fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/prompts/audit_preparation.txt

@@ -0,0 +1,592 @@
+I'll help you prepare for your FedRAMP 20x assessment and audit.
+
+# FedRAMP 20x Audit Preparation Guide
+
+## Pre-Assessment Preparation (8-12 Weeks Before)
+
+### Week -12 to -8: Documentation Review
+
+**Complete Documentation Checklist:**
+
+**Required Core Documents:**
+- [ ] System Security Plan (machine-readable format: JSON/XML)
+- [ ] FRR-ADS: Authorization Data Sharing API Documentation
+- [ ] FRR-VDR: Vulnerability Disclosure & Remediation Procedures
+- [ ] FRR-ICP: Incident Communication Plan
+- [ ] FRR-SCN: Significant Change Notification Procedures
+- [ ] FRR-CCM: Continuous Compliance Monitoring Plan
+- [ ] FRR-CCM-QR: Quarterly Review Procedures
+- [ ] FRR-PVA: Persistent Validation Procedures
+- [ ] FRR-MAS: Modernized Assessment Strategy
+- [ ] FRR-FSI: FedRAMP Security Inbox Procedures
+- [ ] FRR-RSC: Re-Authorization Service Continuity Plan
+
+**KSI Implementation Documents (72 total):**
+- [ ] All 72 KSI implementation procedures
+- [ ] Evidence collection methods for each KSI
+- [ ] Metrics and target values
+- [ ] Validation procedures
+
+**Supporting Documents:**
+- [ ] System architecture diagrams
+- [ ] Data flow diagrams
+- [ ] Network diagrams
+- [ ] Authorization boundary documentation
+- [ ] Interconnection agreements
+- [ ] POA&M (current)
+- [ ] Incident response plan
+- [ ] Business continuity/disaster recovery plans
+- [ ] Configuration management plan
+- [ ] Change management procedures
+- [ ] User guide / admin guide
+
+**Use documentation_generator prompt for templates.**
+
+### Week -8 to -6: Evidence Gathering
+
+**Organize Evidence by KSI Family:**
+
+**KSI-IAM (Identity & Access Management):**
+- [ ] MFA enrollment reports (phishing-resistant)
+- [ ] Access review logs (quarterly minimum)
+- [ ] Privileged access audit logs
+- [ ] Account lifecycle documentation
+- [ ] Screenshots of IAM configuration
+
+**KSI-MLA (Monitoring, Logging & Analysis):**
+- [ ] SIEM configuration screenshots
+- [ ] Sample log entries (system, application, security)
+- [ ] Log retention configuration
+- [ ] Automated alerting rules
+- [ ] Log analysis procedures
+
+**KSI-AFR (Automated Findings & Remediation):**
+- [ ] Vulnerability scan results (last 3 months)
+- [ ] Remediation tracking reports
+- [ ] Patch management logs
+- [ ] Evidence of automated scanning
+
+**KSI-CMT (Change Management & Testing):**
+- [ ] Change tickets (last 3 months)
+- [ ] CI/CD pipeline configuration
+- [ ] Automated testing results
+- [ ] Rollback procedures documentation
+
+**KSI-INR (Incident Notification & Response):**
+- [ ] Incident logs (last 12 months)
+- [ ] Incident response test results
+- [ ] Notification procedures
+- [ ] Post-incident reviews
+
+**KSI-RPL (Recovery Planning):**
+- [ ] Backup configuration
+- [ ] Backup test results (last 6 months)
+- [ ] Disaster recovery plan
+- [ ] DR test results (annual)
+
+**KSI-CNA (Cloud-Native Architecture):**
+- [ ] Infrastructure as Code (IaC) templates
+- [ ] Container scanning results
+- [ ] Immutable infrastructure evidence
+- [ ] Auto-scaling configurations
+
+**KSI-SVC (Service Management & Delivery):**
+- [ ] Service-level agreements
+- [ ] Uptime reports
+- [ ] Performance monitoring dashboards
+- [ ] Capacity management reports
+
+**Use get_implementation_examples tool for specific KSI evidence examples.**
+
+### Week -6 to -4: Technical Testing
+
+**Authorization Data Sharing API Testing:**
+
+**Functionality Tests:**
+- [ ] All 6 required endpoints operational
+- [ ] Machine-readable format validates
+- [ ] Authentication working (OAuth 2.0 or mTLS)
+- [ ] Rate limiting configured properly
+- [ ] Error handling returns proper codes
+
+**Performance Tests:**
+- [ ] Response times < 2 seconds
+- [ ] Can handle concurrent requests
+- [ ] No timeout errors
+
+**Security Tests:**
+- [ ] Authentication required on all endpoints
+- [ ] Authorization validates properly
+- [ ] No sensitive data leakage
+- [ ] TLS 1.2+ required
+- [ ] API keys/tokens properly secured
+
+**Data Accuracy Tests:**
+- [ ] System info matches SSP
+- [ ] Vulnerability data current (< 24 hours old)
+- [ ] KSI metrics accurate
+- [ ] Incident data complete
+- [ ] Change data accurate
+
+**Use validate_architecture tool to check your API implementation.**
+
+**KSI Validation Testing:**
+
+**For Each of 72 KSIs:**
+- [ ] Evidence collection automated (where applicable)
+- [ ] Metrics accurate and current
+- [ ] Target values being met
+- [ ] Alerting working for out-of-compliance
+
+**Priority KSIs to Test Thoroughly:**
+- KSI-IAM-01: MFA phishing-resistant
+- KSI-MLA-01: Centralized logging
+- KSI-MLA-05: Infrastructure as Code
+- KSI-AFR-01: Vulnerability scanning
+- KSI-CMT-03: Automated testing
+- KSI-CNA-04: Immutable infrastructure
+
+### Week -4 to -2: Process Validation
+
+**Continuous Monitoring Procedures:**
+- [ ] Run full monthly continuous monitoring cycle
+- [ ] Verify all data collected automatically
+- [ ] Validate Authorization Data Sharing API updated
+- [ ] Test quarterly review process
+
+**Vulnerability Management:**
+- [ ] Test vulnerability discovery process
+- [ ] Verify remediation tracking
+- [ ] Validate timeframe compliance
+- [ ] Test exception process (if applicable)
+
+**Incident Response:**
+- [ ] Conduct tabletop exercise
+- [ ] Test notification procedures
+- [ ] Validate logging and documentation
+- [ ] Verify agency notification process
+
+**Change Management:**
+- [ ] Review recent changes
+- [ ] Validate categorization (FRR-SCN)
+- [ ] Verify approval process
+- [ ] Test rollback procedures
+
+### Week -2 to Assessment: Final Preparation
+
+**Team Readiness:**
+- [ ] Identify key personnel for interviews
+- [ ] Prepare staff for questions
+- [ ] Schedule availability for assessment period
+- [ ] Create contact list for 3PAO
+
+**Technical Access:**
+- [ ] Provide 3PAO read-only access to systems
+- [ ] Provide API test credentials
+- [ ] Set up screen-sharing capabilities
+- [ ] Prepare demo environment (if needed)
+
+**Documentation Finalization:**
+- [ ] All documents version-controlled
+- [ ] All documents dated properly
+- [ ] All references consistent
+- [ ] All diagrams current
+
+## During Assessment (2-4 Weeks)
+
+### Week 1: Kickoff & Documentation Review
+
+**Day 1: Kickoff Meeting**
+- System overview presentation
+- Tour of Authorization Data Sharing API
+- Review assessment schedule
+- Address 3PAO questions
+
+**Days 2-5: Documentation Review**
+- 3PAO reviews all documentation
+- Answer clarifying questions promptly
+- Provide additional evidence as requested
+- Track all requests in spreadsheet
+
+**Tips:**
+- Respond to requests within 24 hours
+- Keep communications professional
+- Document all conversations
+- Assign one person as 3PAO liaison
+
+### Week 2: Technical Testing
+
+**Authorization Data Sharing API Testing:**
+- 3PAO will query all endpoints
+- Validate OSCAL format
+- Test authentication/authorization
+- Verify data accuracy
+
+**Infrastructure Testing:**
+- Network scans
+- Configuration reviews
+- Access control testing
+- Log analysis
+
+**Application Testing:**
+- Authentication testing
+- Authorization testing
+- Input validation
+- Session management
+
+**Be Prepared For:**
+- Requests to demonstrate functionality
+- Questions about configurations
+- Requests for additional evidence
+- Clarifications on procedures
+
+### Week 3-4: Interviews & Validation
+
+**Common Interview Topics:**
+
+**System Owner/ISSO:**
+- Overall system architecture
+- Security controls implementation
+- Continuous monitoring approach
+- Incident response procedures
+
+**Development Team:**
+- Secure development practices
+- CI/CD pipeline security
+- Code review processes
+- Testing procedures
+
+**Operations Team:**
+- Configuration management
+- Patch management
+- Backup/recovery procedures
+- Monitoring and alerting
+
+**Security Team:**
+- Vulnerability management
+- Log analysis procedures
+- Incident response
+- Security testing
+
+**Tips for Interviews:**
+- Answer questions honestly
+- Say "I don't know" if unsure (don't guess)
+- Provide evidence when possible
+- Keep answers concise
+
+### Handling Findings
+
+**If 3PAO Identifies Issues:**
+
+**During Assessment:**
+- Acknowledge the finding
+- Don't be defensive
+- Ask clarifying questions
+- Determine severity
+
+**Types of Findings:**
+
+**Critical Findings:**
+- Must remediate before authorization
+- Examples: No MFA, unpatched critical vulns, no logging
+
+**High Findings:**
+- Should remediate quickly
+- May require POA&M
+- Examples: Delayed patching, incomplete procedures
+
+**Moderate/Low Findings:**
+- Document in POA&M
+- Plan remediation
+- Examples: Documentation gaps, process improvements
+
+**Response Strategy:**
+- Quick fixes: Remediate immediately
+- Longer fixes: Document in POA&M with timeline
+- Process issues: Update procedures, retrain staff
+
+## Post-Assessment Activities
+
+### Immediate Actions (Week After Assessment)
+
+**Debrief Meeting:**
+- Review all findings
+- Understand 3PAO recommendations
+- Prioritize remediation
+
+**Remediation Planning:**
+- Create action plan for critical/high findings
+- Assign owners for each finding
+- Set deadlines
+- Allocate resources
+
+### Security Assessment Report (SAR) Review
+
+**When 3PAO Delivers SAR:**
+- [ ] Review for accuracy
+- [ ] Verify all findings documented correctly
+- [ ] Check that evidence referenced properly
+- [ ] Validate recommendations
+
+**Respond to SAR:**
+- [ ] Create POA&M for all findings
+- [ ] Provide remediation timelines
+- [ ] Document compensating controls (if applicable)
+- [ ] Submit POA&M to 3PAO and FedRAMP
+
+### Authorization Package Submission
+
+**Package Contents:**
+- [ ] Security Assessment Report (SAR)
+- [ ] Plan of Action & Milestones (POA&M)
+- [ ] System Security Plan (OSCAL)
+- [ ] All 11 FedRAMP 20x standard documents
+- [ ] All 72 KSI implementation documents
+- [ ] Authorization Data Sharing API documentation
+- [ ] Any additional evidence requested
+
+**Submission Process:**
+- [ ] Upload to FedRAMP portal
+- [ ] Notify authorizing agency
+- [ ] Provide API test credentials to FedRAMP
+- [ ] Address any FedRAMP questions
+
+## Common Audit Findings (FedRAMP 20x)
+
+### Top 10 Most Common Findings
+
+**1. Authorization Data Sharing API Issues**
+- API not fully operational
+- OSCAL format validation errors
+- Stale data (> 24 hours old)
+- Missing required endpoints
+- Authentication issues
+
+**Prevention:**
+- Test API thoroughly before assessment
+- Use OSCAL validators
+- Set up automated data refresh
+- Test all 6 required endpoints
+
+**2. KSI Evidence Not Automated**
+- Manual evidence collection
+- Evidence not current
+- No automated metrics
+
+**Prevention:**
+- Automate top 20 KSIs minimum
+- Set up dashboards for all KSIs
+- Test evidence collection process
+
+**3. MFA Not Phishing-Resistant (KSI-IAM-01)**
+- Using SMS or TOTP (not acceptable)
+- No FIDO2/WebAuthn implementation
+- Incomplete MFA coverage
+
+**Prevention:**
+- Implement FIDO2/WebAuthn or PIV/CAC
+- Enforce for all users (no exceptions)
+- Document implementation thoroughly
+
+**4. Incomplete Logging (KSI-MLA-01)**
+- Not all log sources captured
+- Logs not centralized
+- Log retention insufficient
+
+**Prevention:**
+- Inventory all log sources
+- Implement centralized SIEM
+- Configure 1-year retention minimum
+
+**5. Vulnerability Remediation Delays (FRR-VDR)**
+- Critical/High vulns not remediated in timeframe
+- No tracking process
+- Missing evidence
+
+**Prevention:**
+- Implement automated vulnerability management
+- Set up alerts for overdue vulns
+- Document remediation timelines
+
+**6. Infrastructure Not as Code (KSI-MLA-05)**
+- Manual infrastructure provisioning
+- No IaC templates
+- Configuration drift
+
+**Prevention:**
+- Migrate to Bicep/Terraform/ARM templates
+- Store IaC in version control
+- Use IaC for all infrastructure changes
+
+**7. Inadequate Testing (KSI-CMT-03)**
+- No automated testing in CI/CD
+- Security tests not automated
+- Test coverage insufficient
+
+**Prevention:**
+- Implement automated unit/integration tests
+- Add security tests (SAST/DAST)
+- Measure and improve coverage
+
+**8. Incomplete System Boundary (SSP)**
+- Boundary not clearly defined
+- Missing interconnections
+- Inaccurate architecture diagrams
+
+**Prevention:**
+- Document all system components
+- List all interconnections
+- Keep diagrams current
+
+**9. Inadequate Continuous Monitoring (FRR-CCM)**
+- Not truly continuous
+- Manual processes dominate
+- Data not real-time
+
+**Prevention:**
+- Automate as much as possible
+- Implement real-time monitoring
+- Update Authorization Data Sharing API daily
+
+**10. Incomplete Documentation (General)**
+- Procedures not documented
+- Documentation out of date
+- Missing required documents
+
+**Prevention:**
+- Use documentation_generator prompt for templates
+- Keep docs in version control
+- Review quarterly
+
+### KSI-Specific Common Findings
+
+**KSI-IAM (Identity & Access):**
+- Access reviews not quarterly
+- Privileged access not monitored
+- Service accounts not inventoried
+
+**KSI-MLA (Monitoring & Logging):**
+- Alert rules not tuned
+- No log analysis procedures
+- SIEM not configured properly
+
+**KSI-AFR (Findings & Remediation):**
+- Scan coverage incomplete
+- False positives not managed
+- No continuous scanning
+
+**KSI-CMT (Change & Testing):**
+- Changes not approved properly
+- No rollback procedures
+- Testing not adequate
+
+**KSI-INR (Incident Response):**
+- No incident response tests
+- Notification procedures unclear
+- Post-incident reviews not conducted
+
+**KSI-RPL (Recovery Planning):**
+- Backup tests not regular
+- DR plan not tested
+- Recovery objectives not met
+
+**KSI-CNA (Cloud-Native):**
+- Not using cloud-native services
+- No immutable infrastructure
+- Container security inadequate
+
+**KSI-SVC (Service Management):**
+- SLAs not defined
+- Uptime not measured
+- Capacity planning inadequate
+
+## Audit Preparation Checklist
+
+### 12 Weeks Before Assessment
+
+- [ ] Review all FedRAMP 20x requirements
+- [ ] Identify gaps in current implementation
+- [ ] Create remediation plan
+- [ ] Begin documentation updates
+
+### 8 Weeks Before Assessment
+
+- [ ] Complete all required documentation
+- [ ] Implement missing KSIs
+- [ ] Set up Authorization Data Sharing API
+- [ ] Begin evidence collection
+
+### 6 Weeks Before Assessment
+
+- [ ] Complete all KSI implementations
+- [ ] Finalize Authorization Data Sharing API
+- [ ] Test all procedures
+- [ ] Conduct internal audit
+
+### 4 Weeks Before Assessment
+
+- [ ] Address internal audit findings
+- [ ] Complete evidence gathering
+- [ ] Test Authorization Data Sharing API
+- [ ] Prepare team for interviews
+
+### 2 Weeks Before Assessment
+
+- [ ] Final documentation review
+- [ ] Provide 3PAO access
+- [ ] Confirm team availability
+- [ ] Prepare demo environment
+
+### Week of Assessment
+
+- [ ] Daily check-ins with 3PAO
+- [ ] Respond to requests promptly
+- [ ] Document all conversations
+- [ ] Address issues immediately
+
+### After Assessment
+
+- [ ] Debrief with team
+- [ ] Review SAR for accuracy
+- [ ] Create remediation plan
+- [ ] Submit authorization package
+
+## Resources and Tools
+
+**Use These MCP Tools:**
+- `get_control(requirement_id)` - Get specific requirement details
+- `search_requirements(keywords)` - Find relevant requirements
+- `get_ksi(ksi_id)` - Get KSI implementation guidance
+- `get_implementation_examples(requirement_id)` - See code examples
+- `validate_architecture(description)` - Validate your architecture
+- `check_requirement_dependencies(requirement_id)` - Understand dependencies
+- `estimate_implementation_effort(requirement_id)` - Plan remediation time
+
+**Use These MCP Prompts:**
+- `initial_assessment_roadmap` - Overall project planning
+- `quarterly_review_checklist` - Continuous monitoring procedures
+- `api_design_guide` - Authorization Data Sharing API design
+- `ksi_implementation_priorities` - KSI implementation order
+- `documentation_generator` - Documentation templates
+- `migration_from_rev5` - If transitioning from Rev 5
+
+## Success Factors
+
+**What Makes a Successful Assessment:**
+✓ Complete, accurate documentation
+✓ Fully operational Authorization Data Sharing API
+✓ Automated evidence collection for KSIs
+✓ Well-prepared, knowledgeable team
+✓ Responsive to 3PAO requests
+✓ Honest communication about any gaps
+✓ Quick remediation of identified issues
+
+**Red Flags to Avoid:**
+✗ Incomplete documentation
+✗ API not working during assessment
+✗ Team unfamiliar with procedures
+✗ Evidence not available
+✗ Defensive attitude toward findings
+✗ Lack of preparation
+
+Remember: The 3PAO is not your adversary. They want you to succeed. Be honest, prepared, and responsive, and you'll have a successful assessment.

fedramp_20x_mcp/prompts/authorization_boundary_review.txt

@@ -0,0 +1,76 @@
+I'll help you review your FedRAMP authorization boundary for completeness.
+
+**Minimum Assessment Scope (MAS) Boundary Review**:
+
+**1. Information Resources Inventory**
+
+Must include ALL information resources that are **likely to handle federal customer data** or **likely to impact information handling**:
+
+**Machine-Based Information Resources**:
+- [ ] Application servers
+- [ ] Database servers
+- [ ] Web servers
+- [ ] Load balancers
+- [ ] Storage systems
+- [ ] Network devices
+- [ ] Security appliances
+- [ ] Monitoring systems
+- [ ] Backup systems
+- [ ] Development/staging environments (if they handle customer data)
+
+**Non-Machine-Based Information Resources**:
+- [ ] Organizational policies
+- [ ] Security procedures
+- [ ] Employees with system access
+- [ ] Training programs
+- [ ] Incident response processes
+- [ ] Change management procedures
+
+**2. Third-Party Information Resources**
+
+Document ALL third-party services:
+- [ ] Cloud infrastructure providers
+- [ ] SaaS tools and services
+- [ ] Development tools
+- [ ] Monitoring/logging services
+- [ ] Identity providers
+- [ ] Payment processors
+- [ ] CDN providers
+
+**3. Federal Customer Data Flow**
+
+Trace data flow through your system:
+- Where does federal customer data enter?
+- What systems process or store it?
+- How is it transmitted?
+- Where is it backed up?
+- How is it deleted/archived?
+
+**4. Boundary Exclusions**
+
+FedRAMP explicitly excludes certain categories (per OMB direction):
+- Identify any excluded services
+- Document why they're out of scope
+- Verify exclusions are valid
+
+**5. Assessment Scope Validation**
+
+For each component, verify:
+- [ ] Is it documented in the system inventory?
+- [ ] Is its function clearly described?
+- [ ] Are security controls identified?
+- [ ] Is it included in the assessment scope?
+- [ ] Are interconnections documented?
+
+**Common Boundary Gaps**:
+❌ Missing development/staging environments that process customer data
+❌ Undocumented third-party services
+❌ Forgotten monitoring or logging systems
+❌ Backup systems not included
+❌ Non-machine resources (policies, procedures, people) omitted
+
+**Next Steps**:
+1. Use search_requirements with "minimum assessment scope" or "information resource"
+2. Use list_family_controls with "MAS" for detailed requirements
+3. Review get_definition for "Information Resource" and "Cloud Service Offering"
+4. Document any boundary additions or clarifications needed