v1.2.7
Release v1.2.7
Previous release: v1.2.6
Release date: 2026-06-15
Highlights
NIST SP 800-53 Rev 5 Policy Pack — Full Government-Grade Compliance
Added a complete NIST SP 800-53 Rev 5 control catalog covering all 18 control families with 76 controls. This is a government-grade compliance framework designed for US federal systems, federal contractors, and FedRAMP authorization.
Government Policy Pack — Clarified as GESF Initiative
The existing Government Policy Pack (5 controls) is now clearly labeled as a GESF-defined initiative rather than an external standard. Users are directed to the NIST SP 800-53 pack for standard-based government compliance.
What's New
NIST SP 800-53 Rev 5 Policy Pack
Pack ID: nist-800-53
Framework: NIST-800-53 (scores independently from NIST CSF)
Controls: 76
Version: 5.0.0 (aligned with SP 800-53 Rev 5)
All 18 control families covered:
| Family | Name | Controls |
|---|---|---|
| AC | Access Control | 8 |
| AT | Awareness and Training | 3 |
| AU | Audit and Accountability | 5 |
| CA | Assessment, Authorization, and Monitoring | 3 |
| CM | Configuration Management | 5 |
| CP | Contingency Planning | 3 |
| IA | Identification and Authentication | 3 |
| IR | Incident Response | 4 |
| MA | Maintenance | 3 |
| MP | Media Protection | 3 |
| PE | Physical and Environmental Protection | 4 |
| PL | Planning | 2 |
| PS | Personnel Security | 5 |
| PT | PII Processing and Transparency | 5 |
| RA | Risk Assessment | 3 |
| SA | System and Services Acquisition | 6 |
| SC | System and Communications Protection | 5 |
| SI | System and Information Integrity | 6 |
Applicable project types: government-system (primary), saas, healthcare-system, generic-web-application, api-backend, mobile-application
Each control includes:
- Official SP 800-53 control identifier (e.g., NIST-800-53-AC-2)
- Detailed implementation guidance referencing NIST publications
- 2–4 specific verification checks per control
- Severity classification (critical, high, medium, low)
New Framework Type
Added NIST-800-53 to the FrameworkName union type in @greenarmor/ges-core. This ensures the SP 800-53 controls score as their own independent framework in the dashboard — separate from the existing NIST CSF framework.
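Why a separate framework tag keeps the two NIST scores apart, as an added sketch that is not code from @greenarmor/ges-core. The `ControlResult` shape, the percent-passed scoring rule and the sample results are assumptions made for illustration; only the `FrameworkName` union and its new `NIST-800-53` member come from this page.

```typescript
// Assumed shapes: the page states only that FrameworkName is a union type
// that now includes "NIST-800-53". The other members mirror the Framework
// column of the pack table; ControlResult and the scoring rule are hypothetical.
type FrameworkName =
  | "GDPR" | "OWASP" | "CIS" | "NIST" | "NIST-800-53"
  | "ISO27001" | "ISO27701" | "HIPAA";

interface ControlResult {
  id: string;
  framework: FrameworkName; // a misspelled tag fails type-checking
  passed: boolean;
}

type Scores = Partial<Record<FrameworkName, number>>;

// Score each framework from its own controls only: percent passed, 0-100.
function scoreByFramework(results: ControlResult[]): Scores {
  const tally: Partial<Record<FrameworkName, { passed: number; total: number }>> = {};
  for (const r of results) {
    const t = tally[r.framework] ?? { passed: 0, total: 0 };
    t.total += 1;
    if (r.passed) t.passed += 1;
    tally[r.framework] = t;
  }
  const scores: Scores = {};
  for (const name of Object.keys(tally) as FrameworkName[]) {
    const t = tally[name]!;
    scores[name] = Math.round((100 * t.passed) / t.total);
  }
  return scores;
}

// Constructed results; the CSF ids are placeholders, the 800-53 ids follow
// the NIST-800-53-AC-2 pattern shown on this page.
const sample: ControlResult[] = [
  { id: "CSF-PLACEHOLDER-1", framework: "NIST", passed: true },
  { id: "CSF-PLACEHOLDER-2", framework: "NIST", passed: true },
  { id: "NIST-800-53-AC-2", framework: "NIST-800-53", passed: false },
  { id: "NIST-800-53-AC-3", framework: "NIST-800-53", passed: true },
];

const separate = scoreByFramework(sample); // { NIST: 100, "NIST-800-53": 50 }

// Counter-case: if the new pack had reused the "NIST" tag, the results blend.
const blended = scoreByFramework(
  sample.map((r) => ({ ...r, framework: "NIST" as FrameworkName })),
); // { NIST: 75 }
```

With a shared tag, a failing SP 800-53 control would lower the CSF row and the 800-53 posture would have no row of its own.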
Government Policy Pack — Labeling Update
| Field | Before | After |
|---|---|---|
| Name | Government Policy Pack | Government Policy Pack (GESF Initiative) |
| Description | "Additional controls for government systems..." | Clarified as GESF-defined, not an external standard. Directs users to nist-800-53 for standard-based compliance |
The 5 GESF-initiative controls remain unchanged:
- GOV-001: Data Sovereignty
- GOV-002: Chain of Custody
- GOV-003: Tamper Evidence
- GOV-004: Record Integrity Verification
- GOV-005: Auditability
Pack Ecosystem Overview
GESF now ships 11 policy packs:
| # | Pack ID | Framework | Controls | Standard |
|---|---|---|---|---|
| 1 | gdpr | GDPR | 20 | Official (GDPR Articles) |
| 2 | owasp | OWASP | 10 | Official (OWASP ASVS) |
| 3 | ai | GDPR | 6 | GESF Initiative |
| 4 | blockchain | GDPR | 6 | GESF Initiative |
| 5 | government | GDPR | 5 | GESF Initiative |
| 6 | cis | CIS | 5 | Official (CIS Controls v8) |
| 7 | nist | NIST | 34 | Official (NIST CSF 2.0) |
| 8 | nist-800-53 | NIST-800-53 | 76 | Official (SP 800-53 Rev 5) |
| 9 | iso27001 | ISO27001 | 14 | Official (ISO/IEC 27001) |
| 10 | iso27701 | ISO27701 | 16 | Official (ISO/IEC 27701) |
| 11 | hipaa | HIPAA | 19 | Official (HIPAA Security Rule) |
NIST CSF vs NIST SP 800-53
| | NIST CSF (nist) | NIST SP 800-53 (nist-800-53) |
|---|---|---|
| Source | NIST Cybersecurity Framework 2.0 | NIST SP 800-53 Revision 5 |
| Controls | 34 (category-level) | 76 (18 control families) |
| Focus | General cybersecurity posture | Government systems, federal contractors, FedRAMP |
| Primary use | Any organization | Government agencies and contractors |
| Scores as | NIST framework | NIST-800-53 framework |
Both packs can be installed together — they score independently in the dashboard.
Usage
Install via CLI
```
ges policy install nist-800-53
```
Install via MCP
```
# Using the MCP server
policy_install(pack_id: "nist-800-53", project_path: "/your/project")
```
View in Dashboard
```
ges dashboard
# NIST-800-53 appears as its own framework row with score and grade
```
Files Changed
| File | Change |
|---|---|
| packages/policy-engine/src/packs/nist-800-53.ts | NEW — 76 controls, all 18 families |
| packages/core/src/types/index.ts | Added NIST-800-53 to FrameworkName union |
| packages/policy-engine/src/index.ts | Registered pack in ALL_PACKS, PACK_MAP, and exports |
| packages/policy-engine/src/packs/government.ts | Clarified as GESF initiative |
| packages/policy-engine/src/index.test.ts | Updated pack count assertion (10 → 11) |
Test Results
- 421 tests passing across all 15 test suites
- All 16 packages build clean
- E2E verified:
  - ges policy install nist-800-53 installs 76 controls
  - NIST-800-53 correctly added to .ges/config.json
  - Dashboard scores NIST-800-53 as independent framework
  - All 18 control families visible in dashboard data
  - ges policy remove nist-800-53 cleanly removes framework and controls
  - MCP policy_list includes the new pack
Upgrade Guide
No breaking changes. Existing projects are unaffected.
```
npm update @greenarmor/ges
# or
pnpm update @greenarmor/ges
```
To add NIST SP 800-53 controls to an existing project:
```
ges policy install nist-800-53
ges audit
ges dashboard
```