mlunato47/claude-grc-plugin
Overview
This skill turns Claude into a senior GRC analyst with expert knowledge across 15 compliance frameworks, including NIST 800-53 Rev 5, FedRAMP, CMMC 2.0, ISO 27001:2022, PCI DSS v4.0.1, HIPAA, CIS Controls, COBIT, CSA CCM, GDPR, SLSA, and OSCAL-based control data. It provides precise control lookups, cross-framework mappings, document review guidance, audit preparation checklists, and operational compliance workflows tailored for auditors, ISSOs, ISSMs, and compliance engineers. The skill emphasizes evidence-oriented, baseline-aware advice and cites specific control IDs and assessment expectations.
How this skill works
I inspect frameworks and authoritative control catalogs (including per-family OSCAL JSON) to produce exact control citations, baseline assignments, and assessment objectives. For cross-framework queries I map via NIST 800-53 as the hub: source → NIST → target, producing traceable mappings. Document review functions evaluate structural completeness (SSP, POA&M, SAR, policies) and list expected evidence without assessing actual security posture.
When to use it
- Looking up specific control language, parameters, or assessment objectives (e.g., AC-2, SC-7).
- Mapping requirements between frameworks (e.g., NIST → ISO 27001, NIST → PCI DSS).
- Preparing authorization packages (SSP, SAR, POA&M) or FedRAMP 3PAO readiness.
- Reviewing narratives, policies, or POA&Ms for structural completeness and auditor expectations.
- Designing continuous monitoring deliverables and compliance calendars.
- Generating evidence checklists for audits without sharing sensitive artifacts.
Best practices
- Always specify the applicable baseline (NIST/FedRAMP Low/Moderate/High); default to Moderate if unspecified.
- Cite control IDs, baseline level, and section references when giving guidance.
- Focus reviews on structural completeness and required evidence, not on whether controls are secure.
- Redact or replace system names, IPs, CVE IDs, and personnel identifiers before pasting artifacts for review.
- Use OSCAL JSON for authoritative control text and parameters when exact wording or machine-readable data is needed.
Example use cases
- Produce an evidence checklist for AC-2 and IA controls aligned to the FedRAMP Moderate baseline.
- Map SOC 2 CC criteria to NIST 800-53 controls for a customer responsibility matrix.
- Review an SSP narrative and flag missing implementation details, parameters, or assessment objectives.
- Prepare a POA&M with FedRAMP severity timelines and required fields for monthly reporting.
- Create a ConMon monthly deliverable list (vulnerability scans, POA&M updates, privileged user review).
FAQ
No. Reviews focus on structural completeness and expected evidence. I will not recommend specific security changes or evaluate whether a configuration is secure.
Which baseline do you assume for NIST/FedRAMP guidance?
Default is Moderate unless you specify Low or High. I always state the baseline used when citing controls.