fedramp-20x-mcp 0.4.8__py3-none-any.whl

fedramp_20x_mcp/prompts/migration_from_rev5.txt

@@ -0,0 +1,440 @@
+I'll help you migrate from FedRAMP Rev 5 to FedRAMP 20x.
+
+# Migration Guide: FedRAMP Rev 5 → FedRAMP 20x
+
+**Important Note on OSCAL:** FedRAMP 20x requires **machine-readable** formats (JSON/XML) for Authorization Data Sharing. **OSCAL is NOT mentioned in FedRAMP 20x** - it's a NIST standard you may already use in Rev 5. When migrating, focus on machine-readable formats - continue with OSCAL only if it serves your needs, or use custom JSON/XML.
+
+## Executive Summary
+
+**Key Changes:**
+- Document-based → API-based data sharing
+- Annual assessment → Continuous monitoring
+- Static boundary → Dynamic, cloud-native support
+- Manual evidence → Automated collection
+- 320 controls → 72 Key Security Indicators + 11 standards
+
+**Timeline:** 6-12 months for full transition
+**Effort:** Significant automation investment required
+
+## Phase 1: Assessment & Planning (Weeks 1-4)
+
+### Gap Analysis
+
+**What You Have (Rev 5):**
+- System Security Plan (Word/PDF)
+- Annual 3PAO assessment
+- Monthly ConMon scans
+- Quarterly POA&M updates
+- Manual evidence packages
+
+**What You Need (FedRAMP 20x):**
+- Machine-readable SSP (JSON/XML - custom or OSCAL)
+- Authorization Data Sharing API
+- Continuous monitoring with KSI tracking
+- Quarterly reviews with automated data sharing
+- Real-time evidence via APIs
+
+### Current State Inventory
+
+**Document Your Current Implementation:**
+- [ ] List all security controls from Rev 5 SSP
+- [ ] Inventory monitoring/security tools
+- [ ] Document current ConMon process
+- [ ] List evidence collection methods
+- [ ] Review 3PAO assessment findings
+
+### Map Rev 5 to FedRAMP 20x
+
+**Control Mapping:**
+```
+Rev 5 Control Family → FedRAMP 20x Standard
+
+AC (Access Control) → KSI-IAM (Identity & Access)
+AU (Audit) → KSI-MLA (Monitoring, Logging & Analysis)
+CA (Assessment) → FRR-MAS, FRR-PVA (Assessment, Validation)
+CM (Configuration) → KSI-CMT, KSI-SVC (Change, Services)
+CP (Contingency) → KSI-RPL (Recovery & Planning)
+IA (Identification) → KSI-IAM (Identity & Access)
+IR (Incident Response) → KSI-INR, FRR-ICP (Incidents, Communications)
+RA (Risk Assessment) → KSI-AFR, FRR-VDR (Vulnerabilities)
+SA (System Services) → KSI-TPR, KSI-PIY (Third-party, Investment)
+SC (System Communications) → KSI-CNA, KSI-SVC (Cloud-native, Services)
+SI (System Integrity) → FRR-VDR, KSI-SVC (Vulnerabilities, Services)
+```
+
+**Use compare_with_rev4 tool to see detailed comparisons for specific areas.**
+
+## Phase 2: Infrastructure Preparation (Weeks 5-16)
+
+### Priority 1: SIEM & Monitoring (Weeks 5-10)
+
+**If you have SIEM already:**
+- [ ] Verify it can track 72 KSIs
+- [ ] Configure automated KSI data collection
+- [ ] Set up API access for data export
+- [ ] Test OSCAL format export (if supported)
+
+**If you need new SIEM:**
+- [ ] Select FedRAMP-authorized SIEM (Splunk, Datadog, etc.)
+- [ ] Migrate log sources
+- [ ] Configure KSI tracking dashboards
+- [ ] Set up API for Authorization Data Sharing
+
+**Gap from Rev 5:**
+- Rev 5: Monthly scan reports emailed
+- FedRAMP 20x: Real-time data via API
+
+### Priority 2: Authorization Data Sharing API (Weeks 8-16)
+
+**Build New API:**
+```
+Required Endpoints:
+- GET /api/v1/system (OSCAL SSP format)
+- GET /api/v1/vulnerabilities
+- GET /api/v1/ksi-metrics
+- GET /api/v1/incidents
+- GET /api/v1/changes
+- GET /api/v1/poam
+```
+
+**Authentication:**
+- OAuth 2.0 or mTLS
+- Provide test credentials to FedRAMP
+
+**Use api_design_guide prompt for detailed implementation guidance.**
+
+### Priority 3: KSI Implementation (Weeks 6-16)
+
+**Quick Wins (Weeks 6-8):**
+Already compliant from Rev 5, just need to document:
+- KSI-IAM-01: MFA (you already have this for AC-2)
+- KSI-MLA-02: Audit logging (you already have this for AU-2)
+- KSI-INR-01: Incident response (you already have this for IR-8)
+- KSI-RPL-03: Backups (you already have this for CP-9)
+
+**New Requirements (Weeks 8-16):**
+Not required in Rev 5, need implementation:
+- KSI-IAM-01: Must be phishing-resistant (upgrade from TOTP to FIDO2)
+- KSI-PIY-01: Automated inventory (upgrade from manual)
+- KSI-MLA-05: Infrastructure as Code (new requirement)
+- KSI-CMT-03: Automated testing in CI/CD (new requirement)
+- KSI-CNA-04: Immutable infrastructure (new requirement)
+
+**Use ksi_implementation_priorities prompt to plan implementation order.**
+
+## Phase 3: Documentation Conversion (Weeks 12-20)
+
+### Convert SSP to Machine-Readable Format (OSCAL Preferred)
+
+**Rev 5 SSP (Word/PDF):**
+```
+Section 1: System Information
+Section 2: System Environment
+Section 3: System Characteristics
+...
+Section 13: Control Responses (320 controls)
+```
+
+**FedRAMP 20x SSP (OSCAL JSON):**
+```json
+{
+  "system-security-plan": {
+    "metadata": {...},
+    "system-characteristics": {...},
+    "system-implementation": {...},
+    "control-implementation": {...}
+  }
+}
+```
+
+**Migration Approach:**
+
+**Option 1: Automated Conversion**
+- Use OSCAL conversion tools (NIST provides some)
+- Requires manual cleanup and validation
+- Faster but less accurate
+
+**Option 2: Manual Conversion**
+- Extract data from Word/PDF
+- Map to OSCAL structure
+- More accurate but time-consuming
+
+**Option 3: Fresh Start**
+- Use current architecture to generate new OSCAL SSP
+- Most accurate for cloud-native systems
+- Recommended if architecture changed significantly
+
+**Use documentation_generator prompt for OSCAL templates.**
+
+### New Documentation Requirements
+
+**Documents you didn't have in Rev 5:**
+
+1. **FRR-ADS: Authorization Data Sharing API Documentation**
+   - API endpoints
+   - Authentication methods
+   - Data formats (OSCAL)
+   - SLAs
+
+2. **FRR-KSI: All 72 KSI Implementation Documents**
+   - How each KSI is implemented
+   - Evidence collection methods
+   - Metrics and targets
+
+3. **FRR-PVA: Persistent Validation Procedures**
+   - Continuous validation approach
+   - Automated validation tools
+   - Validation frequency
+
+4. **FRR-CCM-QR: Quarterly Review Procedures**
+   - Structured review process
+   - Agency collaboration procedures
+
+## Phase 4: Process Changes (Weeks 16-24)
+
+### Continuous Monitoring (FRR-CCM)
+
+**Rev 5 Process:**
+```
+Monthly: Run vulnerability scans
+Monthly: Submit ConMon deliverable
+Quarterly: Update POA&M
+Annually: 3PAO assessment
+```
+
+**FedRAMP 20x Process:**
+```
+Continuously: Automated scanning and monitoring
+Real-time: KSI metrics collection
+Daily: Authorization Data Sharing API updated
+Quarterly: Structured quarterly review (FRR-CCM-QR)
+As-needed: Persistent validation (FRR-PVA)
+```
+
+**Key Changes:**
+- Manual → Automated evidence collection
+- Monthly deliverables → Real-time API access
+- Annual assessment → Continuous validation
+
+### Vulnerability Management (FRR-VDR)
+
+**Rev 5 Approach:**
+- 30 days for High vulnerabilities
+- POA&M for longer remediation
+- Monthly ConMon scans
+
+**FedRAMP 20x Approach:**
+- Timeframes vary by severity AND impact level
+- High impact: 7-15 days for Critical/High
+- Formal exception process (FRR-VDR-EX)
+- Agency-specific reporting (FRR-VDR-RP)
+
+**Action Items:**
+- [ ] Review current vulnerability remediation times
+- [ ] Implement automated scanning (if not already)
+- [ ] Update procedures for new timeframes
+- [ ] Set up agency reporting workflow
+
+### Significant Change Notifications (FRR-SCN)
+
+**Rev 5 Approach:**
+- Notify FedRAMP of "significant changes"
+- Vague definition of "significant"
+- Email-based notifications
+
+**FedRAMP 20x Approach:**
+- Clear categories: Routine, Administrative, Transformative, Impact
+- Structured notification process
+- Must use FedRAMP Security Inbox (FRR-FSI)
+- Specific triggers defined
+
+**Action Items:**
+- [ ] Document change categorization process
+- [ ] Update change management procedures
+- [ ] Train team on FRR-SCN requirements
+
+## Phase 5: Testing & Validation (Weeks 20-26)
+
+### Internal Testing
+
+**Test Authorization Data Sharing API:**
+- [ ] All endpoints return correct data
+- [ ] Machine-readable format validates (OSCAL preferred)
+- [ ] Authentication works properly
+- [ ] Rate limiting configured
+- [ ] Error handling works
+
+**Test KSI Collection:**
+- [ ] All 72 KSIs being tracked
+- [ ] Automated collection working
+- [ ] Data accurate and timely
+- [ ] Dashboards showing correct metrics
+
+**Test Continuous Monitoring:**
+- [ ] Vulnerability scans running continuously
+- [ ] Incidents logged automatically
+- [ ] Changes tracked automatically
+- [ ] Evidence collected automatically
+
+### FedRAMP Coordination
+
+**Schedule Review with FedRAMP:**
+- [ ] Provide test API credentials
+- [ ] Demonstrate data collection
+- [ ] Show OSCAL documentation
+- [ ] Review quarterly process
+
+**Address Feedback:**
+- [ ] Fix any API issues
+- [ ] Update documentation
+- [ ] Adjust procedures
+
+## Phase 6: Transition (Weeks 24-28)
+
+### Final Preparation
+
+**Documentation:**
+- [ ] All 11 FedRAMP 20x standard documents complete
+- [ ] All 72 KSI implementation documents complete
+- [ ] OSCAL SSP finalized
+- [ ] API documentation complete
+
+**Technical:**
+- [ ] Authorization Data Sharing API in production
+- [ ] All KSI metrics being collected
+- [ ] Continuous monitoring operational
+- [ ] Quarterly review process tested
+
+**Team:**
+- [ ] Team trained on new processes
+- [ ] Roles and responsibilities updated
+- [ ] Runbooks created for new procedures
+
+### Go-Live
+
+**Cutover Activities:**
+- [ ] Final data validation
+- [ ] Enable Authorization Data Sharing API for FedRAMP
+- [ ] Conduct first quarterly review under new process
+- [ ] Communicate change to agencies
+
+**Post-Cutover:**
+- [ ] Monitor API usage and performance
+- [ ] Collect feedback from FedRAMP/agencies
+- [ ] Adjust processes based on feedback
+- [ ] Document lessons learned
+
+## Phase 7: Continuous Improvement (Ongoing)
+
+### First 90 Days
+
+**Weeks 1-4:**
+- Daily check-ins on API performance
+- Validate KSI metrics accuracy
+- Address any immediate issues
+
+**Weeks 5-8:**
+- First quarterly review under new process
+- Gather feedback from team
+- Optimize automation
+
+**Weeks 9-12:**
+- Refine procedures based on experience
+- Update documentation with lessons learned
+- Plan for additional automation
+
+### Ongoing Activities
+
+**Monthly:**
+- Review KSI metrics for trends
+- Validate evidence collection
+- Update procedures as needed
+
+**Quarterly:**
+- Conduct formal quarterly review (FRR-CCM-QR)
+- Update Authorization Data Sharing API with latest data
+- Coordinate with agencies
+
+**Annually:**
+- Review overall 20x compliance
+- Plan improvements for next year
+- Update risk assessment
+
+## Common Migration Challenges
+
+### Challenge 1: Legacy Tools Don't Support APIs
+
+**Problem:** Current tools can't export data via API
+
+**Solutions:**
+- Build middleware to expose tool data via API
+- Replace tools with FedRAMP 20x-compatible alternatives
+- Use manual export + automation (short-term workaround)
+
+### Challenge 2: Manual Evidence Collection
+
+**Problem:** Most evidence collected manually in Rev 5
+
+**Solution:**
+- Implement automation for top 20 KSIs first
+- Use scripts to aggregate data
+- Invest in tools with built-in KSI tracking
+
+### Challenge 3: OSCAL Conversion Complexity
+
+**Problem:** Converting Word SSP to OSCAL is difficult
+
+**Solutions:**
+- Start with OSCAL templates, populate from scratch
+- Use OSCAL tools (NIST provides some)
+- Consider consulting services for conversion
+
+### Challenge 4: Team Knowledge Gap
+
+**Problem:** Team doesn't know FedRAMP 20x or OSCAL
+
+**Solutions:**
+- Training on FedRAMP 20x requirements (use this MCP server!)
+- OSCAL training (NIST resources)
+- Hire consultant for initial setup
+- Phase transition to allow learning time
+
+## Budget Considerations
+
+**New Costs:**
+- Authorization Data Sharing API development: $50K-150K
+- SIEM upgrades/new tools: $50K-200K/year
+- OSCAL conversion: $20K-50K
+- Training: $10K-30K
+- Consulting (optional): $50K-200K
+
+**Potential Savings:**
+- Less manual evidence collection (saves time)
+- Automated compliance checking
+- Faster quarterly reviews
+- Reduced 3PAO hours (potentially)
+
+**Total Migration Cost:** $180K-630K
+**Ongoing Additional Cost:** $50K-200K/year (tools)
+
+## Success Criteria
+
+**Technical:**
+✓ Authorization Data Sharing API operational
+✓ All 72 KSIs being tracked automatically
+✓ OSCAL SSP validates successfully
+✓ Continuous monitoring operational
+
+**Process:**
+✓ Quarterly reviews conducted on time
+✓ Vulnerabilities remediated within timeframes
+✓ Changes properly categorized and notified
+✓ Incidents handled per FRR-ICP
+
+**Compliance:**
+✓ FedRAMP accepts Authorization Data Sharing API
+✓ Agencies can query system data
+✓ Documentation meets FedRAMP 20x requirements
+✓ 3PAO validates transition
+
+Use compare_with_rev4 for specific area comparisons, and search_requirements to find requirements related to your migration challenges.

fedramp_20x_mcp/prompts/quarterly_review_checklist.txt

@@ -0,0 +1,231 @@
+I'll guide you through the FedRAMP 20x quarterly review process.
+
+# Quarterly Review Checklist (FRR-CCM-QR)
+
+## Pre-Review Preparation (Week Before)
+
+**Data Collection (FRR-CCM-QR-01 through QR-11)**
+- [ ] Pull KSI metrics for the quarter (all 72 indicators)
+- [ ] Generate vulnerability scan reports
+- [ ] Compile incident logs
+- [ ] Gather change notifications
+- [ ] Review POA&M status
+- [ ] Collect evidence from Authorization Data Sharing API
+
+**Team Coordination**
+- [ ] Schedule review meeting with stakeholders
+- [ ] Notify authorizing agencies
+- [ ] Prepare agenda
+- [ ] Assign action items from last quarter
+
+## Quarterly Review Activities
+
+### 1. Key Security Indicators Review
+
+**Authorization Framework (KSI-AFR-01 through AFR-11)**
+- [ ] Review assessment scope for changes
+- [ ] Validate KSI tracking is current
+- [ ] Check authorization data sharing functionality
+- [ ] Review vulnerability response metrics
+- [ ] Verify change notification compliance
+- [ ] Check continuous monitoring effectiveness
+- [ ] Validate secure configuration baselines
+- [ ] Review security inbox activity
+- [ ] Check persistent validation results
+- [ ] Review incident communications
+- [ ] Validate cryptographic module usage
+
+**Cybersecurity Education (KSI-CED-01 through CED-04)**
+- [ ] General education completion rates
+- [ ] Role-specific training completion
+- [ ] Development/engineering security training
+- [ ] Incident response training status
+
+**Change Management (KSI-CMT-01 through CMT-05)**
+- [ ] Review all changes logged this quarter
+- [ ] Verify redeployment procedures followed
+- [ ] Check automated testing coverage
+- [ ] Validate change management procedures
+- [ ] Review change impacts
+
+**Cloud Native Architecture (KSI-CNA-01 through CNA-08)**
+- [ ] Network traffic restrictions effective
+- [ ] Attack surface minimization progress
+- [ ] Traffic flow enforcement working
+- [ ] Immutable infrastructure compliance
+- [ ] Unwanted activity detection
+- [ ] High availability metrics
+- [ ] Best practices adherence
+- [ ] Persistent assessment results
+
+**Identity & Access Management (KSI-IAM-01 through IAM-07)**
+- [ ] MFA usage (phishing-resistant)
+- [ ] Passwordless authentication adoption
+- [ ] Non-user account management
+- [ ] Just-in-time authorization usage
+- [ ] Least privilege validation
+- [ ] Suspicious activity detections
+- [ ] Automated account management effectiveness
+
+**Incident Response (KSI-INR-01 through INR-03)**
+- [ ] Review incident response procedures
+- [ ] Check incident logging completeness
+- [ ] Review after-action reports
+
+**Monitoring, Logging & Analysis (KSI-MLA-01 through MLA-08)**
+- [ ] SIEM operational status
+- [ ] Audit logging coverage
+- [ ] Infrastructure as Code usage
+- [ ] Event type coverage
+- [ ] Log data access controls
+
+**Proactive Investment (KSI-PIY-01 through PIY-08)**
+- [ ] Automated inventory accuracy
+- [ ] Security objectives progress
+- [ ] Vulnerability disclosure program status
+- [ ] CISA Secure by Design alignment
+- [ ] Implementation evaluation results
+- [ ] Security investment effectiveness
+- [ ] Supply chain risk management
+- [ ] Executive support validation
+
+**Recovery & Planning (KSI-RPL-01 through RPL-04)**
+- [ ] Recovery objectives current
+- [ ] Recovery plan tested this quarter
+- [ ] System backups validated
+- [ ] Recovery testing results
+
+**Services (KSI-SVC-01 through SVC-10)**
+- [ ] Continuous improvement activities
+- [ ] Network encryption status
+- [ ] Configuration automation effectiveness
+- [ ] Resource integrity validation
+- [ ] Secret management review
+- [ ] Patching compliance rates
+- [ ] Shared resource security
+- [ ] Communication integrity
+- [ ] Data destruction procedures
+
+**Third-Party Risk (KSI-TPR-01 through TPR-04)**
+- [ ] Supply chain risk management activities
+- [ ] Supply chain risk monitoring results
+
+### 2. Vulnerability Management Review (FRR-VDR)
+
+**Vulnerability Scanning**
+- [ ] Scan frequency maintained (continuous)
+- [ ] All systems/containers/code scanned
+- [ ] Scan coverage verification
+
+**Remediation Timeframes**
+- [ ] Critical/High within timeframes (7-15 days)
+- [ ] Medium within timeframes (30-90 days)
+- [ ] Low within timeframes (180 days)
+- [ ] Exceptions properly documented (FRR-VDR-EX)
+
+**Reporting**
+- [ ] Agency-specific vulnerabilities reported
+- [ ] Reporting timeframes met
+- [ ] Follow-up communications documented
+
+### 3. Significant Changes Review (FRR-SCN)
+
+**Change Categories**
+- [ ] Routine/recurring changes documented
+- [ ] Administrative changes tracked
+- [ ] Transformative changes assessed
+- [ ] Impact changes reported
+- [ ] Notifications sent to appropriate parties
+
+### 4. Authorization Boundary Review (FRR-MAS)
+
+- [ ] No unauthorized changes to boundary
+- [ ] New components added properly
+- [ ] Removed components documented
+- [ ] Third-party services reviewed
+- [ ] Inventory accuracy validated
+
+### 5. Incident Review (FRR-ICP, FRR-FSI)
+
+**Incidents This Quarter**
+- [ ] All incidents logged
+- [ ] Communications followed procedures
+- [ ] Security Inbox used appropriately
+- [ ] Agency notifications completed
+- [ ] Lessons learned documented
+
+### 6. Persistent Validation (FRR-PVA)
+
+- [ ] Continuous validation operational
+- [ ] Results reviewed and analyzed
+- [ ] Issues addressed
+- [ ] Validation coverage adequate
+
+### 7. Authorization Data Sharing (FRR-ADS)
+
+**API Functionality**
+- [ ] API operational and accessible
+- [ ] Authentication working properly
+- [ ] Data current and accurate
+- [ ] Agencies able to query successfully
+- [ ] OSCAL format compliance
+
+**Data Shared**
+- [ ] System boundary information
+- [ ] Vulnerability data
+- [ ] KSI metrics
+- [ ] Incident data
+- [ ] Change notifications
+- [ ] POA&M status
+
+## Post-Review Actions
+
+**Documentation**
+- [ ] Complete quarterly review report
+- [ ] Update POA&Ms with new findings
+- [ ] Document any exceptions or deviations
+- [ ] Record decisions and action items
+
+**Communication**
+- [ ] Share results with authorizing agencies
+- [ ] Update Authorization Data Sharing API
+- [ ] Notify stakeholders of significant findings
+- [ ] Schedule follow-up meetings if needed
+
+**Continuous Improvement**
+- [ ] Identify process improvements
+- [ ] Update procedures based on lessons learned
+- [ ] Address any gaps found
+- [ ] Plan next quarter's activities
+
+## Deliverables Checklist
+
+- [ ] Quarterly Review Report
+- [ ] Updated KSI metrics dashboard
+- [ ] Vulnerability scan results summary
+- [ ] Incident summary report
+- [ ] POA&M updates
+- [ ] Change log for the quarter
+- [ ] Evidence package (via Authorization Data Sharing API)
+- [ ] Agency coordination notes
+
+## Red Flags to Escalate
+
+⚠ **Immediate escalation required if:**
+- Critical/High vulnerabilities past remediation deadline
+- Unauthorized boundary changes
+- Security incidents not properly reported
+- KSI metrics showing degradation
+- Authorization Data Sharing API unavailable
+- Required training completion below threshold
+- Significant changes not properly notified
+
+## Next Quarter Planning
+
+- [ ] Review upcoming system changes
+- [ ] Plan security improvements
+- [ ] Schedule next quarterly review
+- [ ] Assign preparatory tasks
+- [ ] Update calendar reminders
+
+Use search_requirements to find specific requirement details for any area needing deeper investigation.

fedramp_20x_mcp/prompts/significant_change_assessment.txt

@@ -0,0 +1,50 @@
+I'll help you assess your planned change and determine FedRAMP notification requirements.
+
+**Significant Change Classification (SCN)**:
+
+**1. Change Description**
+Please describe the change you're planning:
+- What systems/components are affected?
+- What functionality is changing?
+- When is the change scheduled?
+
+**2. Change Categories (per FedRAMP SCN requirements)**:
+
+**Routine/Recurring Changes**:
+- Regularly scheduled updates following documented procedures
+- Changes within normal operational parameters
+- No substantial impact to security posture
+- Examples: Patch updates, regular maintenance
+
+**Adaptive Changes**:
+- Modifications to existing functionality
+- Changes in response to operational needs
+- May affect some security controls
+- Examples: Configuration changes, minor feature updates
+
+**Transformative Changes**:
+- Major architectural changes
+- New technologies or services
+- Significant impact to authorization boundary
+- Examples: Major version upgrades, infrastructure changes, adding new services
+
+**3. Impact Assessment**:
+Does your change affect:
+- [ ] Authorization boundary?
+- [ ] Federal customer data handling?
+- [ ] Security controls implementation?
+- [ ] Third-party service dependencies?
+- [ ] Cryptographic modules?
+- [ ] Information resources in assessment scope?
+
+**4. Notification Requirements**:
+Based on your classification:
+- **Routine**: Covered by continuous monitoring, no special notification
+- **Adaptive**: May require notification depending on impact
+- **Transformative**: Requires notification and may require re-assessment
+
+**Next Steps**:
+1. Use get_control with "FRR-SCN-*" IDs to review detailed change requirements
+2. Use search_requirements with "significant change" to find related guidance
+3. Document your change classification and justification
+4. Prepare notification if required