feat: add NIST SP 800-37 Rev 2 Risk Management Framework (RMF) skill#35
Open
sjackson0109 wants to merge 1 commit into Sushegaad:main from
NIST Special Publication 800-37 Revision 2 -- Risk Management Framework for Information Systems and Organizations
Published: December 2018 | Source: https://doi.org/10.6028/NIST.SP.800-37r2

PLUGIN STRUCTURE
- plugins/nist-sp-800-37/.claude-plugin/plugin.json
- plugins/nist-sp-800-37/skills/nist-sp-800-37/SKILL.md
- plugins/nist-sp-800-37/skills/nist-sp-800-37/references/rmf-steps-tasks.md
- plugins/nist-sp-800-37/skills/nist-sp-800-37/references/authorization-package.md
- plugins/nist-sp-800-37/skills/nist-sp-800-37/references/roles-and-responsibilities.md

FRAMEWORK COVERAGE
SP 800-37 Rev 2 defines the NIST Risk Management Framework -- the authoritative process for managing security and privacy risk in federal information systems under FISMA. The skill covers all seven RMF steps including the new Prepare step added in Rev 2:

Step 0 -- Prepare (new in Rev 2)
- 10 organisation-level tasks (P-1 through P-10): risk management roles, strategy, org-level risk assessment, control assignments, mission analysis, information types, common controls, tailoring guidance, enterprise architecture, requirements
- 8 system-level tasks (P-11 through P-18): stakeholders, roles, assets, system risk assessment, authorisation boundary, registration, laws/regulations, common control providers

Step 1 -- Categorise
- Task C-1: System description
- Task C-2: Security categorisation using FIPS 199 and SP 800-60
- High-water mark rule; mapping to SP 800-53 baselines (Low/Moderate/High)

Step 2 -- Select
- Task S-1 through S-5: Baseline selection, tailoring (scoping, parameterisation, compensating controls, additions, overlays), control assignment (system/common/hybrid), monitoring strategy, SSP approval
- Complete SP 800-53 Rev 5 control family reference (20 families)

Step 3 -- Implement
- Task I-1: Control implementation
- Task I-2: SSP implementation narrative completion with full field-by-field template

Step 4 -- Assess
- Task A-1 through A-5: SAP preparation, control assessment (examine/interview/test), remediation, final SAR, POA&M
- Assessment independence requirements by system impact level
- SP 800-53A assessment method and depth/coverage guidance

Step 5 -- Authorise
- Task R-1 through R-5: Authorization package assembly, risk determination, risk response, authorization decision, FISMA reporting
- Authorization types: ATO, ATU, Ongoing Authorization, DATO
- ATO decision factors and risk acceptance guidance

Step 6 -- Monitor
- Task M-1 through M-7: Monitoring strategy, configuration management, ongoing assessments, risk response, authorization updates, security posture reporting, system disposal
- Ongoing authorisation model requirements

ROLES AND RESPONSIBILITIES
Full coverage of all SP 800-37 Rev 2 roles: AO, AODR, SAOP/CPO, CISO/SAISO, Risk Executive, System Owner, ISSO, ISSM, SCA, CCP, Mission/Business Owner, System Administrator; role assignment requirements, combination rules, and conflict of interest prohibitions

REFERENCE FILES
rmf-steps-tasks.md: Complete task tables for all seven steps with task numbers, names, primary inputs, key outputs, and assigned roles; FIPS 199 categorisation step-by-step process; SP 800-53 Rev 5 control family index; SDLC integration mapping
authorization-package.md: Full authorization package document checklist (required and conditional documents); SSP template with all required sections; SAR structure per SP 800-53A; POA&M format with all required fields per OMB M-02-01; authorization decision documentation requirements; ATO conditions and risk acceptance statement guidance
roles-and-responsibilities.md: Detailed responsibilities for all 12 RMF roles; appointment requirements; role combination rules; critical role conflict prohibitions; common control examples

INTEGRATION POINTS
- NIST SP 800-30 Rev 1: Risk assessments inform categorisation (Step 1) and feed ATO package
- NIST SP 800-39: RMF operates within the enterprise risk management tier structure
- NIST SP 800-53 Rev 5: Control baselines selected and tailored in Step 2
- NIST SP 800-53A: Assessment procedures used in Step 4
- NIST SP 800-137: Continuous monitoring strategy feeds Step 6
- NIST CSF 2.0: Explicit alignment mapping referenced in Prepare step

TESTS
All 10 plugin structure tests pass (test_plugin_structure.py -k nist-sp-800-37)
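The Step 1 categorisation described in the commit message and the PR description (FIPS 199 high-water mark rule, SP 800-60 provisional-value adjustment, mapping onto the SP 800-53 Low/Moderate/High baselines) carried out in Python, as an added example that is not code from the PR or the skill; the information types, the adjustment rationale and the function names (`InformationType`, `high_water_mark`, `sp80053_baseline`, `security_category`) are constructed for illustration.

```python
# Added example (not the PR's or the skill's code): FIPS 199 categorisation, high-water mark rule.
from dataclasses import dataclass, field

LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")   # ordered; N/A only for confidentiality
OBJECTIVES = ("confidentiality", "integrity", "availability")

@dataclass
class InformationType:
    """One SP 800-60 information type: provisional CIA values plus documented adjustments."""
    name: str
    provisional: dict                                # objective -> level
    adjustments: dict = field(default_factory=dict)  # objective -> (level, rationale)

    def impact(self, objective: str) -> str:
        """Adjusted value if the organisation documented one, else the provisional value."""
        level = self.adjustments.get(objective, (self.provisional[objective], ""))[0]
        if level not in LEVELS:
            raise ValueError(f"{self.name}: unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{self.name}: N/A is only permitted for confidentiality")
        return level

def high_water_mark(info_types: list) -> dict:
    """Per-objective system value = highest over all information types; FIPS 199 floors it at LOW."""
    hwm = {}
    for obj in OBJECTIVES:
        top = max((it.impact(obj) for it in info_types), key=LEVELS.index, default="LOW")
        hwm[obj] = "LOW" if top == "N/A" else top
    return hwm

def system_impact_level(hwm: dict) -> str:
    """Overall system impact level = highest of the three objectives."""
    return max(hwm.values(), key=LEVELS.index)

def sp80053_baseline(level: str) -> str:
    """Map the FIPS 199 system impact level onto the SP 800-53 Rev 5 baseline name."""
    return {"LOW": "Low", "MODERATE": "Moderate", "HIGH": "High"}[level]

def security_category(hwm: dict) -> str:
    """FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    return "SC = {" + ", ".join(f"({o}, {hwm[o]})" for o in OBJECTIVES) + "}"

# Constructed sample: personnel-record availability raised from provisional LOW (payroll dependency).
SAMPLE = [
    InformationType("Public web content",
                    {"confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"}),
    InformationType("Personnel records",
                    {"confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
                    adjustments={"availability": ("MODERATE", "time-critical payroll dependency")}),
]
```

Without the documented adjustment the sample system's availability value would stay LOW, which is why SP 800-60 requires the rationale for every provisional-value change to be recorded alongside the categorisation.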
NIST SP 800-37 Rev 2 -- Risk Management Framework (RMF)
Source: NIST Special Publication 800-37 Revision 2, December 2018
https://doi.org/10.6028/NIST.SP.800-37r2
Summary
This PR adds a complete Claude skill for NIST SP 800-37 Rev 2, the authoritative NIST guide defining the Risk Management Framework (RMF) for federal information systems. The RMF is the standard process used across the US federal government for Authorisation to Operate (ATO) under FISMA. The skill covers all seven RMF steps, all defined roles, the full authorization package, SSP, SAR, and POA&M guidance.
Files Added
Framework Coverage
Seven RMF Steps (Rev 2 adds Prepare):
Step 0 -- Prepare: 10 organisation-level tasks (P-1 to P-10) covering risk management roles, strategy, org-level risk assessment, control assignments, mission/business analysis, information type taxonomy, common control identification, tailoring guidance, enterprise architecture, and requirements; 8 system-level tasks (P-11 to P-18) covering stakeholders, system roles, assets, system risk assessment, authorisation boundary, registration, legal requirements, and common control inheritance.
Step 1 -- Categorise: FIPS 199 high-water mark methodology; SP 800-60 information type taxonomy; provisional value adjustment; system impact level determination; mapping to SP 800-53 Rev 5 baselines.
Step 2 -- Select: Baseline selection; tailoring actions (scoping, parameterisation, compensating controls, additions, overlays); control assignment (system-specific, common/inherited, hybrid); monitoring strategy integration; SSP approval cycle. Complete SP 800-53 Rev 5 control family index (20 families, AC through SR).
Step 3 -- Implement: Control implementation; SSP implementation narrative with full field-by-field template for each control entry.
Step 4 -- Assess: SAP preparation; control assessment using examine/interview/test methods; SP 800-53A depth and coverage parameters; remediation before finalising SAR; POA&M creation. Assessor independence requirements by impact level.
Step 5 -- Authorise: Authorization package assembly; risk determination; risk response (accept/mitigate/transfer/avoid); ATO, ATU, Ongoing Authorization, and DATO types; ATO decision factors; risk acceptance statement format; FISMA reporting.
Step 6 -- Monitor: Continuous monitoring strategy; configuration management; ongoing assessments; ongoing risk response; authorization updates for significant changes; security posture reporting; system disposal.
Roles and Responsibilities: All 12 SP 800-37 Rev 2 roles with appointment requirements, responsibilities, role combination rules, and conflict-of-interest prohibitions (AO, AODR, SAOP, CISO, Risk Executive, System Owner, ISSO, ISSM, SCA, CCP, Mission Owner, System Administrator).
Reference Files
rmf-steps-tasks.md: Complete task tables for all seven RMF steps with task numbers, names, primary inputs, key outputs, and role assignments; FIPS 199 step-by-step categorisation process; SP 800-53 Rev 5 control family index; SDLC phase to RMF task integration mapping.
authorization-package.md: Full authorization package checklist (required and conditional documents); SSP template with all required sections and fields; SAR structure per SP 800-53A with per-control finding format; POA&M format with all required fields per OMB M-02-01; ATO memo contents; authorization conditions; risk acceptance statement guidance.
roles-and-responsibilities.md: Detailed responsibilities for all defined RMF roles; appointment authority; role combination permissions; critical conflict-of-interest prohibitions; common control provider examples.
Integration Points
Tests
All 10 plugin structure tests pass: