Risk register management skill for systematic risk identification, assessment, and tracking
Generates CLI commands and API scripts to collect point-in-time evidence for audit controls. Automates evidence gathering from cloud providers (AWS, Azure, GCP) and outputs…
Tutor that produces working primers on GRC frameworks and roles. Adapts depth to the learner's background.
Generates focused assessor interview questions from a technology stack and maps them to compliance frameworks with practical CLI/API evidence hints.
Use when creating a draw.io diagram for POA&M items, audit findings, remediation milestones, validation, closure, and escalation paths in a GRC, security, audit, compliance,…
Generates professional audit findings using the Condition-Criteria-Cause-Effect format. Creates management letter comments and remediation recommendations.
Expertise in evaluating AWS accounts for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret aws CLI output.
Use when creating a draw.io diagram for regulated data flows, data classifications, storage, processing, transfer, access, retention, and logging in a GRC, security, audit,…
Expertise in evaluating GitHub repositories for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret gh CLI output.
CSA CCM expert for cloud security. Deep knowledge of Cloud Security Alliance Cloud Controls Matrix including 197 controls, 17 domains, CAIQ questionnaire, cloud service models…
Essential 8 expert for Australian cyber security. Deep knowledge of ACSC Essential Eight mitigation strategies including 8 strategies, 3 maturity levels, implementation guidance,…
APRA CPS 234 expert for Australian prudential information security. Reference-depth framework plugin with scope determination, evidence checklist, and SCF-backed assessment…
FINRA Broker-Dealer Cybersecurity Guidance expert. Stub-depth framework plugin that routes to the SCF crosswalk.
US Export Controls expert covering ITAR and EAR. Provides comprehensive guidance on defense articles (USML), dual-use commercial items (CCL), jurisdiction determination, FIPS…
Use when creating a draw.io diagram for mapping controls and obligations across frameworks to show overlap, gaps, and conflicts in a GRC, security, audit, compliance, privacy,…
GRC-specific portfolio questionnaire that creates a site-config.json and SITE-PLAN.md tailored to GRC engineers — certifications, frameworks, audit experience, tools, and projects.
Canadian PBMM (Protected B, Medium Integrity, Medium Availability) expert. Provides comprehensive guidance on ITSG-33 controls, CCCS assessment, Canadian data residency, and…
Translates GRC findings, risks, and program activity into language leadership actually reads. Use when any /report:* command is composing output intended for a CISO, CIO, or…
NYDFS 23 NYCRR 500 expert for financial services. Deep knowledge of New York Department of Financial Services cybersecurity requirements including all 23 sections, annual…
Interpret splunk-inspector findings and translate Splunk retention, RBAC, audit, search ACL, and auth posture into compliance evidence and remediation.
FedRAMP Rev 5 authorization expert. Provides guidance on traditional authorization paths, SSP/SAP/SAR/POA&M documentation, NIST 800-53 Rev 5 control implementation, and 3PAO…
Interpret testssl-inspector normalized findings, recommend remediations, and tie evidence back to SCF anchor controls plus SOC 2 / NIST 800-53 r5 / PCI DSS 4.0.1 / ISO 27002:2022…
Swiss Federal Act on Data Protection (nFADP) expert. Deep knowledge of the revised 2023 Swiss FADP including voluntary DSO, risk-based breach notification, individual criminal…
CMMC v2.0 expert for DoD contractors. Provides deep knowledge of Cybersecurity Maturity Model Certification including 5 levels, 14 domains, 171 practices, NIST 800-171 alignment,…
Use when creating a draw.io diagram for evidence collection, evidence lifecycle, audit evidence pipelines, and systems of record in a GRC, security, audit, compliance, privacy,…
Drills the user on a framework with application-level scenario questions. Inspired by mattpocock/skills/grill-me.
Builds the React/Vite site, syncs to S3, and invalidates CloudFront cache. Uses the plugin's bundled deploy.sh script.
StateRAMP expert for state and local government cloud services. Deep knowledge of State Risk and Authorization Management Program including Low/Moderate impact levels, NIST 800-53…
Analyzes vendor security questionnaire responses. Identifies red flags, gaps, and areas requiring follow-up. Supports SIG, CAIQ, and custom questionnaires.
PCI DSS v4.0.1 compliance expert. Provides guidance on payment card industry security, ROC completion, SAQ selection, requirement interpretation, and the new March 2025 mandatory…
Use when creating a draw.io diagram for cloud/SaaS shared responsibility, inherited controls, provider controls, customer controls, and evidence ownership in a GRC, security,…
Use when creating a draw.io diagram for vendor intake, tiering, questionnaires, security/privacy/legal review, contracting, and ongoing monitoring in a GRC, security, audit,…
Expertise in evaluating GCP projects for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret gcloud output.
Designs and documents control testing procedures. Creates test plans, executes walkthroughs, and documents results for audit workpapers.
Deploys AWS CloudFormation infrastructure stacks for the website (S3, CloudFront, Route 53, ACM, and optionally contact form API).
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) expert. Deep knowledge of California Civil Code §1798.100 et seq., CPRA-amended applicabil — from…
Creates a GitHub repository for the website project, initializes git, and pushes the code.
Setup guidance for users running a /report:* command before their toolkit has enough context. Use when a report command detects missing findings, frameworks, or history.
Use when creating a draw.io diagram for high-level GRC program architecture, continuous compliance operating models, three lines of defense, and executive program maps in a GRC,…
Scaffolds a complete React/Vite website project from site-config.json. Generates components, styles, and configuration based on the site type and plan data.
Expertise in FedRAMP POA&M lifecycle management, FedRAMP 20x VDR generation, and vulnerability classification using CISA KEV, EPSS, N-ratings, LEV/IRV, and NIST 800-53 control…
HIPAA Security Rule expert for US healthcare compliance. Deep knowledge of 45 CFR Part 164 Subpart C, Administrative/Physical/Technical Safeguards, Required vs Addressable…
GDPR expert for EU privacy compliance. Deep knowledge of General Data Protection Regulation including 99 articles, 7 principles, 6 lawful bases, data subject rights, DPO…
CIS Controls v8 expert for baseline security. Deep knowledge of 18 controls, 153 safeguards, Implementation Groups (IG1/IG2/IG3), and practical implementation guidance for…
Helps you triage a quarterly user access review from an Okta, Azure AD, AWS IAM, GitHub, or generic CSV/JSON export.
Manages policy documents through their full lifecycle. Reviews policies for gaps, suggests updates based on framework changes, and tracks approval workflows.
Explains a single control once and shows every framework it maps to via the SCF crosswalk. Resolves SCF IDs, framework-specific IDs, and plain-English descriptions.
Use when creating a draw.io diagram for compliance scope, authorization boundaries, trust boundaries, in-scope/out-of-scope systems, and system context diagrams in a GRC,…
Verbatim reference for all 320 NIST 800-171A Rev 2 assessment objectives, plus the Rev 2 → Rev 3 control crosswalk.
Use when creating a draw.io diagram for risk intake, scoring, treatment, exception approval, residual risk, and monitoring workflows in a GRC, security, audit, compliance,…
India DPDPA expert for the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. Covers Data Fiduciary obligations, Data Principal rights, Significant Data Fiduciary…
Interpret datadog-inspector findings and translate Datadog monitoring, audit, log-retention, SSO, and RBAC results into GRC evidence and remediation.
Japanese ISMAP (Information System Security Management and Assessment Program) expert. Provides guidance on ISO 27001/27017/27018 compliance, Japanese government cloud…
Calculates vendor risk scores using inherent and residual risk factors. Generates risk ratings, comparisons, and treatment recommendations.
Singapore - Personal Data Protection Ac (PDPA) (2012) expert. Reference-depth framework plugin with assessment, scope determination, and evidence checklist — backed by the SCF…
Expertise on FedRAMP SSP authoring — what the DOCX templates contain, what OSCAL 1.2.0 SSP looks like for FedRAMP, how this plugin fits alongside Compliance Trestle and oscal-cli.
Patterns for synthesizing findings across multiple frameworks into one readable portfolio view. Use when a /report:* command is pulling from more than one framework plugin and…
Maps infrastructure code (Terraform, Kubernetes, CloudFormation) to compliance controls (ISO 27001, SOC 2, NIST 800-53).
Expertise in evaluating Azure subscription findings from azure-inspector and mapping them to SCF controls.
Use when creating a draw.io diagram for responsibility assignments across GRC, security, engineering, legal, HR, procurement, vendors, and auditors in a GRC, security, audit,…