Module Documentation

Ryan edited this page Apr 25, 2026 · 7 revisions

Comprehensive reference for every security audit module in the framework. Each module is fully self-contained and can be invoked standalone or via the orchestrator. All modules conform to the 9-field result-object schema documented in Output Reference.

  • Version: 6.1.2
  • Total modules: 16
  • Total checks: 3,994
  • Total module code: ~36,000 lines

Table of Contents

| Module | Framework Focus | Checks | Lines |
|---|---|---|---|
| module-acsc.ps1 | ACSC Essential Eight + ISM/PSPF | 170 | 1,423 |
| module-cis.ps1 | CIS Controls v8 + IG2/IG3 + Cloud/Mobile/ICS-OT | 260 | 2,711 |
| module-cisa.ps1 | CISA Best Practices + KEV + ZTMM + CPGs | 289 | 2,792 |
| module-cmmc.ps1 | CMMC 2.0 L1/L2/L3 + DFARS + 800-172 | 145 | 1,421 |
| module-core.ps1 | Core Windows Security Baseline | 243 | 2,545 |
| module-enisa.ps1 | ENISA + NIS2 + DORA + CRA | 248 | 1,876 |
| module-gdpr.ps1 | GDPR + ePrivacy + Schrems II | 183 | 1,693 |
| module-hipaa.ps1 | HIPAA Security Rule + 405(d) HICP + HITECH | 237 | 2,126 |
| module-iso27001.ps1 | ISO 27001:2022 + 27002/27017/27018/27701 | 286 | 2,520 |
| module-ms.ps1 | Microsoft Security Baseline (Win11 24H2/Server 2025) | 367 | 3,652 |
| module-ms-defenderatp.ps1 | Microsoft Defender for Endpoint | 155 | 1,739 |
| module-nist.ps1 | NIST SP 800-53 R5 + CSF 2.0 + 800-171 + 800-207 + FedRAMP | 520 | 5,218 |
| module-nsa.ps1 | NSA Cybersecurity (CSI + AD hardening + Top 10) | 225 | 2,250 |
| module-pcidss.ps1 | PCI DSS v4.0/v4.0.1 + PIN Security + 3DS | 279 | 2,495 |
| module-soc2.ps1 | SOC 2 Trust Service Criteria + AICPA TSP 100 | 162 | 1,506 |
| module-stig.ps1 | DISA STIGs + SRG cross-mapping + Defender STIG | 225 | 2,264 |

Common Module Conventions

Every module shares the same conventions:

  • Self-contained: dot-sources shared_components/audit-common.ps1 if available; otherwise defines inline fallbacks
  • Standalone-runnable: invoking the .ps1 file directly returns the results array
  • 9-field result objects: Module, Category, Status, Severity, Message, Details, Remediation, CrossReferences, Timestamp
  • Cache-aware: every helper call passes -Cache $SharedData.Cache for performance
  • Error-tolerant: every check is wrapped in try/catch; exceptions emit Status=Error results rather than aborting
  • Cross-referenced: every check carries a CrossReferences hashtable mapping it to equivalent controls in other frameworks

module-acsc.ps1

  • Purpose: Australian Cyber Security Centre Essential Eight Maturity Model + Information Security Manual (ISM) + Protective Security Policy Framework (PSPF)
  • Checks: 170
  • Lines: 1,423
  • Execution Time: ~15-30 seconds (cache-warmed)
  • Severity Coverage: 170/170 (100%)
  • Best For: Australian government agencies, defence industry contractors, any organization adopting Essential Eight

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | E1 App Control | ~22 | AppLocker service, executable rules, WDAC enforcement, SRP, constrained language mode |
| 2 | E2 Patch Apps | ~15 | Office version currency, .NET Framework, Java detection, Adobe products, Flash EOL |
| 3 | E3 Office Macros | ~16 | VBA warnings (Word/Excel/PowerPoint), internet macro blocking, signed macro requirement |
| 4 | E4 App Hardening | ~22 | Flash COM killbit, OLE package blocking, SmartScreen, Windows Script Host, ActiveX |
| 5 | E5 Admin Privs | ~25 | Admin group membership, UAC, consent prompt, token filtering, LSA protection |
| 6 | E6 Patch OS | ~18 | Windows Update service, hotfix recency, OS EOL detection, auto-update, restart deadline |
| 7 | E7 MFA | ~18 | Credential Guard, Windows Hello, smart card removal, screen lock timeout, biometrics |
| 8 | E8 Backups | ~22 | VSS service, System Restore, BitLocker recovery, Controlled Folder Access, restore tests |
| 9 | ISM Controls | ~5 | Information Security Manual technical controls |
| 10 | Privacy Principles | ~5 | Australian Privacy Principles (APPs) technical control alignment |
| 11 | PSPF Controls | ~2 | Protective Security Policy Framework alignment |

v6.1 Additions

  • ISM Controls section (~5 checks) — direct ISM control number mapping
  • Privacy Principles section (~5 checks) — APP 1, APP 11 technical controls
  • PSPF section (~2 checks) — Australian government information protection alignment

Standalone Usage

.\modules\module-acsc.ps1
.\modules\module-acsc.ps1 | Where-Object { $_.Severity -eq 'Critical' }
.\modules\module-acsc.ps1 | Group-Object Category | Format-Table

Maturity Model Mapping

The module's results can be aggregated to compute an Essential Eight Maturity Level (ML0/ML1/ML2/ML3) per strategy. Each E1-E8 category maps roughly to one of the eight strategies, and the passing checks within that category indicate progression through the maturity levels for it.


module-cis.ps1

  • Purpose: CIS (Center for Internet Security) Controls v8 with Implementation Group 2/3 + Cloud, Mobile, and ICS-OT Companion Guides
  • Checks: 260
  • Lines: 2,711
  • Execution Time: ~25-40 seconds (cache-warmed)
  • Severity Coverage: 260/260 (100%)
  • Best For: Most general-purpose Windows hardening; baseline for CIS-aligned organizations

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | CIS - Account Policy | ~15 | Password complexity, length, age, history, lockout |
| 2 | CIS - Local Policy | ~30 | User rights assignments, security options, MSS settings |
| 3 | CIS - Audit Policy | ~25 | Subcategory configurations, advanced audit policy |
| 4 | CIS - Windows Firewall | ~25 | Profile states, default actions, logging, rules |
| 5 | CIS - Defender | ~20 | Real-time protection, ASR rules, Network Protection |
| 6 | CIS - System Services | ~25 | Disabled services, dependent service hardening |
| 7 | CIS - Administrative Templates | ~30 | LGPO/SCT-aligned policies, system, network, control panel |
| 8 | CIS - User Configuration | ~10 | Personalization, accessibility, control panel restrictions |
| 9 | CIS - Cloud Companion | ~25 | Cloud-specific hardening (Entra ID/M365 alignment indicators) |
| 10 | CIS - Mobile Companion | ~15 | MDM/Intune posture, BYOD indicators |
| 11 | CIS - ICS-OT Companion | ~15 | Industrial control system markers, OT-specific service detection |
| 12 | CIS - IG2/IG3 Controls | ~25 | Implementation Group 2/3 advanced controls |

v6.1 Additions

  • Cloud Companion section (~25 checks)
  • Mobile Companion section (~15 checks)
  • ICS-OT Companion section (~15 checks)
  • Implementation Group 2/3 advanced controls (~25 checks)

module-cisa.ps1

  • Purpose: CISA Best Practices + Known Exploited Vulnerabilities (KEV) catalog + Zero Trust Maturity Model + Cybersecurity Performance Goals (CPGs) v1.0.1
  • Checks: 289
  • Lines: 2,792
  • Execution Time: ~25-45 seconds
  • Severity Coverage: 289/289 (100%)
  • Best For: US federal agencies, critical infrastructure operators (CIRCIA), organizations under BOD compliance

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | CISA - Cybersecurity Performance Goals | ~30 | CPG IDs 1.A through 4.E |
| 2 | CISA - KEV Catalog Mitigations | ~40 | Active KEVs in environment (CVE-2017-0144, CVE-2021-34527, CVE-2023-24932, CVE-2020-1472) |
| 3 | CISA - BOD 22-01/23-01 | ~25 | Vulnerability disclosure, asset visibility |
| 4 | CISA - BOD 23-02 | ~15 | Internet-exposed management interfaces mitigation |
| 5 | CISA - Bad Practices | ~10 | EOL software, default credentials, single-factor auth |
| 6 | CISA - Secure by Design | ~25 | Memory-safe languages, secure defaults, attestation |
| 7 | CISA - Zero Trust Maturity | ~50 | ZTMM 5 pillars: Identity, Devices, Networks, Applications & Workloads, Data |
| 8 | CISA - PRNI | ~15 | Pre-Ransomware Notification indicators |
| 9 | CISA - Supply Chain | ~25 | SBOM markers, third-party software identification |
| 10 | CISA - Critical Infrastructure | ~25 | NIST CSF alignment for ICS/OT |
| 11 | CISA - Tabletop Exercise Markers | ~10 | IR readiness configuration evidence |
| 12 | CISA - Logging & Monitoring | ~19 | Required logging configurations per CISA |

module-cmmc.ps1

  • Purpose: Cybersecurity Maturity Model Certification 2.0 (Levels 1, 2, 3) + DFARS 252.204-7012 + NIST SP 800-172 enhanced security requirements
  • Checks: 145
  • Lines: 1,421
  • Execution Time: ~15-25 seconds
  • Severity Coverage: 145/145 (100%)
  • Best For: Defense Industrial Base contractors handling CUI/FCI

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | CMMC - Access Control (AC) | ~18 | 14 controls in L1, expanded in L2 |
| 2 | CMMC - Audit and Accountability (AU) | ~18 | Audit log generation, retention, protection |
| 3 | CMMC - Configuration Management (CM) | ~13 | Baseline config, change control |
| 4 | CMMC - Identification and Authentication (IA) | ~13 | MFA, password complexity |
| 5 | CMMC - Incident Response (IR) | ~5 | IR capability evidence |
| 6 | CMMC - Maintenance (MA) | ~5 | Authorized maintenance, remote access |
| 7 | CMMC - Media Protection (MP) | ~5 | CUI media handling, sanitization |
| 8 | CMMC - Personnel Security (PS) | ~5 | Personnel screening evidence |
| 9 | CMMC - Physical Protection (PE) | ~5 | Physical access logging |
| 10 | CMMC - Risk Assessment (RA) | ~5 | Vulnerability scanning evidence |
| 11 | CMMC - Security Assessment (CA) | ~5 | Continuous monitoring |
| 12 | CMMC - System and Communications Protection (SC) | ~18 | Boundary protection, encryption in transit |
| 13 | CMMC - System and Information Integrity (SI) | ~13 | Flaw remediation, malicious code protection |
| 14 | CMMC - 800-172 Enhanced (Level 3) | ~10 | Penetration-testing-aware controls |
| 15 | CMMC - DFARS Safeguarding | ~7 | DFARS 252.204-7012 markers |

v6.1 Additions

  • 800-172 Enhanced (Level 3) section (~10 checks)
  • DFARS Safeguarding section (~7 checks)

SPRS Scoring

The module's pass/fail data feeds Supplier Performance Risk System (SPRS) scoring. CMMC Level 2 covers 110 controls, giving a maximum baseline of 110 points; each Fail deducts points from that baseline.


module-core.ps1

  • Purpose: Foundational Windows Security Baseline + modern Windows 11 features (VBS, HVCI, Pluton, kCET, MOTW, Smart App Control)
  • Checks: 243
  • Lines: 2,545
  • Execution Time: ~20-35 seconds
  • Severity Coverage: 243/243 (100%)
  • Best For: Initial baseline assessment; any system regardless of compliance regime

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | Core - System Information | ~10 | OS version, build, edition, architecture, install date |
| 2 | Core - Boot Integrity | ~12 | Secure Boot, UEFI, BIOS mode detection |
| 3 | Core - Hardware Security | ~15 | TPM 2.0, attestation, Pluton, IOMMU, virtualization extensions |
| 4 | Core - VBS Foundation | ~15 | VBS active, HVCI/Memory Integrity, Kernel CET, Kernel DMA Protection |
| 5 | Core - Credential Protection | ~12 | LSA Protection, Credential Guard, WDigest disabled |
| 6 | Core - User Account Control | ~12 | UAC level, consent prompts, secure desktop |
| 7 | Core - Windows Defender | ~15 | Real-time, behavior monitoring, cloud delivered protection |
| 8 | Core - Firewall | ~10 | Profile states, default actions |
| 9 | Core - PowerShell Hardening | ~12 | ConstrainedLanguage, ScriptBlockLogging, ModuleLogging, Transcription |
| 10 | Core - SMB Hardening | ~10 | SMBv1 disabled, SMB signing, encryption, guest auth |
| 11 | Core - TLS Configuration | ~15 | TLS 1.0/1.1 disabled, TLS 1.2/1.3 enabled, cipher suites |
| 12 | Core - Network Protection | ~15 | LLMNR/NetBIOS disabled, IPv6 RA filtering, Multicast |
| 13 | Core - Win11 Modern Features | ~25 | Smart App Control, Pluton, USB policy, Print Spooler hardened, Sandbox, MOTW |
| 14 | Core - System Hardening | ~25 | Service hardening, scheduled tasks, autoruns, registry permissions |
| 15 | Core - Modern Authentication | ~15 | Hello for Business, FIDO2, biometric template protection |
| 16 | Core - Update Posture | ~15 | Windows Update, hotfix recency, deferral policies |

v6.1 Additions

  • Win11 Modern Features section (~25 checks) — Smart App Control, Pluton, kCET, MOTW
  • Modern Authentication section (~15 checks) — Hello for Business, FIDO2

module-enisa.ps1

  • Purpose: European Union Agency for Cybersecurity (ENISA) guidelines + NIS2 Directive + Cyber Resilience Act (CRA) + DORA (Digital Operational Resilience Act)
  • Checks: 248
  • Lines: 1,876
  • Execution Time: ~20-35 seconds
  • Severity Coverage: 248/248 (100%)
  • Best For: EU-based organizations, NIS2-essential/important entities, financial sector (DORA)

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | ENISA - Network Security | ~25 | Segmentation, encryption in transit |
| 2 | ENISA - Identity and Access Management | ~20 | MFA, privileged access, identity lifecycle |
| 3 | ENISA - Patch Management | ~15 | Vulnerability remediation, hotfix posture |
| 4 | ENISA - Cryptography | ~20 | Algorithm strength, key management |
| 5 | ENISA - Logging and Monitoring | ~20 | Centralized logging, retention, integrity |
| 6 | ENISA - Data Protection | ~15 | Encryption at rest, classification |
| 7 | ENISA - Incident Detection | ~15 | EDR, SIEM connectivity, threat intel |
| 8 | ENISA - Backup and Recovery | ~15 | Backup configuration, recovery testing markers |
| 9 | ENISA - Threat Landscape (RICT) | ~15 | Recent ENISA Threat Landscape report alignments |
| 10 | ENISA - NIS2 Directive | ~30 | Article 21 risk management measures |
| 11 | ENISA - EUCC Scheme | ~10 | EU Common Criteria certification markers |
| 12 | ENISA - Cyber Resilience Act | ~20 | CRA Annex I essential cybersecurity requirements |
| 13 | ENISA - DORA | ~15 | Financial sector ICT risk management |
| 14 | ENISA - AI Threat Landscape | ~5 | AI/ML system markers |
| 15 | ENISA - IoC Indicators | ~8 | ENISA-published indicator detection |

v6.1 Additions

  • NIS2 Directive section (~30 checks) — Article 21 measures
  • EUCC Scheme section (~10 checks)
  • Cyber Resilience Act section (~20 checks) — Annex I requirements
  • DORA section (~15 checks)
  • AI Threat Landscape (~5 checks)

module-gdpr.ps1

  • Purpose: GDPR Articles 5/15-21/28/32/35 technical safeguards + ePrivacy Directive + Schrems II considerations
  • Checks: 183
  • Lines: 1,693
  • Execution Time: ~15-25 seconds
  • Severity Coverage: 183/183 (100%)
  • Best For: Data controllers/processors handling EU resident data; privacy-by-design assessments

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | GDPR - Art. 5 Principles | ~15 | Lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity & confidentiality |
| 2 | GDPR - Art. 32 Security of Processing | ~30 | Encryption, pseudonymisation, CIA, resilience, restoration |
| 3 | GDPR - Art. 25 Data Protection by Design | ~15 | Default settings, technical measures |
| 4 | GDPR - Art. 33/34 Breach Notification | ~10 | Logging adequacy for breach detection |
| 5 | GDPR - Art. 35 DPIA Markers | ~10 | High-risk processing indicators |
| 6 | GDPR - Art. 15-21 Data Subject Rights | ~15 | Access, rectification, erasure, portability |
| 7 | GDPR - Art. 28 Processor | ~10 | Subprocessor controls, contract evidence markers |
| 8 | GDPR - International Transfers | ~10 | Schrems II considerations |
| 9 | GDPR - ePrivacy Directive | ~15 | Cookies, communications confidentiality, terminal equipment |
| 10 | GDPR - Encryption | ~15 | At-rest, in-transit, key management |
| 11 | GDPR - Pseudonymisation | ~10 | Identifier separation indicators |
| 12 | GDPR - Confidentiality | ~15 | Access controls, authentication strength |
| 13 | GDPR - Availability and Resilience | ~13 | Backup, restoration, BCP/DR |

v6.1 Additions

  • Art. 28 Processor section (~10 checks)
  • International Transfers section (~10 checks) — Schrems II

module-hipaa.ps1

  • Purpose: HIPAA Security Rule (45 CFR 164) + NIST SP 800-66 R2 + HITECH Act + 405(d) Health Industry Cybersecurity Practices (HICP)
  • Checks: 237
  • Lines: 2,126
  • Execution Time: ~20-35 seconds
  • Severity Coverage: 237/237 (100%)
  • Best For: Covered entities and business associates handling ePHI

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | HIPAA - Sec.164.308 Administrative Safeguards | ~20 | Security management, workforce security |
| 2 | HIPAA - Sec.164.310 Physical Safeguards | ~15 | Facility access, workstation security |
| 3 | HIPAA - Sec.164.312(a) Access Control | ~25 | Unique user ID, emergency access, automatic logoff |
| 4 | HIPAA - Sec.164.312(a)(2)(iv) | ~10 | Encryption specification (addressable) |
| 5 | HIPAA - Sec.164.312(b) Audit Controls | ~20 | Activity logging, anomaly detection |
| 6 | HIPAA - Sec.164.312(c) Integrity | ~15 | Data integrity, ePHI alteration detection |
| 7 | HIPAA - Sec.164.312(d) Person Authentication | ~15 | Identity verification |
| 8 | HIPAA - Sec.164.312(e) Transmission Security | ~15 | Integrity, encryption in transit |
| 9 | HIPAA - Sec.164.314 Organizational | ~10 | BAA evidence markers |
| 10 | HIPAA - Sec.164.404 Breach Notification | ~10 | Detection and notification readiness |
| 11 | HIPAA - HHS RSP | ~12 | Recognized Security Practices (NIST CSF/800-53/HICP) |
| 12 | HIPAA - HITECH Act | ~15 | Enforcement, BA liability, audit trail |
| 13 | HIPAA - 405(d) HICP | ~25 | Health Industry Cybersecurity Practices |
| 14 | HIPAA - 800-66 R2 | ~20 | NIST 800-66 Rev 2 alignment |
| 15 | HIPAA - Cures Act / ONC | ~10 | 21st Century Cures Act + ONC alignment |

v6.1 Additions

  • HHS RSP, HITECH Act, 405(d) HICP, 800-66 R2 sections (~72 checks total)
  • Cures Act / ONC section (~10 checks)
  • Sec.164.312(a)(2)(iv) Encryption Specification (~10 checks)

module-iso27001.ps1

  • Purpose: ISO/IEC 27001:2022 + ISO/IEC 27002:2022 + ISO/IEC 27017 (Cloud) + ISO/IEC 27018 (Cloud PII) + ISO/IEC 27701 (Privacy Information Management)
  • Checks: 286
  • Lines: 2,520
  • Execution Time: ~25-40 seconds
  • Severity Coverage: 286/286 (100%)
  • Best For: ISO 27001 ISMS implementations, internal audits supporting certification

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | ISO27001 - Annex A.5 Organizational | ~25 | Policies, segregation of duties, info classification |
| 2 | ISO27001 - Annex A.6 People | ~10 | Screening, terms of employment, awareness |
| 3 | ISO27001 - Annex A.7 Physical | ~15 | Physical entry, secure areas, equipment |
| 4 | ISO27001 - Annex A.8 Technological | ~80 | User endpoint, privileged access, source code, secure dev |
| 5 | ISO27001 - 27002:2022 Guidance | ~30 | Implementation guidance for Annex A |
| 6 | ISO27001 - 27017/27018 Cloud | ~25 | Cloud-specific controls, virtual machines |
| 7 | ISO27001 - 27701 Privacy | ~20 | Privacy Information Management extensions |
| 8 | ISO27001 - 27005 Risk Management | ~15 | Risk identification, analysis, evaluation |
| 9 | ISO27001 - 27031 ICT Continuity | ~15 | Business continuity, RTO/RPO indicators |
| 10 | ISO27001 - Statement of Applicability | ~15 | SoA-supporting evidence |
| 11 | ISO27001 - Annex A.5/A.7 Evidence | ~10 | Documentation evidence markers |
| 12 | ISO27001 - Cryptography | ~15 | A.8.24 use of cryptography |
| 13 | ISO27001 - Backup | ~11 | A.8.13 information backup |

v6.1 Additions

  • 27002:2022 Guidance, 27017/27018 Cloud, 27701 Privacy sections (~75 checks total)
  • Annex A.5/A.7 Evidence section (~10 checks)

module-ms.ps1

  • Purpose: Microsoft Security Baseline (Windows 11 24H2 / Server 2025) + Edge baseline + Microsoft 365 Apps for Enterprise + Smart App Control + Update channels
  • Checks: 367
  • Lines: 3,652
  • Execution Time: ~30-50 seconds (cache-warmed)
  • Severity Coverage: 367/367 (100%)
  • Best For: Aligning with Microsoft Security Compliance Toolkit (SCT) baselines

Categories (high-level groupings)

| # | Category Group | Approx. Checks | Focus |
|---|---|---|---|
| 1 | MS - Account Policy | ~20 | Password, account lockout per SCT |
| 2 | MS - Local Policy | ~40 | User Rights, Security Options |
| 3 | MS - Defender Antivirus | ~30 | All MAPS/cloud/sample submission settings |
| 4 | MS - Defender ASR | ~20 | All ASR rules per-rule |
| 5 | MS - AppLocker | ~15 | Default rules, custom rule presence |
| 6 | MS - Exploit Protection | ~25 | DEP, ASLR, CFG, system-wide and per-app |
| 7 | MS - Network | ~20 | Multicast, hardened UNC, secure DNS |
| 8 | MS - Hardened Win32k | ~10 | Win32k filter |
| 9 | MS - Edge Browser | ~30 | Edge security baseline |
| 10 | MS - M365 Apps | ~25 | Office macro hardening, Trust Center |
| 11 | MS - Update Channels | ~10 | WUfB, defer/release ring |
| 12 | MS - Auditing | ~30 | All Advanced Audit Policy subcategories |
| 13 | MS - IE Mode | ~10 | IE mode site list, deprecation tracking |
| 14 | MS - Smart App Control | ~10 | Win11 22H2+ SAC state |
| 15 | MS - Hyper-V Security | ~15 | Isolation, VBS in nested VMs |
| 16 | MS - LAPS | ~10 | Built-in Local Admin Password Solution |
| 17 | MS - Print Spooler | ~10 | Point-and-Print restrictions |
| 18 | MS - Wireless / 802.1X | ~10 | Wi-Fi profile, 802.1X auth |
| 19 | MS - Removable Storage | ~10 | Write-protect policies |
| 20 | MS - System Hardening | ~17 | SCT-defined system-wide hardening |

v6.1 Additions

  • Edge Browser section (~30 checks)
  • M365 Apps section (~25 checks)
  • Update Channels, Smart App Control, IE Mode (~30 checks combined)

module-ms-defenderatp.ps1

  • Purpose: Microsoft Defender for Endpoint (ATP/EDR) — onboarding, EDR, ASR per-rule, WDAC, Live Response, Cloud Apps, IOCs, Threat & Vulnerability Management
  • Checks: 155
  • Lines: 1,739
  • Execution Time: ~15-30 seconds
  • Severity Coverage: 155/155 (100%)
  • Best For: Organizations deploying or auditing Microsoft Defender for Endpoint

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | MS-DefenderATP - Component Currency | ~10 | Defender platform/engine/signature versions |
| 2 | MS-DefenderATP - EDR Sensor | ~12 | Onboarding, sense service, telemetry |
| 3 | MS-DefenderATP - TVM | ~15 | Threat & Vulnerability Mgmt evidence |
| 4 | MS-DefenderATP - ASR (per-rule) | ~20 | All 15 ASR rule GUIDs explicitly checked |
| 5 | MS-DefenderATP - Network Protection | ~10 | NP enforcement state |
| 6 | MS-DefenderATP - CFA | ~10 | Controlled Folder Access state, allowed apps |
| 7 | MS-DefenderATP - EPM | ~10 | Endpoint Privilege Management evidence |
| 8 | MS-DefenderATP - Web Content Filtering | ~5 | Indicator usage |
| 9 | MS-DefenderATP - WDAC Integration | ~10 | App control coverage |
| 10 | MS-DefenderATP - MDI | ~10 | Defender for Identity AD sensor |
| 11 | MS-DefenderATP - Live Response | ~10 | LR capability evidence |
| 12 | MS-DefenderATP - Cloud Apps | ~10 | Defender for Cloud Apps integration |
| 13 | MS-DefenderATP - IOC / IOA | ~8 | Custom indicator detection |
| 14 | MS-DefenderATP - Tamper Protection | ~5 | TP state |
| 15 | MS-DefenderATP - Behavior Monitoring | ~10 | AMSI integration, runtime detection |

v6.1 Additions

  • Per-rule ASR section (~20 checks) — all 15 GUIDs individually
  • WDAC Integration, MDI, Live Response, Cloud Apps (~40 checks total)

module-nist.ps1

  • Purpose: NIST SP 800-53 R5 + Cybersecurity Framework 2.0 + SP 800-171 R3 + SP 800-207 Zero Trust + SP 800-161 Supply Chain Risk Management + FedRAMP R5 baselines
  • Checks: 520
  • Lines: 5,218 (largest module)
  • Execution Time: ~45-75 seconds
  • Severity Coverage: 520/520 (100%)
  • Best For: Federal civilian/defense agencies, FedRAMP-pursuing CSPs, anyone seeking deep NIST coverage

Categories (consolidated from 230 in v6.1.0)

The v6.1.0 release consolidated 230 control-specific categories into 20 framework-aligned groupings. Precise control IDs (e.g., AC-3, IA-5(1)) are preserved in each finding's CrossReferences hashtable for STIG Viewer / GRC platform import.

8 NIST 800-53 Control Families

| # | Category | Approx. Checks | NIST Family |
|---|---|---|---|
| 1 | NIST - AC Access Control | ~70 | AC-1 through AC-25 |
| 2 | NIST - AU Audit and Accountability | ~50 | AU-1 through AU-16 |
| 3 | NIST - CM Configuration Management | ~40 | CM-1 through CM-14 |
| 4 | NIST - IA Identification Authentication | ~45 | IA-1 through IA-12 |
| 5 | NIST - IR Incident Response | ~25 | IR-1 through IR-10 |
| 6 | NIST - MP Media Protection | ~20 | MP-1 through MP-8 |
| 7 | NIST - SC System and Communications Protection | ~80 | SC-1 through SC-51 |
| 8 | NIST - SI System and Information Integrity | ~60 | SI-1 through SI-23 |

12 Framework Extensions

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 9 | NIST - CSF 2.0 Govern | ~15 | CSF GV.* outcomes (new in CSF 2.0) |
| 10 | NIST - CSF 2.0 Identify | ~15 | CSF ID.* outcomes |
| 11 | NIST - CSF 2.0 Protect | ~20 | CSF PR.* outcomes |
| 12 | NIST - CSF 2.0 Detect | ~15 | CSF DE.* outcomes |
| 13 | NIST - CSF 2.0 Respond | ~10 | CSF RS.* outcomes |
| 14 | NIST - CSF 2.0 Recover | ~10 | CSF RC.* outcomes |
| 15 | NIST - 800-171 Rev 3 | ~25 | 110 controls aligned to revised 800-171 R3 |
| 16 | NIST - 800-207 Zero Trust | ~25 | Zero Trust Architecture tenets |
| 17 | NIST - 800-161 Supply Chain | ~15 | Cybersecurity Supply Chain Risk Management |
| 18 | NIST - FedRAMP R5 Low | ~5 | FedRAMP Low baseline differential |
| 19 | NIST - FedRAMP R5 Moderate | ~5 | FedRAMP Moderate baseline differential |
| 20 | NIST - 800-218 SSDF | ~5 | Secure Software Development Framework markers |

v6.1 Additions

  • CSF 2.0 Govern function (~15 checks) — entirely new in CSF 2.0
  • 800-171 R3 alignment (~25 checks)
  • 800-207 Zero Trust (~25 checks)
  • 800-161 Supply Chain (~15 checks)
  • FedRAMP R5 Low/Moderate (~10 checks combined)
  • 800-218 SSDF (~5 checks)

module-nsa.ps1

  • Purpose: NSA Cybersecurity Information Sheets + Top 10 Cybersecurity Mitigation Strategies + Active Directory hardening guidance + BlackLotus mitigation
  • Checks: 225
  • Lines: 2,250
  • Execution Time: ~20-35 seconds
  • Severity Coverage: 225/225 (100%)
  • Best For: US national security systems, high-assurance environments, AD/Kerberos hardening

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | NSA - Top 10 Mitigations | ~30 | Update/patch, control admin, app whitelisting, AV, etc. |
| 2 | NSA - Credential Isolation | ~20 | Credential Guard, LSA Protection, Protected Users group |
| 3 | NSA - Application Whitelisting | ~20 | AppLocker, WDAC, SRP enforcement |
| 4 | NSA - HVCI / Memory Integrity | ~15 | Code integrity, kernel-mode integrity |
| 5 | NSA - AD Domain Controller Hardening | ~25 | DC-specific protections |
| 6 | NSA - AD Member Server Hardening | ~20 | Domain-member protections |
| 7 | NSA - Kerberos Hardening | ~15 | KRBTGT rotation, AES enforcement, encryption types |
| 8 | NSA - PowerShell Hardening | ~15 | ConstrainedLanguage, ScriptBlockLogging, AMSI |
| 9 | NSA - BlackLotus Mitigation | ~10 | Secure Boot DBX, revoked bootloaders, May 2023 guidance |
| 10 | NSA - CSfC Markers | ~10 | Commercial Solutions for Classified |
| 11 | NSA - IPv6 Hardening | ~10 | IPv6 config, RA filtering |
| 12 | NSA - Wireless Security | ~10 | WPA3, 802.1X enterprise |
| 13 | NSA - DNS over HTTPS / DNSSEC | ~10 | DoH/DoT enforcement, DNSSEC validation |
| 14 | NSA - Boot Chain Trust | ~10 | UEFI Secure Boot, Measured Boot, TPM PCR |
| 15 | NSA - Remote Desktop Hardening | ~10 | RDP NLA, encryption, Restricted Admin |

v6.1 Additions

  • Top 10 Mitigations section (~30 checks) — explicit per-mitigation alignment
  • BlackLotus Mitigation, CSfC, IPv6 Hardening (~30 checks combined)

module-pcidss.ps1

  • Purpose: PCI DSS v4.0 / v4.0.1 (revised June 2024) + PCI PIN Security Requirements + 3-D Secure Core + PCI Software Security Framework (SSF)
  • Checks: 279
  • Lines: 2,495
  • Execution Time: ~25-40 seconds
  • Severity Coverage: 279/279 (100%)
  • Best For: Merchants, service providers, payment processors handling cardholder data

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | PCI-DSS - Req 1 Network Security | ~25 | Firewalls, network segmentation, DMZ |
| 2 | PCI-DSS - Req 2 Secure Configuration | ~25 | System hardening, vendor defaults |
| 3 | PCI-DSS - Req 3 Stored CHD | ~25 | Encryption at rest, SAD prohibition, key management |
| 4 | PCI-DSS - Req 4 Encryption in Transit | ~20 | TLS configuration, strong cryptography |
| 5 | PCI-DSS - Req 5 Malware Protection | ~15 | Anti-malware on all systems |
| 6 | PCI-DSS - Req 6 Secure Development | ~15 | Vulnerability scanning, change control |
| 7 | PCI-DSS - Req 7 Access Restriction | ~20 | Need-to-know, role-based access |
| 8 | PCI-DSS - Req 8 Authentication | ~25 | MFA, password complexity, account lockout |
| 9 | PCI-DSS - Req 9 Physical | ~15 | Physical access markers, media controls |
| 10 | PCI-DSS - Req 10 Logging | ~25 | Audit logs, log review, 1-year retention |
| 11 | PCI-DSS - Req 11 Security Testing | ~15 | Vulnerability scan posture, IDS/IPS |
| 12 | PCI-DSS - Req 12 Information Security Policy | ~10 | Policy evidence markers |
| 13 | PCI-DSS - v4.0 Customized Approach | ~15 | CAT framework markers |
| 14 | PCI-DSS - SAQ Detection | ~10 | Self-Assessment Questionnaire scope |
| 15 | PCI-DSS - PIN Security | ~10 | PCI PIN Transaction Security |
| 16 | PCI-DSS - 3DS Core | ~5 | 3-D Secure Core controls |
| 17 | PCI-DSS - SSF | ~4 | PCI Software Security Framework |

v6.1 Additions

  • Customized Approach, SAQ Detection, PIN Security, 3DS Core, SSF (~44 checks combined)
  • Req 9 Physical section expanded (~15 checks)

module-soc2.ps1

  • Purpose: SOC 2 Trust Service Criteria (Common Criteria + Availability + Processing Integrity + Confidentiality + Privacy) + AICPA TSP Section 100 Points of Focus
  • Checks: 162
  • Lines: 1,506
  • Execution Time: ~15-25 seconds
  • Severity Coverage: 162/162 (100%)
  • Best For: Service organizations pursuing SOC 2 Type II reports

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | SOC2 - CC1 Control Environment | ~10 | Tone at the top markers |
| 2 | SOC2 - CC2 Communication | ~5 | Information flow indicators |
| 3 | SOC2 - CC3 Risk Assessment | ~10 | Risk identification config |
| 4 | SOC2 - CC4 Monitoring | ~15 | Continuous monitoring evidence |
| 5 | SOC2 - CC5 Control Activities | ~15 | Configuration management |
| 6 | SOC2 - CC6 Logical Access | ~25 | Authentication, authorization, sessions |
| 7 | SOC2 - CC7 System Operations | ~25 | Vulnerability mgmt, incident detection, change mgmt |
| 8 | SOC2 - CC8 Change Management | ~15 | Configuration change controls |
| 9 | SOC2 - CC9 Risk Mitigation | ~10 | Vendor risk markers |
| 10 | SOC2 - A Availability | ~10 | Backup, capacity, environmental markers |
| 11 | SOC2 - PI Processing Integrity | ~5 | Data integrity controls |
| 12 | SOC2 - C Confidentiality | ~10 | Confidentiality classification |
| 13 | SOC2 - P Privacy | ~7 | Privacy notice, consent collection markers |

v6.1 Additions

  • P Privacy section (~7 checks)

module-stig.ps1

  • Purpose: DISA Security Technical Implementation Guides (STIGs) + Security Requirements Guides (SRGs) cross-mapping + Microsoft Defender STIG
  • Checks: 225
  • Lines: 2,264
  • Execution Time: ~20-35 seconds
  • Severity Coverage: 225/225 (100%)
  • Best For: US Department of Defense systems, defense contractors, STIG-mandated environments

Categories

| # | Category | Approx. Checks | Focus |
|---|---|---|---|
| 1 | STIG - Account Policy | ~15 | Password complexity per V-numbers |
| 2 | STIG - Audit Policy | ~25 | All Advanced Audit Policy subcategories |
| 3 | STIG - User Rights Assignments | ~30 | Per-V-finding user right configurations |
| 4 | STIG - Security Options | ~30 | Per-V-finding security policy options |
| 5 | STIG - Registry Hardening | ~30 | Per-V-finding registry configurations |
| 6 | STIG - Service Hardening | ~15 | Service-specific V-findings |
| 7 | STIG - System Hardening | ~25 | System-wide V-findings |
| 8 | STIG - SRG Cross-Mapping | ~20 | Security Requirements Guide alignment |
| 9 | STIG - Microsoft Defender STIG | ~15 | Defender-specific V-finding compliance |
| 10 | STIG - BlackLotus Mitigation | ~10 | DBX update, revoked bootloaders |

The STIG severity category (CAT I/II/III) is reflected in the Severity field of every finding (CAT I → Critical, CAT II → High, CAT III → Medium).

v6.1 Additions

  • SRG Cross-Mapping section (~20 checks)
  • Microsoft Defender STIG section (~15 checks)
  • BlackLotus Mitigation section (~10 checks)

V-Finding Format

Every check's CrossReferences contains the V-number (e.g., V-220903, V-253263) for direct STIG Viewer / eMASS import.

POA&M Flagging

Every Fail-status STIG finding is suitable for inclusion in a Plan of Action and Milestones (POA&M) per DoD eMASS workflow.


Module Development

To add a new module, see Development Guide. All modules must:

  1. Follow the canonical structure: header → param block → Initialize-Module → check sections → return $results
  2. Use shared library helpers for cache-aware reads
  3. Wrap every check in try { ... } catch { Add-Result -Status Error ... }
  4. Populate CrossReferences hashtable for multi-framework correlation
  5. Include severity rating on every check
  6. Pass all linter and integrity scans (no BOM, no non-ASCII, balanced braces, exactly one return $results)
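A minimal module skeleton that follows the structure and conventions above, added here as an illustration and not taken from the project's own modules. The Add-Result and Get-RegistryValueCached helpers, their parameter names, and the $SharedData layout are assumptions standing in for the shared library's real helpers; a real module dot-sources shared_components/audit-common.ps1 before falling back to inline definitions.

```powershell
# Added example: a minimal module skeleton in the shape this page describes
# (header -> param block -> initialisation -> check sections -> return $results).
# Not code from the Windows Security Audit project. Add-Result, Get-RegistryValueCached
# and the $SharedData layout are assumptions standing in for the shared-library helpers.
[CmdletBinding()]
param(
    # The orchestrator passes a shared hashtable; a bare standalone run gets an empty cache.
    [hashtable]$SharedData = @{ Cache = @{} }
)

$ModuleName = 'Example'
$results    = @()   # the single results array, returned exactly once at the end

# Inline fallback for the shared Add-Result helper: emits the 9-field result object
# (Module, Category, Status, Severity, Message, Details, Remediation, CrossReferences,
# Timestamp). Only defined when the shared library did not already provide one.
if (-not (Get-Command Add-Result -ErrorAction SilentlyContinue)) {
    function Add-Result {
        param(
            [string]$Category, [string]$Status, [string]$Severity, [string]$Message,
            [string]$Details = '', [string]$Remediation = '', [hashtable]$CrossReferences = @{}
        )
        $script:results += [pscustomobject]@{
            Module          = $script:ModuleName
            Category        = $Category
            Status          = $Status
            Severity        = $Severity
            Message         = $Message
            Details         = $Details
            Remediation     = $Remediation
            CrossReferences = $CrossReferences
            Timestamp       = (Get-Date).ToString('o')
        }
    }
}

# Cache-aware registry read (assumed helper): one registry hit per value per audit run,
# shared across modules through $SharedData.Cache. Returns $null when the value is absent.
function Get-RegistryValueCached {
    param([string]$Path, [string]$Name, [hashtable]$Cache)
    $key = "$Path::$Name"
    if (-not $Cache.ContainsKey($key)) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        $Cache[$key] = if ($item -and $item.PSObject.Properties[$Name]) { $item.$Name } else { $null }
    }
    return $Cache[$key]
}

# ---- Check section: Credential Protection ------------------------------------------
# Every check is wrapped in try/catch so an unexpected exception becomes a Status=Error
# result instead of aborting the module. A missing value is a Fail, not an Error.
try {
    $runAsPpl = Get-RegistryValueCached -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                        -Name 'RunAsPPL' -Cache $SharedData.Cache
    $status = if ($runAsPpl -in 1, 2) { 'Pass' } else { 'Fail' }
    Add-Result -Category 'Example - Credential Protection' -Status $status -Severity 'High' `
        -Message 'LSA Protection (RunAsPPL) enabled' `
        -Details "RunAsPPL = $(if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl })" `
        -Remediation 'Set HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1 (or 2 with UEFI lock) and reboot.' `
        -CrossReferences @{ ACSC = 'E5 Admin Privs'; Core = 'Core - Credential Protection'; NSA = 'NSA - Credential Isolation' }
}
catch {
    Add-Result -Category 'Example - Credential Protection' -Status 'Error' -Severity 'High' `
        -Message 'LSA Protection check failed' -Details $_.Exception.Message
}

return $results
```

The CrossReferences values here are the category names used elsewhere on this page; a real module would carry the framework control IDs (e.g. a V-number or an 800-53 control) in the same hashtable.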
