vaspera 2.8.0 → 2.9.0

package/dist/compliance/nist-800-53.js

@@ -1,8 +1,20 @@
 /**
- * NIST 800-53 Security and Privacy Controls
+ * NIST SP 800-53 Rev. 5 Security Controls
  *
- * NIST Special Publication 800-53 Rev. 5 controls mapped to security finding categories.
- * Focuses on controls relevant to application security and code analysis.
+ * Security and Privacy Controls for Information Systems and Organizations.
+ * This implements controls relevant to software/code security.
+ *
+ * Control Families:
+ * - AC: Access Control
+ * - AU: Audit and Accountability
+ * - CA: Assessment, Authorization, and Monitoring
+ * - CM: Configuration Management
+ * - IA: Identification and Authentication
+ * - RA: Risk Assessment
+ * - SA: System and Services Acquisition
+ * - SC: System and Communications Protection
+ * - SI: System and Information Integrity
+ * - SR: Supply Chain Risk Management
  *
  * @module compliance/nist-800-53
  */
@@ -10,15 +22,17 @@
  * NIST 800-53 Rev. 5 Controls relevant to code security
  */
 export const NIST_800_53_CONTROLS = [
-    // AC - Access Control Family
+    // =========================================================================
+    // AC - Access Control
+    // =========================================================================
     {
         id: "AC-2",
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Account Management",
-        description: "Define and document the types of accounts allowed and specifically prohibited for use within the system. Assign account managers and establish conditions for group membership.",
+        description: "Define and document types of accounts allowed; create, enable, modify, disable, and remove accounts in accordance with policy.",
         keywords: ["account", "user management", "provisioning", "deprovisioning"],
-        findingCategories: ["auth-bypass", "broken-access-control"],
+        findingCategories: ["broken-access-control", "auth-bypass"],
         cweIds: ["CWE-269", "CWE-266", "CWE-284"],
         severityThreshold: "medium",
     },
@@ -28,7 +42,7 @@ export const NIST_800_53_CONTROLS = [
         category: "Access Control",
         title: "Access Enforcement",
         description: "Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.",
-        keywords: ["authorization", "access control", "permissions", "privilege"],
+        keywords: ["authorization", "access control", "permission", "rbac", "abac"],
         findingCategories: ["broken-access-control", "auth-bypass", "privilege-escalation"],
         cweIds: ["CWE-862", "CWE-863", "CWE-285"],
         severityThreshold: "high",
@@ -38,10 +52,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Information Flow Enforcement",
-        description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems.",
-        keywords: ["data flow", "information flow", "data transfer", "exfiltration"],
-        findingCategories: ["data-exposure", "ssrf", "insecure-transmission"],
-        cweIds: ["CWE-200", "CWE-918", "CWE-319"],
+        description: "Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on security policies.",
+        keywords: ["data flow", "information flow", "boundary", "cross-domain"],
+        findingCategories: ["data-exposure", "insecure-data-flow", "ssrf"],
+        cweIds: ["CWE-200", "CWE-918", "CWE-441"],
         severityThreshold: "high",
     },
     {
@@ -49,10 +63,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Separation of Duties",
-        description: "Separate duties of individuals to prevent malevolent activity. Define system access authorizations to support separation of duties.",
-        keywords: ["separation of duties", "role separation", "least privilege"],
-        findingCategories: ["broken-access-control", "privilege-escalation"],
-        cweIds: ["CWE-269", "CWE-250"],
+        description: "Separate duties of individuals to reduce risk of malevolent activity without collusion.",
+        keywords: ["separation", "segregation", "duties", "roles"],
+        findingCategories: ["privilege-escalation", "broken-access-control"],
+        cweIds: ["CWE-250", "CWE-269"],
         severityThreshold: "medium",
     },
     {
@@ -60,9 +74,9 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Least Privilege",
-        description: "Employ the principle of least privilege, allowing only authorized accesses for users which are necessary to accomplish assigned organizational tasks.",
-        keywords: ["least privilege", "minimal access", "privilege", "authorization"],
-        findingCategories: ["broken-access-control", "privilege-escalation"],
+        description: "Employ the principle of least privilege, allowing only authorized accesses that are necessary to accomplish assigned organizational tasks.",
+        keywords: ["least privilege", "minimum access", "need-to-know"],
+        findingCategories: ["privilege-escalation", "excessive-permissions"],
         cweIds: ["CWE-250", "CWE-269", "CWE-732"],
         severityThreshold: "medium",
     },
@@ -71,10 +85,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Unsuccessful Logon Attempts",
-        description: "Enforce a limit of consecutive invalid logon attempts by a user and automatically lock the account when the maximum number is exceeded.",
-        keywords: ["login", "brute force", "lockout", "authentication"],
-        findingCategories: ["auth-bypass", "weak-password"],
-        cweIds: ["CWE-307", "CWE-287"],
+        description: "Enforce a limit of consecutive invalid logon attempts and take action when the limit is exceeded.",
+        keywords: ["login", "brute force", "lockout", "rate limit"],
+        findingCategories: ["brute-force", "auth-bypass"],
+        cweIds: ["CWE-307", "CWE-799"],
         severityThreshold: "medium",
     },
     {
@@ -82,8 +96,8 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Concurrent Session Control",
-        description: "Limit the number of concurrent sessions for each system account to an organization-defined number.",
-        keywords: ["session", "concurrent", "session management"],
+        description: "Limit the number of concurrent sessions for each account.",
+        keywords: ["session", "concurrent", "login"],
         findingCategories: ["session-management"],
         cweIds: ["CWE-384", "CWE-613"],
         severityThreshold: "low",
@@ -93,8 +107,8 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Device Lock",
-        description: "Prevent further access to the system by initiating a session lock after a period of inactivity.",
-        keywords: ["session timeout", "idle timeout", "session lock"],
+        description: "Prevent further access to the system by initiating a device lock after a specified period of inactivity.",
+        keywords: ["session timeout", "idle", "lock", "inactivity"],
         findingCategories: ["session-management"],
         cweIds: ["CWE-613"],
         severityThreshold: "low",
@@ -104,43 +118,34 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Session Termination",
-        description: "Automatically terminate a user session after organization-defined conditions or trigger events.",
-        keywords: ["session termination", "logout", "session expiry"],
+        description: "Automatically terminate a user session after conditions or trigger events.",
+        keywords: ["logout", "session", "termination", "invalidation"],
         findingCategories: ["session-management"],
-        cweIds: ["CWE-613"],
+        cweIds: ["CWE-613", "CWE-384"],
         severityThreshold: "low",
     },
-    {
-        id: "AC-14",
-        framework: "NIST-800-53",
-        category: "Access Control",
-        title: "Permitted Actions without Identification or Authentication",
-        description: "Identify specific user actions that can be performed on the system without identification or authentication.",
-        keywords: ["unauthenticated access", "public access", "anonymous"],
-        findingCategories: ["auth-bypass", "broken-access-control"],
-        cweIds: ["CWE-287", "CWE-306"],
-        severityThreshold: "high",
-    },
     {
         id: "AC-17",
         framework: "NIST-800-53",
         category: "Access Control",
         title: "Remote Access",
-        description: "Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.",
-        keywords: ["remote access", "VPN", "SSH", "RDP"],
-        findingCategories: ["insecure-transmission", "auth-bypass"],
-        cweIds: ["CWE-319", "CWE-287"],
+        description: "Establish and document usage restrictions and implementation guidance for each type of remote access.",
+        keywords: ["remote", "vpn", "api", "external access"],
+        findingCategories: ["insecure-api", "auth-bypass"],
+        cweIds: ["CWE-287", "CWE-306"],
         severityThreshold: "high",
     },
-    // AU - Audit and Accountability Family
+    // =========================================================================
+    // AU - Audit and Accountability
+    // =========================================================================
     {
         id: "AU-2",
         framework: "NIST-800-53",
         category: "Audit and Accountability",
         title: "Event Logging",
-        description: "Identify the types of events that the system is capable of logging in support of the audit function.",
-        keywords: ["logging", "audit", "event logging", "audit trail"],
-        findingCategories: ["insufficient-logging"],
+        description: "Identify the types of events that the system is capable of logging and coordinate with related entities.",
+        keywords: ["logging", "audit", "events", "tracking"],
+        findingCategories: ["insufficient-logging", "security-misconfiguration"],
         cweIds: ["CWE-778", "CWE-223"],
         severityThreshold: "medium",
     },
@@ -149,20 +154,20 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Audit and Accountability",
         title: "Content of Audit Records",
-        description: "Ensure that audit records contain information that establishes what type of event occurred, when it occurred, where it occurred, source, outcome, and identity.",
-        keywords: ["audit content", "log format", "audit record"],
+        description: "Ensure that audit records contain information that establishes what type of event occurred, when, where, the source, outcome, and identity of involved individuals.",
+        keywords: ["audit content", "log format", "event details"],
         findingCategories: ["insufficient-logging"],
-        cweIds: ["CWE-778"],
-        severityThreshold: "medium",
+        cweIds: ["CWE-778", "CWE-532"],
+        severityThreshold: "low",
     },
     {
         id: "AU-6",
         framework: "NIST-800-53",
         category: "Audit and Accountability",
         title: "Audit Record Review, Analysis, and Reporting",
-        description: "Review and analyze system audit records for indications of inappropriate or unusual activity and report findings.",
-        keywords: ["audit review", "log analysis", "security monitoring"],
-        findingCategories: ["insufficient-logging"],
+        description: "Review and analyze system audit records for indications of inappropriate or unusual activity.",
+        keywords: ["log analysis", "monitoring", "detection", "siem"],
+        findingCategories: ["insufficient-logging", "security-misconfiguration"],
         cweIds: ["CWE-778"],
         severityThreshold: "medium",
     },
@@ -172,54 +177,23 @@ export const NIST_800_53_CONTROLS = [
         category: "Audit and Accountability",
         title: "Protection of Audit Information",
         description: "Protect audit information and audit logging tools from unauthorized access, modification, and deletion.",
-        keywords: ["log protection", "audit integrity", "tamper-proof"],
-        findingCategories: ["insufficient-logging", "broken-access-control"],
-        cweIds: ["CWE-778", "CWE-117"],
-        severityThreshold: "medium",
-    },
-    {
-        id: "AU-12",
-        framework: "NIST-800-53",
-        category: "Audit and Accountability",
-        title: "Audit Record Generation",
-        description: "Provide audit record generation capability for the events identified in AU-2 at system components.",
-        keywords: ["audit generation", "logging", "event recording"],
-        findingCategories: ["insufficient-logging"],
-        cweIds: ["CWE-778"],
-        severityThreshold: "medium",
-    },
-    // CA - Assessment, Authorization, and Monitoring Family
-    {
-        id: "CA-7",
-        framework: "NIST-800-53",
-        category: "Assessment and Authorization",
-        title: "Continuous Monitoring",
-        description: "Develop a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security assessments.",
-        keywords: ["continuous monitoring", "security assessment", "vulnerability scanning"],
-        findingCategories: ["security-misconfiguration", "dependency-vuln"],
-        cweIds: ["CWE-1035"],
-        severityThreshold: "medium",
-    },
-    {
-        id: "CA-8",
-        framework: "NIST-800-53",
-        category: "Assessment and Authorization",
-        title: "Penetration Testing",
-        description: "Conduct penetration testing at an organization-defined frequency on organization-defined systems or system components.",
-        keywords: ["penetration testing", "security testing", "red team"],
-        findingCategories: [],
+        keywords: ["log protection", "audit integrity", "tamper"],
+        findingCategories: ["log-injection", "insufficient-logging"],
+        cweIds: ["CWE-117", "CWE-532"],
         severityThreshold: "medium",
     },
-    // CM - Configuration Management Family
+    // =========================================================================
+    // CM - Configuration Management
+    // =========================================================================
     {
         id: "CM-2",
         framework: "NIST-800-53",
         category: "Configuration Management",
         title: "Baseline Configuration",
         description: "Develop, document, and maintain a current baseline configuration of the system.",
-        keywords: ["baseline", "configuration", "hardening"],
+        keywords: ["baseline", "configuration", "standard", "hardening"],
         findingCategories: ["security-misconfiguration"],
-        cweIds: ["CWE-1188"],
+        cweIds: ["CWE-16"],
         severityThreshold: "medium",
     },
     {
@@ -227,21 +201,21 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Configuration Management",
         title: "Configuration Change Control",
-        description: "Determine and document the types of changes to the system that are configuration-controlled.",
-        keywords: ["change control", "change management", "version control"],
+        description: "Determine and document types of changes and control configuration changes to the system.",
+        keywords: ["change management", "version control", "deployment"],
         findingCategories: ["security-misconfiguration"],
-        cweIds: ["CWE-1188"],
-        severityThreshold: "low",
+        cweIds: ["CWE-16"],
+        severityThreshold: "medium",
     },
     {
         id: "CM-6",
         framework: "NIST-800-53",
         category: "Configuration Management",
         title: "Configuration Settings",
-        description: "Establish and document configuration settings for system components that reflect the most restrictive mode consistent with operational requirements.",
-        keywords: ["configuration settings", "security settings", "hardening"],
-        findingCategories: ["security-misconfiguration"],
-        cweIds: ["CWE-1188", "CWE-16"],
+        description: "Establish and document configuration settings for components using security configuration checklists.",
+        keywords: ["settings", "configuration", "defaults", "hardening"],
+        findingCategories: ["security-misconfiguration", "insecure-defaults"],
+        cweIds: ["CWE-16", "CWE-1188"],
         severityThreshold: "medium",
     },
     {
@@ -249,33 +223,35 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Configuration Management",
         title: "Least Functionality",
-        description: "Configure the system to provide only essential capabilities and prohibit or restrict the use of non-essential functions, ports, protocols, and services.",
-        keywords: ["least functionality", "attack surface", "minimize exposure"],
-        findingCategories: ["security-misconfiguration"],
-        cweIds: ["CWE-1188"],
+        description: "Configure the system to provide only mission-essential capabilities and prohibit or restrict use of functions, ports, protocols, and services.",
+        keywords: ["minimize", "disable", "restrict", "ports", "services"],
+        findingCategories: ["security-misconfiguration", "excessive-permissions"],
+        cweIds: ["CWE-16", "CWE-250"],
         severityThreshold: "medium",
     },
-    // IA - Identification and Authentication Family
+    // =========================================================================
+    // IA - Identification and Authentication
+    // =========================================================================
     {
         id: "IA-2",
         framework: "NIST-800-53",
         category: "Identification and Authentication",
         title: "Identification and Authentication (Organizational Users)",
-        description: "Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.",
-        keywords: ["authentication", "identity", "user identification"],
-        findingCategories: ["auth-bypass", "session-management"],
+        description: "Uniquely identify and authenticate organizational users and associate that identity with processes acting on behalf of those users.",
+        keywords: ["authentication", "identity", "login", "credential"],
+        findingCategories: ["auth-bypass", "broken-authentication"],
         cweIds: ["CWE-287", "CWE-306"],
         severityThreshold: "high",
     },
     {
-        id: "IA-4",
+        id: "IA-3",
         framework: "NIST-800-53",
         category: "Identification and Authentication",
-        title: "Identifier Management",
-        description: "Manage system identifiers by receiving authorization to assign identifiers, selecting identifiers that identify individuals, and preventing reuse of identifiers.",
-        keywords: ["identifier", "user ID", "identity management"],
+        title: "Device Identification and Authentication",
+        description: "Uniquely identify and authenticate devices before establishing connections.",
+        keywords: ["device", "machine", "certificate", "mutual auth"],
         findingCategories: ["auth-bypass"],
-        cweIds: ["CWE-287"],
+        cweIds: ["CWE-287", "CWE-295"],
         severityThreshold: "medium",
     },
     {
@@ -283,9 +259,9 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Identification and Authentication",
         title: "Authenticator Management",
-        description: "Manage system authenticators by verifying identity before distributing authenticators, establishing initial authenticator content, and ensuring authenticators have sufficient strength.",
-        keywords: ["password", "credential", "authenticator", "token"],
-        findingCategories: ["weak-password", "auth-bypass", "secrets"],
+        description: "Manage system authenticators by verifying identity of individuals, establishing initial credentials, and transmitting and receiving authenticators securely.",
+        keywords: ["password", "credential", "token", "key management"],
+        findingCategories: ["weak-password", "credential-exposure", "secrets"],
         cweIds: ["CWE-521", "CWE-522", "CWE-798"],
         severityThreshold: "high",
     },
@@ -295,9 +271,9 @@ export const NIST_800_53_CONTROLS = [
         category: "Identification and Authentication",
         title: "Authentication Feedback",
         description: "Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation by unauthorized individuals.",
-        keywords: ["authentication feedback", "password masking", "login error"],
-        findingCategories: ["auth-bypass", "data-exposure"],
-        cweIds: ["CWE-203", "CWE-209"],
+        keywords: ["password masking", "feedback", "enumeration"],
+        findingCategories: ["user-enumeration", "information-disclosure"],
+        cweIds: ["CWE-204", "CWE-203"],
         severityThreshold: "low",
     },
     {
@@ -306,43 +282,37 @@ export const NIST_800_53_CONTROLS = [
         category: "Identification and Authentication",
         title: "Identification and Authentication (Non-Organizational Users)",
         description: "Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.",
-        keywords: ["external user", "third-party", "guest authentication"],
-        findingCategories: ["auth-bypass"],
-        cweIds: ["CWE-287", "CWE-306"],
+        keywords: ["external", "api key", "service account", "third-party"],
+        findingCategories: ["auth-bypass", "broken-authentication"],
+        cweIds: ["CWE-287"],
         severityThreshold: "high",
     },
-    // RA - Risk Assessment Family
-    {
-        id: "RA-3",
-        framework: "NIST-800-53",
-        category: "Risk Assessment",
-        title: "Risk Assessment",
-        description: "Conduct a risk assessment to identify, estimate, and prioritize risks to organizational operations, organizational assets, and individuals.",
-        keywords: ["risk assessment", "threat assessment", "vulnerability assessment"],
-        findingCategories: ["dependency-vuln", "security-misconfiguration"],
-        cweIds: ["CWE-1035"],
-        severityThreshold: "medium",
-    },
+    // =========================================================================
+    // RA - Risk Assessment
+    // =========================================================================
     {
         id: "RA-5",
         framework: "NIST-800-53",
         category: "Risk Assessment",
         title: "Vulnerability Monitoring and Scanning",
-        description: "Monitor and scan for vulnerabilities in the system and hosted applications and document and remediate vulnerabilities.",
-        keywords: ["vulnerability scanning", "security scanning", "SAST", "DAST"],
-        findingCategories: ["dependency-vuln", "sql-injection", "xss", "command-injection"],
-        cweIds: ["CWE-1035", "CWE-89", "CWE-79", "CWE-78"],
-        severityThreshold: "high",
+        description: "Monitor and scan for vulnerabilities in the system and hosted applications and remediate discovered vulnerabilities.",
+        keywords: ["vulnerability", "scanning", "assessment", "remediation"],
+        findingCategories: ["dependency-vulnerability", "outdated-component"],
+        cweIds: ["CWE-1104"],
+        severityThreshold: "medium",
     },
-    // SA - System and Services Acquisition Family
+    // =========================================================================
+    // SA - System and Services Acquisition
+    // =========================================================================
     {
         id: "SA-8",
         framework: "NIST-800-53",
         category: "System and Services Acquisition",
         title: "Security and Privacy Engineering Principles",
-        description: "Apply security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components.",
-        keywords: ["secure design", "security engineering", "privacy by design"],
-        findingCategories: ["security-misconfiguration", "type-safety"],
+        description: "Apply security and privacy engineering principles in the specification, design, development, implementation, and modification of the system.",
+        keywords: ["secure design", "security principles", "architecture"],
+        findingCategories: ["insecure-design"],
+        cweIds: ["CWE-657"],
         severityThreshold: "medium",
     },
     {
@@ -350,10 +320,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Services Acquisition",
         title: "Developer Configuration Management",
-        description: "Require the developer of the system to perform configuration management during system design, development, implementation, and operation.",
-        keywords: ["developer", "configuration management", "SDLC"],
+        description: "Require the developer to maintain the integrity of changes and document them, perform configuration management, and implement only organization-approved changes.",
+        keywords: ["development", "version control", "change tracking"],
         findingCategories: ["security-misconfiguration"],
-        cweIds: ["CWE-1188"],
+        cweIds: ["CWE-16"],
         severityThreshold: "low",
     },
     {
@@ -361,62 +331,44 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Services Acquisition",
         title: "Developer Testing and Evaluation",
-        description: "Require the developer of the system to create and implement a security and privacy assessment plan.",
-        keywords: ["security testing", "developer testing", "code review"],
-        findingCategories: ["type-safety", "error-handling"],
-        severityThreshold: "medium",
-    },
-    {
-        id: "SA-12",
-        framework: "NIST-800-53",
-        category: "System and Services Acquisition",
-        title: "Supply Chain Risk Management",
-        description: "Protect against supply chain risks by employing security safeguards in accordance with organization-defined supply chain risk management strategy.",
-        keywords: ["supply chain", "third-party", "dependency", "vendor"],
-        findingCategories: ["dependency-vuln"],
-        cweIds: ["CWE-1035", "CWE-829"],
-        severityThreshold: "high",
+        description: "Require the developer to create and implement a security and privacy assessment plan, demonstrate security and privacy control effectiveness.",
+        keywords: ["testing", "security testing", "code review", "assessment"],
+        findingCategories: ["insufficient-testing"],
+        cweIds: [],
+        severityThreshold: "low",
     },
     {
         id: "SA-15",
         framework: "NIST-800-53",
         category: "System and Services Acquisition",
         title: "Development Process, Standards, and Tools",
-        description: "Require the developer of the system to follow a documented development process that addresses security and privacy requirements.",
-        keywords: ["development process", "SDLC", "secure development"],
-        findingCategories: ["type-safety", "error-handling"],
+        description: "Require the developer to follow a documented development process that incorporates security and privacy considerations.",
+        keywords: ["sdlc", "secure development", "standards"],
+        findingCategories: ["insecure-design"],
+        cweIds: [],
         severityThreshold: "low",
     },
-    // SC - System and Communications Protection Family
+    // =========================================================================
+    // SC - System and Communications Protection
+    // =========================================================================
     {
         id: "SC-4",
         framework: "NIST-800-53",
         category: "System and Communications Protection",
         title: "Information in Shared System Resources",
         description: "Prevent unauthorized and unintended information transfer via shared system resources.",
-        keywords: ["shared resources", "information leakage", "data isolation"],
-        findingCategories: ["data-exposure"],
-        cweIds: ["CWE-200", "CWE-226"],
+        keywords: ["shared resources", "information leakage", "isolation"],
+        findingCategories: ["data-exposure", "information-disclosure"],
+        cweIds: ["CWE-200", "CWE-212"],
         severityThreshold: "medium",
     },
-    {
-        id: "SC-5",
-        framework: "NIST-800-53",
-        category: "System and Communications Protection",
-        title: "Denial-of-Service Protection",
-        description: "Protect against or limit the effects of denial-of-service attacks by employing security safeguards.",
-        keywords: ["denial of service", "DoS", "DDoS", "rate limiting"],
-        findingCategories: ["denial-of-service", "resource-exhaustion"],
-        cweIds: ["CWE-400", "CWE-770"],
-        severityThreshold: "high",
-    },
     {
         id: "SC-7",
         framework: "NIST-800-53",
         category: "System and Communications Protection",
         title: "Boundary Protection",
-        description: "Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system.",
-        keywords: ["boundary protection", "firewall", "network segmentation"],
+        description: "Monitor and control communications at the external managed interfaces to the system and at key internal boundaries.",
+        keywords: ["boundary", "firewall", "gateway", "api gateway"],
         findingCategories: ["ssrf", "path-traversal"],
         cweIds: ["CWE-918", "CWE-22"],
         severityThreshold: "high",
@@ -427,9 +379,9 @@ export const NIST_800_53_CONTROLS = [
         category: "System and Communications Protection",
         title: "Transmission Confidentiality and Integrity",
         description: "Protect the confidentiality and integrity of transmitted information.",
-        keywords: ["encryption", "TLS", "HTTPS", "data transmission"],
-        findingCategories: ["insecure-transmission"],
-        cweIds: ["CWE-319", "CWE-523"],
+        keywords: ["encryption", "tls", "https", "transmission"],
+        findingCategories: ["insecure-transmission", "cleartext"],
+        cweIds: ["CWE-319", "CWE-311"],
         severityThreshold: "high",
     },
     {
@@ -437,10 +389,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Communications Protection",
         title: "Cryptographic Key Establishment and Management",
-        description: "Establish and manage cryptographic keys when cryptography is employed within the system.",
-        keywords: ["cryptographic keys", "key management", "encryption keys"],
-        findingCategories: ["secrets", "weak-crypto"],
-        cweIds: ["CWE-320", "CWE-321", "CWE-798"],
+        description: "Establish and manage cryptographic keys used within the system.",
+        keywords: ["key management", "cryptographic", "keys", "rotation"],
+        findingCategories: ["weak-cryptography", "hardcoded-key"],
+        cweIds: ["CWE-321", "CWE-320"],
         severityThreshold: "high",
     },
     {
@@ -448,22 +400,22 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Communications Protection",
         title: "Cryptographic Protection",
-        description: "Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of information.",
-        keywords: ["cryptography", "encryption", "hashing"],
-        findingCategories: ["weak-crypto"],
-        cweIds: ["CWE-327", "CWE-328", "CWE-326"],
+        description: "Implement cryptographic mechanisms to protect confidentiality and integrity using approved algorithms.",
+        keywords: ["encryption", "cryptography", "algorithm", "cipher"],
+        findingCategories: ["weak-cryptography", "insecure-algorithm"],
+        cweIds: ["CWE-327", "CWE-328"],
         severityThreshold: "high",
     },
     {
-        id: "SC-18",
+        id: "SC-17",
         framework: "NIST-800-53",
         category: "System and Communications Protection",
-        title: "Mobile Code",
-        description: "Define acceptable and unacceptable mobile code and mobile code technologies and establish usage restrictions and implementation guidance.",
-        keywords: ["mobile code", "JavaScript", "active content", "executable"],
-        findingCategories: ["xss", "code-injection"],
-        cweIds: ["CWE-79", "CWE-94"],
-        severityThreshold: "high",
+        title: "Public Key Infrastructure Certificates",
+        description: "Issue public key certificates under an appropriate certificate policy and obtain certificates from an approved service provider.",
+        keywords: ["certificate", "pki", "ssl", "tls"],
+        findingCategories: ["certificate-validation", "insecure-tls"],
+        cweIds: ["CWE-295", "CWE-296"],
+        severityThreshold: "medium",
     },
     {
         id: "SC-23",
@@ -471,9 +423,9 @@ export const NIST_800_53_CONTROLS = [
         category: "System and Communications Protection",
         title: "Session Authenticity",
         description: "Protect the authenticity of communications sessions.",
-        keywords: ["session authenticity", "session hijacking", "CSRF"],
-        findingCategories: ["session-management", "csrf"],
-        cweIds: ["CWE-384", "CWE-352"],
+        keywords: ["session", "csrf", "session fixation", "hijacking"],
+        findingCategories: ["csrf", "session-management"],
+        cweIds: ["CWE-352", "CWE-384"],
         severityThreshold: "high",
     },
     {
@@ -482,21 +434,23 @@ export const NIST_800_53_CONTROLS = [
         category: "System and Communications Protection",
         title: "Protection of Information at Rest",
         description: "Protect the confidentiality and integrity of information at rest.",
-        keywords: ["data at rest", "encryption at rest", "storage encryption"],
-        findingCategories: ["data-exposure", "secrets"],
+        keywords: ["encryption at rest", "data protection", "storage"],
+        findingCategories: ["data-exposure", "unencrypted-data"],
         cweIds: ["CWE-311", "CWE-312"],
         severityThreshold: "high",
     },
-    // SI - System and Information Integrity Family
+    // =========================================================================
+    // SI - System and Information Integrity
+    // =========================================================================
     {
         id: "SI-2",
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "Flaw Remediation",
-        description: "Identify, report, and correct system flaws. Install security-relevant software and firmware updates.",
-        keywords: ["patching", "flaw remediation", "vulnerability fix", "update"],
-        findingCategories: ["dependency-vuln"],
-        cweIds: ["CWE-1035"],
+        description: "Identify, report, and correct system flaws; install security-relevant software and firmware updates.",
+        keywords: ["patching", "updates", "remediation", "vulnerabilities"],
+        findingCategories: ["dependency-vulnerability", "outdated-component"],
+        cweIds: ["CWE-1104"],
         severityThreshold: "high",
     },
     {
@@ -504,20 +458,20 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "Malicious Code Protection",
-        description: "Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.",
-        keywords: ["malware", "malicious code", "virus", "trojan"],
-        findingCategories: ["code-injection", "xss", "command-injection"],
-        cweIds: ["CWE-94", "CWE-79", "CWE-78"],
-        severityThreshold: "high",
+        description: "Implement malicious code protection that includes detection and eradication.",
+        keywords: ["malware", "virus", "malicious", "injection"],
+        findingCategories: ["code-injection", "xss", "sql-injection"],
+        cweIds: ["CWE-94", "CWE-79", "CWE-89"],
+        severityThreshold: "critical",
     },
     {
         id: "SI-4",
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "System Monitoring",
-        description: "Monitor the system to detect attacks and indicators of potential attacks, unauthorized local, network, and remote connections.",
-        keywords: ["monitoring", "intrusion detection", "security monitoring"],
-        findingCategories: ["insufficient-logging"],
+        description: "Monitor the system to detect attacks, unauthorized activities, and anomalies.",
+        keywords: ["monitoring", "detection", "intrusion", "anomaly"],
+        findingCategories: ["insufficient-logging", "security-misconfiguration"],
         cweIds: ["CWE-778"],
         severityThreshold: "medium",
     },
@@ -527,9 +481,9 @@ export const NIST_800_53_CONTROLS = [
         category: "System and Information Integrity",
         title: "Software, Firmware, and Information Integrity",
         description: "Employ integrity verification tools to detect unauthorized changes to software, firmware, and information.",
-        keywords: ["integrity", "checksum", "hash verification", "code signing"],
-        findingCategories: ["security-misconfiguration"],
-        cweIds: ["CWE-494", "CWE-829"],
+        keywords: ["integrity", "checksum", "hash", "verification"],
+        findingCategories: ["integrity-check"],
+        cweIds: ["CWE-354"],
         severityThreshold: "medium",
     },
     {
@@ -537,10 +491,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "Information Input Validation",
-        description: "Check the validity of information inputs.",
-        keywords: ["input validation", "sanitization", "data validation"],
+        description: "Check the validity of information inputs to the system.",
+        keywords: ["input validation", "sanitization", "filtering"],
         findingCategories: ["sql-injection", "xss", "command-injection", "path-traversal"],
-        cweIds: ["CWE-20", "CWE-89", "CWE-79", "CWE-78", "CWE-22"],
+        cweIds: ["CWE-20", "CWE-79", "CWE-89", "CWE-78", "CWE-22"],
         severityThreshold: "high",
     },
     {
@@ -548,10 +502,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "Error Handling",
-        description: "Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited.",
-        keywords: ["error handling", "error messages", "exception handling"],
-        findingCategories: ["error-handling", "data-exposure"],
-        cweIds: ["CWE-209", "CWE-755"],
+        description: "Generate error messages that provide information necessary for corrective actions without revealing information exploitable by adversaries.",
+        keywords: ["error handling", "exception", "error message"],
+        findingCategories: ["information-disclosure", "verbose-errors"],
+        cweIds: ["CWE-209", "CWE-497"],
         severityThreshold: "medium",
     },
     {
@@ -559,10 +513,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "Information Management and Retention",
-        description: "Manage and retain information within the system and information output from the system in accordance with applicable laws, regulations, and policy.",
-        keywords: ["data retention", "information management", "data disposal"],
-        findingCategories: ["data-exposure"],
-        cweIds: ["CWE-226", "CWE-212"],
+        description: "Manage and retain information within the system and output from the system in accordance with applicable requirements.",
+        keywords: ["data retention", "data management", "privacy"],
+        findingCategories: ["data-exposure", "pii-exposure"],
+        cweIds: ["CWE-200", "CWE-359"],
         severityThreshold: "medium",
     },
     {
@@ -570,22 +524,24 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "System and Information Integrity",
         title: "Memory Protection",
-        description: "Implement safeguards to protect the system memory from unauthorized code execution.",
-        keywords: ["memory protection", "buffer overflow", "memory safety"],
-        findingCategories: ["memory-safety", "buffer-overflow"],
-        cweIds: ["CWE-119", "CWE-120", "CWE-416"],
+        description: "Implement safeguards to protect memory from unauthorized code execution.",
+        keywords: ["memory", "buffer overflow", "stack", "heap"],
+        findingCategories: ["buffer-overflow", "memory-corruption"],
+        cweIds: ["CWE-119", "CWE-120", "CWE-787"],
         severityThreshold: "critical",
     },
-    // SR - Supply Chain Risk Management Family
+    // =========================================================================
+    // SR - Supply Chain Risk Management
+    // =========================================================================
     {
         id: "SR-3",
         framework: "NIST-800-53",
         category: "Supply Chain Risk Management",
         title: "Supply Chain Controls and Processes",
-        description: "Establish a process to identify and address weaknesses or deficiencies in the supply chain elements and processes.",
-        keywords: ["supply chain", "vendor management", "third-party risk"],
-        findingCategories: ["dependency-vuln"],
-        cweIds: ["CWE-1035", "CWE-829"],
+        description: "Establish a process to identify, assess, and mitigate supply chain risks.",
+        keywords: ["supply chain", "dependencies", "third-party", "vendor"],
+        findingCategories: ["dependency-vulnerability", "supply-chain"],
+        cweIds: ["CWE-1104"],
         severityThreshold: "high",
     },
     {
@@ -593,10 +549,10 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Supply Chain Risk Management",
         title: "Provenance",
-        description: "Document, monitor, and maintain valid provenance of systems, system components, and associated data.",
-        keywords: ["provenance", "SBOM", "software bill of materials", "supply chain"],
-        findingCategories: ["dependency-vuln"],
-        cweIds: ["CWE-1035"],
+        description: "Document, monitor, and maintain valid provenance of system components.",
+        keywords: ["provenance", "origin", "sbom", "bill of materials"],
+        findingCategories: ["supply-chain", "unknown-source"],
+        cweIds: [],
         severityThreshold: "medium",
     },
     {
@@ -604,31 +560,22 @@ export const NIST_800_53_CONTROLS = [
         framework: "NIST-800-53",
         category: "Supply Chain Risk Management",
         title: "Acquisition Strategies, Tools, and Methods",
-        description: "Employ acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks.",
+        description: "Employ acquisition strategies, tools, and methods to protect against supply chain risks.",
         keywords: ["acquisition", "procurement", "vendor assessment"],
-        findingCategories: ["dependency-vuln"],
-        severityThreshold: "medium",
-    },
-    {
-        id: "SR-6",
-        framework: "NIST-800-53",
-        category: "Supply Chain Risk Management",
-        title: "Supplier Assessments and Reviews",
-        description: "Assess and review the supply chain-related risks associated with suppliers or contractors.",
-        keywords: ["supplier assessment", "vendor review", "third-party audit"],
-        findingCategories: ["dependency-vuln"],
-        severityThreshold: "medium",
+        findingCategories: ["supply-chain"],
+        cweIds: [],
+        severityThreshold: "low",
     },
     {
         id: "SR-11",
         framework: "NIST-800-53",
         category: "Supply Chain Risk Management",
         title: "Component Authenticity",
-        description: "Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components.",
-        keywords: ["authenticity", "counterfeit", "component verification"],
-        findingCategories: ["dependency-vuln"],
-        cweIds: ["CWE-829"],
-        severityThreshold: "high",
+        description: "Develop and implement anti-counterfeit policy and procedures for detecting and preventing counterfeit components.",
+        keywords: ["authenticity", "counterfeit", "verification"],
+        findingCategories: ["supply-chain", "dependency-vulnerability"],
+        cweIds: [],
+        severityThreshold: "medium",
     },
 ];
 /**
@@ -641,24 +588,69 @@ export function getNIST80053Controls() {
  * Get NIST 800-53 controls by category (control family)
  */
 export function getNIST80053ControlsByCategory(category) {
-    return NIST_800_53_CONTROLS.filter((c) => c.category === category);
+    return NIST_800_53_CONTROLS.filter((c) => c.category.toLowerCase() === category.toLowerCase());
 }
 /**
  * Get NIST 800-53 control by ID
  */
 export function getNIST80053ControlById(id) {
-    return NIST_800_53_CONTROLS.find((c) => c.id === id);
+    return NIST_800_53_CONTROLS.find((c) => c.id === id || c.id === id.toUpperCase());
 }
 /**
- * Get NIST 800-53 control families (categories)
+ * Get all NIST 800-53 control categories (families)
  */
 export function getNIST80053Categories() {
-    return [...new Set(NIST_800_53_CONTROLS.map((c) => c.category))];
+    const categories = new Set(NIST_800_53_CONTROLS.map((c) => c.category));
+    return Array.from(categories).sort();
 }
 /**
- * Get NIST 800-53 control family code from control ID
+ * NIST 800-53 control family descriptions
  */
-export function getControlFamilyCode(controlId) {
-    return controlId.replace(/-\d+$/, "").toUpperCase();
-}
+export const NIST_CONTROL_FAMILIES = {
+    "Access Control": {
+        id: "AC",
+        name: "Access Control",
+        description: "Limit system access to authorized users, processes, or devices.",
+    },
+    "Audit and Accountability": {
+        id: "AU",
+        name: "Audit and Accountability",
+        description: "Create, protect, and retain system audit records; ensure accountability.",
+    },
+    "Configuration Management": {
+        id: "CM",
+        name: "Configuration Management",
+        description: "Establish and maintain configurations using security engineering principles.",
+    },
+    "Identification and Authentication": {
+        id: "IA",
+        name: "Identification and Authentication",
+        description: "Identify and authenticate users, processes, and devices.",
+    },
+    "Risk Assessment": {
+        id: "RA",
+        name: "Risk Assessment",
+        description: "Assess risks to organizational operations, assets, and individuals.",
+    },
+    "System and Services Acquisition": {
+        id: "SA",
+        name: "System and Services Acquisition",
+        description: "Allocate sufficient resources for security; employ secure development processes.",
+    },
+    "System and Communications Protection": {
+        id: "SC",
+        name: "System and Communications Protection",
+        description: "Protect communications and control boundaries between systems.",
+    },
+    "System and Information Integrity": {
+        id: "SI",
+        name: "System and Information Integrity",
+        description: "Identify, report, and correct system flaws; protect against malicious code.",
+    },
+    "Supply Chain Risk Management": {
+        id: "SR",
+        name: "Supply Chain Risk Management",
+        description: "Identify, assess, and mitigate supply chain risks.",
+    },
+};
 //# sourceMappingURL=nist-800-53.js.map