Claude Code Skills·Claude Skills·The open SKILL.md registry for Claude

GRCEngClub

@GRCEngClub on GitHub →

62 Claude Code skills authored by GRCEngClub.

updated 2026-05-23 · showing 1–60 of 62 by quality score

Average Pro QualityScore: 68.0/100


Risk register management skill for systematic risk identification, assessment, and tracking
UK NCSC Cyber Essentials Plus (CE+) v3.3 Danzell expert. Reference-depth framework plugin with assessment, scope determination, and evidence checklist — backed by the SCF…
Converts unstructured risk assessments into structured Jira tickets. Extracts Likelihood, Impact, Mitigation from natural language and generates JSON formatted for Jira API with…
Japanese ISMAP (Information System Security Management and Assessment Program) expert. Provides guidance on ISO 27001/27017/27018 compliance, Japanese government cloud…
Generates focused assessor interview questions from a technology stack and maps them to compliance frameworks with practical CLI/API evidence hints.
Tutor that produces working primers on GRC frameworks and roles. Adapts depth to the learner's background.
Sarbanes-Oxley Act of 2002 (SOX) expert for ICFR-relevant IT and security work. Deep knowledge of 15 U.S.C.
GDPR expert for EU privacy compliance. Deep knowledge of General Data Protection Regulation including 99 articles, 7 principles, 6 lawful bases, data subject rights, DPO…
Track regulatory compliance for construction projects. Monitor permits, certifications, inspections, and regulatory requirements with automated alerts and reporting.
Analyzes vendor security questionnaire responses. Identifies red flags, gaps, and areas requiring follow-up. Supports SIG, CAIQ, and custom questionnaires.
CSA CCM expert for cloud security. Deep knowledge of Cloud Security Alliance Cloud Controls Matrix including 197 controls, 17 domains, CAIQ questionnaire, cloud service models…
NIST 800-53 control framework expert. Provides guidance on control families, baseline selection, tailoring, and federal compliance requirements including FedRAMP alignment.
Singapore MAS Technology Risk Management Guidelines expert. Reference-depth framework plugin with scope determination, evidence checklist, and SCF-backed assessment guidance for…
India DPDPA expert for the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. Covers Data Fiduciary obligations, Data Principal rights, Significant Data Fiduciary…
Generates professional audit findings using the Condition-Criteria-Cause-Effect format. Creates management letter comments and remediation recommendations.
HITRUST CSF expert for healthcare security. Implementation guidance, assessment workflow, and mapping to HIPAA/NIST/ISO/PCI frameworks.
Reviews pull requests for compliance regressions. Scans code diffs for security and compliance violations, flags issues, and suggests fixes aligned with frameworks like SOC 2, ISO…
FINRA Broker-Dealer Cybersecurity Guidance expert. Stub-depth framework plugin that routes to the SCF crosswalk.
SOC 2 Trust Service Criteria expert. Provides guidance on Type I/II audits, control mapping, evidence requirements, and audit preparation for all Trust Service Categories.
CIS Controls v8 expert for baseline security. Deep knowledge of 18 controls, 153 safeguards, Implementation Groups (IG1/IG2/IG3), and practical implementation guidance for…
Generates CLI commands and API scripts to collect point-in-time evidence for audit controls. Automates evidence gathering from cloud providers (AWS, Azure, GCP) and outputs…
Expertise in evaluating Okta configurations for compliance — policies, MFA, session management, admin accounts, lifecycle. Maps to FedRAMP/NIST/SOC2/PCI identity controls.
FedRAMP Rev 5 authorization expert. Provides guidance on traditional authorization paths, SSP/SAP/SAR/POA&M documentation, NIST 800-53 Rev 5 control implementation, and 3PAO…
Conducts comprehensive vendor security assessments. Evaluates vendor security posture, identifies risks, and generates assessment reports with recommendations.
Validates audit evidence artifacts for completeness, timeliness, relevance, and authenticity. Reviews screenshots, logs, configurations, and policies against control requirements.
ISO 27001 ISMS expert. Provides guidance on management system requirements, Annex A controls, certification process, and continuous improvement for information security.
Australian IRAP (Information Security Registered Assessors Program) expert. Provides guidance on ISM controls, Essential Eight maturity levels, ACSC guidelines, and Australian…
Expertise in FedRAMP POA&M lifecycle management, FedRAMP 20x VDR generation, and vulnerability classification using CISA KEV, EPSS, N-ratings, LEV/IRV, and NIST 800-53 control…
Essential 8 expert for Australian cyber security. Deep knowledge of ACSC Essential Eight mitigation strategies including 8 strategies, 3 maturity levels, implementation guidance,…
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) expert. Deep knowledge of California Civil Code §1798.100 et seq., CPRA-amended applicability…
US Export Controls expert covering ITAR and EAR. Provides comprehensive guidance on defense articles (USML), dual-use commercial items (CCL), jurisdiction determination, FIPS…
Swiss Federal Act on Data Protection (nFADP) expert. Deep knowledge of the revised 2023 Swiss FADP including voluntary DSO, risk-based breach notification, individual criminal…
Expertise on OSCAL (Open Security Controls Assessment Language) — what document types exist, when to use each, schema versioning, FedRAMP/eMASS/CSPM integration, round-trip…
Drills the user on a framework with application-level scenario questions. Inspired by mattpocock/skills/grill-me.
Expertise in evaluating AWS accounts for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret aws CLI output.
NYDFS 23 NYCRR 500 expert for financial services. Deep knowledge of New York Department of Financial Services cybersecurity requirements including all 23 sections, annual…
Japan APPI expert for the Act on the Protection of Personal Information. Reference-depth framework plugin with scope determination, evidence checklist, and SCF-backed assessment…
NIST Cybersecurity Framework v2.0 expert. Reference-depth knowledge of the six Functions (Govern, Identify, Protect, Detect, Respond, Recover), Categories and Subcategories,…
FedRAMP 20X modernization expert. Provides guidance on Key Security Indicators (KSIs), continuous monitoring automation, machine-readable policies, and the new automated…
HIPAA Security Rule expert for US healthcare compliance. Deep knowledge of 45 CFR Part 164 Subpart C, Administrative/Physical/Technical Safeguards, Required vs Addressable…
Explains a single control once and shows every framework it maps to via the SCF crosswalk. Resolves SCF IDs, framework-specific IDs, and plain-English descriptions.
Calculates vendor risk scores using inherent and residual risk factors. Generates risk ratings, comparisons, and treatment recommendations.
Expertise on FedRAMP SSP authoring — what the DOCX templates contain, what OSCAL 1.2.0 SSP looks like for FedRAMP, how this plugin fits alongside Compliance Trestle and oscal-cli.
Expertise in evaluating GCP projects for compliance — what checks are meaningful, which SCF controls they map to, and how to interpret gcloud output.
EU NIS2 Directive (Directive (EU) 2022/2555) expert. Reference-depth knowledge of essential vs important entity classification, Article 20 governance, the Article 21 ten…
Maps infrastructure code (Terraform, Kubernetes, CloudFormation) to compliance controls (ISO 27001, SOC 2, NIST 800-53).
GLBA expert for financial institutions. Deep knowledge of Gramm-Leach-Bliley Act including Safeguards Rule (16 CFR Part 314), Privacy Rule (16 CFR Part 313), FTC enforcement,…
PCI DSS v4.0.1 compliance expert. Provides guidance on payment card industry security, ROC completion, SAQ selection, requirement interpretation, and the new March 2025 mandatory…
DORA expert for EU financial entities. Deep knowledge of Digital Operational Resilience Act including 5 pillars, ICT risk management, incident reporting, resilience testing,…
Singapore - Personal Data Protection Act (PDPA) (2012) expert. Reference-depth framework plugin with assessment, scope determination, and evidence checklist — backed by the SCF…
StateRAMP expert for state and local government cloud services. Deep knowledge of State Risk and Authorization Management Program including Low/Moderate impact levels, NIST 800-53…
Manages policy documents through their full lifecycle. Reviews policies for gaps, suggests updates based on framework changes, and tracks approval workflows.
Audience-specific tone and format guidance for leadership communications. Use when drafting any /report:* output to tune length, framing, and technical depth to the reader (board,…
Setup guidance for users running a /report:* command before their toolkit has enough context. Use when a report command detects missing findings, frameworks, or history.
Patterns for synthesizing findings across multiple frameworks into one readable portfolio view. Use when a /report:* command is pulling from more than one framework plugin and…
Translates GRC findings, risks, and program activity into language leadership actually reads. Use when any /report:* command is composing output intended for a CISO, CIO, or…
Canadian PBMM (Protected B, Medium Integrity, Medium Availability) expert. Provides comprehensive guidance on ITSG-33 controls, CCCS assessment, Canadian data residency, and…
Composes week-over-week automation coverage narratives. Use when /report:automation-coverage is running.
Designs and documents control testing procedures. Creates test plans, executes walkthroughs, and documents results for audit workpapers.
CMMC v2.0 expert for DoD contractors. Provides deep knowledge of Cybersecurity Maturity Model Certification including 5 levels, 14 domains, 171 practices, NIST 800-171 alignment,…