CyberForge is a collection of standalone, practical tools built for cybersecurity professionals working in federal compliance, vulnerability management, and GRC (Governance, Risk & Compliance) disciplines.
Every tool in this repository is designed with the same philosophy:
- No bloat — minimal or zero dependencies
- No infrastructure — runs locally without servers, containers, or cloud accounts
- No barriers — open-source, free to use, and built to be understood
- Compliance-focused — aligned with NIST, CISA, FedRAMP, FIPS 140-3, and federal security standards
Whether you are tracking known exploited vulnerabilities, preparing for an ATO, validating a cryptographic module, or managing a GRC program — CyberForge has tools built for that work.
📁 Browse all tools:
tools/
A fully standalone, offline-capable browser for the CISA Known Exploited Vulnerabilities (KEV) Catalog.
| Catalog entries | 1,558+ KEVs tracked |
| Ransomware-confirmed | 313 vulnerabilities |
| Data source | CISA live JSON feed |
| Dependencies | Zero (Python stdlib only) |
| Output | Single standalone HTML file |
Key capabilities:
- 🔍 Full-text search across CVE ID, vendor, product, description, CWE, and notes
- 🎛️ Filter by vendor, ransomware campaign use, CWE, and date range
- 📊 Sortable columns — newest CVEs displayed first by default
- 📋 Detail modal per CVE — required action, due date, NVD/CISA/vendor reference links
- ⚠️ Overdue remediation due-date highlighting
- 📤 Export any filtered view to CSV
- 🔄 One command to pull the latest data from CISA
Quick start:

```bash
# Clone CyberForge with all tools
git clone --recurse-submodules https://github.com/IAwiz87/CyberForge.git
cd CyberForge/tools/cisa-kev-browser
python3 build.py            # fetches the latest CISA KEV data
open cisa-kev-browser.html  # macOS; on Linux use xdg-open, or open the file in any browser
```

📄 Full documentation · 🌐 Project page · 📦 Standalone repo
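The browser's core operations (parse the KEV feed, sort newest first, full-text search, facet filters, overdue check, CSV export) are small enough to show end to end. The following is an added example written for this page, not CyberForge's own `build.py`; it uses only the standard library, embeds a constructed three-entry catalog in the real feed's field layout (the CVE IDs are placeholders, not catalog entries), and the function names and the `fetch_kev` online path are this example's own.

```python
"""Added example (not CyberForge's build.py): load a CISA KEV catalog JSON,
sort newest first, run the browser's kinds of queries (search, facet filters,
overdue check) and export a filtered view to CSV. Standard library only.
The catalog below is constructed for illustration; its CVE IDs are placeholders."""
import csv
import io
import json
from datetime import date

# Real feed URL; fetch_kev() pulls it when online. Not called by the sample.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Text fields the search covers (the CWE list is searched as well).
SEARCH_FIELDS = ("cveID", "vendorProject", "product", "vulnerabilityName",
                 "shortDescription", "requiredAction", "notes")

ACTION = "Apply mitigations per vendor instructions or discontinue use of the product."

# Constructed sample in the KEV feed's shape. Placeholder IDs, not real CVEs.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.01.15", "dateReleased": "2025-01-15T12:00:00.0000Z", "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "AppServer",
         "vulnerabilityName": "AppServer Deserialization of Untrusted Data Vulnerability",
         "dateAdded": "2024-11-01", "dueDate": "2024-11-22", "requiredAction": ACTION,
         "shortDescription": "AppServer deserializes untrusted data, allowing remote code execution.",
         "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-502"]},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "EdgeRouter",
         "vulnerabilityName": "EdgeRouter Out-of-Bounds Write Vulnerability",
         "dateAdded": "2025-01-11", "dueDate": "2025-02-01", "requiredAction": ACTION,
         "shortDescription": "EdgeRouter contains an out-of-bounds write reachable by a remote attacker.",
         "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-787"]},
        {"cveID": "CVE-0000-0003", "vendorProject": "AnotherVendor", "product": "VPN Gateway",
         "vulnerabilityName": "VPN Gateway Authentication Bypass Vulnerability",
         "dateAdded": "2024-12-20", "dueDate": "2025-01-10", "requiredAction": ACTION,
         "shortDescription": "VPN Gateway lets an unauthenticated attacker bypass authentication.",
         "knownRansomwareCampaignUse": "Known", "notes": "", "cwes": ["CWE-287"]},
    ],
})


def _as_date(value):
    """Accept an ISO date string or a date object."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def load_kev(text):
    """Parse catalog JSON into a list of entries, newest dateAdded first."""
    entries = []
    for v in json.loads(text)["vulnerabilities"]:
        e = dict(v)
        e["dateAdded"] = date.fromisoformat(v["dateAdded"])
        e["dueDate"] = date.fromisoformat(v["dueDate"])   # BOD 22-01 remediation deadline
        e["cwes"] = list(v.get("cwes") or [])
        entries.append(e)
    entries.sort(key=lambda e: (e["dateAdded"], e["cveID"]), reverse=True)
    return entries


def fetch_kev():
    """Online path: pull and parse the live feed (what a build step would do)."""
    import urllib.request
    with urllib.request.urlopen(KEV_FEED_URL, timeout=30) as resp:
        return load_kev(resp.read().decode("utf-8"))


def search(entries, term):
    """Case-insensitive substring match across the text fields and CWE IDs."""
    t = term.lower()
    return [e for e in entries
            if t in " ".join([str(e.get(f, "")) for f in SEARCH_FIELDS] + e["cwes"]).lower()]


def filter_entries(entries, vendor=None, cwe=None, ransomware_only=False,
                   added_from=None, added_to=None):
    """Apply the facet filters; None (or False) means no constraint on that facet."""
    lo = _as_date(added_from) if added_from else None
    hi = _as_date(added_to) if added_to else None
    out = []
    for e in entries:
        if vendor and e["vendorProject"] != vendor:
            continue
        if cwe and cwe not in e["cwes"]:
            continue
        if ransomware_only and e.get("knownRansomwareCampaignUse") != "Known":
            continue
        if (lo and e["dateAdded"] < lo) or (hi and e["dateAdded"] > hi):
            continue
        out.append(e)
    return out


def overdue(entries, as_of):
    """Entries whose CISA due date has already passed as of 'as_of'."""
    as_of = _as_date(as_of)
    return [e for e in entries if e["dueDate"] < as_of]


def to_csv(entries):
    """Export a view to CSV; CWEs are joined with ';' so they stay in one cell."""
    cols = ["cveID", "vendorProject", "product", "vulnerabilityName", "dateAdded",
            "dueDate", "knownRansomwareCampaignUse", "cwes"]
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(cols)
    for e in entries:
        w.writerow([e[c].isoformat() if c in ("dateAdded", "dueDate")
                    else ";".join(e[c]) if c == "cwes" else e.get(c, "") for c in cols])
    return buf.getvalue()


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    # Ransomware-confirmed entries already past their due date, as CSV.
    print(to_csv(overdue(filter_entries(kev, ransomware_only=True), "2025-01-15")))
```

Note that "overdue" here is measured against the catalog's own `dueDate`, the federal remediation deadline CISA sets under BOD 22-01, not against a date derived from CVSS; that is the distinction the browser's overdue highlighting makes.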
Combines NIST OSCAL baseline awareness with multi-scanner vulnerability ingestion to produce FedRAMP-compliant POA&M documentation automatically.
| Baselines | LI-SaaS · Low · Moderate · High |
| Scanners | Qualys VM · Tenable · Wiz · Generic CSV |
| SLA windows | FedRAMP ConMon: Critical=30d · High=90d · Medium=180d · Low=365d |
| Dependencies | pandas · openpyxl · python-dateutil |
| Outputs | Excel POA&M · HTML Dashboard · Gap Report · Out-of-Scope CSV |
Key capabilities:
- 🗺️ Maps every finding to its NIST 800-53 control automatically
- 🎯 Classifies findings as in-scope or out-of-scope for your baseline
- ⏱️ Applies FedRAMP ConMon SLA windows (not generic CVSS dates)
- 🔴 Flags Critical/High findings as FedRAMP 20x KSI triggers
- 📋 Gap report surfaces baseline controls with no findings (scanner blind spots)
- 📊 Standalone HTML dashboard — no server, no install required
Quick start:

```bash
cd tools/fedramp-poam-pipeline
pip install -r requirements.txt

# Run against your scan
python FedRAMP_pipeline.py --scan your_scan.csv --baseline Moderate --html

# Test with included samples
python FedRAMP_pipeline.py \
  --scan tests/sample_qualys_scan.csv \
  --baseline Moderate --html
```

📄 Full documentation · 🔒 Private repo
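The pipeline's three classification steps (SLA window by severity, in-scope versus out-of-scope against the baseline, and the gap report of baseline controls with no findings) can be shown in a few dozen lines. The following is an added example written for this page, not the fedramp-poam-pipeline's own code: it uses the SLA windows exactly as the table above lists them for the tool, a constructed five-row scan whose column names are this example's own (the real Generic CSV schema is not shown on the page), and a constructed subset of Moderate-baseline control IDs rather than a full baseline. Standard library only.

```python
"""Added example (not the fedramp-poam-pipeline's code): apply the tool's
FedRAMP ConMon SLA windows to scanner findings, flag Critical/High as KSI
triggers, split findings by baseline scope, and report baseline controls with
no findings. Scan rows, column names and the control list are constructed."""
import csv
import io
from datetime import date, timedelta

# Remediation windows in days, as listed for the tool on this page.
SLA_DAYS = {"Critical": 30, "High": 90, "Medium": 180, "Low": 365}
KSI_SEVERITIES = {"Critical", "High"}

# Constructed scan; these column names are the example's own, not the pipeline's schema.
SAMPLE_SCAN_CSV = """finding_id,severity,first_detected,control
F-1,Critical,2024-12-01,SI-2
F-2,High,2024-11-01,RA-5
F-3,medium,2024-10-15,cm-6
F-4,Low,2025-01-02,AC-2
F-5,High,2024-12-20,XX-1
"""

# Constructed subset of Moderate-baseline control IDs; a real run would load the OSCAL baseline.
MODERATE_BASELINE_SUBSET = ["AC-2", "CM-6", "CM-7", "RA-5", "SI-2", "SI-4"]


def parse_scan(text):
    """Read a scan CSV, normalising severity and control ID casing.
    An unknown severity raises rather than silently getting no SLA."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        sev = row["severity"].strip().title()   # 'high' / 'HIGH' -> 'High'
        if sev not in SLA_DAYS:
            raise ValueError(f"{row['finding_id']}: unknown severity {row['severity']!r}")
        findings.append({
            "finding_id": row["finding_id"].strip(),
            "severity": sev,
            "first_detected": date.fromisoformat(row["first_detected"].strip()),
            "control": row["control"].strip().upper(),
        })
    return findings


def apply_sla(findings, as_of):
    """Add scheduled completion, days remaining, overdue and KSI-trigger flags."""
    as_of = as_of if isinstance(as_of, date) else date.fromisoformat(as_of)
    out = []
    for f in findings:
        due = f["first_detected"] + timedelta(days=SLA_DAYS[f["severity"]])
        g = dict(f)
        g["scheduled_completion"] = due
        g["days_remaining"] = (due - as_of).days      # negative once overdue
        g["overdue"] = due < as_of
        g["ksi_trigger"] = f["severity"] in KSI_SEVERITIES
        out.append(g)
    return out


def classify_scope(findings, baseline_controls):
    """Findings whose control is in the selected baseline are in scope."""
    allowed = set(baseline_controls)
    in_scope = [f for f in findings if f["control"] in allowed]
    out_of_scope = [f for f in findings if f["control"] not in allowed]
    return in_scope, out_of_scope


def gap_report(findings, baseline_controls):
    """Baseline controls that no finding maps to: possible scanner blind spots."""
    covered = {f["control"] for f in findings}
    return sorted(c for c in baseline_controls if c not in covered)


def poam_csv(findings):
    """Serialise the in-scope findings as a flat POA&M table."""
    cols = ["finding_id", "severity", "control", "first_detected",
            "scheduled_completion", "days_remaining", "overdue", "ksi_trigger"]
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=cols, extrasaction="ignore")
    w.writeheader()
    for f in findings:
        w.writerow({**f, "first_detected": f["first_detected"].isoformat(),
                    "scheduled_completion": f["scheduled_completion"].isoformat()})
    return buf.getvalue()


def run_pipeline(scan_text, baseline_controls, as_of):
    """Full pass: parse -> SLA -> scope split -> gap report -> POA&M CSV."""
    findings = apply_sla(parse_scan(scan_text), as_of)
    in_scope, out_of_scope = classify_scope(findings, baseline_controls)
    return {"in_scope": in_scope, "out_of_scope": out_of_scope,
            "gaps": gap_report(in_scope, baseline_controls), "poam_csv": poam_csv(in_scope)}


if __name__ == "__main__":
    r = run_pipeline(SAMPLE_SCAN_CSV, MODERATE_BASELINE_SUBSET, "2025-01-15")
    print(r["poam_csv"])
    print("Out of scope:", [f["finding_id"] for f in r["out_of_scope"]])
    print("Baseline controls with no findings:", r["gaps"])
```

The scheduled completion date is anchored on the scanner's first-detected date, not on the date the POA&M row is created; a row opened late does not get a fresh window. The gap report deliberately runs over in-scope findings only, so a finding mapped to a control outside the baseline cannot mask a missing control inside it.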
A compliance automation platform with multi-framework GRC workflows — built for security engineers in federal and regulated environments.
| Standards | NIST SP 800-53 · FedRAMP · CMMC v2 |
| Frameworks | SOC 2 · ISO 27001:2022 · PCI DSS 4.0.1 · NIST CSF 2.0 |
| Scan Engines | OpenSCAP · Anchore · CISA KEV integration |
| Architecture | Offline-capable · Air-gap compatible · No cloud required |
| Download | Latest Release → |
Key capabilities:
- 🔍 Automated compliance scanning mapped to NIST 800-53 control families
- 📋 Structured evidence collection for audits and ATOs
- 🗺️ Single-pane control mapping across 8+ frameworks simultaneously
- 📝 Compliance-aligned policy and procedure template library
- 📊 Standalone HTML audit dashboard with gap analysis and POA&M generation
- ⚙️ OpenSSL, strongSwan, wolfSSL integration with FPGA and PQC hybrid readiness
Quick start:

```bash
git clone https://github.com/IAwiz87/ForgeGRC.git
cd ForgeGRC
# See docs/INSTALL.md for the full setup guide
```

📄 Full documentation · 🌐 Project page · 📦 Download latest release
Tools planned or in development for this repository:
| Tool | Focus Area | Status |
|---|---|---|
| CISA KEV Browser | Vulnerability Management | ✅ Live |
| FedRAMP Baseline → POA&M Pipeline | FedRAMP / GRC / ATO | 🧪 Alpha testing |
| ForgeGRC — GRC Platform | GRC Compliance Pipeline | 🔧 Active Development |
| NIST SP 800-53 Control Browser | Compliance / ATO | 🔜 Planned |
| CertForge — CMVP Readiness Platform | Cryptographic Certification | 🔜 Planned |
Tools in this repository are built with awareness of and alignment to:
- NIST SP 800-53 — Security and Privacy Controls
- NIST CSF 2.0 — Cybersecurity Framework
- CISA KEV Catalog — Known Exploited Vulnerabilities
- FedRAMP — Federal Risk and Authorization Management Program
- FIPS 140-3 — Cryptographic Module Validation
- CMMC v2 — Cybersecurity Maturity Model Certification
- ISO/IEC 27001:2022 — Information Security Management
- PCI DSS 4.0.1 — Payment Card Industry Data Security Standard
- NIST SP 800-171 — CUI Protection
```text
CyberForge/
├── tools/
│   └── cisa-kev-browser/           # CISA KEV standalone browser (submodule)
│       ├── build.py                # fetches latest KEV data from CISA
│       ├── cisa-kev-browser.html   # fully offline standalone app
│       ├── README.md
│       └── docs/                   # GitHub Pages project documentation
└── README.md
```
Related repositories:
- ForgeGRC — FIPS 140-3 & GRC compliance platform
- CyberForge-Compendium — InfoSec knowledge base
- fedramp-poam-pipeline — FedRAMP POA&M automation
Clone with all tools:

```bash
git clone --recurse-submodules https://github.com/IAwiz87/CyberForge.git
```

If already cloned without submodules:

```bash
git submodule update --init --recursive
```

Update all tools to their latest versions:

```bash
git submodule update --remote --merge
```

Note that `--remote` moves each submodule to the current head of its tracked remote branch rather than to the commit pinned in this repository; review the resulting diff before committing the updated submodule pointer.

Have a tool idea focused on federal compliance, vulnerability management, or GRC? Open an issue or submit a pull request. Contributions that align with the project's no-bloat, compliance-first philosophy are welcome.
This repository is an independent open-source project. It is not affiliated with, endorsed by, or produced by CISA, NIST, or the U.S. Government. Always refer to official sources for authoritative compliance and security guidance.
Built for the federal cybersecurity and GRC community
🛡️ CISA KEV Browser · 🔐 ForgeGRC · 🌐 ForgeGRC Project Page · 📋 Issues
