing is:
90
- - **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
91
- - **Proportionate** — do the benefits outweigh the risks to individuals?
92
- - **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
93
-
94
- ### 3. Risk Assessment (Art. 35(7)(c))
95
- For each identified risk:
96
- | Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
97
- |------|-----------------|---------------|-----------|------------|
98
- | Unauthorised access | 2 | 3 | High | Encryption, access controls |
99
- | Function creep | 1 | 2 | Medium | Purpose limitation controls |
100
- | Re-identification | 2 | 3 | High | Pseudonymisation |
101
-
102
- ### 4. Measures to Address Risks (Art. 35(7)(d))
103
- For each High/Medium risk:
104
- - Technical measure: [DESCRIBE]
105
- - Organisational measure: [DESCRIBE]
106
- - Residual risk after mitigation: [Low/Medium/High]
107
-
108
- ### 5. DPO / Stakeholder Sign-off (Art. 35(2))
109
- - DPO consulted: Yes / No — DPO opinion: [ATTACH]
110
- - Data subjects consulted (where appropriate): Yes / No
111
- - Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
112
-
113
- ---
114
- ---
115
-
116
- # Data Retention Policy Template
117
-
118
- ## Legal Basis
119
- Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
120
- Art. 17 — right to erasure triggers where retention period expired.
121
-
122
- ---
123
-
124
- ## Retention Schedule
125
-
126
- | Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
127
- |--------------|-----------------|-----------------|--------------|----------------|
128
- | Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
129
- | Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
130
- | Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
131
- | Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
132
- | CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
133
- | Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
134
- | Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
135
-
136
- ---
137
-
138
- ## Operational Requirements
139
- - Automated deletion jobs should run [FREQUENCY] against retention schedule
140
- - Backups must be included in retention policy — purge from backups within [X] days of primary deletion
141
- - Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
142
- - Retention schedule reviewed: annually or upon material change to processing
143
-
144
- ---
145
- ---
146
-
147
- # Data Subject Rights Procedure
148
-
149
- ## Legal Basis
150
- Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
151
-
152
- ---
153
-
154
- ## Rights Summary
155
-
156
- | Right | Article | When Applicable | Response Time |
157
- |-------|---------|----------------|--------------|
158
- | Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
159
- | Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
160
- | Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
161
- | Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
162
- | Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
163
- | Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
164
- | No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
165
-
166
- ---
167
-
168
- ## Request Handling Process
169
-
170
- 1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
171
- 2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
172
- 3. **Log**: Record date received, type of request, handler assigned.
173
- 4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
174
- 5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
175
- 6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
176
- 7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
177
-
178
- ## Exemptions to Document
179
- - Legal claims (Art. 17(3)(e))
180
- - Freedom of expression (Art. 17(3)(a))
181
- - Public interest archiving (Art. 17(3)(d))
182
- - Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
183
-
184
- ---
185
-
186
- ## SLA & Escalation
187
- - Day 0: Request received and logged
188
- - Day 3: Identity verified; request categorised
189
- - Day 20: Draft response reviewed by DPO/legal
190
- - Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
191
- - Day 30: Statutory deadline
192
- - Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))
1
+ # Consent Notice / Cookie Banner Template
2
+
3
+ ## Legal Basis
4
+ Art. 7 (conditions for consent), Art. 4(11) (definition of consent), Recitals 32, 42–43.
5
+ ePrivacy Directive Art. 5(3) additionally applies to cookies/device storage.
6
+
7
+ ---
8
+
9
+ ## Consent Requirements Checklist (Art. 7)
10
+ - [ ] **Freely given**: No bundling with service terms; genuine choice with no detriment (Art. 7(4))
11
+ - [ ] **Specific**: Separate consent for each distinct purpose (Recital 43)
12
+ - [ ] **Informed**: Clear plain-language explanation before consent given
13
+ - [ ] **Unambiguous**: Affirmative act required — no pre-ticked boxes (Recital 32)
14
+ - [ ] **Withdrawable**: "As easy to withdraw as to give" (Art. 7(3)); withdrawal does not affect prior processing
15
+ - [ ] **Documented**: Record of when, how, and what consented to (Art. 7(1))
16
+ - [ ] **Age verified**: Under-16 requires parental consent (Art. 8; check Member State derogation 13–16)
17
+
18
+ ---
19
+
20
+ ## Cookie Banner — Required Elements
21
+
22
+ ### Layer 1 (Initial Banner)
23
+ ```
24
+ We use cookies to [improve your experience / personalise content / analyse traffic].
25
+ [ACCEPT ALL] [REJECT ALL] [MANAGE PREFERENCES]
26
+
27
+ [Link to Cookie Policy]
28
+ ```
29
+
30
+ **Critical**: "Accept" and "Reject" must be equally prominent. Dark patterns (hiding reject,
31
+ pre-selected toggles) violate Art. 7 and Art. 5(1)(a) (fairness).
32
+
33
+ ### Layer 2 (Preference Centre)
34
+ Group cookies by purpose; each requires a separate opt-in toggle defaulting to OFF:
35
+ | Category | Description | Default |
36
+ |----------|-------------|---------|
37
+ | Strictly Necessary | Required for site function — no consent needed | Always ON |
38
+ | Analytics | [Provider, purpose] | OFF |
39
+ | Marketing | [Provider, purpose] | OFF |
40
+ | Personalisation | [Provider, purpose] | OFF |
41
+
42
+ ### Consent Record to Store
43
+ ```json
44
+ {
45
+ "userId": "...",
46
+ "consentTimestamp": "ISO-8601",
47
+ "consentVersion": "v1.2",
48
+ "purposes": {
49
+ "analytics": true,
50
+ "marketing": false
51
+ },
52
+ "method": "explicit-click",
53
+ "ipAddress": "[pseudonymised or omit]"
54
+ }
55
+ ```
56
+
57
+ ---
58
+ ---
59
+
60
+ # DPIA Template (Data Protection Impact Assessment)
61
+
62
+ ## Legal Basis
63
+ Art. 35 GDPR — mandatory when processing is "likely to result in a high risk" to individuals.
64
+ Art. 35(3) lists mandatory triggers; supervisory authorities publish lists (Art. 35(4)).
65
+
66
+ ## When Required (Art. 35(3) + WP29/EDPB guidance — any 2+ of these factors)
67
+ - Systematic and extensive profiling
68
+ - Large-scale special category data (Art. 9)
69
+ - Systematic monitoring of public areas
70
+ - New technologies
71
+ - Automated decision-making with legal/significant effects (Art. 22)
72
+ - Children's data at scale
73
+ - Data matching / combining datasets
74
+
75
+ ---
76
+
77
+ ## DPIA Structure
78
+
79
+ ### 1. Description of Processing (Art. 35(7)(a))
80
+ - **System / project name**: [NAME]
81
+ - **Controller**: [NAME + DPO if applicable]
82
+ - **Nature of processing**: [What operations are performed on the data]
83
+ - **Scope**: [Volume, frequency, geographic reach]
84
+ - **Context**: [Who are the data subjects; their vulnerability level]
85
+ - **Purpose**: [What is the legitimate aim]
86
+ - **Lawful basis**: Art. 6(1)[X]; Art. 9(2)[X] if special category
87
+
88
+ ### 2. Necessity and Proportionality Assessment (Art. 35(7)(b))
89
+ Assess whether processing is:
90
+ - **Necessary** for the purpose — could the purpose be achieved with less/no personal data?
91
+ - **Proportionate** — do the benefits outweigh the risks to individuals?
92
+ - **Compliant** with data minimisation (Art. 5(1)(c)), purpose limitation (Art. 5(1)(b))
93
+
94
+ ### 3. Risk Assessment (Art. 35(7)(c))
95
+ For each identified risk:
96
+ | Risk | Likelihood (1–3) | Severity (1–3) | Risk Score | Mitigation |
97
+ |------|-----------------|---------------|-----------|------------|
98
+ | Unauthorised access | 2 | 3 | High | Encryption, access controls |
99
+ | Function creep | 1 | 2 | Medium | Purpose limitation controls |
100
+ | Re-identification | 2 | 3 | High | Pseudonymisation |
101
+
102
+ ### 4. Measures to Address Risks (Art. 35(7)(d))
103
+ For each High/Medium risk:
104
+ - Technical measure: [DESCRIBE]
105
+ - Organisational measure: [DESCRIBE]
106
+ - Residual risk after mitigation: [Low/Medium/High]
107
+
108
+ ### 5. DPO / Stakeholder Sign-off (Art. 35(2))
109
+ - DPO consulted: Yes / No — DPO opinion: [ATTACH]
110
+ - Data subjects consulted (where appropriate): Yes / No
111
+ - Outcome: ✅ Proceed | ⚠️ Proceed with conditions | 🔴 Prior consultation with SA required (Art. 36)
112
+
113
+ ---
114
+ ---
115
+
116
+ # Data Retention Policy Template
117
+
118
+ ## Legal Basis
119
+ Art. 5(1)(e) — storage limitation: data kept no longer than necessary for purpose.
120
+ Art. 17 — right to erasure triggers where retention period expired.
121
+
122
+ ---
123
+
124
+ ## Retention Schedule
125
+
126
+ | Data Category | Business Purpose | Retention Period | Lawful Basis | Deletion Method |
127
+ |--------------|-----------------|-----------------|--------------|----------------|
128
+ | Customer account data | Service provision | Duration of contract + 2 years | Contract (Art. 6(1)(b)) | Secure deletion |
129
+ | Marketing preferences | Direct marketing | Until withdrawal of consent | Consent (Art. 6(1)(a)) | Anonymisation |
130
+ | Transaction records | Financial/legal obligations | 7 years | Legal obligation (Art. 6(1)(c)) | Secure archival then deletion |
131
+ | Employee records | Employment law | Duration + 6 years | Legal obligation | Secure deletion |
132
+ | CCTV footage | Security | 30 days | Legitimate interests (Art. 6(1)(f)) | Automatic overwrite |
133
+ | Server/access logs | Security monitoring | 90 days | Legitimate interests | Automated purge |
134
+ | Consent records | Compliance evidence | 3 years after withdrawal | Legal obligation | Retain in audit log |
135
+
136
+ ---
137
+
138
+ ## Operational Requirements
139
+ - Automated deletion jobs should run [FREQUENCY] against retention schedule
140
+ - Backups must be included in retention policy — purge from backups within [X] days of primary deletion
141
+ - Exceptions process: legal hold procedure for litigation/investigation (suspend deletion)
142
+ - Retention schedule reviewed: annually or upon material change to processing
143
+
144
+ ---
145
+ ---
146
+
147
+ # Data Subject Rights Procedure
148
+
149
+ ## Legal Basis
150
+ Arts. 15–22 (individual rights), Art. 12 (modalities — response within 1 month, extendable by 2 months).
151
+
152
+ ---
153
+
154
+ ## Rights Summary
155
+
156
+ | Right | Article | When Applicable | Response Time |
157
+ |-------|---------|----------------|--------------|
158
+ | Access (SAR) | Art. 15 | Always (with exceptions) | 1 month (Art. 12(3)) |
159
+ | Rectification | Art. 16 | Inaccurate/incomplete data | 1 month |
160
+ | Erasure | Art. 17 | Consent withdrawn; no longer necessary; unlawful processing | 1 month |
161
+ | Restriction | Art. 18 | Accuracy contested; objection pending; unlawful but subject wants restriction | 1 month |
162
+ | Portability | Art. 20 | Consent or contract basis; automated processing only | 1 month |
163
+ | Object | Art. 21 | Legitimate interests or public task basis; direct marketing (absolute) | Immediately for direct marketing |
164
+ | No automated decisions | Art. 22 | Solely automated decisions with legal/significant effect | 1 month |
165
+
166
+ ---
167
+
168
+ ## Request Handling Process
169
+
170
+ 1. **Receive**: Accept requests via [EMAIL / WEB FORM / POST]. Identity verification required — proportionate to risk; do not request excessive info (Art. 12(6)).
171
+ 2. **Verify identity**: [METHOD — e.g., match against account details; 2FA confirmation]
172
+ 3. **Log**: Record date received, type of request, handler assigned.
173
+ 4. **Assess**: Determine if exemptions apply (e.g., Art. 17(3) — overriding legal obligation prevents erasure).
174
+ 5. **Respond**: Within **one calendar month** of receipt (Art. 12(3)). If extending, notify requester within first month with reason (Art. 12(3)).
175
+ 6. **Response must be**: Free of charge (Art. 12(5)); in concise, plain language (Art. 12(1)); in writing or by electronic means where requested.
176
+ 7. **Refusal**: If request is refused, inform subject of reasons and right to complain to SA and seek judicial remedy (Art. 12(4)).
177
+
178
+ ## Exemptions to Document
179
+ - Legal claims (Art. 17(3)(e))
180
+ - Freedom of expression (Art. 17(3)(a))
181
+ - Public interest archiving (Art. 17(3)(d))
182
+ - Manifestly unfounded or excessive requests — can charge fee or refuse (Art. 12(5))
183
+
184
+ ---
185
+
186
+ ## SLA & Escalation
187
+ - Day 0: Request received and logged
188
+ - Day 3: Identity verified; request categorised
189
+ - Day 20: Draft response reviewed by DPO/legal
190
+ - Day 28: Response sent (allowing 2 days buffer before Day 30 deadline)
191
+ - Day 30: Statutory deadline
192
+ - Extension notice must go out by Day 30 if needed, citing complex/numerous requests (Art. 12(3))