fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/prompts/initial_assessment_roadmap.txt

@@ -0,0 +1,202 @@
+I'll provide a comprehensive roadmap for starting your FedRAMP 20x authorization from scratch.
+
+# FedRAMP 20x Initial Assessment Roadmap
+
+**Important Note on OSCAL:** FedRAMP 20x requires **machine-readable** formats (JSON, XML, or structured data) for Authorization Data Sharing (FRR-ADS). **OSCAL is NOT mentioned in FedRAMP 20x requirements** - it's a NIST standard that can be used as one implementation approach. When you see "OSCAL" mentioned below, understand it's one option among custom JSON/XML formats. Choose based on your implementation needs.
+
+## Phase 1: Foundation
+
+**Understanding & Planning**
+- [ ] Review all FedRAMP 20x standards (use list_family_controls for each)
+- [ ] Identify your authorization level (Low, Moderate, High)
+- [ ] Determine service categorization (SaaS, PaaS, IaaS)
+- [ ] Assemble core team (CISO, compliance PM, engineering lead)
+- [ ] Budget for 3PAO, tools, and staff time
+
+**Initial Scoping**
+- [ ] Define authorization boundary (FRR-MAS)
+- [ ] Inventory all information resources
+- [ ] Document Federal Customer Data flows
+- [ ] Identify third-party dependencies
+- [ ] Review FRD definitions for terminology
+
+**Deliverables**: Authorization boundary diagram, resource inventory, project charter
+
+## Phase 2: Infrastructure & Tools
+
+**Security Monitoring**
+- [ ] Select and deploy SIEM solution (KSI-MLA-01)
+- [ ] Configure log forwarding from all systems
+- [ ] Set up vulnerability scanning (FRR-VDR-01)
+- [ ] Implement container/code scanning
+- [ ] Configure alerting and dashboards
+
+**Identity & Access**
+- [ ] Implement phishing-resistant MFA (KSI-IAM-01)
+- [ ] Configure least-privilege IAM (KSI-IAM-05)
+- [ ] Set up identity provider integration
+- [ ] Document access procedures
+
+**Automation Foundation**
+- [ ] Implement Infrastructure as Code (KSI-MLA-05)
+- [ ] Set up CI/CD pipelines (KSI-CMT-03)
+- [ ] Configure automated testing
+- [ ] Implement secret management (KSI-SVC-06)
+
+**Deliverables**: Operational SIEM, vulnerability scanning, MFA, IaC
+
+## Phase 3: Compliance Infrastructure
+
+**KSI Tracking**
+- [ ] Review all 72 KSIs (use list_ksi)
+- [ ] Map KSIs to your monitoring systems
+- [ ] Implement automated KSI collection
+- [ ] Create KSI dashboards
+- [ ] Document collection procedures
+
+**Authorization Data Sharing API**
+- [ ] Design API endpoints (FRR-ADS)
+- [ ] Implement machine-readable format (custom JSON/XML or OSCAL)
+- [ ] Configure authentication (OAuth 2.0 or mTLS)
+- [ ] Integrate with data sources
+- [ ] Test with sample queries
+
+**Continuous Monitoring Setup**
+- [ ] Document quarterly review process (FRR-CCM-QR)
+- [ ] Set up continuous vulnerability scanning
+- [ ] Configure persistent validation (FRR-PVA)
+- [ ] Establish agency collaboration procedures
+
+**Deliverables**: KSI collection system, Data Sharing API, ConMon procedures
+
+## Phase 4: Documentation
+
+**Core Documentation**
+- [ ] System Security Plan (OSCAL format)
+- [ ] Vulnerability Detection & Response procedures (FRR-VDR)
+- [ ] Incident Communications Procedures (FRR-ICP)
+- [ ] Significant Change Notification procedures (FRR-SCN)
+- [ ] All 72 KSI implementation descriptions
+
+**Policies & Procedures**
+- [ ] Security policies aligned to FedRAMP 20x
+- [ ] Change management procedures (KSI-CMT-04)
+- [ ] Incident response plan (KSI-INR-01)
+- [ ] Backup and recovery plan (KSI-RPL-02)
+- [ ] Training programs (KSI-CED)
+
+**Evidence Collection**
+- [ ] Configure automated evidence collection
+- [ ] Validate all KSI metrics are being tracked
+- [ ] Test Authorization Data Sharing API
+- [ ] Generate sample quarterly reports
+- [ ] Document evidence collection procedures
+
+**Deliverables**: Complete SSP, all policies/procedures, evidence collection system
+
+## Phase 5: Assessment Preparation
+
+**Internal Readiness**
+- [ ] Internal security assessment
+- [ ] Gap remediation
+- [ ] Evidence validation
+- [ ] Practice runs with team
+- [ ] Documentation review
+
+**3PAO Selection & Engagement**
+- [ ] Select 3PAO assessor
+- [ ] Kickoff meeting
+- [ ] Provide documentation
+- [ ] Schedule assessment
+
+**Assessment**
+- [ ] 3PAO conducts assessment
+- [ ] Daily standups with assessor
+- [ ] Address findings in real-time
+- [ ] Document any deviations
+
+**Deliverables**: Security Assessment Report (SAR)
+
+## Phase 6: Authorization
+
+**POA&M Development**
+- [ ] Document all findings
+- [ ] Create remediation plans
+- [ ] Assign ownership and timelines
+- [ ] Get executive approval
+
+**Package Submission**
+- [ ] Compile complete ATO package
+- [ ] Submit to agency/FedRAMP
+- [ ] Respond to initial questions
+
+**Authorization Review**
+- [ ] Agency/FedRAMP reviews package
+- [ ] Respond to questions
+- [ ] Provide additional evidence
+- [ ] Receive Authorization decision
+
+**Deliverables**: Authorization to Operate (ATO)
+
+## Ongoing: Continuous Monitoring (Post-Authorization)
+
+**Daily/Automated**
+- Vulnerability scanning
+- Log collection and analysis
+- KSI metric collection
+- Change tracking
+
+**Monthly**
+- Review vulnerability findings
+- Update POA&Ms
+- Security control validation
+
+**Quarterly (FRR-CCM-QR)**
+- Formal quarterly review
+- Update authorization package
+- Share data via API
+- Agency coordination
+
+**Annual**
+- Update authorization boundary
+- Review significant changes
+- Update risk assessment
+- Plan for re-assessment
+
+## Critical Success Factors
+
+**1. Executive Support** (KSI-PIY-08)
+- Secure budget and resources
+- Get organizational buy-in
+- Ensure priority status
+
+**2. Automation First** (FRD-ALL-07: "automatically if possible")
+- Automate evidence collection
+- Use IaC for all infrastructure
+- Implement CI/CD pipelines
+- Automated compliance checking
+
+**3. Team Skills**
+- FedRAMP 20x knowledge
+- Cloud-native expertise
+- Security automation skills
+- OSCAL format understanding
+
+**4. Vendor Selection**
+- Choose FedRAMP-ready tools
+- Ensure API integration capabilities
+- Verify OSCAL support
+- Check for KSI alignment
+
+## Timeline & Resource Planning
+
+Engineering teams should determine their own timelines based on available resources, organizational requirements, existing infrastructure maturity, and compliance readiness. Consider factors such as team size, budget constraints, existing security controls, and agency-specific requirements when planning your implementation schedule.
+
+## Next Steps
+
+1. Use get_implementation_examples for specific requirements
+2. Use check_requirement_dependencies to understand relationships
+3. Use check_requirement_dependencies to understand relationships
+4. Use search_requirements to find specific guidance
+
+Ready to start? Let me know which phase you'd like to focus on first!

fedramp_20x_mcp/prompts/ksi_implementation_priorities.txt

@@ -0,0 +1,283 @@
+I'll help you prioritize the implementation of FedRAMP 20x's 72 Key Security Indicators.
+
+# KSI Implementation Priority Guide
+
+**Note:** Engineering teams should determine their own implementation timelines based on system complexity, team size, existing infrastructure, and organizational resources. The priorities below indicate logical sequencing and dependencies, but actual durations will vary by organization.
+
+## Priority 1: Foundation
+**Must be completed first - other KSIs depend on these**
+
+### Critical Infrastructure
+1. **KSI-MLA-01: SIEM** ⭐ HIGHEST PRIORITY
+   - Why: Required for logging all other KSIs
+   - Impact: Blocks 15+ other KSIs
+   - Dependencies: None
+
+2. **KSI-IAM-01: Phishing-Resistant MFA** ⭐ HIGH PRIORITY
+   - Why: Security foundation, quick win
+   - Impact: Protects all access
+   - Dependencies: None
+
+3. **KSI-PIY-01: Automated Inventory**
+   - Why: Needed to track what you're securing
+   - Impact: Required for boundary management
+   - Dependencies: None
+
+4. **KSI-MLA-02: Audit Logging**
+   - Why: Foundation for compliance evidence
+   - Impact: Enables incident investigation
+   - Dependencies: KSI-MLA-01 (SIEM)
+
+## Priority 2: Security Controls
+**Core security capabilities**
+
+### Vulnerability Management
+5. **KSI-AFR-04: Vulnerability Detection and Response** (ties to FRR-VDR)
+   - Why: Required for continuous scanning
+   - Impact: Critical for compliance
+   - Dependencies: None
+
+6. **KSI-SVC-07: Patching**
+   - Why: Vulnerability remediation
+   - Impact: Keeps systems secure
+   - Dependencies: KSI-AFR-04, automated deployment
+
+### Access Management
+7. **KSI-IAM-05: Least Privilege**
+   - Why: Limits blast radius
+   - Impact: Reduces risk across all systems
+   - Dependencies: KSI-IAM-01, KSI-PIY-01
+
+8. **KSI-IAM-06: Suspicious Activity Detection**
+   - Why: Threat detection
+   - Impact: Early incident detection
+   - Dependencies: KSI-MLA-01 (SIEM)
+
+### Secret Management
+9. **KSI-SVC-06: Secret Management**
+   - Why: Prevents credential exposure
+   - Impact: Critical security control
+   - Dependencies: None
+
+## Priority 3: Automation & Operations
+**Improve efficiency and reduce manual work**
+
+### Infrastructure as Code
+10. **KSI-MLA-05: Infrastructure as Code**
+    - Why: Enables repeatability and audit
+    - Impact: Foundation for automation
+    - Dependencies: None
+
+11. **KSI-SVC-04: Configuration Automation**
+    - Why: Consistent, auditable configs
+    - Impact: Reduces drift, improves security
+    - Dependencies: KSI-MLA-05
+
+### CI/CD Integration
+12. **KSI-CMT-03: Automated Testing and Validation**
+    - Why: Quality and security gates
+    - Impact: Prevents bad deployments
+    - Dependencies: CI/CD pipeline
+
+13. **KSI-CMT-01: Log and Monitor Changes**
+    - Why: Change tracking and audit
+    - Impact: Required for FRR-SCN compliance
+    - Dependencies: KSI-MLA-01 (SIEM)
+
+## Priority 4: Cloud-Native Security
+**For containerized/Kubernetes environments**
+
+### Network Security
+14. **KSI-CNA-01: Restrict Network Traffic**
+    - Why: Defense in depth
+    - Impact: Limits lateral movement
+    - Dependencies: Network mapping
+
+15. **KSI-CNA-03: Enforce Traffic Flow**
+    - Why: Network segmentation
+    - Impact: Contains breaches
+    - Dependencies: KSI-CNA-01
+
+16. **KSI-CNA-04: Immutable Infrastructure**
+    - Why: Prevents tampering
+    - Impact: Improves security posture
+    - Dependencies: KSI-MLA-05 (IaC)
+
+### Continuous Assessment
+17. **KSI-CNA-08: Persistent Assessment and Automated Enforcement**
+    - Why: Real-time compliance checking
+    - Impact: Continuous validation
+    - Dependencies: Policy engine (OPA/Kyverno)
+
+## Priority 5: Incident Response
+**Detection and response capabilities**
+
+### Incident Management
+18. **KSI-INR-01: Incident Response Procedure**
+    - Why: Required for compliance
+    - Impact: Effective incident handling
+    - Dependencies: None
+
+19. **KSI-INR-02: Incident Logging**
+    - Why: Evidence and investigation
+    - Impact: Post-incident analysis
+    - Dependencies: KSI-MLA-01 (SIEM)
+
+20. **KSI-INR-03: Incident After Action Reports**
+    - Why: Continuous improvement
+    - Impact: Learn from incidents
+    - Dependencies: KSI-INR-01, KSI-INR-02
+
+## Priority 6: Business Continuity
+**Resilience and recovery**
+
+### Backup & Recovery
+21. **KSI-RPL-01: Recovery Objectives**
+    - Why: Define RTO/RPO
+    - Impact: Business continuity planning
+    - Dependencies: Business analysis
+
+22. **KSI-RPL-03: System Backups**
+    - Why: Data protection
+    - Impact: Recovery capability
+    - Dependencies: KSI-RPL-01
+
+23. **KSI-RPL-02: Recovery Plan**
+    - Why: Documented procedures
+    - Impact: Faster recovery
+    - Dependencies: KSI-RPL-01, KSI-RPL-03
+
+24. **KSI-RPL-04: Recovery Testing**
+    - Why: Validate backup/recovery works
+    - Impact: Confidence in recovery
+    - Dependencies: KSI-RPL-02, KSI-RPL-03
+
+## Priority 7: Governance & Culture
+**Organizational capabilities**
+
+### Education
+25. **KSI-CED-01: General Education**
+    - Why: Security awareness baseline
+    - Impact: Reduces human error
+    - Dependencies: Training platform
+
+26. **KSI-CED-02: Role-Specific Education**
+    - Why: Targeted training
+    - Impact: Better security practices
+    - Dependencies: KSI-CED-01
+
+27. **KSI-CED-03: Development and Engineering Education**
+    - Why: Secure coding practices
+    - Impact: Fewer vulnerabilities
+    - Dependencies: KSI-CED-01
+
+### Supply Chain
+28. **KSI-PIY-07: Supply Chain Risk Management**
+    - Why: Third-party risk
+    - Impact: Vendor security
+    - Dependencies: Vendor assessment process
+
+29. **KSI-TPR-04: Supply Chain Risk Monitoring**
+    - Why: Ongoing vendor oversight
+    - Impact: Continuous third-party risk
+    - Dependencies: KSI-PIY-07
+
+### Executive Support
+30. **KSI-PIY-08: Executive Support**
+    - Why: Resources and priority
+    - Impact: Project success
+    - Dependencies: Business case
+
+## Priority 8: Advanced Capabilities
+**Nice-to-have and advanced features**
+
+### Additional Security
+31. **KSI-IAM-02: Passwordless Authentication**
+    - Why: Better UX and security
+    - Impact: Reduces password attacks
+    - Dependencies: KSI-IAM-01
+
+32. **KSI-IAM-04: Just-in-Time Authorization**
+    - Why: Temporary elevated access
+    - Impact: Reduces standing privileges
+    - Dependencies: KSI-IAM-05
+
+33. **KSI-SVC-02: Network Encryption**
+    - Why: Data in transit protection
+    - Impact: Confidentiality
+    - Dependencies: TLS/mTLS implementation
+
+## Quick Wins (Can be done anytime)
+**High visibility, relatively straightforward**
+
+- **KSI-AFR-08: FedRAMP Security Inbox**
+  - Set up email forwarding to security inbox
+
+- **KSI-PIY-03: Vulnerability Disclosure Program**
+  - Create security.txt, disclosure policy
+
+- **KSI-SVC-10: Data Destruction**
+  - Document and implement data deletion procedures
+
+- **KSI-CMT-04: Change Management Procedure**
+  - Document existing change process
+
+## Implementation Strategy
+
+### Phase 1: Foundation
+Focus on Priority 1-2 KSIs
+- SIEM (KSI-MLA-01) ← Start immediately
+- MFA (KSI-IAM-01) ← Parallel track
+- Vulnerability scanning (KSI-AFR-04)
+- Basic logging (KSI-MLA-02)
+
+### Phase 2: Core Security
+Priority 3-4 KSIs
+- IaC (KSI-MLA-05)
+- Secret management (KSI-SVC-06)
+- Network controls (KSI-CNA-01, CNA-03)
+- Automated testing (KSI-CMT-03)
+
+### Phase 3: Operations
+Priority 5-6 KSIs
+- Incident response (KSI-INR-01, INR-02, INR-03)
+- Backup/recovery (KSI-RPL-01 through RPL-04)
+- Change tracking (KSI-CMT-01)
+
+### Phase 4: Maturity
+Priority 7-8 KSIs
+- Training programs (KSI-CED)
+- Supply chain management (KSI-PIY-07, TPR-04)
+- Advanced IAM (KSI-IAM-02, IAM-04)
+
+## Dependencies to Watch
+
+**Blockers:**
+- No SIEM = Can't implement 15+ other KSIs
+- No IaC = Can't implement immutable infrastructure
+- No CI/CD = Can't implement automated testing
+
+**Common Mistakes:**
+❌ Starting with advanced KSIs before foundation
+❌ Trying to implement all 72 simultaneously
+❌ Ignoring dependencies between KSIs
+❌ Underestimating SIEM implementation complexity
+
+**Success Patterns:**
+✓ Start with SIEM and MFA in parallel
+✓ Build automation early (IaC, CI/CD)
+✓ Focus on one category at a time
+✓ Collect evidence as you go
+
+## Resource Allocation
+
+**Minimum Team:**
+- 1 Security Engineer (SIEM, vulnerability management)
+- 1 DevOps/SRE (automation, IaC)
+- 1 IAM Specialist (MFA, access controls)
+- 1 Compliance PM (coordination, documentation)
+
+**Expanded Team:**
+Add 2-3 more engineers for parallel workstreams during peak implementation phases
+
+Use list_ksi to see all 72 indicators, and get_ksi(ksi_id) for detailed requirements.