erosolar-cli 2.1.238 → 2.1.239

package/dist/core/governmentProcedures.js

@@ -0,0 +1,912 @@
+/**
+ * Government and Law Enforcement Procedures
+ *
+ * Comprehensive procedures for:
+ * - Law enforcement coordination
+ * - Government agency interfaces
+ * - Legal compliance frameworks
+ * - Evidence handling
+ * - Inter-agency cooperation
+ *
+ * For authorized security operations only.
+ */
+// ═══════════════════════════════════════════════════════════════════════════════
+// US FEDERAL AGENCY CONTACTS
+// ═══════════════════════════════════════════════════════════════════════════════
+export const US_FEDERAL_CONTACTS = [
+    {
+        agency: 'Federal Bureau of Investigation',
+        agencyType: 'federal-le',
+        division: 'Cyber Division',
+        contact: {
+            name: 'FBI Cyber Division',
+            title: 'Cyber Task Force',
+            phone: '1-800-CALL-FBI',
+            email: 'cywatch@ic.fbi.gov',
+            secureComms: 'FBI SIPR Portal',
+        },
+        jurisdiction: ['Federal cyber crimes', 'National security', 'Critical infrastructure'],
+        capabilities: ['Digital forensics', 'Malware analysis', 'Attribution', 'International coordination'],
+        responseTime: '24-48 hours for critical',
+        classification: 'secret',
+    },
+    {
+        agency: 'FBI Internet Crime Complaint Center',
+        agencyType: 'federal-le',
+        division: 'IC3',
+        contact: {
+            name: 'IC3',
+            title: 'Internet Crime Complaint Center',
+            phone: 'N/A',
+            email: 'ic3.gov',
+        },
+        jurisdiction: ['Internet crimes', 'Fraud', 'Ransomware'],
+        capabilities: ['Complaint intake', 'Pattern analysis', 'Referrals'],
+        responseTime: 'Varies',
+        classification: 'unclassified',
+    },
+    {
+        agency: 'US Secret Service',
+        agencyType: 'federal-le',
+        division: 'Criminal Investigative Division',
+        contact: {
+            name: 'USSS CID',
+            title: 'Electronic Crimes Task Force',
+            phone: '202-406-5708',
+            email: 'contact via local field office',
+        },
+        jurisdiction: ['Financial crimes', 'Counterfeit', 'Network intrusions affecting financial systems'],
+        capabilities: ['Financial forensics', 'Cryptocurrency tracing', 'ECTF network'],
+        responseTime: '24-72 hours',
+        classification: 'secret',
+    },
+    {
+        agency: 'Cybersecurity and Infrastructure Security Agency',
+        agencyType: 'cisa',
+        division: 'Cybersecurity Division',
+        contact: {
+            name: 'CISA',
+            title: '24/7 Operations Center',
+            phone: '1-888-282-0870',
+            email: 'central@cisa.dhs.gov',
+            secureComms: 'CISA Portal',
+        },
+        jurisdiction: ['Critical infrastructure', 'Federal networks', '.gov domains'],
+        capabilities: ['Incident response', 'Threat intelligence', 'Vulnerability coordination', 'Hunt teams'],
+        responseTime: '2-4 hours for critical',
+        classification: 'secret',
+    },
+    {
+        agency: 'National Security Agency',
+        agencyType: 'intelligence',
+        division: 'Cybersecurity Directorate',
+        contact: {
+            name: 'NSA Cybersecurity',
+            title: 'Cybersecurity Collaboration Center',
+            phone: 'Classified',
+            email: 'cybersecurity_inquiries@nsa.gov',
+            secureComms: 'NSA/CSS classified channels',
+        },
+        jurisdiction: ['National security systems', 'Defense industrial base', 'Foreign threats'],
+        capabilities: ['Signals intelligence', 'Cryptanalysis', 'Advanced threat detection'],
+        responseTime: 'Classified',
+        classification: 'ts-sci',
+    },
+    {
+        agency: 'Department of Justice',
+        agencyType: 'federal-le',
+        division: 'Computer Crime and Intellectual Property Section',
+        contact: {
+            name: 'DOJ CCIPS',
+            title: 'CCIPS',
+            phone: '202-514-1026',
+            email: 'CCIPS.Intake@usdoj.gov',
+        },
+        jurisdiction: ['Federal computer crimes', 'Intellectual property', 'International cybercrime'],
+        capabilities: ['Prosecution', 'Legal guidance', 'MLAT coordination'],
+        responseTime: 'Varies by case',
+        classification: 'secret',
+    },
+    {
+        agency: 'Department of Homeland Security',
+        agencyType: 'federal-le',
+        division: 'Homeland Security Investigations',
+        contact: {
+            name: 'HSI Cyber Crimes Center',
+            title: 'C3',
+            phone: '1-866-DHS-2-ICE',
+            email: 'HSI-Tip-Line@ice.dhs.gov',
+        },
+        jurisdiction: ['Transnational crime', 'Child exploitation', 'Dark web'],
+        capabilities: ['Undercover operations', 'Dark web investigations', 'International partnerships'],
+        responseTime: '24-48 hours',
+        classification: 'secret',
+    },
+    {
+        agency: 'Department of Defense',
+        agencyType: 'military',
+        division: 'US Cyber Command',
+        contact: {
+            name: 'USCYBERCOM',
+            title: 'Cyber National Mission Force',
+            phone: 'Classified',
+            email: 'Classified channels only',
+            secureComms: 'DOD SIPRNET/JWICS',
+        },
+        jurisdiction: ['DOD networks', 'National defense', 'Foreign military threats'],
+        capabilities: ['Offensive cyber', 'Defensive cyber', 'Military operations'],
+        responseTime: 'Mission dependent',
+        classification: 'ts-sci',
+    },
+    {
+        agency: 'Securities and Exchange Commission',
+        agencyType: 'regulatory',
+        division: 'Division of Enforcement',
+        contact: {
+            name: 'SEC Enforcement',
+            title: 'Cyber Unit',
+            phone: '202-551-8090',
+            email: 'enforcement@sec.gov',
+        },
+        jurisdiction: ['Securities fraud', 'Market manipulation', 'Public company breaches'],
+        capabilities: ['Civil enforcement', 'Subpoena power', 'Financial investigation'],
+        responseTime: '1-2 weeks',
+        classification: 'cui',
+    },
+    {
+        agency: 'Federal Trade Commission',
+        agencyType: 'regulatory',
+        division: 'Bureau of Consumer Protection',
+        contact: {
+            name: 'FTC',
+            title: 'Division of Privacy and Identity Protection',
+            phone: '877-FTC-HELP',
+            email: 'reportfraud.ftc.gov',
+        },
+        jurisdiction: ['Consumer protection', 'Privacy violations', 'Data security'],
+        capabilities: ['Civil enforcement', 'Consumer education', 'Industry guidance'],
+        responseTime: '1-4 weeks',
+        classification: 'unclassified',
+    },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// LEGAL FRAMEWORKS
+// ═══════════════════════════════════════════════════════════════════════════════
+export const LEGAL_FRAMEWORKS = [
+    {
+        id: 'cfaa',
+        name: 'Computer Fraud and Abuse Act (18 U.S.C. § 1030)',
+        jurisdiction: 'federal',
+        applicableAgencies: ['federal-le', 'intelligence'],
+        requirements: [
+            {
+                id: 'cfaa-auth',
+                requirement: 'Must have explicit authorization for any access to protected computers',
+                mandatory: true,
+                timeline: 'Before any access',
+                evidence: ['Written authorization', 'Scope documentation', 'Rules of engagement'],
+                verification: 'Legal counsel review',
+            },
+            {
+                id: 'cfaa-scope',
+                requirement: 'Must stay within authorized scope at all times',
+                mandatory: true,
+                timeline: 'During engagement',
+                evidence: ['Activity logs', 'Scope boundaries', 'Deviation documentation'],
+                verification: 'Continuous monitoring',
+            },
+        ],
+        penalties: ['Up to 10 years imprisonment for first offense', 'Up to 20 years for repeat', 'Civil liability'],
+        exemptions: ['Authorized penetration testing', 'Law enforcement with warrant', 'Intelligence activities'],
+        references: ['https://www.law.cornell.edu/uscode/text/18/1030'],
+    },
+    {
+        id: 'ecpa',
+        name: 'Electronic Communications Privacy Act',
+        jurisdiction: 'federal',
+        applicableAgencies: ['federal-le', 'state-le', 'local-le'],
+        requirements: [
+            {
+                id: 'ecpa-wiretap',
+                requirement: 'Wiretap warrant required for real-time interception',
+                mandatory: true,
+                timeline: 'Before interception',
+                evidence: ['Court order', 'Probable cause affidavit'],
+                verification: 'Judicial approval',
+            },
+            {
+                id: 'ecpa-stored',
+                requirement: 'Proper legal process for stored communications',
+                mandatory: true,
+                timeline: 'Before access',
+                evidence: ['Warrant/subpoena/court order as appropriate', 'Provider records'],
+                verification: 'Legal process documentation',
+            },
+        ],
+        penalties: ['Criminal penalties', 'Civil damages', 'Exclusion of evidence'],
+        exemptions: ['Consent', 'Service provider exception', 'Law enforcement with proper process'],
+        references: ['18 U.S.C. § 2510-2522', '18 U.S.C. § 2701-2712'],
+    },
+    {
+        id: 'fisma',
+        name: 'Federal Information Security Modernization Act',
+        jurisdiction: 'federal',
+        applicableAgencies: ['cisa', 'nist', 'contractor'],
+        requirements: [
+            {
+                id: 'fisma-risk',
+                requirement: 'Implement risk-based cybersecurity program',
+                mandatory: true,
+                timeline: 'Continuous',
+                evidence: ['Risk assessment', 'Security plan', 'POA&M'],
+                verification: 'Annual assessment',
+            },
+            {
+                id: 'fisma-incident',
+                requirement: 'Report incidents to CISA',
+                mandatory: true,
+                timeline: 'Within 24 hours for major incidents',
+                evidence: ['Incident report', 'Timeline', 'Impact assessment'],
+                verification: 'CISA confirmation',
+            },
+        ],
+        penalties: ['Agency sanctions', 'Funding impacts', 'Personnel actions'],
+        exemptions: ['National security systems (NSS)'],
+        references: ['44 U.S.C. § 3551-3558'],
+    },
+    {
+        id: 'circia',
+        name: 'Cyber Incident Reporting for Critical Infrastructure Act',
+        jurisdiction: 'federal',
+        applicableAgencies: ['cisa'],
+        requirements: [
+            {
+                id: 'circia-covered',
+                requirement: 'Report covered cyber incidents within 72 hours',
+                mandatory: true,
+                timeline: '72 hours',
+                evidence: ['Incident report', 'Impact assessment', 'IOCs'],
+                verification: 'CISA receipt confirmation',
+            },
+            {
+                id: 'circia-ransom',
+                requirement: 'Report ransomware payments within 24 hours',
+                mandatory: true,
+                timeline: '24 hours',
+                evidence: ['Payment details', 'Attacker demands', 'Decryption status'],
+                verification: 'CISA receipt confirmation',
+            },
+        ],
+        penalties: ['Civil penalties', 'Subpoena for non-compliance'],
+        exemptions: ['Already reported to another federal agency'],
+        references: ['Pub. L. 117-103, Division Y'],
+    },
+    {
+        id: 'hipaa',
+        name: 'Health Insurance Portability and Accountability Act',
+        jurisdiction: 'federal',
+        applicableAgencies: ['regulatory'],
+        requirements: [
+            {
+                id: 'hipaa-breach',
+                requirement: 'Report breaches affecting 500+ individuals to HHS and media',
+                mandatory: true,
+                timeline: '60 days',
+                evidence: ['Breach assessment', 'Notification letters', 'Media notice'],
+                verification: 'HHS portal submission',
+            },
+            {
+                id: 'hipaa-individual',
+                requirement: 'Notify affected individuals',
+                mandatory: true,
+                timeline: '60 days',
+                evidence: ['Notification letters', 'Delivery confirmation'],
+                verification: 'Documentation of notifications',
+            },
+        ],
+        penalties: ['$100-$50,000 per violation', 'Up to $1.5M per year', 'Criminal penalties'],
+        exemptions: ['Encrypted data (safe harbor)', 'Low probability of compromise'],
+        references: ['45 CFR Parts 160, 162, 164'],
+    },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// EVIDENCE HANDLING PROCEDURES
+// ═══════════════════════════════════════════════════════════════════════════════
+export const EVIDENCE_HANDLING_PROCEDURES = [
+    {
+        id: 'digital-forensics',
+        name: 'Digital Evidence Collection',
+        evidenceType: 'Digital media (hard drives, SSDs, USB, mobile devices)',
+        collectionMethod: `
+1. Document scene and device state (photos, notes)
+2. Isolate device from network (Faraday bag for mobile)
+3. Create bit-for-bit forensic image
+4. Calculate and record hash values (SHA-256)
+5. Verify image integrity
+6. Store original evidence in secure location
+7. Work only with forensic copies
+    `,
+        chainOfCustody: [
+            {
+                order: 1,
+                action: 'Initial seizure/collection',
+                responsible: 'Lead investigator',
+                documentation: 'Evidence tag, photo, collection form',
+                verification: 'Witness signature',
+            },
+            {
+                order: 2,
+                action: 'Transport to lab',
+                responsible: 'Evidence custodian',
+                documentation: 'Transport log, sealed evidence bag',
+                verification: 'Chain of custody form',
+            },
+            {
+                order: 3,
+                action: 'Lab intake',
+                responsible: 'Forensic examiner',
+                documentation: 'Intake form, condition assessment',
+                verification: 'Examiner signature',
+            },
+            {
+                order: 4,
+                action: 'Forensic imaging',
+                responsible: 'Forensic examiner',
+                documentation: 'Imaging log, hash values',
+                verification: 'Hash verification',
+            },
+            {
+                order: 5,
+                action: 'Analysis',
+                responsible: 'Forensic examiner',
+                documentation: 'Analysis notes, findings report',
+                verification: 'Peer review',
+            },
+            {
+                order: 6,
+                action: 'Storage/Return',
+                responsible: 'Evidence custodian',
+                documentation: 'Storage location, return form if applicable',
+                verification: 'Final chain of custody entry',
+            },
+        ],
+        storageRequirements: [
+            'Climate-controlled evidence room',
+            'Access logging',
+            '24/7 security',
+            'Backup of forensic images',
+            'Encryption for digital copies',
+        ],
+        retentionPeriod: 'Until case closure + appeals period (typically 5-10 years)',
+        destructionProcedure: 'DOD 5220.22-M compliant wiping or physical destruction',
+        legalConsiderations: [
+            'Fourth Amendment - warrant requirements',
+            'Best evidence rule',
+            'Authentication requirements (FRE 901)',
+            'Hearsay exceptions for business records',
+        ],
+    },
+    {
+        id: 'network-logs',
+        name: 'Network Log Collection',
+        evidenceType: 'Network logs, PCAP, flow data',
+        collectionMethod: `
+1. Identify relevant log sources
+2. Preserve logs before rotation
+3. Export with timestamps intact
+4. Document time zone and NTP status
+5. Calculate hash of log files
+6. Maintain chain of custody
+    `,
+        chainOfCustody: [
+            {
+                order: 1,
+                action: 'Log identification',
+                responsible: 'Incident responder',
+                documentation: 'Log source list, retention status',
+                verification: 'Verified with system admin',
+            },
+            {
+                order: 2,
+                action: 'Log preservation',
+                responsible: 'Incident responder',
+                documentation: 'Preservation notice, collection timestamp',
+                verification: 'Hash of collected logs',
+            },
+            {
+                order: 3,
+                action: 'Transfer to investigation team',
+                responsible: 'Evidence custodian',
+                documentation: 'Transfer form, hash verification',
+                verification: 'Receiving signature',
+            },
+        ],
+        storageRequirements: [
+            'Encrypted storage',
+            'Access controls',
+            'Audit logging',
+            'Backup copies',
+        ],
+        retentionPeriod: 'Per legal hold or organizational policy (typically 1-7 years)',
+        destructionProcedure: 'Secure deletion with verification',
+        legalConsiderations: [
+            'Authenticity of logs',
+            'Timestamp accuracy',
+            'Completeness of collection',
+            'Privacy considerations for content',
+        ],
+    },
+    {
+        id: 'malware-samples',
+        name: 'Malware Sample Handling',
+        evidenceType: 'Malware executables, scripts, documents',
+        collectionMethod: `
+1. Isolate infected system
+2. Collect sample without execution
+3. Archive in password-protected container
+4. Calculate multiple hash values
+5. Document collection context
+6. Submit to analysis sandbox (isolated)
+    `,
+        chainOfCustody: [
+            {
+                order: 1,
+                action: 'Sample identification',
+                responsible: 'Malware analyst',
+                documentation: 'File path, hash, metadata',
+                verification: 'Initial hash calculation',
+            },
+            {
+                order: 2,
+                action: 'Secure containment',
+                responsible: 'Malware analyst',
+                documentation: 'Container type, password storage',
+                verification: 'Contained hash verification',
+            },
+            {
+                order: 3,
+                action: 'Analysis',
+                responsible: 'Malware analyst',
+                documentation: 'Analysis report, IOCs extracted',
+                verification: 'Analysis methodology documented',
+            },
+        ],
+        storageRequirements: [
+            'Air-gapped storage',
+            'Encrypted containers',
+            'Access restricted to trained personnel',
+            'Separate from production systems',
+        ],
+        retentionPeriod: 'Indefinite for threat intelligence purposes',
+        destructionProcedure: 'N/A - samples typically retained',
+        legalConsiderations: [
+            'Authorization to possess malware',
+            'Sharing restrictions (export controls)',
+            'Attribution considerations',
+        ],
+    },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// REPORTING PROCEDURES
+// ═══════════════════════════════════════════════════════════════════════════════
+export const REPORTING_PROCEDURES = [
+    {
+        id: 'cisa-incident',
+        name: 'CISA Incident Report',
+        triggerConditions: [
+            'Critical infrastructure incident',
+            'Federal network compromise',
+            'Ransomware affecting CI',
+            'Major vulnerability exploitation',
+        ],
+        requiredAgencies: ['cisa'],
+        timeline: '24 hours for critical, 72 hours for significant',
+        reportFormat: 'CISA Incident Reporting Portal format',
+        deliveryMethod: 'CISA reporting portal (us-cert.cisa.gov) or 1-888-282-0870',
+        followUp: [
+            'Monitor for CISA requests for additional information',
+            'Provide updates on containment/eradication',
+            'Participate in information sharing if requested',
+        ],
+    },
+    {
+        id: 'fbi-cyber',
+        name: 'FBI Cyber Incident Report',
+        triggerConditions: [
+            'Suspected nation-state activity',
+            'Critical infrastructure attack',
+            'Ransomware with major impact',
+            'Significant financial loss',
+        ],
+        requiredAgencies: ['federal-le'],
+        timeline: 'As soon as practical after discovery',
+        reportFormat: 'FBI IC3 form or direct to local field office',
+        deliveryMethod: 'ic3.gov or local FBI field office',
+        followUp: [
+            'Assign case agent liaison',
+            'Provide evidence as requested',
+            'Coordinate on public disclosure',
+        ],
+    },
+    {
+        id: 'sec-8k',
+        name: 'SEC Form 8-K Cybersecurity Incident',
+        triggerConditions: [
+            'Material cybersecurity incident at public company',
+            'Significant impact on operations',
+            'Material financial impact',
+        ],
+        requiredAgencies: ['regulatory'],
+        timeline: '4 business days of materiality determination',
+        reportFormat: 'SEC Form 8-K Item 1.05',
+        deliveryMethod: 'EDGAR filing system',
+        followUp: [
+            'Quarterly 10-Q/10-K updates',
+            'Additional 8-K if circumstances change materially',
+        ],
+    },
+    {
+        id: 'hipaa-breach',
+        name: 'HIPAA Breach Notification',
+        triggerConditions: [
+            'PHI breach affecting 1+ individuals',
+            'Unauthorized access/disclosure of PHI',
+        ],
+        requiredAgencies: ['regulatory'],
+        timeline: '60 days from discovery (500+ requires immediate media)',
+        reportFormat: 'HHS Breach Notification Portal',
+        deliveryMethod: 'HHS portal + individual notification + media if 500+',
+        followUp: [
+            'Annual HHS report for breaches < 500',
+            'State attorney general notifications',
+            'OCR investigation response if audited',
+        ],
+    },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// COORDINATION PROTOCOLS
+// ═══════════════════════════════════════════════════════════════════════════════
+export const COORDINATION_PROTOCOLS = [
+    {
+        id: 'federal-cyber-unified',
+        name: 'Federal Cyber Unified Coordination Group',
+        participants: ['federal-le', 'cisa', 'intelligence'],
+        purpose: 'Coordinate federal response to significant cyber incidents',
+        initiationCriteria: [
+            'National security implications',
+            'Multiple federal agencies affected',
+            'Critical infrastructure at risk',
+            'Presidential directive',
+        ],
+        communicationChannels: [
+            {
+                type: 'secure-email',
+                classification: 'secret',
+                availability: '24/7',
+                contactInfo: 'ucg@cisa.dhs.gov (SIPRNET)',
+            },
+            {
+                type: 'secure-phone',
+                classification: 'secret',
+                availability: '24/7',
+                contactInfo: 'CISA SOC classified line',
+            },
+            {
+                type: 'classified-network',
+                classification: 'ts-sci',
+                availability: '24/7',
+                contactInfo: 'JWICS portal',
+            },
+        ],
+        informationSharing: [
+            {
+                dataType: 'IOCs (unattributed)',
+                canShareWith: ['federal-le', 'cisa', 'intelligence', 'contractor'],
+                restrictions: ['TLP:AMBER minimum'],
+                approval: 'Automatic',
+            },
+            {
+                dataType: 'Attribution',
+                canShareWith: ['intelligence', 'federal-le'],
+                restrictions: ['Need-to-know', 'Originator approval required'],
+                approval: 'Senior official',
+            },
+            {
+                dataType: 'Victim information',
+                canShareWith: ['federal-le'],
+                restrictions: ['Victim consent preferred', 'Privacy Act'],
+                approval: 'Legal counsel',
+            },
+        ],
+        escalationPath: [
+            {
+                level: 1,
+                criteria: 'Initial incident assessment',
+                contacts: ['CISA duty officer', 'FBI cyber watch'],
+                timeline: '1-2 hours',
+                actions: ['Establish facts', 'Assess scope', 'Initial notifications'],
+            },
+            {
+                level: 2,
+                criteria: 'Confirmed significant incident',
+                contacts: ['Agency CISO', 'Sector ISAC', 'Relevant sector agencies'],
+                timeline: '2-4 hours',
+                actions: ['Activate response team', 'Begin coordination calls', 'Engage victim'],
+            },
+            {
+                level: 3,
+                criteria: 'Critical infrastructure at risk or national security implications',
+                contacts: ['National Security Council', 'CISA Director', 'FBI Director'],
+                timeline: '4-8 hours',
+                actions: ['UCG activation', 'Senior briefings', 'Interagency coordination'],
+            },
+            {
+                level: 4,
+                criteria: 'National emergency',
+                contacts: ['White House', 'Cabinet-level', 'Congressional notification'],
+                timeline: 'Immediate',
+                actions: ['Presidential briefing', 'Emergency declarations', 'Public communications'],
+            },
+        ],
+        terminationCriteria: [
+            'Threat neutralized',
+            'Incident contained',
+            'Recovery complete',
+            'Transition to normal operations',
+        ],
+    },
+    {
+        id: 'state-local-coordination',
+        name: 'State/Local Law Enforcement Coordination',
+        participants: ['federal-le', 'state-le', 'local-le'],
+        purpose: 'Coordinate cyber response across jurisdictions',
+        initiationCriteria: [
+            'Multi-jurisdiction incident',
+            'State/local request for assistance',
+            'Federal nexus identified',
+        ],
+        communicationChannels: [
+            {
+                type: 'secure-portal',
+                classification: 'cui',
+                availability: 'Business hours + on-call',
+                contactInfo: 'FBI LEEP portal',
+            },
+            {
+                type: 'secure-phone',
+                classification: 'unclassified',
+                availability: '24/7',
+                contactInfo: 'Local FBI field office',
+            },
+        ],
+        informationSharing: [
+            {
+                dataType: 'Case information',
+                canShareWith: ['federal-le', 'state-le', 'local-le'],
+                restrictions: ['Need-to-know', 'Investigation sensitivity'],
+                approval: 'Case agent',
+            },
+            {
+                dataType: 'Threat intelligence',
+                canShareWith: ['state-le', 'local-le'],
+                restrictions: ['TLP:GREEN or above'],
+                approval: 'Intelligence unit',
+            },
+        ],
+        escalationPath: [
+            {
+                level: 1,
+                criteria: 'Local incident with federal nexus',
+                contacts: ['Local FBI field office', 'State fusion center'],
+                timeline: 'Same day',
+                actions: ['Information sharing', 'Jurisdiction determination'],
+            },
+            {
+                level: 2,
+                criteria: 'Multi-state or complex case',
+                contacts: ['FBI cyber squad', 'USAO cyber unit'],
+                timeline: '1-2 days',
+                actions: ['Joint investigation', 'Resource allocation'],
+            },
+        ],
+        terminationCriteria: [
+            'Case resolution',
+            'Jurisdiction transfer',
+            'Investigation closure',
+        ],
+    },
+    {
+        id: 'international-coordination',
+        name: 'International Law Enforcement Coordination',
+        participants: ['federal-le', 'international'],
+        purpose: 'Coordinate with foreign law enforcement on cyber investigations',
+        initiationCriteria: [
+            'Foreign-based threat actors',
+            'Cross-border criminal activity',
+            'Foreign victim assistance',
+            'Extradition matters',
+        ],
+        communicationChannels: [
+            {
+                type: 'secure-email',
+                classification: 'secret',
+                availability: 'Business hours',
+                contactInfo: 'FBI Legal Attaché network',
+            },
+            {
+                type: 'in-person',
+                classification: 'secret',
+                availability: 'Scheduled',
+                contactInfo: 'Via embassy coordination',
+            },
+        ],
+        informationSharing: [
+            {
+                dataType: 'Case information',
+                canShareWith: ['international'],
+                restrictions: ['MLAT required for formal cooperation', 'Originator control'],
+                approval: 'DOJ OIA',
+            },
+            {
+                dataType: 'IOCs',
+                canShareWith: ['international'],
+                restrictions: ['TLP:WHITE preferred', 'Attribution removed'],
+                approval: 'Case agent with legal review',
+            },
+        ],
+        escalationPath: [
+            {
+                level: 1,
+                criteria: 'International lead identified',
+                contacts: ['FBI Legal Attaché', 'Interpol NCB'],
+                timeline: '24-48 hours',
+                actions: ['Request information', 'Establish liaison'],
+            },
+            {
+                level: 2,
+                criteria: 'Formal cooperation needed',
+                contacts: ['DOJ OIA', 'Foreign ministry'],
+                timeline: 'Weeks to months',
+                actions: ['MLAT request', 'Diplomatic coordination'],
+            },
+        ],
+        terminationCriteria: [
+            'Investigation complete',
+            'Prosecution concluded',
+            'Cooperation no longer needed',
+        ],
+    },
+];
+// ═══════════════════════════════════════════════════════════════════════════════
+// HELPER FUNCTIONS
+// ═══════════════════════════════════════════════════════════════════════════════
+export function getAgencyContacts(agencyType) {
+    return US_FEDERAL_CONTACTS.filter(c => c.agencyType === agencyType);
+}
+export function getApplicableLegalFrameworks(agencyTypes) {
+    return LEGAL_FRAMEWORKS.filter(f => f.applicableAgencies.some(a => agencyTypes.includes(a)));
+}
+export function getReportingRequirements(triggerCondition) {
+    return REPORTING_PROCEDURES.filter(p => p.triggerConditions.some(tc => tc.toLowerCase().includes(triggerCondition.toLowerCase())));
+}
+export function getCoordinationProtocol(participants) {
+    return COORDINATION_PROTOCOLS.find(p => participants.every(part => p.participants.includes(part)));
+}
+export function generateIncidentReportTemplate(incidentType, agency) {
+    const contacts = getAgencyContacts(agency);
+    const frameworks = getApplicableLegalFrameworks([agency]);
+    const procedures = getReportingRequirements(incidentType);
+    return `
+# Incident Report: ${incidentType}
+Generated: ${new Date().toISOString()}
+
+## Reporting Agency Information
+${contacts.map(c => `- ${c.agency}: ${c.contact.phone} / ${c.contact.email}`).join('\n')}
+
+## Applicable Legal Frameworks
+${frameworks.map(f => `- ${f.name}`).join('\n')}
+
+## Reporting Timeline
+${procedures.map(p => `- ${p.name}: ${p.timeline}`).join('\n')}
+
+## Incident Details
+[TO BE COMPLETED]
+
+### Initial Discovery
+- Date/Time:
+- Discovery Method:
+- Initial Reporter:
+
+### Impact Assessment
+- Systems Affected:
+- Data Potentially Compromised:
+- Business Impact:
+
+### Technical Details
+- Attack Vector:
+- IOCs Identified:
+- Malware/Tools Used:
+
+### Response Actions
+- Containment Measures:
+- Eradication Steps:
+- Recovery Status:
+
+### Evidence Collected
+- Digital Evidence:
+- Network Logs:
+- Other Evidence:
+
+## Chain of Custody
+| Date | Action | Handler | Signature |
+|------|--------|---------|-----------|
+|      |        |         |           |
+
+## Notifications Made
+| Agency | Date | Method | Reference |
+|--------|------|--------|-----------|
+|        |      |        |           |
+
+## Approval
+- Prepared By:
+- Reviewed By:
+- Approved By:
+`;
+}
+export function generateEvidenceForm(evidenceType) {
+    const procedure = EVIDENCE_HANDLING_PROCEDURES.find(p => p.evidenceType.toLowerCase().includes(evidenceType.toLowerCase()));
+    if (!procedure) {
+        return '# Evidence Form - Type Not Found';
+    }
+    return `
+# Evidence Collection Form
+Type: ${procedure.evidenceType}
+Procedure: ${procedure.name}
+
+## Collection Information
+- Collection Date/Time:
+- Location:
+- Collector Name:
+- Collector Badge/ID:
+- Witness Name:
+- Witness Badge/ID:
+
+## Evidence Description
+- Item Description:
+- Serial Number (if applicable):
+- Condition at Collection:
+- Photos Taken: [ ] Yes [ ] No
+
+## Hash Values
+- MD5:
+- SHA-1:
+- SHA-256:
+
+## Collection Method
+${procedure.collectionMethod}
+
+## Chain of Custody
+
+${procedure.chainOfCustody.map(step => `
+### Step ${step.order}: ${step.action}
+- Responsible: ${step.responsible}
+- Documentation: ${step.documentation}
+- Verification: ${step.verification}
+- Date/Time:
+- Signature:
+`).join('')}
+
+## Storage Location
+- Initial Storage:
+- Current Storage:
+- Access Log Reference:
+
+## Legal Considerations
+${procedure.legalConsiderations.map(c => `- ${c}`).join('\n')}
+
+## Retention
+- Retention Period: ${procedure.retentionPeriod}
+- Destruction Procedure: ${procedure.destructionProcedure}
+`;
+}
+//# sourceMappingURL=governmentProcedures.js.map