framework-mcp 2.2.2 → 2.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/ci.yml +12 -1
- package/dist/core/safeguard-manager.d.ts.map +1 -1
- package/dist/core/safeguard-manager.js +48 -81
- package/dist/core/safeguard-manager.js.map +1 -1
- package/dist/interfaces/http/http-server.js +2 -2
- package/dist/interfaces/mcp/mcp-server.js +2 -2
- package/package.json +1 -1
- package/src/core/safeguard-manager.ts +48 -81
- package/src/interfaces/http/http-server.ts +2 -2
- package/src/interfaces/mcp/mcp-server.ts +2 -2
|
@@ -83,7 +83,7 @@ export class FrameworkHttpServer {
|
|
|
83
83
|
res.json({
|
|
84
84
|
status: 'healthy',
|
|
85
85
|
uptime: Math.round(process.uptime()),
|
|
86
|
-
version: '2.
|
|
86
|
+
version: '2.3.2',
|
|
87
87
|
timestamp: new Date().toISOString()
|
|
88
88
|
});
|
|
89
89
|
});
|
|
@@ -183,7 +183,7 @@ export class FrameworkHttpServer {
|
|
|
183
183
|
this.app.get('/api', (req, res) => {
|
|
184
184
|
res.json({
|
|
185
185
|
name: 'Framework MCP HTTP API',
|
|
186
|
-
version: '2.
|
|
186
|
+
version: '2.3.2',
|
|
187
187
|
description: 'Pure Data Provider serving authentic CIS Controls Framework data',
|
|
188
188
|
endpoints: {
|
|
189
189
|
'GET /api/safeguards': 'List all available CIS safeguards',
|
|
@@ -7,7 +7,7 @@ export class FrameworkMcpServer {
|
|
|
7
7
|
constructor() {
|
|
8
8
|
this.server = new Server({
|
|
9
9
|
name: 'framework-analyzer',
|
|
10
|
-
version: '2.
|
|
10
|
+
version: '2.3.2',
|
|
11
11
|
});
|
|
12
12
|
this.safeguardManager = new SafeguardManager();
|
|
13
13
|
this.setupHandlers();
|
|
@@ -103,7 +103,7 @@ export class FrameworkMcpServer {
|
|
|
103
103
|
safeguards,
|
|
104
104
|
total: safeguards.length,
|
|
105
105
|
framework: 'CIS Controls v8.1',
|
|
106
|
-
version: '2.
|
|
106
|
+
version: '2.3.2'
|
|
107
107
|
}, null, 2),
|
|
108
108
|
},
|
|
109
109
|
],
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "framework-mcp",
|
|
3
|
-
"version": "2.
|
|
3
|
+
"version": "2.3.2",
|
|
4
4
|
"description": "Pure Data Provider architecture serving authentic CIS Controls Framework data via MCP and HTTP API. Empowers LLMs with authoritative safeguards data for analysis. Supports Microsoft Copilot custom connectors and DigitalOcean App Services deployment.",
|
|
5
5
|
"main": "dist/interfaces/http/http-server.js",
|
|
6
6
|
"type": "module",
|
|
@@ -726,23 +726,19 @@ export class SafeguardManager {
|
|
|
726
726
|
"2.1": {
|
|
727
727
|
id: "2.1",
|
|
728
728
|
title: "Establish and Maintain a Software Inventory",
|
|
729
|
-
description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
|
|
729
|
+
description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.",
|
|
730
730
|
implementationGroup: "IG1",
|
|
731
|
-
assetType: ["
|
|
731
|
+
assetType: ["Software"],
|
|
732
732
|
securityFunction: ["Identify"],
|
|
733
733
|
governanceElements: [ // Orange - MUST be met
|
|
734
|
-
"Establish
|
|
735
|
-
"The software inventory must document the
|
|
736
|
-
"Review and update the software inventory bi-annually, or more frequently"
|
|
734
|
+
"Establish a Software Inventory",
|
|
735
|
+
"The software inventory must document the sub-taxonomical elements, where appropriate",
|
|
736
|
+
"Review and update the software inventory bi-annually, or more frequently - AKA Maintain"
|
|
737
737
|
],
|
|
738
738
|
coreRequirements: [ // Green - The "what"
|
|
739
|
-
"Detailed inventory of all licensed software"
|
|
740
|
-
"Installed on enterprise Assets"
|
|
739
|
+
"Detailed inventory of all licensed software"
|
|
741
740
|
],
|
|
742
741
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
743
|
-
"Establish",
|
|
744
|
-
"Maintain",
|
|
745
|
-
"Must Document",
|
|
746
742
|
"Title",
|
|
747
743
|
"Publisher",
|
|
748
744
|
"Initial Install / Use Date",
|
|
@@ -751,10 +747,7 @@ export class SafeguardManager {
|
|
|
751
747
|
"App Store(s)",
|
|
752
748
|
"App Version(s)",
|
|
753
749
|
"Deployment mechanism",
|
|
754
|
-
"Decomm. Date"
|
|
755
|
-
"Where appropriate",
|
|
756
|
-
"bi-annually",
|
|
757
|
-
"More Frequently"
|
|
750
|
+
"Decomm. Date"
|
|
758
751
|
],
|
|
759
752
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
760
753
|
],
|
|
@@ -844,7 +837,7 @@ export class SafeguardManager {
|
|
|
844
837
|
title: "Ensure That Only Currently Supported Software Is Designated as Authorized",
|
|
845
838
|
description: "Ensure that only currently supported software is designated as authorized in the software inventory",
|
|
846
839
|
implementationGroup: "IG1",
|
|
847
|
-
assetType: ["
|
|
840
|
+
assetType: ["Software"],
|
|
848
841
|
securityFunction: ["Identify"],
|
|
849
842
|
governanceElements: [ // Orange - MUST be met
|
|
850
843
|
"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
|
|
@@ -854,15 +847,10 @@ export class SafeguardManager {
|
|
|
854
847
|
"Authorized in the software inventory"
|
|
855
848
|
],
|
|
856
849
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
857
|
-
"Ensure",
|
|
858
850
|
"Determine if Authorized Software Is Currently Supported",
|
|
859
|
-
"If Unsupported",
|
|
860
851
|
"Determine Necessity for Business",
|
|
861
|
-
"Document Exception detailing mitigating controls",
|
|
862
|
-
"Document Residual risk acceptance"
|
|
863
|
-
"Review the software list",
|
|
864
|
-
"Monthly",
|
|
865
|
-
"More frequently"
|
|
852
|
+
"Document Exception detailing mitigating controls IF Unsupported",
|
|
853
|
+
"Document Residual risk acceptance IF Unsupported"
|
|
866
854
|
],
|
|
867
855
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
868
856
|
],
|
|
@@ -952,7 +940,7 @@ export class SafeguardManager {
|
|
|
952
940
|
title: "Address Unauthorized Software",
|
|
953
941
|
description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
|
|
954
942
|
implementationGroup: "IG1",
|
|
955
|
-
assetType: ["
|
|
943
|
+
assetType: ["Software"],
|
|
956
944
|
securityFunction: ["Respond"],
|
|
957
945
|
governanceElements: [ // Orange - MUST be met
|
|
958
946
|
"Ensure",
|
|
@@ -964,9 +952,7 @@ export class SafeguardManager {
|
|
|
964
952
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
965
953
|
"Address Unauthorized Software",
|
|
966
954
|
"Remove from use",
|
|
967
|
-
"Document Exception"
|
|
968
|
-
"Monthly",
|
|
969
|
-
"More Frequently"
|
|
955
|
+
"Document Exception"
|
|
970
956
|
],
|
|
971
957
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
972
958
|
],
|
|
@@ -1056,21 +1042,19 @@ export class SafeguardManager {
|
|
|
1056
1042
|
title: "Utilize Automated Software Inventory Tools",
|
|
1057
1043
|
description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
|
|
1058
1044
|
implementationGroup: "IG2",
|
|
1059
|
-
assetType: ["
|
|
1045
|
+
assetType: ["Software"],
|
|
1060
1046
|
securityFunction: ["Detect"],
|
|
1061
1047
|
governanceElements: [ // Orange - MUST be met
|
|
1062
1048
|
"Utilize",
|
|
1063
1049
|
"when possible"
|
|
1064
1050
|
],
|
|
1065
1051
|
coreRequirements: [ // Green - The "what"
|
|
1066
|
-
"software inventory tools"
|
|
1067
|
-
"automate the discovery and documentation of installed software"
|
|
1052
|
+
"software inventory tools"
|
|
1068
1053
|
],
|
|
1069
1054
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1070
1055
|
"Automate Discovery",
|
|
1071
1056
|
"Automate Documentation",
|
|
1072
|
-
"Installed Software"
|
|
1073
|
-
"When possible"
|
|
1057
|
+
"Installed Software"
|
|
1074
1058
|
],
|
|
1075
1059
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1076
1060
|
],
|
|
@@ -1160,7 +1144,7 @@ export class SafeguardManager {
|
|
|
1160
1144
|
title: "Allowlist Authorized Software",
|
|
1161
1145
|
description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
|
|
1162
1146
|
implementationGroup: "IG2",
|
|
1163
|
-
assetType: ["
|
|
1147
|
+
assetType: ["Software"],
|
|
1164
1148
|
securityFunction: ["Protect"],
|
|
1165
1149
|
governanceElements: [ // Orange - MUST be met
|
|
1166
1150
|
"Use",
|
|
@@ -1172,13 +1156,9 @@ export class SafeguardManager {
|
|
|
1172
1156
|
"only authorized software can execute or be accessed"
|
|
1173
1157
|
],
|
|
1174
1158
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1175
|
-
"Allowlist Authorized Software",
|
|
1176
1159
|
"Technical Controls",
|
|
1177
|
-
"Execute",
|
|
1178
|
-
"Accessed"
|
|
1179
|
-
"Reassess",
|
|
1180
|
-
"Bi-Annually",
|
|
1181
|
-
"More Frequently"
|
|
1160
|
+
"Allow software to Execute",
|
|
1161
|
+
"Allow software to be Accessed"
|
|
1182
1162
|
],
|
|
1183
1163
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1184
1164
|
"Application Allowlisting"
|
|
@@ -1269,27 +1249,20 @@ export class SafeguardManager {
|
|
|
1269
1249
|
title: "Allowlist Authorized Libraries",
|
|
1270
1250
|
description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
|
|
1271
1251
|
implementationGroup: "IG2",
|
|
1272
|
-
assetType: ["
|
|
1252
|
+
assetType: ["Software"],
|
|
1273
1253
|
securityFunction: ["Protect"],
|
|
1274
1254
|
governanceElements: [ // Orange - MUST be met
|
|
1275
1255
|
"Use",
|
|
1276
1256
|
"Ensure",
|
|
1277
|
-
"Block unauthorized libraries from loading into a system process",
|
|
1278
1257
|
"Reassess bi-annually, or more frequently"
|
|
1279
1258
|
],
|
|
1280
1259
|
coreRequirements: [ // Green - The "what"
|
|
1281
|
-
"technical controls",
|
|
1282
1260
|
"only authorized software libraries",
|
|
1283
1261
|
"are allowed to load into a system process"
|
|
1284
1262
|
],
|
|
1285
1263
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1286
|
-
"Only authorized software libraries",
|
|
1287
|
-
"Are allowed to load into a system process",
|
|
1288
1264
|
"Technical Controls",
|
|
1289
|
-
"Block unauthorized libraries from loading into a system process"
|
|
1290
|
-
"Reassess",
|
|
1291
|
-
"Bi-Annually",
|
|
1292
|
-
"More Frequently"
|
|
1265
|
+
"Block unauthorized libraries from loading into a system process"
|
|
1293
1266
|
],
|
|
1294
1267
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1295
1268
|
"Specific .dll files",
|
|
@@ -1382,25 +1355,19 @@ export class SafeguardManager {
|
|
|
1382
1355
|
title: "Allowlist Authorized Scripts",
|
|
1383
1356
|
description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
|
|
1384
1357
|
implementationGroup: "IG3",
|
|
1385
|
-
assetType: ["
|
|
1358
|
+
assetType: ["Software"],
|
|
1386
1359
|
securityFunction: ["Protect"],
|
|
1387
1360
|
governanceElements: [ // Orange - MUST be met
|
|
1388
1361
|
"Use",
|
|
1389
1362
|
"Ensure",
|
|
1390
|
-
"Block unauthorized scripts from executing",
|
|
1391
1363
|
"Reassess bi-annually, or more frequently"
|
|
1392
1364
|
],
|
|
1393
1365
|
coreRequirements: [ // Green - The "what"
|
|
1394
|
-
"technical controls",
|
|
1395
1366
|
"only authorized files are allowed to execute"
|
|
1396
1367
|
],
|
|
1397
1368
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
1398
|
-
"Only authorized files are allowed to execute",
|
|
1399
1369
|
"Technical Controls",
|
|
1400
1370
|
"Block unauthorized scripts from executing",
|
|
1401
|
-
"Reassess",
|
|
1402
|
-
"Bi-Annually",
|
|
1403
|
-
"More Frequently"
|
|
1404
1371
|
],
|
|
1405
1372
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
1406
1373
|
"Digital signatures",
|
|
@@ -1727,7 +1694,7 @@ export class SafeguardManager {
|
|
|
1727
1694
|
"ACLS - \"aka\" Access Permissions",
|
|
1728
1695
|
"Local",
|
|
1729
1696
|
"Remote File Systems",
|
|
1730
|
-
"
|
|
1697
|
+
"Software",
|
|
1731
1698
|
"Databases"
|
|
1732
1699
|
],
|
|
1733
1700
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
@@ -2558,7 +2525,7 @@ export class SafeguardManager {
|
|
|
2558
2525
|
subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
|
|
2559
2526
|
"Encrypt Sensitive Data At Rest",
|
|
2560
2527
|
"Servers",
|
|
2561
|
-
"
|
|
2528
|
+
"Software",
|
|
2562
2529
|
"Databases",
|
|
2563
2530
|
"Storage Layer (server side) encryption",
|
|
2564
2531
|
"Minimum Requirement"
|
|
@@ -2965,7 +2932,7 @@ export class SafeguardManager {
|
|
|
2965
2932
|
title: "Establish and Maintain a Secure Configuration Process",
|
|
2966
2933
|
description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
|
|
2967
2934
|
implementationGroup: "IG1",
|
|
2968
|
-
assetType: ["end-user devices", "network devices", "IoT devices", "servers", "
|
|
2935
|
+
assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
|
|
2969
2936
|
securityFunction: ["Govern"],
|
|
2970
2937
|
governanceElements: [ // Orange - MUST be met
|
|
2971
2938
|
"Establish",
|
|
@@ -2988,7 +2955,7 @@ export class SafeguardManager {
|
|
|
2988
2955
|
"Non-computing/IoT devices",
|
|
2989
2956
|
"Servers",
|
|
2990
2957
|
"OS",
|
|
2991
|
-
"
|
|
2958
|
+
"Software"
|
|
2992
2959
|
],
|
|
2993
2960
|
implementationSuggestions: [ // Gray - Implementation suggestions
|
|
2994
2961
|
"Secure Configuration Policy / Process",
|
|
@@ -3507,7 +3474,7 @@ export class SafeguardManager {
|
|
|
3507
3474
|
title: "Securely Manage Enterprise Assets and Software",
|
|
3508
3475
|
description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
|
|
3509
3476
|
implementationGroup: "IG1",
|
|
3510
|
-
assetType: ["devices", "
|
|
3477
|
+
assetType: ["devices", "Software"],
|
|
3511
3478
|
securityFunction: ["Protect"],
|
|
3512
3479
|
governanceElements: [ // Orange - MUST be met
|
|
3513
3480
|
"Do not use insecure management protocols",
|
|
@@ -3614,7 +3581,7 @@ export class SafeguardManager {
|
|
|
3614
3581
|
title: "Manage Default Accounts on Enterprise Assets and Software",
|
|
3615
3582
|
description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
|
|
3616
3583
|
implementationGroup: "IG1",
|
|
3617
|
-
assetType: ["devices", "
|
|
3584
|
+
assetType: ["devices", "Software", "users"],
|
|
3618
3585
|
securityFunction: ["Protect"],
|
|
3619
3586
|
governanceElements: [ // Orange - MUST be met
|
|
3620
3587
|
"Manage"
|
|
@@ -3721,7 +3688,7 @@ export class SafeguardManager {
|
|
|
3721
3688
|
title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
|
|
3722
3689
|
description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
|
|
3723
3690
|
implementationGroup: "IG2",
|
|
3724
|
-
assetType: ["devices", "
|
|
3691
|
+
assetType: ["devices", "Software"],
|
|
3725
3692
|
securityFunction: ["Protect"],
|
|
3726
3693
|
governanceElements: [ // Orange - MUST be met
|
|
3727
3694
|
"Uninstall",
|
|
@@ -5914,7 +5881,7 @@ export class SafeguardManager {
|
|
|
5914
5881
|
title: "Establish and Maintain a Remediation Process",
|
|
5915
5882
|
description: "Establish and maintain a remediation process and SLA for security vulnerabilities",
|
|
5916
5883
|
implementationGroup: "IG1",
|
|
5917
|
-
assetType: ["
|
|
5884
|
+
assetType: ["Software"],
|
|
5918
5885
|
securityFunction: ["Respond"],
|
|
5919
5886
|
governanceElements: [ // Orange - MUST be met
|
|
5920
5887
|
"establish remediation process",
|
|
@@ -6146,7 +6113,7 @@ export class SafeguardManager {
|
|
|
6146
6113
|
title: "Perform Automated Application Patch Management",
|
|
6147
6114
|
description: "Perform automated application patch management on enterprise assets",
|
|
6148
6115
|
implementationGroup: "IG1",
|
|
6149
|
-
assetType: ["
|
|
6116
|
+
assetType: ["Software"],
|
|
6150
6117
|
securityFunction: ["Protect"],
|
|
6151
6118
|
governanceElements: [ // Orange - MUST be met
|
|
6152
6119
|
"perform automated application patching",
|
|
@@ -6262,7 +6229,7 @@ export class SafeguardManager {
|
|
|
6262
6229
|
title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
|
|
6263
6230
|
description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
|
|
6264
6231
|
implementationGroup: "IG2",
|
|
6265
|
-
assetType: ["devices", "
|
|
6232
|
+
assetType: ["devices", "Software"],
|
|
6266
6233
|
securityFunction: ["Detect"],
|
|
6267
6234
|
governanceElements: [ // Orange - MUST be met
|
|
6268
6235
|
"perform automated vulnerability scans",
|
|
@@ -6378,7 +6345,7 @@ export class SafeguardManager {
|
|
|
6378
6345
|
title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
|
|
6379
6346
|
description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
|
|
6380
6347
|
implementationGroup: "IG2",
|
|
6381
|
-
assetType: ["devices", "
|
|
6348
|
+
assetType: ["devices", "Software"],
|
|
6382
6349
|
securityFunction: ["Detect"],
|
|
6383
6350
|
governanceElements: [ // Orange - MUST be met
|
|
6384
6351
|
"perform automated vulnerability scans",
|
|
@@ -6494,7 +6461,7 @@ export class SafeguardManager {
|
|
|
6494
6461
|
title: "Remediate Detected Vulnerabilities",
|
|
6495
6462
|
description: "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis",
|
|
6496
6463
|
implementationGroup: "IG2",
|
|
6497
|
-
assetType: ["
|
|
6464
|
+
assetType: ["Software"],
|
|
6498
6465
|
securityFunction: ["Respond"],
|
|
6499
6466
|
governanceElements: [ // Orange - MUST be met
|
|
6500
6467
|
"remediate detected vulnerabilities",
|
|
@@ -7872,7 +7839,7 @@ export class SafeguardManager {
|
|
|
7872
7839
|
title: "Ensure Use of Only Fully Supported Browsers and Email Clients",
|
|
7873
7840
|
description: "Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor",
|
|
7874
7841
|
implementationGroup: "IG1",
|
|
7875
|
-
assetType: ["
|
|
7842
|
+
assetType: ["Software"],
|
|
7876
7843
|
securityFunction: ["Protect"],
|
|
7877
7844
|
governanceElements: [ // Orange - MUST be met
|
|
7878
7845
|
"ensure only fully supported browsers and email clients are allowed to execute",
|
|
@@ -8211,7 +8178,7 @@ export class SafeguardManager {
|
|
|
8211
8178
|
title: "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions",
|
|
8212
8179
|
description: "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
|
|
8213
8180
|
implementationGroup: "IG2",
|
|
8214
|
-
assetType: ["
|
|
8181
|
+
assetType: ["Software"],
|
|
8215
8182
|
securityFunction: ["Protect"],
|
|
8216
8183
|
governanceElements: [ // Orange - MUST be met
|
|
8217
8184
|
"restrict unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
|
|
@@ -11927,7 +11894,7 @@ export class SafeguardManager {
|
|
|
11927
11894
|
title: "Perform Application Layer Filtering",
|
|
11928
11895
|
description: "Perform application layer filtering to protect against the enterprise's most common network-based attacks",
|
|
11929
11896
|
implementationGroup: "IG3",
|
|
11930
|
-
assetType: ["network", "
|
|
11897
|
+
assetType: ["network", "Software"],
|
|
11931
11898
|
securityFunction: ["Protect"],
|
|
11932
11899
|
governanceElements: [ // Orange - MUST be met
|
|
11933
11900
|
"perform application layer filtering",
|
|
@@ -13967,7 +13934,7 @@ export class SafeguardManager {
|
|
|
13967
13934
|
title: "Establish and Maintain a Secure Application Development Process",
|
|
13968
13935
|
description: "Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
|
|
13969
13936
|
implementationGroup: "IG2",
|
|
13970
|
-
assetType: ["
|
|
13937
|
+
assetType: ["Software"],
|
|
13971
13938
|
securityFunction: ["Govern"],
|
|
13972
13939
|
governanceElements: [ // Orange - MUST be met
|
|
13973
13940
|
"establish and maintain a secure application development process",
|
|
@@ -14084,7 +14051,7 @@ export class SafeguardManager {
|
|
|
14084
14051
|
title: "Establish and Maintain a Process to Accept and Address Software Vulnerabilities",
|
|
14085
14052
|
description: "Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders",
|
|
14086
14053
|
implementationGroup: "IG2",
|
|
14087
|
-
assetType: ["
|
|
14054
|
+
assetType: ["Software"],
|
|
14088
14055
|
securityFunction: ["Govern"],
|
|
14089
14056
|
governanceElements: [ // Orange - MUST be met
|
|
14090
14057
|
"establish and maintain a process to accept and address reports of software vulnerabilities",
|
|
@@ -14205,7 +14172,7 @@ export class SafeguardManager {
|
|
|
14205
14172
|
title: "Perform Root Cause Analysis on Security Vulnerabilities",
|
|
14206
14173
|
description: "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise",
|
|
14207
14174
|
implementationGroup: "IG2",
|
|
14208
|
-
assetType: ["
|
|
14175
|
+
assetType: ["Software"],
|
|
14209
14176
|
securityFunction: ["Protect"],
|
|
14210
14177
|
governanceElements: [ // Orange - MUST be met
|
|
14211
14178
|
"perform root cause analysis on security vulnerabilities"
|
|
@@ -14311,7 +14278,7 @@ export class SafeguardManager {
|
|
|
14311
14278
|
title: "Establish and Manage an Inventory of Third-Party Software Components",
|
|
14312
14279
|
description: "Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported",
|
|
14313
14280
|
implementationGroup: "IG2",
|
|
14314
|
-
assetType: ["
|
|
14281
|
+
assetType: ["Software"],
|
|
14315
14282
|
securityFunction: ["Identify"],
|
|
14316
14283
|
governanceElements: [ // Orange - MUST be met
|
|
14317
14284
|
"establish and manage an updated inventory of third-party components used in development",
|
|
@@ -14425,7 +14392,7 @@ export class SafeguardManager {
|
|
|
14425
14392
|
title: "Use Up-to-Date and Trusted Third-Party Software Components",
|
|
14426
14393
|
description: "Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use",
|
|
14427
14394
|
implementationGroup: "IG2",
|
|
14428
|
-
assetType: ["
|
|
14395
|
+
assetType: ["Software"],
|
|
14429
14396
|
securityFunction: ["Protect"],
|
|
14430
14397
|
governanceElements: [ // Orange - MUST be met
|
|
14431
14398
|
"use up-to-date and trusted third-party software components"
|
|
@@ -14536,7 +14503,7 @@ export class SafeguardManager {
|
|
|
14536
14503
|
title: "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities",
|
|
14537
14504
|
description: "Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually",
|
|
14538
14505
|
implementationGroup: "IG2",
|
|
14539
|
-
assetType: ["
|
|
14506
|
+
assetType: ["Software"],
|
|
14540
14507
|
securityFunction: ["Govern"],
|
|
14541
14508
|
governanceElements: [ // Orange - MUST be met
|
|
14542
14509
|
"establish and maintain a severity rating system and process for application vulnerabilities",
|
|
@@ -14648,7 +14615,7 @@ export class SafeguardManager {
|
|
|
14648
14615
|
title: "Use Standard Hardening Configuration Templates for Application Infrastructure",
|
|
14649
14616
|
description: "Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening",
|
|
14650
14617
|
implementationGroup: "IG2",
|
|
14651
|
-
assetType: ["
|
|
14618
|
+
assetType: ["Software"],
|
|
14652
14619
|
securityFunction: ["Protect"],
|
|
14653
14620
|
governanceElements: [ // Orange - MUST be met
|
|
14654
14621
|
"use standard, industry-recommended hardening configuration templates for application infrastructure components",
|
|
@@ -14983,7 +14950,7 @@ export class SafeguardManager {
|
|
|
14983
14950
|
title: "Apply Secure Design Principles in Application Architectures",
|
|
14984
14951
|
description: "Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts",
|
|
14985
14952
|
implementationGroup: "IG2",
|
|
14986
|
-
assetType: ["
|
|
14953
|
+
assetType: ["Software"],
|
|
14987
14954
|
securityFunction: ["Protect"],
|
|
14988
14955
|
governanceElements: [ // Orange - MUST be met
|
|
14989
14956
|
"apply secure design principles in application architectures"
|
|
@@ -15099,7 +15066,7 @@ export class SafeguardManager {
|
|
|
15099
15066
|
title: "Leverage Vetted Modules or Services for Application Security Components",
|
|
15100
15067
|
description: "Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs",
|
|
15101
15068
|
implementationGroup: "IG2",
|
|
15102
|
-
assetType: ["
|
|
15069
|
+
assetType: ["Software"],
|
|
15103
15070
|
securityFunction: ["Identify"],
|
|
15104
15071
|
governanceElements: [ // Orange - MUST be met
|
|
15105
15072
|
"leverage vetted modules or services for application security components",
|
|
@@ -15215,7 +15182,7 @@ export class SafeguardManager {
|
|
|
15215
15182
|
title: "Implement Code-Level Security Checks",
|
|
15216
15183
|
description: "Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed",
|
|
15217
15184
|
implementationGroup: "IG3",
|
|
15218
|
-
assetType: ["
|
|
15185
|
+
assetType: ["Software"],
|
|
15219
15186
|
securityFunction: ["Protect"],
|
|
15220
15187
|
governanceElements: [ // Orange - MUST be met
|
|
15221
15188
|
"apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed"
|
|
@@ -15323,7 +15290,7 @@ export class SafeguardManager {
|
|
|
15323
15290
|
title: "Conduct Application Penetration Testing",
|
|
15324
15291
|
description: "Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user",
|
|
15325
15292
|
implementationGroup: "IG3",
|
|
15326
|
-
assetType: ["
|
|
15293
|
+
assetType: ["Software"],
|
|
15327
15294
|
securityFunction: ["Detect"],
|
|
15328
15295
|
governanceElements: [ // Orange - MUST be met
|
|
15329
15296
|
"conduct application penetration testing"
|
|
@@ -15434,7 +15401,7 @@ export class SafeguardManager {
|
|
|
15434
15401
|
title: "Conduct Threat Modeling",
|
|
15435
15402
|
description: "Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses",
|
|
15436
15403
|
implementationGroup: "IG3",
|
|
15437
|
-
assetType: ["
|
|
15404
|
+
assetType: ["Software"],
|
|
15438
15405
|
securityFunction: ["Protect"],
|
|
15439
15406
|
governanceElements: [ // Orange - MUST be met
|
|
15440
15407
|
"conduct threat modeling"
|
|
@@ -106,7 +106,7 @@ export class FrameworkHttpServer {
|
|
|
106
106
|
res.json({
|
|
107
107
|
status: 'healthy',
|
|
108
108
|
uptime: Math.round(process.uptime()),
|
|
109
|
-
version: '2.
|
|
109
|
+
version: '2.3.2',
|
|
110
110
|
timestamp: new Date().toISOString()
|
|
111
111
|
});
|
|
112
112
|
});
|
|
@@ -222,7 +222,7 @@ export class FrameworkHttpServer {
|
|
|
222
222
|
this.app.get('/api', (req, res) => {
|
|
223
223
|
res.json({
|
|
224
224
|
name: 'Framework MCP HTTP API',
|
|
225
|
-
version: '2.
|
|
225
|
+
version: '2.3.2',
|
|
226
226
|
description: 'Pure Data Provider serving authentic CIS Controls Framework data',
|
|
227
227
|
endpoints: {
|
|
228
228
|
'GET /api/safeguards': 'List all available CIS safeguards',
|
|
@@ -18,7 +18,7 @@ export class FrameworkMcpServer {
|
|
|
18
18
|
this.server = new Server(
|
|
19
19
|
{
|
|
20
20
|
name: 'framework-analyzer',
|
|
21
|
-
version: '2.
|
|
21
|
+
version: '2.3.2',
|
|
22
22
|
}
|
|
23
23
|
);
|
|
24
24
|
|
|
@@ -129,7 +129,7 @@ export class FrameworkMcpServer {
|
|
|
129
129
|
safeguards,
|
|
130
130
|
total: safeguards.length,
|
|
131
131
|
framework: 'CIS Controls v8.1',
|
|
132
|
-
version: '2.
|
|
132
|
+
version: '2.3.2'
|
|
133
133
|
}, null, 2),
|
|
134
134
|
},
|
|
135
135
|
],
|