vaspera 2.5.0 → 2.8.0

package/dist/compliance/nist-800-53.js

@@ -0,0 +1,664 @@
+/**
+ * NIST 800-53 Security and Privacy Controls
+ *
+ * NIST Special Publication 800-53 Rev. 5 controls mapped to security finding categories.
+ * Focuses on controls relevant to application security and code analysis.
+ *
+ * @module compliance/nist-800-53
+ */
+/**
+ * NIST 800-53 Rev. 5 Controls relevant to code security
+ */
+export const NIST_800_53_CONTROLS = [
+    // AC - Access Control Family
+    {
+        id: "AC-2",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Account Management",
+        description: "Define and document the types of accounts allowed and specifically prohibited for use within the system. Assign account managers and establish conditions for group membership.",
+        keywords: ["account", "user management", "provisioning", "deprovisioning"],
+        findingCategories: ["auth-bypass", "broken-access-control"],
+        cweIds: ["CWE-269", "CWE-266", "CWE-284"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AC-3",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Access Enforcement",
+        description: "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
+        keywords: ["authorization", "access control", "permissions", "privilege"],
+        findingCategories: ["broken-access-control", "auth-bypass", "privilege-escalation"],
+        cweIds: ["CWE-862", "CWE-863", "CWE-285"],
+        severityThreshold: "high",
+    },
+    {
+        id: "AC-4",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Information Flow Enforcement",
+        description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems.",
+        keywords: ["data flow", "information flow", "data transfer", "exfiltration"],
+        findingCategories: ["data-exposure", "ssrf", "insecure-transmission"],
+        cweIds: ["CWE-200", "CWE-918", "CWE-319"],
+        severityThreshold: "high",
+    },
+    {
+        id: "AC-5",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Separation of Duties",
+        description: "Separate duties of individuals to prevent malevolent activity. Define system access authorizations to support separation of duties.",
+        keywords: ["separation of duties", "role separation", "least privilege"],
+        findingCategories: ["broken-access-control", "privilege-escalation"],
+        cweIds: ["CWE-269", "CWE-250"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AC-6",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Least Privilege",
+        description: "Employ the principle of least privilege, allowing only authorized accesses for users which are necessary to accomplish assigned organizational tasks.",
+        keywords: ["least privilege", "minimal access", "privilege", "authorization"],
+        findingCategories: ["broken-access-control", "privilege-escalation"],
+        cweIds: ["CWE-250", "CWE-269", "CWE-732"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AC-7",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Unsuccessful Logon Attempts",
+        description: "Enforce a limit of consecutive invalid logon attempts by a user and automatically lock the account when the maximum number is exceeded.",
+        keywords: ["login", "brute force", "lockout", "authentication"],
+        findingCategories: ["auth-bypass", "weak-password"],
+        cweIds: ["CWE-307", "CWE-287"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AC-10",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Concurrent Session Control",
+        description: "Limit the number of concurrent sessions for each system account to an organization-defined number.",
+        keywords: ["session", "concurrent", "session management"],
+        findingCategories: ["session-management"],
+        cweIds: ["CWE-384", "CWE-613"],
+        severityThreshold: "low",
+    },
+    {
+        id: "AC-11",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Device Lock",
+        description: "Prevent further access to the system by initiating a session lock after a period of inactivity.",
+        keywords: ["session timeout", "idle timeout", "session lock"],
+        findingCategories: ["session-management"],
+        cweIds: ["CWE-613"],
+        severityThreshold: "low",
+    },
+    {
+        id: "AC-12",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Session Termination",
+        description: "Automatically terminate a user session after organization-defined conditions or trigger events.",
+        keywords: ["session termination", "logout", "session expiry"],
+        findingCategories: ["session-management"],
+        cweIds: ["CWE-613"],
+        severityThreshold: "low",
+    },
+    {
+        id: "AC-14",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Permitted Actions without Identification or Authentication",
+        description: "Identify specific user actions that can be performed on the system without identification or authentication.",
+        keywords: ["unauthenticated access", "public access", "anonymous"],
+        findingCategories: ["auth-bypass", "broken-access-control"],
+        cweIds: ["CWE-287", "CWE-306"],
+        severityThreshold: "high",
+    },
+    {
+        id: "AC-17",
+        framework: "NIST-800-53",
+        category: "Access Control",
+        title: "Remote Access",
+        description: "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.",
+        keywords: ["remote access", "VPN", "SSH", "RDP"],
+        findingCategories: ["insecure-transmission", "auth-bypass"],
+        cweIds: ["CWE-319", "CWE-287"],
+        severityThreshold: "high",
+    },
+    // AU - Audit and Accountability Family
+    {
+        id: "AU-2",
+        framework: "NIST-800-53",
+        category: "Audit and Accountability",
+        title: "Event Logging",
+        description: "Identify the types of events that the system is capable of logging in support of the audit function.",
+        keywords: ["logging", "audit", "event logging", "audit trail"],
+        findingCategories: ["insufficient-logging"],
+        cweIds: ["CWE-778", "CWE-223"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AU-3",
+        framework: "NIST-800-53",
+        category: "Audit and Accountability",
+        title: "Content of Audit Records",
+        description: "Ensure that audit records contain information that establishes what type of event occurred, when it occurred, where it occurred, source, outcome, and identity.",
+        keywords: ["audit content", "log format", "audit record"],
+        findingCategories: ["insufficient-logging"],
+        cweIds: ["CWE-778"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AU-6",
+        framework: "NIST-800-53",
+        category: "Audit and Accountability",
+        title: "Audit Record Review, Analysis, and Reporting",
+        description: "Review and analyze system audit records for indications of inappropriate or unusual activity and report findings.",
+        keywords: ["audit review", "log analysis", "security monitoring"],
+        findingCategories: ["insufficient-logging"],
+        cweIds: ["CWE-778"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AU-9",
+        framework: "NIST-800-53",
+        category: "Audit and Accountability",
+        title: "Protection of Audit Information",
+        description: "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.",
+        keywords: ["log protection", "audit integrity", "tamper-proof"],
+        findingCategories: ["insufficient-logging", "broken-access-control"],
+        cweIds: ["CWE-778", "CWE-117"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "AU-12",
+        framework: "NIST-800-53",
+        category: "Audit and Accountability",
+        title: "Audit Record Generation",
+        description: "Provide audit record generation capability for the events identified in AU-2 at system components.",
+        keywords: ["audit generation", "logging", "event recording"],
+        findingCategories: ["insufficient-logging"],
+        cweIds: ["CWE-778"],
+        severityThreshold: "medium",
+    },
+    // CA - Assessment, Authorization, and Monitoring Family
+    {
+        id: "CA-7",
+        framework: "NIST-800-53",
+        category: "Assessment and Authorization",
+        title: "Continuous Monitoring",
+        description: "Develop a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security assessments.",
+        keywords: ["continuous monitoring", "security assessment", "vulnerability scanning"],
+        findingCategories: ["security-misconfiguration", "dependency-vuln"],
+        cweIds: ["CWE-1035"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "CA-8",
+        framework: "NIST-800-53",
+        category: "Assessment and Authorization",
+        title: "Penetration Testing",
+        description: "Conduct penetration testing at an organization-defined frequency on organization-defined systems or system components.",
+        keywords: ["penetration testing", "security testing", "red team"],
+        findingCategories: [],
+        severityThreshold: "medium",
+    },
+    // CM - Configuration Management Family
+    {
+        id: "CM-2",
+        framework: "NIST-800-53",
+        category: "Configuration Management",
+        title: "Baseline Configuration",
+        description: "Develop, document, and maintain a current baseline configuration of the system.",
+        keywords: ["baseline", "configuration", "hardening"],
+        findingCategories: ["security-misconfiguration"],
+        cweIds: ["CWE-1188"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "CM-3",
+        framework: "NIST-800-53",
+        category: "Configuration Management",
+        title: "Configuration Change Control",
+        description: "Determine and document the types of changes to the system that are configuration-controlled.",
+        keywords: ["change control", "change management", "version control"],
+        findingCategories: ["security-misconfiguration"],
+        cweIds: ["CWE-1188"],
+        severityThreshold: "low",
+    },
+    {
+        id: "CM-6",
+        framework: "NIST-800-53",
+        category: "Configuration Management",
+        title: "Configuration Settings",
+        description: "Establish and document configuration settings for system components that reflect the most restrictive mode consistent with operational requirements.",
+        keywords: ["configuration settings", "security settings", "hardening"],
+        findingCategories: ["security-misconfiguration"],
+        cweIds: ["CWE-1188", "CWE-16"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "CM-7",
+        framework: "NIST-800-53",
+        category: "Configuration Management",
+        title: "Least Functionality",
+        description: "Configure the system to provide only essential capabilities and prohibit or restrict the use of non-essential functions, ports, protocols, and services.",
+        keywords: ["least functionality", "attack surface", "minimize exposure"],
+        findingCategories: ["security-misconfiguration"],
+        cweIds: ["CWE-1188"],
+        severityThreshold: "medium",
+    },
+    // IA - Identification and Authentication Family
+    {
+        id: "IA-2",
+        framework: "NIST-800-53",
+        category: "Identification and Authentication",
+        title: "Identification and Authentication (Organizational Users)",
+        description: "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.",
+        keywords: ["authentication", "identity", "user identification"],
+        findingCategories: ["auth-bypass", "session-management"],
+        cweIds: ["CWE-287", "CWE-306"],
+        severityThreshold: "high",
+    },
+    {
+        id: "IA-4",
+        framework: "NIST-800-53",
+        category: "Identification and Authentication",
+        title: "Identifier Management",
+        description: "Manage system identifiers by receiving authorization to assign identifiers, selecting identifiers that identify individuals, and preventing reuse of identifiers.",
+        keywords: ["identifier", "user ID", "identity management"],
+        findingCategories: ["auth-bypass"],
+        cweIds: ["CWE-287"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "IA-5",
+        framework: "NIST-800-53",
+        category: "Identification and Authentication",
+        title: "Authenticator Management",
+        description: "Manage system authenticators by verifying identity before distributing authenticators, establishing initial authenticator content, and ensuring authenticators have sufficient strength.",
+        keywords: ["password", "credential", "authenticator", "token"],
+        findingCategories: ["weak-password", "auth-bypass", "secrets"],
+        cweIds: ["CWE-521", "CWE-522", "CWE-798"],
+        severityThreshold: "high",
+    },
+    {
+        id: "IA-6",
+        framework: "NIST-800-53",
+        category: "Identification and Authentication",
+        title: "Authentication Feedback",
+        description: "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals.",
+        keywords: ["authentication feedback", "password masking", "login error"],
+        findingCategories: ["auth-bypass", "data-exposure"],
+        cweIds: ["CWE-203", "CWE-209"],
+        severityThreshold: "low",
+    },
+    {
+        id: "IA-8",
+        framework: "NIST-800-53",
+        category: "Identification and Authentication",
+        title: "Identification and Authentication (Non-Organizational Users)",
+        description: "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.",
+        keywords: ["external user", "third-party", "guest authentication"],
+        findingCategories: ["auth-bypass"],
+        cweIds: ["CWE-287", "CWE-306"],
+        severityThreshold: "high",
+    },
+    // RA - Risk Assessment Family
+    {
+        id: "RA-3",
+        framework: "NIST-800-53",
+        category: "Risk Assessment",
+        title: "Risk Assessment",
+        description: "Conduct a risk assessment to identify, estimate, and prioritize risks to organizational operations, organizational assets, and individuals.",
+        keywords: ["risk assessment", "threat assessment", "vulnerability assessment"],
+        findingCategories: ["dependency-vuln", "security-misconfiguration"],
+        cweIds: ["CWE-1035"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "RA-5",
+        framework: "NIST-800-53",
+        category: "Risk Assessment",
+        title: "Vulnerability Monitoring and Scanning",
+        description: "Monitor and scan for vulnerabilities in the system and hosted applications and document and remediate vulnerabilities.",
+        keywords: ["vulnerability scanning", "security scanning", "SAST", "DAST"],
+        findingCategories: ["dependency-vuln", "sql-injection", "xss", "command-injection"],
+        cweIds: ["CWE-1035", "CWE-89", "CWE-79", "CWE-78"],
+        severityThreshold: "high",
+    },
+    // SA - System and Services Acquisition Family
+    {
+        id: "SA-8",
+        framework: "NIST-800-53",
+        category: "System and Services Acquisition",
+        title: "Security and Privacy Engineering Principles",
+        description: "Apply security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components.",
+        keywords: ["secure design", "security engineering", "privacy by design"],
+        findingCategories: ["security-misconfiguration", "type-safety"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SA-10",
+        framework: "NIST-800-53",
+        category: "System and Services Acquisition",
+        title: "Developer Configuration Management",
+        description: "Require the developer of the system to perform configuration management during system design, development, implementation, and operation.",
+        keywords: ["developer", "configuration management", "SDLC"],
+        findingCategories: ["security-misconfiguration"],
+        cweIds: ["CWE-1188"],
+        severityThreshold: "low",
+    },
+    {
+        id: "SA-11",
+        framework: "NIST-800-53",
+        category: "System and Services Acquisition",
+        title: "Developer Testing and Evaluation",
+        description: "Require the developer of the system to create and implement a security and privacy assessment plan.",
+        keywords: ["security testing", "developer testing", "code review"],
+        findingCategories: ["type-safety", "error-handling"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SA-12",
+        framework: "NIST-800-53",
+        category: "System and Services Acquisition",
+        title: "Supply Chain Risk Management",
+        description: "Protect against supply chain risks by employing security safeguards in accordance with organization-defined supply chain risk management strategy.",
+        keywords: ["supply chain", "third-party", "dependency", "vendor"],
+        findingCategories: ["dependency-vuln"],
+        cweIds: ["CWE-1035", "CWE-829"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SA-15",
+        framework: "NIST-800-53",
+        category: "System and Services Acquisition",
+        title: "Development Process, Standards, and Tools",
+        description: "Require the developer of the system to follow a documented development process that addresses security and privacy requirements.",
+        keywords: ["development process", "SDLC", "secure development"],
+        findingCategories: ["type-safety", "error-handling"],
+        severityThreshold: "low",
+    },
+    // SC - System and Communications Protection Family
+    {
+        id: "SC-4",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Information in Shared System Resources",
+        description: "Prevent unauthorized and unintended information transfer via shared system resources.",
+        keywords: ["shared resources", "information leakage", "data isolation"],
+        findingCategories: ["data-exposure"],
+        cweIds: ["CWE-200", "CWE-226"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SC-5",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Denial-of-Service Protection",
+        description: "Protect against or limit the effects of denial-of-service attacks by employing security safeguards.",
+        keywords: ["denial of service", "DoS", "DDoS", "rate limiting"],
+        findingCategories: ["denial-of-service", "resource-exhaustion"],
+        cweIds: ["CWE-400", "CWE-770"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-7",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Boundary Protection",
+        description: "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.",
+        keywords: ["boundary protection", "firewall", "network segmentation"],
+        findingCategories: ["ssrf", "path-traversal"],
+        cweIds: ["CWE-918", "CWE-22"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-8",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Transmission Confidentiality and Integrity",
+        description: "Protect the confidentiality and integrity of transmitted information.",
+        keywords: ["encryption", "TLS", "HTTPS", "data transmission"],
+        findingCategories: ["insecure-transmission"],
+        cweIds: ["CWE-319", "CWE-523"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-12",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Cryptographic Key Establishment and Management",
+        description: "Establish and manage cryptographic keys when cryptography is employed within the system.",
+        keywords: ["cryptographic keys", "key management", "encryption keys"],
+        findingCategories: ["secrets", "weak-crypto"],
+        cweIds: ["CWE-320", "CWE-321", "CWE-798"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-13",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Cryptographic Protection",
+        description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of information.",
+        keywords: ["cryptography", "encryption", "hashing"],
+        findingCategories: ["weak-crypto"],
+        cweIds: ["CWE-327", "CWE-328", "CWE-326"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-18",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Mobile Code",
+        description: "Define acceptable and unacceptable mobile code and mobile code technologies and establish usage restrictions and implementation guidance.",
+        keywords: ["mobile code", "JavaScript", "active content", "executable"],
+        findingCategories: ["xss", "code-injection"],
+        cweIds: ["CWE-79", "CWE-94"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-23",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Session Authenticity",
+        description: "Protect the authenticity of communications sessions.",
+        keywords: ["session authenticity", "session hijacking", "CSRF"],
+        findingCategories: ["session-management", "csrf"],
+        cweIds: ["CWE-384", "CWE-352"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SC-28",
+        framework: "NIST-800-53",
+        category: "System and Communications Protection",
+        title: "Protection of Information at Rest",
+        description: "Protect the confidentiality and integrity of information at rest.",
+        keywords: ["data at rest", "encryption at rest", "storage encryption"],
+        findingCategories: ["data-exposure", "secrets"],
+        cweIds: ["CWE-311", "CWE-312"],
+        severityThreshold: "high",
+    },
+    // SI - System and Information Integrity Family
+    {
+        id: "SI-2",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Flaw Remediation",
+        description: "Identify, report, and correct system flaws. Install security-relevant software and firmware updates.",
+        keywords: ["patching", "flaw remediation", "vulnerability fix", "update"],
+        findingCategories: ["dependency-vuln"],
+        cweIds: ["CWE-1035"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SI-3",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Malicious Code Protection",
+        description: "Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.",
+        keywords: ["malware", "malicious code", "virus", "trojan"],
+        findingCategories: ["code-injection", "xss", "command-injection"],
+        cweIds: ["CWE-94", "CWE-79", "CWE-78"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SI-4",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "System Monitoring",
+        description: "Monitor the system to detect attacks and indicators of potential attacks, unauthorized local, network, and remote connections.",
+        keywords: ["monitoring", "intrusion detection", "security monitoring"],
+        findingCategories: ["insufficient-logging"],
+        cweIds: ["CWE-778"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SI-7",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Software, Firmware, and Information Integrity",
+        description: "Employ integrity verification tools to detect unauthorized changes to software, firmware, and information.",
+        keywords: ["integrity", "checksum", "hash verification", "code signing"],
+        findingCategories: ["security-misconfiguration"],
+        cweIds: ["CWE-494", "CWE-829"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SI-10",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Information Input Validation",
+        description: "Check the validity of information inputs.",
+        keywords: ["input validation", "sanitization", "data validation"],
+        findingCategories: ["sql-injection", "xss", "command-injection", "path-traversal"],
+        cweIds: ["CWE-20", "CWE-89", "CWE-79", "CWE-78", "CWE-22"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SI-11",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Error Handling",
+        description: "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.",
+        keywords: ["error handling", "error messages", "exception handling"],
+        findingCategories: ["error-handling", "data-exposure"],
+        cweIds: ["CWE-209", "CWE-755"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SI-12",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Information Management and Retention",
+        description: "Manage and retain information within the system and information output from the system in accordance with applicable laws, regulations, and policy.",
+        keywords: ["data retention", "information management", "data disposal"],
+        findingCategories: ["data-exposure"],
+        cweIds: ["CWE-226", "CWE-212"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SI-16",
+        framework: "NIST-800-53",
+        category: "System and Information Integrity",
+        title: "Memory Protection",
+        description: "Implement safeguards to protect the system memory from unauthorized code execution.",
+        keywords: ["memory protection", "buffer overflow", "memory safety"],
+        findingCategories: ["memory-safety", "buffer-overflow"],
+        cweIds: ["CWE-119", "CWE-120", "CWE-416"],
+        severityThreshold: "critical",
+    },
+    // SR - Supply Chain Risk Management Family
+    {
+        id: "SR-3",
+        framework: "NIST-800-53",
+        category: "Supply Chain Risk Management",
+        title: "Supply Chain Controls and Processes",
+        description: "Establish a process to identify and address weaknesses or deficiencies in the supply chain elements and processes.",
+        keywords: ["supply chain", "vendor management", "third-party risk"],
+        findingCategories: ["dependency-vuln"],
+        cweIds: ["CWE-1035", "CWE-829"],
+        severityThreshold: "high",
+    },
+    {
+        id: "SR-4",
+        framework: "NIST-800-53",
+        category: "Supply Chain Risk Management",
+        title: "Provenance",
+        description: "Document, monitor, and maintain valid provenance of systems, system components, and associated data.",
+        keywords: ["provenance", "SBOM", "software bill of materials", "supply chain"],
+        findingCategories: ["dependency-vuln"],
+        cweIds: ["CWE-1035"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SR-5",
+        framework: "NIST-800-53",
+        category: "Supply Chain Risk Management",
+        title: "Acquisition Strategies, Tools, and Methods",
+        description: "Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.",
+        keywords: ["acquisition", "procurement", "vendor assessment"],
+        findingCategories: ["dependency-vuln"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SR-6",
+        framework: "NIST-800-53",
+        category: "Supply Chain Risk Management",
+        title: "Supplier Assessments and Reviews",
+        description: "Assess and review the supply chain-related risks associated with suppliers or contractors.",
+        keywords: ["supplier assessment", "vendor review", "third-party audit"],
+        findingCategories: ["dependency-vuln"],
+        severityThreshold: "medium",
+    },
+    {
+        id: "SR-11",
+        framework: "NIST-800-53",
+        category: "Supply Chain Risk Management",
+        title: "Component Authenticity",
+        description: "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components.",
+        keywords: ["authenticity", "counterfeit", "component verification"],
+        findingCategories: ["dependency-vuln"],
+        cweIds: ["CWE-829"],
+        severityThreshold: "high",
+    },
+];
+/**
+ * Get all NIST 800-53 controls
+ */
+export function getNIST80053Controls() {
+    return NIST_800_53_CONTROLS;
+}
+/**
+ * Get NIST 800-53 controls by category (control family)
+ */
+export function getNIST80053ControlsByCategory(category) {
+    return NIST_800_53_CONTROLS.filter((c) => c.category === category);
+}
+/**
+ * Get NIST 800-53 control by ID
+ */
+export function getNIST80053ControlById(id) {
+    return NIST_800_53_CONTROLS.find((c) => c.id === id);
+}
+/**
+ * Get NIST 800-53 control families (categories)
+ */
+export function getNIST80053Categories() {
+    return [...new Set(NIST_800_53_CONTROLS.map((c) => c.category))];
+}
+/**
+ * Get NIST 800-53 control family code from control ID
+ */
+export function getControlFamilyCode(controlId) {
+    return controlId.replace(/-\d+$/, "").toUpperCase();
+}
+//# sourceMappingURL=nist-800-53.js.map