feat: add NIST SP 800-39 Enterprise Risk Management skill#36
Open
sjackson0109 wants to merge 1 commit intoSushegaad:mainfrom
NIST Special Publication 800-39 -- Managing Information Security Risk: Organization, Mission, and Information System View
Published: March 2011 | Source: https://doi.org/10.6028/NIST.SP.800-39

PLUGIN STRUCTURE
- plugins/nist-sp-800-39/.claude-plugin/plugin.json
- plugins/nist-sp-800-39/skills/nist-sp-800-39/SKILL.md
- plugins/nist-sp-800-39/skills/nist-sp-800-39/references/three-tier-model.md
- plugins/nist-sp-800-39/skills/nist-sp-800-39/references/risk-framing.md
- plugins/nist-sp-800-39/skills/nist-sp-800-39/references/risk-response-monitoring.md

FRAMEWORK COVERAGE
SP 800-39 is the highest-level publication in the NIST risk management hierarchy, providing the overarching framework for enterprise information security risk management. The skill covers all four risk management components and the full three-tier hierarchy:

Three-Tier Risk Management Hierarchy
- Tier 1 (Organisation): Risk governance, risk executive function, risk management strategy, risk tolerance, policy framework, mission-critical asset identification, security investment alignment
- Tier 2 (Mission/Business Process): Enterprise security architecture, system-to-mission mapping, business impact analysis, common control programme, supply chain governance, business continuity
- Tier 3 (Information System): Full RMF lifecycle per SP 800-37 (categorise through monitor)
- Information flows: top-down (strategy/direction) and bottom-up (risk reporting/aggregation)

Four Risk Management Components
- Component 1 -- Frame Risk: Risk assumptions (threat, vulnerability, impact, environmental, temporal), risk constraints (legal, policy, mission, budget, technology, workforce, contractual), risk tolerance (dimensions: overall, CIA, privacy, supply chain, time), risk priorities and trade-offs; complete risk framing document template with approval requirements
- Component 2 -- Assess Risk: Integration with SP 800-30 for conducting assessments; scope by tier; risk aggregation from Tier 3 through Tier 2 to Tier 1 strategic picture
- Component 3 -- Respond to Risk: Four response options (Accept, Avoid, Mitigate, Transfer/Share) with when-to-use criteria, documentation requirements, risk acceptance authority by tier, risk response plan format with all required fields, mitigation strategies at each tier, transfer mechanism examples and limitations
- Component 4 -- Monitor Risk: Control effectiveness monitoring (formal assessments, automated scanning, SIEM, pen testing, metrics), risk environment monitoring (threat intelligence, vulnerability monitoring, incident monitoring, regulatory monitoring), risk acceptance review triggers, risk posture reporting by tier (Tier 3 to Tier 1), and immediate escalation triggers

REFERENCE FILES
- three-tier-model.md: Detailed tier-by-tier breakdown of functions, artefacts, and roles for all three tiers; information flow tables (top-down, bottom-up, horizontal); SP 800-39 vs SP 800-37 vs SP 800-30 comparison table
- risk-framing.md: What risk framing is and why it is needed; four framing component categories with examples; risk assumptions documentation guide; risk constraints typology; risk tolerance dimensions with example statements; risk priorities and trade-off acknowledgements; full risk framing document template with all sections and field-level guidance
- risk-response-monitoring.md: Full coverage of all four risk response options with when-to-use criteria, documentation requirements, and examples; risk acceptance authority by tier table; mitigation plan component template; transfer mechanisms; complete risk response plan format; monitoring activities (control effectiveness, risk environment, risk acceptance review); risk posture reporting by tier; immediate escalation trigger table

INTEGRATION POINTS
- NIST SP 800-30 Rev 1: SP 800-39 directs risk assessments; SP 800-30 provides the how-to
- NIST SP 800-37 Rev 2: RMF operates at Tier 3 within the SP 800-39 framework
- NIST SP 800-53 Rev 5: Controls selected at Tier 3 to mitigate risks identified at Tier 2/3
- NIST SP 800-137: Continuous monitoring feeds the Monitor component at Tier 3

TESTS
All 10 plugin structure tests pass (test_plugin_structure.py -k nist-sp-800-39)
NIST SP 800-39 -- Managing Information Security Risk (Enterprise Risk Management)
Source: NIST Special Publication 800-39, March 2011
https://doi.org/10.6028/NIST.SP.800-39
Summary
This PR adds a complete Claude skill for NIST SP 800-39, the highest-level NIST risk management publication. SP 800-39 provides the enterprise governance framework within which SP 800-37 (the RMF) and SP 800-30 (risk assessments) operate. The skill covers the three-tier risk management hierarchy, all four risk management components (frame, assess, respond, monitor), risk framing, risk tolerance, risk response options, and risk monitoring.
Files Added
Framework Coverage
Three-Tier Hierarchy: Organisation (Tier 1) governance structure and outputs; Mission/Business Process (Tier 2) functions, artefacts, and roles; Information System (Tier 3) RMF integration. Information flow tables covering top-down (direction/context), bottom-up (risk aggregation), and horizontal (within-tier sharing) flows.
Four Risk Management Components:
Component 1 -- Frame Risk: Risk assumptions (threat, vulnerability, impact, environmental, temporal); risk constraints (legal, policy, mission, budget, technology, workforce, contractual); risk tolerance dimensions with example statements; risk priorities and trade-off acknowledgements; complete risk framing document template.
Component 2 -- Assess Risk: Integration with SP 800-30; tier-scoped assessment types; risk aggregation from system level through business process to enterprise strategic view.
Component 3 -- Respond to Risk: All four options (Accept, Avoid, Mitigate, Transfer/Share) with when-to-use criteria, documentation requirements, authority levels by tier, risk response plan template, mitigation strategies at each tier, and transfer mechanism types and limitations.
Component 4 -- Monitor Risk: Control effectiveness monitoring activities; risk environment monitoring sources; risk acceptance review triggers; risk posture reporting structure by tier (Tier 3 to Tier 2 to Tier 1); immediate escalation triggers.
Integration Points
Tests
All 10 plugin structure tests pass: