framework-mcp 2.2.2 → 2.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -83,7 +83,7 @@ export class FrameworkHttpServer {
83
83
  res.json({
84
84
  status: 'healthy',
85
85
  uptime: Math.round(process.uptime()),
86
- version: '2.2.2',
86
+ version: '2.3.2',
87
87
  timestamp: new Date().toISOString()
88
88
  });
89
89
  });
@@ -183,7 +183,7 @@ export class FrameworkHttpServer {
183
183
  this.app.get('/api', (req, res) => {
184
184
  res.json({
185
185
  name: 'Framework MCP HTTP API',
186
- version: '2.2.2',
186
+ version: '2.3.2',
187
187
  description: 'Pure Data Provider serving authentic CIS Controls Framework data',
188
188
  endpoints: {
189
189
  'GET /api/safeguards': 'List all available CIS safeguards',
@@ -7,7 +7,7 @@ export class FrameworkMcpServer {
7
7
  constructor() {
8
8
  this.server = new Server({
9
9
  name: 'framework-analyzer',
10
- version: '2.2.2',
10
+ version: '2.3.2',
11
11
  });
12
12
  this.safeguardManager = new SafeguardManager();
13
13
  this.setupHandlers();
@@ -103,7 +103,7 @@ export class FrameworkMcpServer {
103
103
  safeguards,
104
104
  total: safeguards.length,
105
105
  framework: 'CIS Controls v8.1',
106
- version: '2.2.2'
106
+ version: '2.3.2'
107
107
  }, null, 2),
108
108
  },
109
109
  ],
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "framework-mcp",
3
- "version": "2.2.2",
3
+ "version": "2.3.2",
4
4
  "description": "Pure Data Provider architecture serving authentic CIS Controls Framework data via MCP and HTTP API. Empowers LLMs with authoritative safeguards data for analysis. Supports Microsoft Copilot custom connectors and DigitalOcean App Services deployment.",
5
5
  "main": "dist/interfaces/http/http-server.js",
6
6
  "type": "module",
@@ -726,23 +726,19 @@ export class SafeguardManager {
726
726
  "2.1": {
727
727
  id: "2.1",
728
728
  title: "Establish and Maintain a Software Inventory",
729
- description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
729
+ description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.",
730
730
  implementationGroup: "IG1",
731
- assetType: ["applications"],
731
+ assetType: ["Software"],
732
732
  securityFunction: ["Identify"],
733
733
  governanceElements: [ // Orange - MUST be met
734
- "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
735
- "The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date",
736
- "Review and update the software inventory bi-annually, or more frequently"
734
+ "Establish a Software Inventory",
735
+ "The software inventory must document the sub-taxonomical elements, where appropriate",
736
+ "Review and update the software inventory bi-annually, or more frequently - AKA Maintain"
737
737
  ],
738
738
  coreRequirements: [ // Green - The "what"
739
- "Detailed inventory of all licensed software",
740
- "Installed on enterprise Assets"
739
+ "Detailed inventory of all licensed software"
741
740
  ],
742
741
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
743
- "Establish",
744
- "Maintain",
745
- "Must Document",
746
742
  "Title",
747
743
  "Publisher",
748
744
  "Initial Install / Use Date",
@@ -751,10 +747,7 @@ export class SafeguardManager {
751
747
  "App Store(s)",
752
748
  "App Version(s)",
753
749
  "Deployment mechanism",
754
- "Decomm. Date",
755
- "Where appropriate",
756
- "bi-annually",
757
- "More Frequently"
750
+ "Decomm. Date"
758
751
  ],
759
752
  implementationSuggestions: [ // Gray - Implementation suggestions
760
753
  ],
@@ -844,7 +837,7 @@ export class SafeguardManager {
844
837
  title: "Ensure That Only Currently Supported Software Is Designated as Authorized",
845
838
  description: "Ensure that only currently supported software is designated as authorized in the software inventory",
846
839
  implementationGroup: "IG1",
847
- assetType: ["applications"],
840
+ assetType: ["Software"],
848
841
  securityFunction: ["Identify"],
849
842
  governanceElements: [ // Orange - MUST be met
850
843
  "Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
@@ -854,15 +847,10 @@ export class SafeguardManager {
854
847
  "Authorized in the software inventory"
855
848
  ],
856
849
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
857
- "Ensure",
858
850
  "Determine if Authorized Software Is Currently Supported",
859
- "If Unsupported",
860
851
  "Determine Necessity for Business",
861
- "Document Exception detailing mitigating controls",
862
- "Document Residual risk acceptance",
863
- "Review the software list",
864
- "Monthly",
865
- "More frequently"
852
+ "Document Exception detailing mitigating controls IF Unsupported",
853
+ "Document Residual risk acceptance IF Unsupported"
866
854
  ],
867
855
  implementationSuggestions: [ // Gray - Implementation suggestions
868
856
  ],
@@ -952,7 +940,7 @@ export class SafeguardManager {
952
940
  title: "Address Unauthorized Software",
953
941
  description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
954
942
  implementationGroup: "IG1",
955
- assetType: ["applications"],
943
+ assetType: ["Software"],
956
944
  securityFunction: ["Respond"],
957
945
  governanceElements: [ // Orange - MUST be met
958
946
  "Ensure",
@@ -964,9 +952,7 @@ export class SafeguardManager {
964
952
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
965
953
  "Address Unauthorized Software",
966
954
  "Remove from use",
967
- "Document Exception",
968
- "Monthly",
969
- "More Frequently"
955
+ "Document Exception"
970
956
  ],
971
957
  implementationSuggestions: [ // Gray - Implementation suggestions
972
958
  ],
@@ -1056,21 +1042,19 @@ export class SafeguardManager {
1056
1042
  title: "Utilize Automated Software Inventory Tools",
1057
1043
  description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
1058
1044
  implementationGroup: "IG2",
1059
- assetType: ["applications"],
1045
+ assetType: ["Software"],
1060
1046
  securityFunction: ["Detect"],
1061
1047
  governanceElements: [ // Orange - MUST be met
1062
1048
  "Utilize",
1063
1049
  "when possible"
1064
1050
  ],
1065
1051
  coreRequirements: [ // Green - The "what"
1066
- "software inventory tools",
1067
- "automate the discovery and documentation of installed software"
1052
+ "software inventory tools"
1068
1053
  ],
1069
1054
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1070
1055
  "Automate Discovery",
1071
1056
  "Automate Documentation",
1072
- "Installed Software",
1073
- "When possible"
1057
+ "Installed Software"
1074
1058
  ],
1075
1059
  implementationSuggestions: [ // Gray - Implementation suggestions
1076
1060
  ],
@@ -1160,7 +1144,7 @@ export class SafeguardManager {
1160
1144
  title: "Allowlist Authorized Software",
1161
1145
  description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
1162
1146
  implementationGroup: "IG2",
1163
- assetType: ["applications"],
1147
+ assetType: ["Software"],
1164
1148
  securityFunction: ["Protect"],
1165
1149
  governanceElements: [ // Orange - MUST be met
1166
1150
  "Use",
@@ -1172,13 +1156,9 @@ export class SafeguardManager {
1172
1156
  "only authorized software can execute or be accessed"
1173
1157
  ],
1174
1158
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1175
- "Allowlist Authorized Software",
1176
1159
  "Technical Controls",
1177
- "Execute",
1178
- "Accessed",
1179
- "Reassess",
1180
- "Bi-Annually",
1181
- "More Frequently"
1160
+ "Allow software to Execute",
1161
+ "Allow software to be Accessed"
1182
1162
  ],
1183
1163
  implementationSuggestions: [ // Gray - Implementation suggestions
1184
1164
  "Application Allowlisting"
@@ -1269,27 +1249,20 @@ export class SafeguardManager {
1269
1249
  title: "Allowlist Authorized Libraries",
1270
1250
  description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
1271
1251
  implementationGroup: "IG2",
1272
- assetType: ["applications"],
1252
+ assetType: ["Software"],
1273
1253
  securityFunction: ["Protect"],
1274
1254
  governanceElements: [ // Orange - MUST be met
1275
1255
  "Use",
1276
1256
  "Ensure",
1277
- "Block unauthorized libraries from loading into a system process",
1278
1257
  "Reassess bi-annually, or more frequently"
1279
1258
  ],
1280
1259
  coreRequirements: [ // Green - The "what"
1281
- "technical controls",
1282
1260
  "only authorized software libraries",
1283
1261
  "are allowed to load into a system process"
1284
1262
  ],
1285
1263
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1286
- "Only authorized software libraries",
1287
- "Are allowed to load into a system process",
1288
1264
  "Technical Controls",
1289
- "Block unauthorized libraries from loading into a system process",
1290
- "Reassess",
1291
- "Bi-Annually",
1292
- "More Frequently"
1265
+ "Block unauthorized libraries from loading into a system process"
1293
1266
  ],
1294
1267
  implementationSuggestions: [ // Gray - Implementation suggestions
1295
1268
  "Specific .dll files",
@@ -1382,25 +1355,19 @@ export class SafeguardManager {
1382
1355
  title: "Allowlist Authorized Scripts",
1383
1356
  description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
1384
1357
  implementationGroup: "IG3",
1385
- assetType: ["applications"],
1358
+ assetType: ["Software"],
1386
1359
  securityFunction: ["Protect"],
1387
1360
  governanceElements: [ // Orange - MUST be met
1388
1361
  "Use",
1389
1362
  "Ensure",
1390
- "Block unauthorized scripts from executing",
1391
1363
  "Reassess bi-annually, or more frequently"
1392
1364
  ],
1393
1365
  coreRequirements: [ // Green - The "what"
1394
- "technical controls",
1395
1366
  "only authorized files are allowed to execute"
1396
1367
  ],
1397
1368
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
1398
- "Only authorized files are allowed to execute",
1399
1369
  "Technical Controls",
1400
1370
  "Block unauthorized scripts from executing",
1401
- "Reassess",
1402
- "Bi-Annually",
1403
- "More Frequently"
1404
1371
  ],
1405
1372
  implementationSuggestions: [ // Gray - Implementation suggestions
1406
1373
  "Digital signatures",
@@ -1727,7 +1694,7 @@ export class SafeguardManager {
1727
1694
  "ACLS - \"aka\" Access Permissions",
1728
1695
  "Local",
1729
1696
  "Remote File Systems",
1730
- "Applications",
1697
+ "Software",
1731
1698
  "Databases"
1732
1699
  ],
1733
1700
  implementationSuggestions: [ // Gray - Implementation suggestions
@@ -2558,7 +2525,7 @@ export class SafeguardManager {
2558
2525
  subTaxonomicalElements: [ // Yellow - Sub-taxonomical elements
2559
2526
  "Encrypt Sensitive Data At Rest",
2560
2527
  "Servers",
2561
- "Applications",
2528
+ "Software",
2562
2529
  "Databases",
2563
2530
  "Storage Layer (server side) encryption",
2564
2531
  "Minimum Requirement"
@@ -2965,7 +2932,7 @@ export class SafeguardManager {
2965
2932
  title: "Establish and Maintain a Secure Configuration Process",
2966
2933
  description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
2967
2934
  implementationGroup: "IG1",
2968
- assetType: ["end-user devices", "network devices", "IoT devices", "servers", "applications"],
2935
+ assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
2969
2936
  securityFunction: ["Govern"],
2970
2937
  governanceElements: [ // Orange - MUST be met
2971
2938
  "Establish",
@@ -2988,7 +2955,7 @@ export class SafeguardManager {
2988
2955
  "Non-computing/IoT devices",
2989
2956
  "Servers",
2990
2957
  "OS",
2991
- "Applications"
2958
+ "Software"
2992
2959
  ],
2993
2960
  implementationSuggestions: [ // Gray - Implementation suggestions
2994
2961
  "Secure Configuration Policy / Process",
@@ -3507,7 +3474,7 @@ export class SafeguardManager {
3507
3474
  title: "Securely Manage Enterprise Assets and Software",
3508
3475
  description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
3509
3476
  implementationGroup: "IG1",
3510
- assetType: ["devices", "applications"],
3477
+ assetType: ["devices", "Software"],
3511
3478
  securityFunction: ["Protect"],
3512
3479
  governanceElements: [ // Orange - MUST be met
3513
3480
  "Do not use insecure management protocols",
@@ -3614,7 +3581,7 @@ export class SafeguardManager {
3614
3581
  title: "Manage Default Accounts on Enterprise Assets and Software",
3615
3582
  description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
3616
3583
  implementationGroup: "IG1",
3617
- assetType: ["devices", "applications", "users"],
3584
+ assetType: ["devices", "Software", "users"],
3618
3585
  securityFunction: ["Protect"],
3619
3586
  governanceElements: [ // Orange - MUST be met
3620
3587
  "Manage"
@@ -3721,7 +3688,7 @@ export class SafeguardManager {
3721
3688
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
3722
3689
  description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
3723
3690
  implementationGroup: "IG2",
3724
- assetType: ["devices", "applications"],
3691
+ assetType: ["devices", "Software"],
3725
3692
  securityFunction: ["Protect"],
3726
3693
  governanceElements: [ // Orange - MUST be met
3727
3694
  "Uninstall",
@@ -5914,7 +5881,7 @@ export class SafeguardManager {
5914
5881
  title: "Establish and Maintain a Remediation Process",
5915
5882
  description: "Establish and maintain a remediation process and SLA for security vulnerabilities",
5916
5883
  implementationGroup: "IG1",
5917
- assetType: ["applications"],
5884
+ assetType: ["Software"],
5918
5885
  securityFunction: ["Respond"],
5919
5886
  governanceElements: [ // Orange - MUST be met
5920
5887
  "establish remediation process",
@@ -6146,7 +6113,7 @@ export class SafeguardManager {
6146
6113
  title: "Perform Automated Application Patch Management",
6147
6114
  description: "Perform automated application patch management on enterprise assets",
6148
6115
  implementationGroup: "IG1",
6149
- assetType: ["applications"],
6116
+ assetType: ["Software"],
6150
6117
  securityFunction: ["Protect"],
6151
6118
  governanceElements: [ // Orange - MUST be met
6152
6119
  "perform automated application patching",
@@ -6262,7 +6229,7 @@ export class SafeguardManager {
6262
6229
  title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
6263
6230
  description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
6264
6231
  implementationGroup: "IG2",
6265
- assetType: ["devices", "applications"],
6232
+ assetType: ["devices", "Software"],
6266
6233
  securityFunction: ["Detect"],
6267
6234
  governanceElements: [ // Orange - MUST be met
6268
6235
  "perform automated vulnerability scans",
@@ -6378,7 +6345,7 @@ export class SafeguardManager {
6378
6345
  title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
6379
6346
  description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
6380
6347
  implementationGroup: "IG2",
6381
- assetType: ["devices", "applications"],
6348
+ assetType: ["devices", "Software"],
6382
6349
  securityFunction: ["Detect"],
6383
6350
  governanceElements: [ // Orange - MUST be met
6384
6351
  "perform automated vulnerability scans",
@@ -6494,7 +6461,7 @@ export class SafeguardManager {
6494
6461
  title: "Remediate Detected Vulnerabilities",
6495
6462
  description: "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis",
6496
6463
  implementationGroup: "IG2",
6497
- assetType: ["applications"],
6464
+ assetType: ["Software"],
6498
6465
  securityFunction: ["Respond"],
6499
6466
  governanceElements: [ // Orange - MUST be met
6500
6467
  "remediate detected vulnerabilities",
@@ -7872,7 +7839,7 @@ export class SafeguardManager {
7872
7839
  title: "Ensure Use of Only Fully Supported Browsers and Email Clients",
7873
7840
  description: "Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor",
7874
7841
  implementationGroup: "IG1",
7875
- assetType: ["applications"],
7842
+ assetType: ["Software"],
7876
7843
  securityFunction: ["Protect"],
7877
7844
  governanceElements: [ // Orange - MUST be met
7878
7845
  "ensure only fully supported browsers and email clients are allowed to execute",
@@ -8211,7 +8178,7 @@ export class SafeguardManager {
8211
8178
  title: "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions",
8212
8179
  description: "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
8213
8180
  implementationGroup: "IG2",
8214
- assetType: ["applications"],
8181
+ assetType: ["Software"],
8215
8182
  securityFunction: ["Protect"],
8216
8183
  governanceElements: [ // Orange - MUST be met
8217
8184
  "restrict unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
@@ -11927,7 +11894,7 @@ export class SafeguardManager {
11927
11894
  title: "Perform Application Layer Filtering",
11928
11895
  description: "Perform application layer filtering to protect against the enterprise's most common network-based attacks",
11929
11896
  implementationGroup: "IG3",
11930
- assetType: ["network", "applications"],
11897
+ assetType: ["network", "Software"],
11931
11898
  securityFunction: ["Protect"],
11932
11899
  governanceElements: [ // Orange - MUST be met
11933
11900
  "perform application layer filtering",
@@ -13967,7 +13934,7 @@ export class SafeguardManager {
13967
13934
  title: "Establish and Maintain a Secure Application Development Process",
13968
13935
  description: "Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
13969
13936
  implementationGroup: "IG2",
13970
- assetType: ["applications"],
13937
+ assetType: ["Software"],
13971
13938
  securityFunction: ["Govern"],
13972
13939
  governanceElements: [ // Orange - MUST be met
13973
13940
  "establish and maintain a secure application development process",
@@ -14084,7 +14051,7 @@ export class SafeguardManager {
14084
14051
  title: "Establish and Maintain a Process to Accept and Address Software Vulnerabilities",
14085
14052
  description: "Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders",
14086
14053
  implementationGroup: "IG2",
14087
- assetType: ["applications"],
14054
+ assetType: ["Software"],
14088
14055
  securityFunction: ["Govern"],
14089
14056
  governanceElements: [ // Orange - MUST be met
14090
14057
  "establish and maintain a process to accept and address reports of software vulnerabilities",
@@ -14205,7 +14172,7 @@ export class SafeguardManager {
14205
14172
  title: "Perform Root Cause Analysis on Security Vulnerabilities",
14206
14173
  description: "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise",
14207
14174
  implementationGroup: "IG2",
14208
- assetType: ["applications"],
14175
+ assetType: ["Software"],
14209
14176
  securityFunction: ["Protect"],
14210
14177
  governanceElements: [ // Orange - MUST be met
14211
14178
  "perform root cause analysis on security vulnerabilities"
@@ -14311,7 +14278,7 @@ export class SafeguardManager {
14311
14278
  title: "Establish and Manage an Inventory of Third-Party Software Components",
14312
14279
  description: "Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported",
14313
14280
  implementationGroup: "IG2",
14314
- assetType: ["applications"],
14281
+ assetType: ["Software"],
14315
14282
  securityFunction: ["Identify"],
14316
14283
  governanceElements: [ // Orange - MUST be met
14317
14284
  "establish and manage an updated inventory of third-party components used in development",
@@ -14425,7 +14392,7 @@ export class SafeguardManager {
14425
14392
  title: "Use Up-to-Date and Trusted Third-Party Software Components",
14426
14393
  description: "Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use",
14427
14394
  implementationGroup: "IG2",
14428
- assetType: ["applications"],
14395
+ assetType: ["Software"],
14429
14396
  securityFunction: ["Protect"],
14430
14397
  governanceElements: [ // Orange - MUST be met
14431
14398
  "use up-to-date and trusted third-party software components"
@@ -14536,7 +14503,7 @@ export class SafeguardManager {
14536
14503
  title: "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities",
14537
14504
  description: "Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually",
14538
14505
  implementationGroup: "IG2",
14539
- assetType: ["applications"],
14506
+ assetType: ["Software"],
14540
14507
  securityFunction: ["Govern"],
14541
14508
  governanceElements: [ // Orange - MUST be met
14542
14509
  "establish and maintain a severity rating system and process for application vulnerabilities",
@@ -14648,7 +14615,7 @@ export class SafeguardManager {
14648
14615
  title: "Use Standard Hardening Configuration Templates for Application Infrastructure",
14649
14616
  description: "Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening",
14650
14617
  implementationGroup: "IG2",
14651
- assetType: ["applications"],
14618
+ assetType: ["Software"],
14652
14619
  securityFunction: ["Protect"],
14653
14620
  governanceElements: [ // Orange - MUST be met
14654
14621
  "use standard, industry-recommended hardening configuration templates for application infrastructure components",
@@ -14983,7 +14950,7 @@ export class SafeguardManager {
14983
14950
  title: "Apply Secure Design Principles in Application Architectures",
14984
14951
  description: "Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts",
14985
14952
  implementationGroup: "IG2",
14986
- assetType: ["applications"],
14953
+ assetType: ["Software"],
14987
14954
  securityFunction: ["Protect"],
14988
14955
  governanceElements: [ // Orange - MUST be met
14989
14956
  "apply secure design principles in application architectures"
@@ -15099,7 +15066,7 @@ export class SafeguardManager {
15099
15066
  title: "Leverage Vetted Modules or Services for Application Security Components",
15100
15067
  description: "Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs",
15101
15068
  implementationGroup: "IG2",
15102
- assetType: ["applications"],
15069
+ assetType: ["Software"],
15103
15070
  securityFunction: ["Identify"],
15104
15071
  governanceElements: [ // Orange - MUST be met
15105
15072
  "leverage vetted modules or services for application security components",
@@ -15215,7 +15182,7 @@ export class SafeguardManager {
15215
15182
  title: "Implement Code-Level Security Checks",
15216
15183
  description: "Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed",
15217
15184
  implementationGroup: "IG3",
15218
- assetType: ["applications"],
15185
+ assetType: ["Software"],
15219
15186
  securityFunction: ["Protect"],
15220
15187
  governanceElements: [ // Orange - MUST be met
15221
15188
  "apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed"
@@ -15323,7 +15290,7 @@ export class SafeguardManager {
15323
15290
  title: "Conduct Application Penetration Testing",
15324
15291
  description: "Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user",
15325
15292
  implementationGroup: "IG3",
15326
- assetType: ["applications"],
15293
+ assetType: ["Software"],
15327
15294
  securityFunction: ["Detect"],
15328
15295
  governanceElements: [ // Orange - MUST be met
15329
15296
  "conduct application penetration testing"
@@ -15434,7 +15401,7 @@ export class SafeguardManager {
15434
15401
  title: "Conduct Threat Modeling",
15435
15402
  description: "Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses",
15436
15403
  implementationGroup: "IG3",
15437
- assetType: ["applications"],
15404
+ assetType: ["Software"],
15438
15405
  securityFunction: ["Protect"],
15439
15406
  governanceElements: [ // Orange - MUST be met
15440
15407
  "conduct threat modeling"
@@ -106,7 +106,7 @@ export class FrameworkHttpServer {
106
106
  res.json({
107
107
  status: 'healthy',
108
108
  uptime: Math.round(process.uptime()),
109
- version: '2.2.2',
109
+ version: '2.3.2',
110
110
  timestamp: new Date().toISOString()
111
111
  });
112
112
  });
@@ -222,7 +222,7 @@ export class FrameworkHttpServer {
222
222
  this.app.get('/api', (req, res) => {
223
223
  res.json({
224
224
  name: 'Framework MCP HTTP API',
225
- version: '2.2.2',
225
+ version: '2.3.2',
226
226
  description: 'Pure Data Provider serving authentic CIS Controls Framework data',
227
227
  endpoints: {
228
228
  'GET /api/safeguards': 'List all available CIS safeguards',
@@ -18,7 +18,7 @@ export class FrameworkMcpServer {
18
18
  this.server = new Server(
19
19
  {
20
20
  name: 'framework-analyzer',
21
- version: '2.2.2',
21
+ version: '2.3.2',
22
22
  }
23
23
  );
24
24
 
@@ -129,7 +129,7 @@ export class FrameworkMcpServer {
129
129
  safeguards,
130
130
  total: safeguards.length,
131
131
  framework: 'CIS Controls v8.1',
132
- version: '2.2.2'
132
+ version: '2.3.2'
133
133
  }, null, 2),
134
134
  },
135
135
  ],