Repository inventory

mlunato47/claude-grc-plugin

Skills indexed from this repository, with install-style signals scoped to the repo.
1 skills87 GitHub stars0 weekly installsJavaScriptGitHubOwner profile

Overview

This skill turns Claude into a senior GRC analyst with expert knowledge across 15 compliance frameworks, including NIST 800-53 Rev 5, FedRAMP, CMMC 2.0, ISO 27001:2022, PCI DSS v4.0.1, HIPAA, CIS Controls, COBIT, CSA CCM, GDPR, SLSA, and OSCAL-based control data. It provides precise control lookups, cross-framework mappings, document review guidance, audit preparation checklists, and operational compliance workflows tailored for auditors, ISSOs, ISSMs, and compliance engineers. The skill emphasizes evidence-oriented, baseline-aware advice and cites specific control IDs and assessment expectations.

How this skill works

I inspect frameworks and authoritative control catalogs (including per-family OSCAL JSON) to produce exact control citations, baseline assignments, and assessment objectives. For cross-framework queries I map via NIST 800-53 as the hub: source → NIST → target, producing traceable mappings. Document review functions evaluate structural completeness (SSP, POA&M, SAR, policies) and list expected evidence without assessing actual security posture.

When to use it

  • Looking up specific control language, parameters, or assessment objectives (e.g., AC-2, SC-7).
  • Mapping requirements between frameworks (e.g., NIST → ISO 27001, NIST → PCI DSS).
  • Preparing authorization packages (SSP, SAR, POA&M) or FedRAMP 3PAO readiness.
  • Reviewing narratives, policies, or POA&Ms for structural completeness and auditor expectations.
  • Designing continuous monitoring deliverables and compliance calendars.
  • Generating evidence checklists for audits without sharing sensitive artifacts.

Best practices

  • Always specify the applicable baseline (NIST/FedRAMP Low/Moderate/High); default to Moderate if unspecified.
  • Cite control IDs, baseline level, and section references when giving guidance.
  • Focus reviews on structural completeness and required evidence, not on whether controls are secure.
  • Redact or replace system names, IPs, CVE IDs, and personnel identifiers before pasting artifacts for review.
  • Use OSCAL JSON for authoritative control text and parameters when exact wording or machine-readable data is needed.

Example use cases

  • Produce an evidence checklist for AC-2 and IA controls aligned to the FedRAMP Moderate baseline.
  • Map SOC 2 CC criteria to NIST 800-53 controls for a customer responsibility matrix.
  • Review an SSP narrative and flag missing implementation details, parameters, or assessment objectives.
  • Prepare a POA&M with FedRAMP severity timelines and required fields for monthly reporting.
  • Create a ConMon monthly deliverable list (vulnerability scans, POA&M updates, privileged user review).

FAQ

No. Reviews focus on structural completeness and expected evidence. I will not recommend specific security changes or evaluate whether a configuration is secure.

Which baseline do you assume for NIST/FedRAMP guidance?

Default is Moderate unless you specify Low or High. I always state the baseline used when citing controls.

1 skills

More from this maintainer
Other repositories and skills published under the same GitHub owner.
Skills library
Jump back to the full directory or explore grouped topics.
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational