bmad-plus 0.9.0 → 0.9.2
- package/CHANGELOG.md +36 -0
- package/LICENSE +21 -21
- package/README.md +106 -86
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +8 -3
- package/readme-international/README.es.md +8 -3
- package/readme-international/README.fr.md +8 -3
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +23 -59
- package/tools/cli/commands/doctor.js +14 -0
- package/tools/cli/commands/install.js +29 -128
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +44 -42
- package/tools/cli/commands/uninstall.js +10 -5
- package/tools/cli/commands/update.js +21 -3
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +0 -1
- package/tools/cli/lib/pack-copy.js +84 -84
- package/tools/cli/lib/packs.js +16 -8
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +50 -0
|
@@ -1,135 +1,135 @@
|
|
|
1
|
-
# NIST CSF 2.0 — Implementation Tiers
|
|
2
|
-
|
|
3
|
-
Source: NIST Cybersecurity Framework 2.0, Section 3.2 (February 2024)
|
|
4
|
-
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
## Overview
|
|
8
|
-
|
|
9
|
-
Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the CSF. They provide context for how an organization views cybersecurity risk management and the processes in place to manage risk.
|
|
10
|
-
|
|
11
|
-
**Key principles:**
|
|
12
|
-
- Tiers are **not maturity levels** — there is no requirement to advance to Tier 4
|
|
13
|
-
- Tier selection should reflect the organization's goals, legal/regulatory requirements, and risk reduction objectives
|
|
14
|
-
- Moving to a higher tier is appropriate only when it would reduce cybersecurity risk at a justifiable cost
|
|
15
|
-
- Organizations should operate at the tier appropriate for their risk environment — not the highest achievable tier
|
|
16
|
-
|
|
17
|
-
---
|
|
18
|
-
|
|
19
|
-
## The Four Tiers
|
|
20
|
-
|
|
21
|
-
### Tier 1 — Partial
|
|
22
|
-
|
|
23
|
-
**Risk Management Process**: Cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
|
|
24
|
-
|
|
25
|
-
**Integrated Risk Management Program**: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.
|
|
26
|
-
|
|
27
|
-
**External Participation**: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not have the processes in place to participate in coordination or collaboration with other entities.
|
|
28
|
-
|
|
29
|
-
**Diagnostic indicators of Tier 1:**
|
|
30
|
-
- No formal cybersecurity policy exists or it has not been approved by leadership
|
|
31
|
-
- Asset inventories are incomplete or inconsistently maintained
|
|
32
|
-
- Risk assessments are performed reactively (after incidents, not proactively)
|
|
33
|
-
- No defined roles or responsibilities for cybersecurity
|
|
34
|
-
- Incident response is ad hoc with no documented plan
|
|
35
|
-
- Supply chain risks are not considered
|
|
36
|
-
|
|
37
|
-
---
|
|
38
|
-
|
|
39
|
-
### Tier 2 — Risk-Informed
|
|
40
|
-
|
|
41
|
-
**Risk Management Process**: Risk management practices are approved by management but may not be established as organisational-wide policy. The prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
|
|
42
|
-
|
|
43
|
-
**Integrated Risk Management Program**: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation.
|
|
44
|
-
|
|
45
|
-
**External Participation**: The organisation knows its role in the larger ecosystem with respect to its own dependencies, but has not formalised its capabilities to interact and share information externally.
|
|
46
|
-
|
|
47
|
-
**Diagnostic indicators of Tier 2:**
|
|
48
|
-
- Cybersecurity policy exists and is management-approved, but inconsistently followed
|
|
49
|
-
- Risk assessments are performed but not on a regular schedule
|
|
50
|
-
- Asset inventory is maintained but may have gaps
|
|
51
|
-
- Roles for cybersecurity exist but accountability is not enforced
|
|
52
|
-
- Incident response plan exists but has not been tested
|
|
53
|
-
- Supply chain risk considered for some but not all suppliers
|
|
54
|
-
|
|
55
|
-
---
|
|
56
|
-
|
|
57
|
-
### Tier 3 — Repeatable
|
|
58
|
-
|
|
59
|
-
**Risk Management Process**: The organisation's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
|
|
60
|
-
|
|
61
|
-
**Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of assets.
|
|
62
|
-
|
|
63
|
-
**External Participation**: The organisation understands its dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from supply chain partners, which enables prioritisation and validation of cybersecurity risk management activities.
|
|
64
|
-
|
|
65
|
-
**Diagnostic indicators of Tier 3:**
|
|
66
|
-
- Formal cybersecurity policy is enforced organisation-wide
|
|
67
|
-
- Risk assessments are conducted on a regular, defined schedule
|
|
68
|
-
- Asset inventory is comprehensive and actively maintained
|
|
69
|
-
- Defined roles with accountability metrics; performance reviewed
|
|
70
|
-
- Incident response plan is documented, tested, and updated
|
|
71
|
-
- Third-party risk is formally assessed for all critical suppliers
|
|
72
|
-
- Cybersecurity metrics are reported to leadership
|
|
73
|
-
|
|
74
|
-
---
|
|
75
|
-
|
|
76
|
-
### Tier 4 — Adaptive
|
|
77
|
-
|
|
78
|
-
**Risk Management Process**: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
|
|
79
|
-
|
|
80
|
-
**Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on organisational systems and networks. The organisation can quickly and efficiently account for new knowledge to continuously improve security practices and integrate into risk management practices.
|
|
81
|
-
|
|
82
|
-
**External Participation**: The organisation receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally on a routine basis. The organisation uses real-time or near real-time information to understand and consistently act upon supply chain risks throughout the technology product and service lifecycle. The organisation communicates proactively, using formal and informal mechanisms, to develop and maintain strong supply chain relationships.
|
|
83
|
-
|
|
84
|
-
**Diagnostic indicators of Tier 4:**
|
|
85
|
-
- Cybersecurity risk management is embedded in organisational culture
|
|
86
|
-
- Threat intelligence is operationalised and feeds real-time risk decisions
|
|
87
|
-
- Continuous monitoring with automated anomaly detection
|
|
88
|
-
- Lessons learned from incidents systematically improve controls
|
|
89
|
-
- Active participation in information sharing communities (ISACs, etc.)
|
|
90
|
-
- Supply chain risk managed in real time across the full lifecycle
|
|
91
|
-
- Cybersecurity KPIs drive leadership strategy decisions
|
|
92
|
-
|
|
93
|
-
---
|
|
94
|
-
|
|
95
|
-
## Tier Assessment Guide
|
|
96
|
-
|
|
97
|
-
When assessing an organisation's current tier, evaluate these three dimensions:
|
|
98
|
-
|
|
99
|
-
### Dimension 1: Risk Management Process
|
|
100
|
-
Ask:
|
|
101
|
-
- Is cybersecurity risk management ad hoc (Tier 1), management-approved (Tier 2), policy-formalised (Tier 3), or continuously adapting (Tier 4)?
|
|
102
|
-
- Are risk assessments conducted reactively, periodically, or continuously?
|
|
103
|
-
- Is there a documented risk management methodology consistently applied?
|
|
104
|
-
|
|
105
|
-
### Dimension 2: Integrated Risk Management Program
|
|
106
|
-
Ask:
|
|
107
|
-
- Is cybersecurity risk managed in silos or integrated into enterprise risk management?
|
|
108
|
-
- Does cybersecurity risk information flow to leadership on a regular basis?
|
|
109
|
-
- Are cybersecurity objectives aligned with business objectives?
|
|
110
|
-
|
|
111
|
-
### Dimension 3: External Participation
|
|
112
|
-
Ask:
|
|
113
|
-
- Does the organisation know which external entities it depends on and which depend on it?
|
|
114
|
-
- Does the organisation participate in threat intelligence sharing?
|
|
115
|
-
- Is supply chain risk actively managed across all critical third parties?
|
|
116
|
-
|
|
117
|
-
---
|
|
118
|
-
|
|
119
|
-
## Tier Advancement Guidance
|
|
120
|
-
|
|
121
|
-
Advancing tiers requires sustained investment. Common barriers and enablers:
|
|
122
|
-
|
|
123
|
-
| From → To | Common Barriers | Key Enablers |
|
|
124
|
-
|-----------|----------------|-------------|
|
|
125
|
-
| 1 → 2 | No leadership buy-in, no budget | Tie first risk assessment to a business event (audit, incident, M&A) |
|
|
126
|
-
| 2 → 3 | Inconsistent enforcement, siloed teams | Embed cybersecurity in HR processes; create organisation-wide policy with enforcement |
|
|
127
|
-
| 3 → 4 | Technology and process gaps, culture | Implement threat intelligence feeds; automate monitoring; build continuous improvement loops |
|
|
128
|
-
|
|
129
|
-
**Recommended starting sequence for Tier 1 → 2 transition:**
|
|
130
|
-
1. GV.OC-01 — Document the organisational mission and cybersecurity context
|
|
131
|
-
2. GV.RM-01, GV.RM-02 — Establish risk management objectives and risk tolerance
|
|
132
|
-
3. ID.AM-01, ID.AM-02 — Build asset inventories
|
|
133
|
-
4. GV.RR-02 — Define cybersecurity roles and responsibilities
|
|
134
|
-
5. GV.PO-01 — Establish and communicate a cybersecurity policy
|
|
135
|
-
6. ID.RA-03, ID.RA-04 — Perform an initial risk assessment
|
|
1
|
+
# NIST CSF 2.0 — Implementation Tiers
|
|
2
|
+
|
|
3
|
+
Source: NIST Cybersecurity Framework 2.0, Section 3.2 (February 2024)
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## Overview
|
|
8
|
+
|
|
9
|
+
Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the CSF. They provide context for how an organization views cybersecurity risk management and the processes in place to manage risk.
|
|
10
|
+
|
|
11
|
+
**Key principles:**
|
|
12
|
+
- Tiers are **not maturity levels** — there is no requirement to advance to Tier 4
|
|
13
|
+
- Tier selection should reflect the organization's goals, legal/regulatory requirements, and risk reduction objectives
|
|
14
|
+
- Moving to a higher tier is appropriate only when it would reduce cybersecurity risk at a justifiable cost
|
|
15
|
+
- Organizations should operate at the tier appropriate for their risk environment — not the highest achievable tier
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## The Four Tiers
|
|
20
|
+
|
|
21
|
+
### Tier 1 — Partial
|
|
22
|
+
|
|
23
|
+
**Risk Management Process**: Cybersecurity risk management practices are not formalised, and risk is managed in an ad hoc and sometimes reactive manner. Prioritisation of cybersecurity activities may not be directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
|
|
24
|
+
|
|
25
|
+
**Integrated Risk Management Program**: There is limited awareness of cybersecurity risk at the organisational level. The organisation implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organisation may not have processes that enable cybersecurity information to be shared within the organisation.
|
|
26
|
+
|
|
27
|
+
**External Participation**: The organisation does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organisation does not have the processes in place to participate in coordination or collaboration with other entities.
|
|
28
|
+
|
|
29
|
+
**Diagnostic indicators of Tier 1:**
|
|
30
|
+
- No formal cybersecurity policy exists or it has not been approved by leadership
|
|
31
|
+
- Asset inventories are incomplete or inconsistently maintained
|
|
32
|
+
- Risk assessments are performed reactively (after incidents, not proactively)
|
|
33
|
+
- No defined roles or responsibilities for cybersecurity
|
|
34
|
+
- Incident response is ad hoc with no documented plan
|
|
35
|
+
- Supply chain risks are not considered
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
### Tier 2 — Risk-Informed
|
|
40
|
+
|
|
41
|
+
**Risk Management Process**: Risk management practices are approved by management but may not be established as organisational-wide policy. The prioritisation of cybersecurity activities and protection needs is directly informed by organisational risk objectives, the threat environment, or business/mission requirements.
|
|
42
|
+
|
|
43
|
+
**Integrated Risk Management Program**: There is an awareness of cybersecurity risk at the organisational level, but an organisation-wide approach to managing cybersecurity risk has not been established. Cybersecurity information is shared within the organisation on an informal basis. Consideration of cybersecurity in organisational objectives and programs may occur at some but not all levels of the organisation.
|
|
44
|
+
|
|
45
|
+
**External Participation**: The organisation knows its role in the larger ecosystem with respect to its own dependencies, but has not formalised its capabilities to interact and share information externally.
|
|
46
|
+
|
|
47
|
+
**Diagnostic indicators of Tier 2:**
|
|
48
|
+
- Cybersecurity policy exists and is management-approved, but inconsistently followed
|
|
49
|
+
- Risk assessments are performed but not on a regular schedule
|
|
50
|
+
- Asset inventory is maintained but may have gaps
|
|
51
|
+
- Roles for cybersecurity exist but accountability is not enforced
|
|
52
|
+
- Incident response plan exists but has not been tested
|
|
53
|
+
- Supply chain risk considered for some but not all suppliers
|
|
54
|
+
|
|
55
|
+
---
|
|
56
|
+
|
|
57
|
+
### Tier 3 — Repeatable
|
|
58
|
+
|
|
59
|
+
**Risk Management Process**: The organisation's risk management practices are formally approved and expressed as policy. Cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
|
|
60
|
+
|
|
61
|
+
**Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organisation consistently and accurately monitors cybersecurity risk of assets.
**External Participation**: The organisation understands its dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from supply chain partners, which enables prioritisation and validation of cybersecurity risk management activities.
**Diagnostic indicators of Tier 3:**
- Formal cybersecurity policy is enforced organisation-wide
- Risk assessments are conducted on a regular, defined schedule
- Asset inventory is comprehensive and actively maintained
- Defined roles with accountability metrics; performance reviewed
- Incident response plan is documented, tested, and updated
- Third-party risk is formally assessed for all critical suppliers
- Cybersecurity metrics are reported to leadership
---
### Tier 4 — Adaptive
**Risk Management Process**: The organisation adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
**Integrated Risk Management Program**: There is an organisation-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organisational culture and evolves from an awareness of previous activities and continuous awareness of activities on organisational systems and networks. The organisation can quickly and efficiently account for new knowledge to continuously improve security practices and integrate into risk management practices.
**External Participation**: The organisation receives, generates, and reviews prioritised information that informs continuous analysis of its risks as the threat and technology landscapes evolve. The organisation shares that information internally and externally on a routine basis. The organisation uses real-time or near real-time information to understand and consistently act upon supply chain risks throughout the technology product and service lifecycle. The organisation communicates proactively, using formal and informal mechanisms, to develop and maintain strong supply chain relationships.
**Diagnostic indicators of Tier 4:**
- Cybersecurity risk management is embedded in organisational culture
- Threat intelligence is operationalised and feeds real-time risk decisions
- Continuous monitoring with automated anomaly detection
- Lessons learned from incidents systematically improve controls
- Active participation in information sharing communities (ISACs, etc.)
- Supply chain risk managed in real time across the full lifecycle
- Cybersecurity KPIs drive leadership strategy decisions
---
## Tier Assessment Guide
When assessing an organisation's current tier, evaluate these three dimensions:
### Dimension 1: Risk Management Process
Ask:
- Is cybersecurity risk management ad hoc (Tier 1), management-approved (Tier 2), policy-formalised (Tier 3), or continuously adapting (Tier 4)?
- Are risk assessments conducted reactively, periodically, or continuously?
- Is there a documented risk management methodology consistently applied?
### Dimension 2: Integrated Risk Management Program
Ask:
- Is cybersecurity risk managed in silos or integrated into enterprise risk management?
- Does cybersecurity risk information flow to leadership on a regular basis?
- Are cybersecurity objectives aligned with business objectives?
### Dimension 3: External Participation
Ask:
- Does the organisation know which external entities it depends on and which depend on it?
- Does the organisation participate in threat intelligence sharing?
- Is supply chain risk actively managed across all critical third parties?
---
## Tier Advancement Guidance
Advancing tiers requires sustained investment. Common barriers and enablers:
| From → To | Common Barriers | Key Enablers |
|-----------|----------------|-------------|
| 1 → 2 | No leadership buy-in, no budget | Tie first risk assessment to a business event (audit, incident, M&A) |
| 2 → 3 | Inconsistent enforcement, siloed teams | Embed cybersecurity in HR processes; create organisation-wide policy with enforcement |
| 3 → 4 | Technology and process gaps, culture | Implement threat intelligence feeds; automate monitoring; build continuous improvement loops |
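
Review bot: the advancement table (rows 1 → 2 through 3 → 4) and the lead sentence "Advancing tiers requires sustained investment" read as if every organisation should climb to Tier 4, which is not how NIST CSF 2.0 Appendix B frames the Tiers: they characterise the rigour of cybersecurity risk governance and management practice, are explicitly not maturity levels, and moving to a higher Tier is recommended only where risk exposure, a mandate or a cost-benefit analysis justifies it. Suggest one caveat line above the table, for example "Tiers are not maturity levels; choose the Target Tier from the organisation's risk appetite and obligations rather than defaulting to Tier 4", so that the Tier Assessment Guide's "current tier" is read against a deliberately chosen target.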
**Recommended starting sequence for Tier 1 → 2 transition:**
1. GV.OC-01 — Document the organisational mission and cybersecurity context
2. GV.RM-01, GV.RM-02 — Establish risk management objectives and risk tolerance
3. ID.AM-01, ID.AM-02 — Build asset inventories
4. GV.RR-02 — Define cybersecurity roles and responsibilities
5. GV.PO-01 — Establish and communicate a cybersecurity policy
6. ID.RA-03, ID.RA-04 — Perform an initial risk assessment
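
Review bot: step 6 maps "Perform an initial risk assessment" to ID.RA-03 and ID.RA-04 only (threats identified; impacts and likelihoods identified), which leaves out the vulnerability input and the step that actually turns those inputs into risk: ID.RA-01 (vulnerabilities in assets are identified, validated and recorded) and ID.RA-05 (threats, vulnerabilities, likelihoods and impacts are used to understand inherent risk and inform risk response prioritisation). Without ID.RA-05 the sequence yields threat and impact lists but no prioritised risk register to test against the tolerance set in step 2 (GV.RM-02). Suggest "6. ID.RA-01, ID.RA-03, ID.RA-04, ID.RA-05 — Perform an initial risk assessment". The asset inventories from step 3 (ID.AM-01, ID.AM-02) are the natural scope for ID.RA-01, which is another reason to place it here rather than leave it implicit.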