icdev 1.0.0__py3-none-any.whl

icdev/data/context/compliance/narrative_templates/AC.md.j2

@@ -0,0 +1,101 @@
+<!-- [TEMPLATE: CUI // SP-CTI] -->
+## {{ control_id }} — {{ control_title }}
+
+### Implementation Status
+
+**Status:** {{ status }}
+**Family:** {{ family }}
+
+### Implementation Narrative
+
+{% if implementation_detail %}
+{{ implementation_detail }}
+{% else %}
+This control has not yet been fully documented. Evidence gathering is in progress.
+{% endif %}
+
+### Account Management Procedures
+
+{% if control_id == "AC-2" or control_id.startswith("AC-2(") %}
+The organization manages information system accounts through the following procedures:
+
+- **Account Types:** Individual, group, system, application, guest, and temporary accounts are identified and categorized per organizational policy.
+- **Account Lifecycle:** Accounts follow a defined lifecycle from creation through modification, disabling, and removal. Inactive accounts are disabled after the organizationally defined inactivity period.
+- **Account Reviews:** Periodic account reviews are conducted to verify continued need, appropriate privilege levels, and compliance with separation of duties.
+- **Notification:** Account managers are notified when accounts are no longer required, when users are terminated or transferred, and when system usage or need-to-know changes.
+{% else %}
+Account management procedures are documented under AC-2. This control ({{ control_id }}) inherits or supplements those baseline account management practices as applicable.
+{% endif %}
+
+### Access Enforcement Mechanisms
+
+{% if control_id == "AC-3" or control_id.startswith("AC-3(") %}
+Access enforcement is implemented through the following mechanisms:
+
+- **Access Control Model:** The system enforces approved authorizations for logical access using role-based access control (RBAC), attribute-based access control (ABAC), or a combination as defined in the system security architecture.
+- **Policy Enforcement Points:** Access decisions are enforced at application, middleware, and infrastructure layers. Deny-by-default policies are applied at all enforcement points.
+- **Discretionary vs. Mandatory:** The system implements mandatory access control for classified/CUI data flows and discretionary access control for collaborative workspaces as appropriate to the impact level.
+{% else %}
+Access enforcement mechanisms are documented under AC-3. This control ({{ control_id }}) supports the overall access enforcement architecture.
+{% endif %}
+
+### Least Privilege Implementation
+
+{% if control_id == "AC-6" or control_id.startswith("AC-6(") %}
+Least privilege is enforced through:
+
+- **Privilege Assignment:** Users and processes are assigned only the minimum privileges necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
+- **Privileged Accounts:** Privileged accounts (administrators, root, service accounts) are separately tracked, audited, and subject to enhanced monitoring. Privileged access is time-limited and requires justification.
+- **Privilege Escalation:** Temporary privilege escalation is logged, requires approval, and automatically reverts after the defined time window.
+- **Separation of Duties:** Critical functions are divided among different individuals to reduce the risk of malicious activity without collusion.
+{% else %}
+Least privilege principles are documented under AC-6. This control ({{ control_id }}) adheres to the organizationally defined least privilege policies.
+{% endif %}
+
+### Remote Access Controls
+
+{% if control_id == "AC-17" or control_id.startswith("AC-17(") %}
+Remote access to the information system is controlled through:
+
+- **Authorized Methods:** Only organizationally approved remote access methods are permitted (e.g., VPN with FIPS 140-2/3 validated encryption, virtual desktop infrastructure).
+- **Usage Restrictions:** Remote access is restricted to authorized users with valid need-to-know. All remote sessions are encrypted end-to-end.
+- **Monitoring:** Remote access sessions are monitored and audited. Anomalous remote access patterns trigger automated alerts.
+- **Termination:** Remote sessions are automatically terminated after the organizationally defined inactivity timeout. Users are required to disconnect remote access when no longer needed.
+{% else %}
+Remote access controls are documented under AC-17. This control ({{ control_id }}) supports the remote access protection strategy.
+{% endif %}
+
+### Evidence
+
+{% if evidence_items %}
+{% for item in evidence_items %}
+- **{{ item.source }}** ({{ item.date | default("N/A") }}): {{ item.description }}
+{% endfor %}
+{% else %}
+No formal evidence has been collected for this control.
+{% endif %}
+
+### Assessment History
+
+{% if audit_events %}
+| Date | Actor | Action |
+|------|-------|--------|
+{% for event in audit_events[:10] %}
+| {{ event.created_at | default("N/A") }} | {{ event.actor | default("system") }} | {{ event.action | default("") }} |
+{% endfor %}
+{% else %}
+No assessment history available.
+{% endif %}
+
+### Related Framework Mappings
+
+{% if crosswalk_mappings %}
+{% for mapping in crosswalk_mappings %}
+- **{{ mapping.framework }}**: {{ mapping.requirement_id }} ({{ mapping.status | default("not_assessed") }})
+{% endfor %}
+{% else %}
+No crosswalk mappings available for this control.
+{% endif %}
+
+---
+*CUI // SP-CTI — Generated by ICDEV Narrative Generator*

icdev/data/context/compliance/narrative_templates/AU.md.j2

@@ -0,0 +1,106 @@
+<!-- [TEMPLATE: CUI // SP-CTI] -->
+## {{ control_id }} — {{ control_title }}
+
+### Implementation Status
+
+**Status:** {{ status }}
+**Family:** {{ family }}
+
+### Implementation Narrative
+
+{% if implementation_detail %}
+{{ implementation_detail }}
+{% else %}
+This control has not yet been fully documented. Evidence gathering is in progress.
+{% endif %}
+
+### Audit Event Types Captured
+
+{% if control_id == "AU-2" or control_id.startswith("AU-2(") %}
+The system is configured to audit the following event types in accordance with NIST 800-53 AU-2 and organizational policy:
+
+- **Authentication Events:** Successful and failed login attempts, account lockouts, password changes, MFA challenges, and session establishment/termination.
+- **Authorization Events:** Access control decisions (grants and denials), privilege escalation attempts, role changes, and permission modifications.
+- **Data Events:** Creation, modification, deletion, and access of CUI/sensitive records. Bulk data exports and database queries exceeding defined thresholds.
+- **System Events:** System startup and shutdown, service start/stop, configuration changes, software installation/removal, and patch application.
+- **Administrative Events:** Account creation/modification/deletion, security policy changes, audit configuration changes, and security group modifications.
+- **Network Events:** Firewall rule changes, VPN connections, network segmentation changes, and anomalous traffic patterns.
+
+Audit events are generated with sufficient detail to establish what type of event occurred, when it occurred, where it occurred, the source of the event, the outcome, and the identity of any individuals or subjects associated with the event.
+{% else %}
+Auditable event types are defined under AU-2. This control ({{ control_id }}) supports the overall audit capability.
+{% endif %}
+
+### Log Retention Policy
+
+{% if control_id == "AU-11" or control_id.startswith("AU-11(") %}
+Audit records are retained in accordance with the following policy:
+
+- **Online Retention:** Audit logs are retained in active storage for a minimum of 90 days, accessible for real-time analysis and incident response.
+- **Archive Retention:** After the online retention period, logs are archived to immutable storage (e.g., AWS S3 Glacier with Object Lock) for the organizationally defined retention period (minimum 1 year for IL4/IL5, 5 years for IL6).
+- **Integrity Protection:** Archived logs are cryptographically hashed (SHA-256) at time of archival. Integrity is verified periodically and upon retrieval.
+- **Disposal:** Audit records are disposed of only after the full retention period has elapsed and in accordance with the organizationally defined media sanitization procedures.
+
+The audit trail is append-only and immutable. No UPDATE or DELETE operations are permitted on audit tables.
+{% else %}
+Log retention policies are defined under AU-11. This control ({{ control_id }}) operates within the established retention framework.
+{% endif %}
+
+### Audit Review Procedures
+
+{% if control_id == "AU-6" or control_id.startswith("AU-6(") %}
+Audit records are reviewed and analyzed through the following procedures:
+
+- **Review Frequency:** Audit logs are reviewed at least weekly for indicators of inappropriate or unusual activity. High-severity events trigger immediate review.
+- **Automated Analysis:** Automated tools correlate audit records across multiple sources to detect anomalous patterns, policy violations, and potential security incidents.
+- **Escalation:** Findings from audit review are reported to the organizationally defined personnel or roles. Critical findings are escalated to the ISSO and incident response team within the defined timeframe.
+- **Documentation:** Audit review activities, findings, and resulting actions are documented and retained as part of the security assessment record.
+- **Adjustment:** Audit review frequency and scope are adjusted based on threat intelligence, risk assessment changes, and lessons learned from previous incidents.
+{% else %}
+Audit review procedures are documented under AU-6. This control ({{ control_id }}) contributes to the overall audit review and analysis capability.
+{% endif %}
+
+### SIEM Integration Status
+
+The system integrates with Security Information and Event Management (SIEM) infrastructure as follows:
+
+- **SIEM Platform:** Logs are forwarded to the organizationally approved SIEM solution (e.g., Splunk, ELK Stack) for centralized correlation and analysis.
+- **Log Forwarding:** Real-time log forwarding is configured using syslog (TLS-encrypted) or direct API integration. All audit event types defined in AU-2 are forwarded.
+- **Correlation Rules:** SIEM correlation rules are configured to detect known attack patterns, policy violations, and anomalous behavior. Rules are reviewed and updated quarterly.
+- **Alerting:** Automated alerts are configured for high-severity events including unauthorized access attempts, privilege escalation, data exfiltration indicators, and audit system failures.
+- **Dashboard:** SIEM dashboards provide near-real-time visibility into security posture, audit event trends, and compliance status.
+
+### Evidence
+
+{% if evidence_items %}
+{% for item in evidence_items %}
+- **{{ item.source }}** ({{ item.date | default("N/A") }}): {{ item.description }}
+{% endfor %}
+{% else %}
+No formal evidence has been collected for this control.
+{% endif %}
+
+### Assessment History
+
+{% if audit_events %}
+| Date | Actor | Action |
+|------|-------|--------|
+{% for event in audit_events[:10] %}
+| {{ event.created_at | default("N/A") }} | {{ event.actor | default("system") }} | {{ event.action | default("") }} |
+{% endfor %}
+{% else %}
+No assessment history available.
+{% endif %}
+
+### Related Framework Mappings
+
+{% if crosswalk_mappings %}
+{% for mapping in crosswalk_mappings %}
+- **{{ mapping.framework }}**: {{ mapping.requirement_id }} ({{ mapping.status | default("not_assessed") }})
+{% endfor %}
+{% else %}
+No crosswalk mappings available for this control.
+{% endif %}
+
+---
+*CUI // SP-CTI — Generated by ICDEV Narrative Generator*

icdev/data/context/compliance/narrative_templates/IA.md.j2

@@ -0,0 +1,104 @@
+<!-- [TEMPLATE: CUI // SP-CTI] -->
+## {{ control_id }} — {{ control_title }}
+
+### Implementation Status
+
+**Status:** {{ status }}
+**Family:** {{ family }}
+
+### Implementation Narrative
+
+{% if implementation_detail %}
+{{ implementation_detail }}
+{% else %}
+This control has not yet been fully documented. Evidence gathering is in progress.
+{% endif %}
+
+### Authentication Mechanisms (MFA, CAC/PIV)
+
+{% if control_id == "IA-2" or control_id.startswith("IA-2(") %}
+The system implements the following authentication mechanisms for user identification and authentication:
+
+- **Multi-Factor Authentication (MFA):** MFA is required for all privileged and non-privileged network access. Authentication factors include something you know (password/PIN), something you have (hardware token, CAC/PIV, FIDO2 key), and something you are (biometric) as applicable.
+- **CAC/PIV Authentication:** For DoD and federal users, Common Access Card (CAC) or Personal Identity Verification (PIV) card authentication is supported and enforced where required by organizational policy. Certificate validation includes revocation checking via OCSP or CRL.
+- **Phishing-Resistant MFA:** The system supports phishing-resistant authenticators (FIDO2/WebAuthn, PIV/CAC) in accordance with OMB M-22-09 and CISA guidance.
+- **Replay Resistance:** All authentication mechanisms implement replay resistance through nonce-based challenges, time-based tokens, or cryptographic protocols.
+
+Authentication mechanisms are validated against NIST SP 800-63B Digital Identity Guidelines at the appropriate assurance level for the system impact level.
+{% else %}
+Authentication mechanisms are documented under IA-2. This control ({{ control_id }}) supports the identification and authentication architecture.
+{% endif %}
+
+### Password and Authenticator Policies
+
+{% if control_id == "IA-5" or control_id.startswith("IA-5(") %}
+Authenticator management follows these organizational policies:
+
+- **Password Complexity:** Passwords meet minimum length requirements (15+ characters for privileged, 12+ for non-privileged) with composition rules per NIST SP 800-63B. Passwords are screened against known-compromised password lists.
+- **Password Rotation:** Password expiration is implemented per organizational policy. NIST SP 800-63B guidance on event-driven rotation (breach-triggered) is followed where applicable.
+- **Authenticator Protection:** Authenticators are protected at a level commensurate with the security category of the information to which use of the authenticator permits access. Passwords are stored using approved one-way cryptographic hashing (e.g., bcrypt, Argon2, PBKDF2).
+- **Token/Certificate Management:** Hardware tokens and digital certificates follow defined issuance, renewal, and revocation procedures. Expired or compromised authenticators are revoked immediately.
+- **Initial Distribution:** Initial authenticators are distributed through secure, out-of-band channels with identity verification. Temporary authenticators are changed upon first use.
+{% else %}
+Authenticator policies are documented under IA-5. This control ({{ control_id }}) operates within the established authenticator management framework.
+{% endif %}
+
+### Service Account Management
+
+Service accounts are managed with the following controls:
+
+- **Inventory:** All service accounts are inventoried, assigned an owner, and documented with their purpose and required privileges.
+- **Authentication:** Service accounts use strong authentication mechanisms (API keys, certificates, managed identities) rather than passwords where technically feasible.
+- **Least Privilege:** Service accounts are granted minimum necessary permissions. Wildcard or administrative permissions are prohibited unless explicitly justified and approved.
+- **Rotation:** Service account credentials are rotated on a defined schedule. Automated rotation through secrets management (e.g., AWS Secrets Manager) is preferred.
+- **Monitoring:** Service account usage is monitored for anomalous behavior including off-hours access, unusual API call patterns, and access from unexpected sources.
+- **Deprovisioning:** Service accounts are disabled or removed when the associated application or service is decommissioned.
+
+### Federation and SSO Configuration
+
+{% if control_id == "IA-8" or control_id.startswith("IA-8(") %}
+The system supports federated identity and single sign-on (SSO) through:
+
+- **Identity Federation:** The system accepts assertions from organizationally approved identity providers (IdPs) using SAML 2.0 or OpenID Connect (OIDC) protocols.
+- **SSO Integration:** Single sign-on reduces authentication fatigue while maintaining session security. SSO sessions are bounded by organizationally defined timeout values.
+- **Cross-Domain Trust:** Cross-domain trust relationships are documented, reviewed annually, and limited to approved partner organizations. Trust boundaries are enforced at the assertion consumer service.
+- **Attribute Mapping:** Federated identity attributes (roles, clearance level, organization) are mapped to local authorization decisions. Unmapped or unrecognized attributes default to minimum privilege.
+- **Session Management:** Federated sessions implement single logout (SLO) capabilities. Session tokens are cryptographically protected and validated on each request.
+{% else %}
+Federation and SSO configurations are documented under IA-8. This control ({{ control_id }}) supports the federated identity architecture.
+{% endif %}
+
+### Evidence
+
+{% if evidence_items %}
+{% for item in evidence_items %}
+- **{{ item.source }}** ({{ item.date | default("N/A") }}): {{ item.description }}
+{% endfor %}
+{% else %}
+No formal evidence has been collected for this control.
+{% endif %}
+
+### Assessment History
+
+{% if audit_events %}
+| Date | Actor | Action |
+|------|-------|--------|
+{% for event in audit_events[:10] %}
+| {{ event.created_at | default("N/A") }} | {{ event.actor | default("system") }} | {{ event.action | default("") }} |
+{% endfor %}
+{% else %}
+No assessment history available.
+{% endif %}
+
+### Related Framework Mappings
+
+{% if crosswalk_mappings %}
+{% for mapping in crosswalk_mappings %}
+- **{{ mapping.framework }}**: {{ mapping.requirement_id }} ({{ mapping.status | default("not_assessed") }})
+{% endfor %}
+{% else %}
+No crosswalk mappings available for this control.
+{% endif %}
+
+---
+*CUI // SP-CTI — Generated by ICDEV Narrative Generator*

icdev/data/context/compliance/narrative_templates/SC.md.j2

@@ -0,0 +1,102 @@
+<!-- [TEMPLATE: CUI // SP-CTI] -->
+## {{ control_id }} — {{ control_title }}
+
+### Implementation Status
+
+**Status:** {{ status }}
+**Family:** {{ family }}
+
+### Implementation Narrative
+
+{% if implementation_detail %}
+{{ implementation_detail }}
+{% else %}
+This control has not yet been fully documented. Evidence gathering is in progress.
+{% endif %}
+
+### Boundary Protection Architecture
+
+{% if control_id == "SC-7" or control_id.startswith("SC-7(") %}
+The system implements boundary protection through the following architecture:
+
+- **External Boundaries:** All external system boundaries are protected by managed interfaces consisting of boundary protection devices (firewalls, gateways, proxies) arranged in accordance with organizational security architecture.
+- **DMZ Architecture:** Publicly accessible system components are isolated in a demilitarized zone (DMZ) with separate network segments. Traffic between the DMZ and internal networks is filtered and inspected.
+- **Deny-by-Default:** Boundary protection devices enforce a deny-by-default, allow-by-exception policy. Only explicitly authorized traffic is permitted through managed interfaces.
+- **Subnetwork Isolation:** Internal subnetworks for publicly accessible components are physically or logically separated from internal organizational networks.
+- **Traffic Flow Enforcement:** Inbound and outbound traffic flow policies are defined, documented, and enforced at each managed interface. Traffic that does not match an approved flow is blocked and logged.
+{% else %}
+Boundary protection architecture is documented under SC-7. This control ({{ control_id }}) supports the overall boundary protection strategy.
+{% endif %}
+
+### Encryption Standards (FIPS 140-2/3)
+
+{% if control_id == "SC-13" or control_id.startswith("SC-13(") or control_id == "SC-28" or control_id.startswith("SC-28(") or control_id == "SC-8" or control_id.startswith("SC-8(") %}
+Cryptographic protections are implemented in accordance with the following standards:
+
+- **FIPS 140 Validation:** All cryptographic modules used within the system are FIPS 140-2 validated (minimum) or FIPS 140-3 validated. Validation certificates are maintained and referenced in system documentation.
+- **Data in Transit:** All data transmitted across network boundaries is encrypted using FIPS-approved algorithms. TLS 1.2 is the minimum supported version; TLS 1.3 is preferred.
+- **Data at Rest:** CUI and sensitive data at rest is encrypted using AES-256 (or equivalent FIPS-approved algorithm). Encryption keys are managed through an approved key management system (e.g., AWS KMS with FIPS 140-2 Level 3 HSMs).
+- **Key Management:** Cryptographic keys are generated, distributed, stored, rotated, and destroyed in accordance with NIST SP 800-57 guidance. Key escrow and recovery procedures are documented.
+- **Algorithm Agility:** The system is designed for cryptographic algorithm agility to support migration to post-quantum cryptographic algorithms as directed by CNSA 2.0 guidance.
+{% else %}
+Encryption standards are documented under SC-13, SC-28, and SC-8. This control ({{ control_id }}) adheres to the organizationally defined cryptographic policies.
+{% endif %}
+
+### Network Segmentation
+
+The system implements network segmentation as follows:
+
+- **Segment Architecture:** The network is segmented into distinct security zones (management, application, data, user) with traffic controls between zones enforced by firewalls and/or software-defined networking (SDN) policies.
+- **Microsegmentation:** Within application tiers, microsegmentation is implemented using Kubernetes NetworkPolicies (default-deny ingress and egress) or equivalent host-based firewall rules to limit lateral movement.
+- **Zero Trust Zones:** Network segments align with the Zero Trust Architecture principle that no implicit trust is granted based on network location. All inter-segment communication requires authentication and authorization.
+- **Monitoring:** Inter-segment traffic is monitored for anomalous patterns. East-west traffic analysis supplements traditional north-south perimeter monitoring.
+- **Isolation by Impact Level:** Systems at different impact levels (IL4/IL5/IL6) are deployed in physically or logically separated network segments with controlled interconnections documented in the system security plan.
+
+### TLS/mTLS Configuration
+
+{% if control_id == "SC-8" or control_id.startswith("SC-8(") or control_id == "SC-23" or control_id.startswith("SC-23(") %}
+Transport Layer Security is configured as follows:
+
+- **TLS Version:** TLS 1.2 is the minimum supported version. TLS 1.3 is enabled where supported by system components. TLS 1.0 and 1.1 are disabled.
+- **Cipher Suites:** Only FIPS-approved cipher suites are enabled. Weak ciphers (RC4, DES, 3DES, NULL) and export-grade ciphers are disabled. Forward secrecy (ECDHE, DHE) is required.
+- **Certificate Management:** Server certificates are issued by an organizationally approved Certificate Authority (CA). Certificate validity, revocation status (OCSP stapling or CRL), and chain-of-trust are validated on every connection.
+- **Mutual TLS (mTLS):** For inter-service communication within the system boundary (e.g., agent-to-agent, microservice-to-microservice), mutual TLS is enforced. Both client and server present and validate certificates.
+- **Session Integrity:** TLS session resumption is configured to balance performance and security. Session tickets are rotated regularly and protected against replay.
+{% else %}
+TLS/mTLS configuration is documented under SC-8 and SC-23. This control ({{ control_id }}) operates within the established transport protection framework.
+{% endif %}
+
+### Evidence
+
+{% if evidence_items %}
+{% for item in evidence_items %}
+- **{{ item.source }}** ({{ item.date | default("N/A") }}): {{ item.description }}
+{% endfor %}
+{% else %}
+No formal evidence has been collected for this control.
+{% endif %}
+
+### Assessment History
+
+{% if audit_events %}
+| Date | Actor | Action |
+|------|-------|--------|
+{% for event in audit_events[:10] %}
+| {{ event.created_at | default("N/A") }} | {{ event.actor | default("system") }} | {{ event.action | default("") }} |
+{% endfor %}
+{% else %}
+No assessment history available.
+{% endif %}
+
+### Related Framework Mappings
+
+{% if crosswalk_mappings %}
+{% for mapping in crosswalk_mappings %}
+- **{{ mapping.framework }}**: {{ mapping.requirement_id }} ({{ mapping.status | default("not_assessed") }})
+{% endfor %}
+{% else %}
+No crosswalk mappings available for this control.
+{% endif %}
+
+---
+*CUI // SP-CTI — Generated by ICDEV Narrative Generator*

icdev/data/context/compliance/narrative_templates/SI.md.j2

@@ -0,0 +1,111 @@
+<!-- [TEMPLATE: CUI // SP-CTI] -->
+## {{ control_id }} — {{ control_title }}
+
+### Implementation Status
+
+**Status:** {{ status }}
+**Family:** {{ family }}
+
+### Implementation Narrative
+
+{% if implementation_detail %}
+{{ implementation_detail }}
+{% else %}
+This control has not yet been fully documented. Evidence gathering is in progress.
+{% endif %}
+
+### Flaw Remediation SLA
+
+{% if control_id == "SI-2" or control_id.startswith("SI-2(") %}
+The organization identifies, reports, and corrects information system flaws in accordance with the following service level agreements:
+
+- **Critical Severity (CVSS 9.0-10.0):** Remediation within 15 calendar days of identification. Emergency patches may be deployed outside the standard change window with ISSO approval.
+- **High Severity (CVSS 7.0-8.9):** Remediation within 30 calendar days. Mitigating controls must be documented within 72 hours if the patch cannot be applied immediately.
+- **Medium Severity (CVSS 4.0-6.9):** Remediation within 90 calendar days during the next scheduled maintenance window.
+- **Low Severity (CVSS 0.1-3.9):** Remediation within 180 calendar days or the next major release cycle.
+- **Tracking:** All identified flaws are tracked in the Plan of Action and Milestones (POAM) with assigned owners, milestones, and estimated completion dates. SLA compliance is reported monthly.
+- **Testing:** Flaw remediation patches are tested in a staging environment prior to production deployment. Regression testing confirms that patches do not introduce new vulnerabilities or degrade functionality.
+- **Vendor Notifications:** The organization monitors vendor security advisories, CISA alerts, and IAVA/IAVB notifications for applicable flaws and initiates remediation within SLA timelines.
+{% else %}
+Flaw remediation SLAs are documented under SI-2. This control ({{ control_id }}) operates within the established flaw remediation framework.
+{% endif %}
+
+### Malicious Code Protection
+
+{% if control_id == "SI-3" or control_id.startswith("SI-3(") %}
+The system employs malicious code protection mechanisms at information system entry and exit points:
+
+- **Endpoint Protection:** Anti-malware/endpoint detection and response (EDR) software is deployed on all endpoints and servers. Definitions and signatures are updated automatically.
+- **Real-Time Scanning:** Real-time scanning is enabled for file system access, email attachments, and web downloads. On-access scanning detects malicious code at the point of introduction.
+- **Scheduled Scanning:** Full system scans are performed at the organizationally defined frequency (minimum weekly) during periods of low system utilization.
+- **Automatic Response:** Upon detection of malicious code, the system automatically quarantines the affected file, blocks the associated process, alerts the security operations team, and generates an audit record.
+- **False Positive Management:** False positive detections are reviewed, documented, and addressed through signature exclusion policies maintained by the security team.
+- **Container Scanning:** Container images are scanned for malware and known-vulnerable components prior to deployment. Runtime container monitoring detects anomalous process execution.
+{% else %}
+Malicious code protection is documented under SI-3. This control ({{ control_id }}) supports the malware defense architecture.
+{% endif %}
+
+### Information System Monitoring Tools
+
+{% if control_id == "SI-4" or control_id.startswith("SI-4(") %}
+The organization monitors the information system to detect attacks, indicators of potential attacks, unauthorized connections, and anomalous behavior:
+
+- **Intrusion Detection/Prevention:** Network-based IDS/IPS is deployed at managed network interfaces to detect and prevent known attack signatures and anomalous traffic patterns.
+- **Host-Based Monitoring:** Host-based intrusion detection (HIDS) and file integrity monitoring (FIM) are deployed on critical servers to detect unauthorized changes to system files, configurations, and binaries.
+- **Log Aggregation:** Security-relevant logs from all system components are aggregated in a centralized SIEM platform for correlation, analysis, and alerting. Log forwarding uses encrypted channels.
+- **Behavioral Analytics:** User and entity behavior analytics (UEBA) tools establish baseline behavior profiles and alert on deviations that may indicate compromised accounts or insider threats.
+- **Network Traffic Analysis:** Network flow data (NetFlow/sFlow) is collected and analyzed to identify anomalous communication patterns, data exfiltration attempts, and command-and-control traffic.
+- **Alert Management:** Monitoring alerts are triaged based on severity and confidence. High-fidelity alerts trigger automated incident response workflows. Alert fatigue is mitigated through tuning and correlation.
+{% else %}
+Information system monitoring tools are documented under SI-4. This control ({{ control_id }}) contributes to the overall continuous monitoring capability.
+{% endif %}
+
+### Software and Firmware Integrity Verification
+
+{% if control_id == "SI-7" or control_id.startswith("SI-7(") %}
+The organization employs integrity verification tools to detect unauthorized changes to software and firmware:
+
+- **Integrity Checking:** Cryptographic hash verification (SHA-256 minimum) is used to validate software and firmware integrity at boot time, at defined intervals, and upon notification of potential compromise.
+- **Supply Chain Verification:** Software packages are verified against publisher-provided signatures or checksums before installation. SBOM (Software Bill of Materials) is generated and maintained for all deployed software.
+- **Code Signing:** All internally developed code is digitally signed prior to deployment. Signature verification is enforced at deployment time; unsigned or tampered code is rejected.
+- **Firmware Protections:** Firmware updates are applied only from authenticated sources with verified digital signatures. Secure boot is enabled where supported by hardware.
+- **Automated Detection:** Automated integrity monitoring tools generate alerts when unauthorized modifications are detected. Automated response includes notification, quarantine, and rollback to a known-good state.
+- **Baseline Management:** A cryptographic baseline of authorized software and firmware versions is maintained. Deviations from the baseline trigger investigation and remediation.
+{% else %}
+Software and firmware integrity verification is documented under SI-7. This control ({{ control_id }}) supports the integrity assurance framework.
+{% endif %}
+
+### Evidence
+
+{% if evidence_items %}
+{% for item in evidence_items %}
+- **{{ item.source }}** ({{ item.date | default("N/A") }}): {{ item.description }}
+{% endfor %}
+{% else %}
+No formal evidence has been collected for this control.
+{% endif %}
+
+### Assessment History
+
+{% if audit_events %}
+| Date | Actor | Action |
+|------|-------|--------|
+{% for event in audit_events[:10] %}
+| {{ event.created_at | default("N/A") }} | {{ event.actor | default("system") }} | {{ event.action | default("") }} |
+{% endfor %}
+{% else %}
+No assessment history available.
+{% endif %}
+
+### Related Framework Mappings
+
+{% if crosswalk_mappings %}
+{% for mapping in crosswalk_mappings %}
+- **{{ mapping.framework }}**: {{ mapping.requirement_id }} ({{ mapping.status | default("not_assessed") }})
+{% endfor %}
+{% else %}
+No crosswalk mappings available for this control.
+{% endif %}
+
+---
+*CUI // SP-CTI — Generated by ICDEV Narrative Generator*

icdev/data/context/compliance/narrative_templates/__init__.py

@@ -0,0 +1 @@
+# Package marker for PyPI distribution

icdev/data/context/compliance/narrative_templates/default.md.j2

@@ -0,0 +1,50 @@
+<!-- [TEMPLATE: CUI // SP-CTI] -->
+## {{ control_id }} — {{ control_title }}
+
+### Implementation Status
+
+**Status:** {{ status }}
+**Family:** {{ family }}
+
+### Implementation Narrative
+
+{% if implementation_detail %}
+{{ implementation_detail }}
+{% else %}
+This control has not yet been fully documented. Evidence gathering is in progress.
+{% endif %}
+
+### Evidence
+
+{% if evidence_items %}
+{% for item in evidence_items %}
+- **{{ item.source }}** ({{ item.date | default("N/A") }}): {{ item.description }}
+{% endfor %}
+{% else %}
+No formal evidence has been collected for this control.
+{% endif %}
+
+### Assessment History
+
+{% if audit_events %}
+| Date | Actor | Action |
+|------|-------|--------|
+{% for event in audit_events[:10] %}
+| {{ event.created_at | default("N/A") }} | {{ event.actor | default("system") }} | {{ event.action | default("") }} |
+{% endfor %}
+{% else %}
+No assessment history available.
+{% endif %}
+
+### Related Framework Mappings
+
+{% if crosswalk_mappings %}
+{% for mapping in crosswalk_mappings %}
+- **{{ mapping.framework }}**: {{ mapping.requirement_id }} ({{ mapping.status | default("not_assessed") }})
+{% endfor %}
+{% else %}
+No crosswalk mappings available for this control.
+{% endif %}
+
+---
+*CUI // SP-CTI — Generated by ICDEV Narrative Generator*

icdev/data/context/compliance/narrative_templates/executive_summary.j2

@@ -0,0 +1,27 @@
+# Compliance Executive Summary
+
+**Project:** {{ project_name }}
+**Date:** {{ report_date }}
+**Overall Posture:** {{ overall_posture }}
+
+## Framework Status
+
+{% for fw in frameworks %}
+### {{ fw.name }}
+- **Controls Assessed:** {{ fw.total_controls }}
+- **Satisfied:** {{ fw.satisfied }} ({{ fw.satisfied_pct }}%)
+- **Partially Satisfied:** {{ fw.partial }}
+- **Not Satisfied:** {{ fw.not_satisfied }}
+- **Risk Level:** {{ fw.risk_level }}
+
+{% endfor %}
+
+## Risk Assessment
+
+{{ risk_narrative }}
+
+## Priority Recommendations
+
+{% for rec in recommendations %}
+{{ loop.index }}. **{{ rec.title }}** — {{ rec.description }}
+{% endfor %}

icdev/data/context/compliance/narrative_templates/poam_milestone.j2

@@ -0,0 +1,19 @@
+### POA&M Item: {{ poam_id }}
+
+**Control:** {{ control_id }} — {{ control_name }}
+**Status:** {{ status | title }}
+**Risk Level:** {{ risk_level | default("Moderate") }}
+
+**Weakness Description:**
+{{ weakness_description }}
+
+**Remediation Plan:**
+{{ remediation_plan }}
+
+**Milestones:**
+{% for milestone in milestones %}
+- {{ milestone.description }} (Target: {{ milestone.target_date }})
+{% endfor %}
+
+**Responsible Party:** {{ responsible_party }}
+**Scheduled Completion:** {{ scheduled_completion }}

icdev/data/context/compliance/narrative_templates/ssp_section.j2

@@ -0,0 +1,11 @@
+## {{ control_id }}: {{ control_name }}
+
+### Implementation Status: {{ status | title }}
+
+{{ description }}
+
+**Implementation Details:**
+{{ implementation_narrative }}
+
+**Responsible Role:** {{ responsible_role | default("Information System Security Officer (ISSO)") }}
+**Assessment Date:** {{ assessment_date | default("Not assessed") }}