grc-engineering-suite

GRC Engineering Plugin - Maps IaC to compliance controls, generates policies, collects evidence, reviews PRs for compliance, and transforms risks to Jira tickets

GRC Auditor Plugin - Evidence review, control validation, and audit workpaper generation for external auditors and assessors

GRC Internal Plugin - Policy management, risk registers, and compliance tracking for internal GRC teams

GRC Third-Party Risk Management Plugin - Vendor assessments, questionnaire analysis, and risk scoring

SOC 2 Compliance Plugin - Trust Service Criteria expertise, Type I/II assessment support, and control mapping

NIST 800-53 Plugin - Control families, baseline selection (Low/Moderate/High), and FedRAMP alignment

ISO 27001 Plugin - Annex A controls, ISMS implementation guidance, and certification support

FedRAMP Rev 5 Plugin - Traditional authorization path with SSP/SAP/SAR/POA&M documentation and NIST 800-53 Rev 5 control mapping

FedRAMP 20X Plugin - Modern automated authorization with Key Security Indicators (KSIs), continuous monitoring, and machine-readable policies synced from official FedRAMP docs

PCI DSS v4.0.1 Plugin - Payment Card Industry compliance with ROC guidance, SAQ selection, and March 2025 mandatory requirements

CMMC v2.0 Plugin - Cybersecurity Maturity Model Certification for DoD contractors with 5 levels and C3PAO assessment prep

HITRUST CSF Plugin - Healthcare Information Trust Alliance Common Security Framework with i1/r2 assessments and 156 controls

CIS Controls v8 Plugin - Center for Internet Security baseline with IG1/IG2/IG3 implementation groups and 153 safeguards

GDPR Plugin - EU General Data Protection Regulation with DPIA, data subject rights, and 72-hour breach notification

CSA CCM Plugin - Cloud Security Alliance Cloud Controls Matrix with 197 controls and CAIQ support

NYDFS 23 NYCRR 500 Plugin - New York Department of Financial Services cybersecurity requirements with annual certification

DORA Plugin - EU Digital Operational Resilience Act for financial entities with ICT risk management (effective January 2025)

StateRAMP Plugin - State Risk and Authorization Management Program for state and local government cloud services

Essential 8 Plugin - Australian Cyber Security Centre mitigation strategies with 3 maturity levels

GLBA Plugin - Gramm-Leach-Bliley Act for financial institutions with Safeguards Rule and Privacy Rule compliance

US Export Controls Plugin - ITAR and EAR compliance for defense and dual-use technologies

Canadian PBMM (Protected B Medium Medium) with ITSG-33 controls

Japanese ISMAP government cloud security (ISO 27001/27017/27018)

Australian IRAP (ISM + Essential Eight) for government cloud

GRC connector for AWS: evaluates IAM, S3, CloudTrail, EBS, and RDS for compliance misconfigurations. Emits findings conforming to schemas/finding.schema.json v1.

GRC connector for GitHub: evaluates repo protections, branch policies, Actions, secret scanning, Dependabot, and deploy keys. Emits findings conforming to schemas/finding.schema.json v1.

GRC connector for Google Cloud: evaluates IAM, Cloud Storage, audit logs, KMS rotation, and Compute for compliance misconfigurations. Emits findings conforming to schemas/finding.schema.json v1.

GRC connector for Okta: evaluates authentication policies, MFA enrollment, password policy, session management, and admin/privileged accounts. Emits findings conforming to schemas/finding.schema.json v1.

OSCAL (Open Security Controls Assessment Language) toolkit for Claude Code. Wraps ethanolivertroy/oscal-cli for validation and conversion of catalogs, profiles, SSPs, SAPs, SARs, POA&Ms, component definitions, and assessment results.

Convert FedRAMP Rev 5 Moderate SSP DOCX templates to validated OSCAL 1.2.0 JSON. Wraps ethanolivertroy/frdocx-to-froscal-ssp — ready for oscal-cli, Compliance Trestle, eMASS, and FedRAMP 20X workflows.