
cia-compliance-manager

v1.1.80

Published

React components, hooks, and services for CIA triad security assessment, compliance management, and risk analysis — supporting ISO 27001, NIST 800-53, SOC 2, GDPR, HIPAA, and EU CRA frameworks

Readme


🔒 Supply-Chain Security & Provenance:

OpenSSF Scorecard OpenSSF Best Practices SLSA 3 FOSSA Status License

🚀 CI/CD Workflows:

CodeQL Release Deploy ZAP Scan Lighthouse Dependency Review Test & Report Scorecards

📊 Code Quality & Metrics:

Quality Gate Status Security Rating Maintainability Rating Reliability Rating Coverage Bundle Size

🔐 ISMS & Compliance Framework:

ISO 27001:2022 NIST CSF 2.0 CIS Controls v8.1 Hack23 ISMS Secure Development Threat Modeling Vulnerability Management Open Source Policy Transparency Plan

📚 Documentation & Reports:

Ask DeepWiki TypeDoc API Coverage Report E2E Report


🌐 Explore the Platform

CIA Compliance Manager is both a live assessment platform and a reusable npm library for building security-first React applications. Two entry points serve different audiences:


🎯 Why This Exists

Security and compliance are business-critical, but they're also expensive, complex, and frequently misunderstood by non-specialists. Organizations face a maze of overlapping frameworks (ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS, EU CRA), each with hundreds of controls, unclear mapping, and no built-in cost transparency. CISOs struggle to translate technical security requirements into business-justifiable budgets. Compliance officers can't easily demonstrate ROI for security investments. Small-to-medium enterprises lack the tools that large consulting firms use internally.

CIA Compliance Manager bridges this gap — it's the transparent, open-source compliance assessment platform that organizations can use to:

  • Assess security posture systematically using the CIA triad (Confidentiality, Integrity, Availability) as the unifying lens across all frameworks.
  • Map controls automatically to ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS, and EU CRA — see exactly which framework controls apply to your assessed security levels.
  • Estimate costs realistically with detailed CAPEX and OPEX breakdowns, so you can justify budgets and track ROI.
  • Model threats rigorously using STRIDE methodology, attack trees, and risk quantification — go beyond checkbox compliance to actual risk management.
  • Quantify business impact across financial, operational, reputational, and regulatory dimensions using our Classification Framework.
  • Demonstrate transparency — every methodology, every calculation, every control mapping is open-source and auditable.

This project is the open-source platform behind ciacompliancemanager.com: a production-ready assessment tool built following Hack23's Secure Development Policy and classified according to our ISMS standards. It serves as both an operational platform for security assessments and a live reference implementation of security-by-design principles.

| Pillar | What it means in this project |
|---|---|
| 🛡️ CIA Triad Assessment | Every security decision is evaluated across Confidentiality, Integrity, and Availability dimensions. We use a 5-level maturity model (Level 1: Basic → Level 5: Optimized) mapped to concrete technical controls, so you know exactly what "High Confidentiality" means in practice (encryption at rest + in transit, key management, access controls, etc.). |
| 📊 Multi-Framework Compliance | Automated mapping to 7 major frameworks. Select your target security levels (e.g., "High Confidentiality, Medium Integrity, High Availability"), and the platform shows you which ISO 27001 Annex A controls, NIST 800-53 families, GDPR articles, HIPAA safeguards, SOC 2 criteria, PCI DSS requirements, and EU CRA essential requirements apply. |
| 💰 Cost & ROI Transparency | Security has a price. We calculate CAPEX (licenses, hardware, consulting) and OPEX (staffing, maintenance, subscription costs) for each security level, broken down by category. ROI calculator lets you compare risk reduction value against implementation costs. |
| 🎯 Threat Modeling | Integrated STRIDE analysis (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Build attack trees, assign likelihood and impact scores, prioritize mitigations. Structured threat intelligence aligned with ISMS threat modeling standards. |
| 🏷️ Data Classification | Systematic data classification engine based on CIA requirements. Input your data sensitivity, integrity needs, and availability SLAs; get back a clear classification label (Public, Internal, Confidential, Restricted) with handling requirements and retention policies. |
| 📈 Business Impact Analysis | Quantify what happens when security fails. Our Business Impact Matrix scores financial loss, operational disruption, reputational damage, and regulatory penalties across 5 severity levels. Connect security controls to business value, not just compliance checkboxes. |
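As an added worked example (not the library's own code, API or control data), the selection-and-costing logic the pillar table describes, reduced to a small TypeScript model: a CIA profile on the 5-level scale selects the controls whose minimum level it meets, the result is mapped to framework clauses, summed as CAPEX/OPEX, and fed into a return-on-security-investment calculation based on annualized loss expectancy. Control identifiers, clause references and cost figures are constructed for illustration.

```typescript
// Illustrative model of the README's assessment idea. Not the
// cia-compliance-manager library's API; catalogue, clause refs and
// costs are constructed for this example.

/** 5-level maturity model from the README: 1 = Basic ... 5 = Optimized. */
export type Level = 1 | 2 | 3 | 4 | 5;
export type Dimension = 'confidentiality' | 'integrity' | 'availability';
export type Profile = Record<Dimension, Level>;

export interface Control {
  id: string;                           // constructed identifier
  dimension: Dimension;
  minLevel: Level;                      // applies once the profile reaches this level
  frameworks: Record<string, string[]>; // framework -> clause refs (illustrative mapping)
  capex: number;                        // one-time cost, USD
  opex: number;                         // recurring cost, USD per year
}

// Constructed sample catalogue; the clause references are illustrative, not a vetted mapping.
export const SAMPLE_CONTROLS: Control[] = [
  { id: 'C-1', dimension: 'confidentiality', minLevel: 2, capex: 5000, opex: 12000,
    frameworks: { 'ISO 27001': ['A.5.15'], 'NIST 800-53': ['AC-2'] } },          // access control
  { id: 'C-2', dimension: 'confidentiality', minLevel: 3, capex: 20000, opex: 8000,
    frameworks: { 'ISO 27001': ['A.8.24'], 'NIST 800-53': ['SC-8', 'SC-28'] } }, // encryption in transit / at rest
  { id: 'C-3', dimension: 'confidentiality', minLevel: 4, capex: 40000, opex: 15000,
    frameworks: { 'ISO 27001': ['A.8.24'], 'NIST 800-53': ['SC-12'] } },         // key management
  { id: 'I-1', dimension: 'integrity', minLevel: 2, capex: 3000, opex: 6000,
    frameworks: { 'ISO 27001': ['A.8.9'], 'NIST 800-53': ['CM-3'] } },           // change control
  { id: 'I-2', dimension: 'integrity', minLevel: 3, capex: 10000, opex: 9000,
    frameworks: { 'ISO 27001': ['A.8.15'], 'NIST 800-53': ['SI-7', 'AU-9'] } },  // integrity checks, protected logs
  { id: 'A-1', dimension: 'availability', minLevel: 2, capex: 4000, opex: 7000,
    frameworks: { 'ISO 27001': ['A.8.13'], 'NIST 800-53': ['CP-9'] } },          // backups
  { id: 'A-2', dimension: 'availability', minLevel: 3, capex: 30000, opex: 20000,
    frameworks: { 'ISO 27001': ['A.8.14'], 'NIST 800-53': ['CP-10'] } },         // redundancy and recovery
];

/** Controls that apply to a profile: the relevant dimension must meet the control's minimum level. */
export function applicableControls(profile: Profile, catalogue: Control[] = SAMPLE_CONTROLS): Control[] {
  return catalogue.filter((c) => profile[c.dimension] >= c.minLevel);
}

/** Unique framework clause references covered by a set of controls, grouped per framework. */
export function frameworkCoverage(controls: Control[]): Record<string, string[]> {
  const sets: Record<string, Set<string>> = {};
  for (const c of controls) {
    for (const [fw, refs] of Object.entries(c.frameworks)) {
      const set = (sets[fw] ??= new Set<string>());
      for (const r of refs) set.add(r);
    }
  }
  return Object.fromEntries(Object.entries(sets).map(([fw, s]) => [fw, [...s].sort()]));
}

export interface CostEstimate { capex: number; opex: number; totalOverHorizon: number; }

/** CAPEX/OPEX breakdown and total cost of ownership over `years`. */
export function costEstimate(controls: Control[], years = 3): CostEstimate {
  const capex = controls.reduce((s, c) => s + c.capex, 0);
  const opex = controls.reduce((s, c) => s + c.opex, 0);
  return { capex, opex, totalOverHorizon: capex + opex * years };
}

/** Annual cost with CAPEX amortized straight-line over the horizon. */
export function annualizedCost(estimate: CostEstimate, years = 3): number {
  return estimate.opex + estimate.capex / years;
}

/** Annualized loss expectancy: single-loss expectancy x annual rate of occurrence. */
export function ale(singleLossExpectancy: number, annualRateOfOccurrence: number): number {
  return singleLossExpectancy * annualRateOfOccurrence;
}

/** Return on security investment: (ALE reduction - annual control cost) / annual control cost. */
export function rosi(aleBefore: number, aleAfter: number, annualCost: number): number {
  if (annualCost <= 0) throw new Error('annual cost must be positive');
  return (aleBefore - aleAfter - annualCost) / annualCost;
}

// Worked case: the README's "High Confidentiality, Medium Integrity, High Availability",
// expressed on the constructed 1..5 scale (High = 4, Medium = 2).
export const DEMO_PROFILE: Profile = { confidentiality: 4, integrity: 2, availability: 4 };
```

A negative ROSI means the selected control set costs more per year than the loss expectancy it removes, which is the "checkbox compliance" trap the table warns about.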


🎯 Purpose Statement

The CIA Compliance Manager is a comprehensive application designed to help organizations assess, implement, and manage security controls across the CIA triad (Confidentiality, Integrity, and Availability). It provides detailed security assessments, cost estimation tools, business impact analysis, and technical implementation guidance to support organizations in achieving their security objectives within budget constraints.

This compliance tool demonstrates Hack23 AB's commitment to security by design and transparency, serving as both an operational platform and a live demonstration of our cybersecurity consulting expertise. Built following our Secure Development Policy and classified according to our Classification Framework, this project exemplifies security best practices through transparent implementation.

— James Pether Sörling, CEO/Founder, Hack23 AB


🌟 Key Features

The CIA Compliance Manager provides enterprise-grade capabilities for security assessment and compliance management:

👥 Target Audience

This platform serves security professionals and decision-makers:

  • 🎯 CISOs & Security Directors — Strategic security posture management and compliance oversight
  • 📋 Compliance & Risk Officers — Regulatory compliance tracking and audit preparation
  • 💼 IT Managers & System Administrators — Security control implementation and operational management
  • 🏗️ Security Architects & Engineers — Technical security design and architecture validation
  • 💰 Business Stakeholders — Security investment decisions and ROI analysis

🤖 GitHub Copilot Custom Agents

CIA Compliance Manager includes a set of specialized GitHub Copilot custom agents tailored to this project's architecture, ISMS alignment, and quality standards. Each agent focuses on a specific domain (product, development, testing, documentation, or security) to provide context-aware assistance across the codebase.

```mermaid
%%{init: {'theme': 'neutral'}}%%
graph TB
    subgraph "Product Coordination"
        TASK[🎯 Product Task Agent]:::task
    end
    
    subgraph "Development Agents"
        TS[⚛️ TypeScript React Agent]:::dev
        TEST[🧪 Testing Agent]:::test
    end
    
    subgraph "Quality & Security"
        CR[🔍 Code Review Agent]:::review
        SEC[🔐 Security Compliance Agent]:::security
    end
    
    subgraph "Documentation"
        DOC[📝 Documentation Agent]:::docs
    end
    
    TASK --> TS
    TASK --> TEST
    TASK --> CR
    TASK --> SEC
    TASK --> DOC
    
    classDef task fill:#FFC107,stroke:#F57C00,stroke-width:3px,color:#000
    classDef dev fill:#2E7D32,stroke:#1B5E20,stroke-width:2px,color:#fff
    classDef test fill:#1565C0,stroke:#0D47A1,stroke-width:2px,color:#fff
    classDef review fill:#7B1FA2,stroke:#4A148C,stroke-width:2px,color:#fff
    classDef security fill:#D32F2F,stroke:#B71C1C,stroke-width:2px,color:#fff
    classDef docs fill:#FF9800,stroke:#F57C00,stroke-width:2px,color:#fff
```

📋 Available Agents

🚀 Using Agents in This Project

You can explicitly address agents in your prompts when working in this repository:

@product-task-agent, create GitHub issues for improving the CRA assessment documentation.

@typescript-react-agent, refactor the SecuritySummaryWidget to reuse existing types and constants.

@testing-agent, add Vitest unit tests for the BusinessImpactAnalysisWidget.

@security-compliance-agent, review the cost estimation logic for compliance with the Classification Framework.

For full configuration details and advanced usage, see the Agent README and Skills Framework.


🎓 Foundational Skills Framework

Each agent is equipped with domain-specific skills that define reusable best practices, patterns, and compliance standards. Skills are stored in .github/skills/ and loaded by agents to ensure consistent, ISMS-aligned behavior across the codebase.

Core Skills:

How Skills Work:

  1. Agents load skills from .github/skills/ based on their domain (e.g., Documentation Agent loads documentation-standards.md + c4-architecture-documentation.md)
  2. Skills define patterns using examples, rules, and constraints that agents apply when generating code, docs, or tests
  3. Skills evolve with the project — when you update a skill file, all agents that reference it immediately adopt the new standard
  4. Skills are versioned alongside the codebase, ensuring traceability between code changes and the standards that governed them

Example: Documentation Agent + Skills:

When the Documentation Agent updates SECURITY_ARCHITECTURE.md, it:

  • Follows documentation-standards.md for Markdown structure, heading hierarchy, and cross-references
  • Applies c4-architecture-documentation.md for C4 Context/Container diagrams using the project's Mermaid palette
  • Uses STYLE_GUIDE.md for CIA-triad colors (Confidentiality = Purple #7B1FA2, Integrity = DarkGreen #2E7D32, Availability = DarkBlue #1565C0)

This ensures every diagram, every heading, every cross-link follows the same visual and structural conventions.


📝 Featured Hack23 Blog Posts

Expert analysis and thought leadership from Hack23's cybersecurity blog, selected from the Hack23 site map for direct relevance to CIA Compliance Manager, CIA triad assessment, compliance automation, secure development, and business impact analysis:

🎯 CIA Compliance Manager Architecture & Code Deep Dives

📊 Compliance, Risk & Security Governance

🔐 Threat Modeling, Secure Development & Regulatory Readiness

📚 Related Hack23 Resources

Want to contribute a blog post? We welcome guest articles on CIA triad security, compliance automation, threat modeling, and GRC best practices. See our Contributing Guidelines for submission details.


📊 Current Status / At a Glance

Version: 1.1.70 (Effective: 2026-04-28 | Next Review: 2026-07-28)

Package Health:

  • Build Status: ✅ All workflows passing
  • Test Coverage: 85%+ (Vitest + Cypress E2E)
  • Bundle Size: ~120 KB minified+gzipped (tree-shakeable)
  • Dependencies: Dependency Status | Maintenance
  • ISMS Posture: ISO 27001:2022-aligned, NIST CSF 2.0-mapped, CIS Controls v8.1-compliant

Package Layout (10 Subpath Exports):

```typescript
import { SecurityProfile, ComplianceFramework } from 'cia-compliance-manager';                  // root
import { CIALevel, SecurityControlMapping } from 'cia-compliance-manager/types';               // types
import { AssessmentService, ComplianceService } from 'cia-compliance-manager/services';        // services
import { useSecurityProfile, useCompliance } from 'cia-compliance-manager/hooks';              // hooks
import { formatCurrency, calculateROI } from 'cia-compliance-manager/utils';                   // utils
import { SecurityDashboard, ComplianceMatrix } from 'cia-compliance-manager/components';       // components
import { BusinessImpactWidget, ThreatModelWidget } from 'cia-compliance-manager/components/widgets'; // widgets
import { SECURITY_LEVELS, COMPLIANCE_FRAMEWORKS } from 'cia-compliance-manager/constants';     // constants
import { controlData, frameworkMappings } from 'cia-compliance-manager/data';                  // data
import { SecurityProfileProvider, ComplianceContext } from 'cia-compliance-manager/contexts';  // contexts
```

Technology Stack:

  • Runtime: Node ≥26.0.0, npm ≥10.0.0
  • Language: TypeScript 6.0.3 (ES2025 target)
  • Framework: React 19.2.5 + React DOM 19.2.5
  • Build: Vite 8.0.10 (ES module bundler)
  • Styling: Tailwind CSS 4.2.4
  • Testing: Vitest 4.1.5, @vitest/coverage-v8 4.1.5, Cypress 15.14.1
  • Linting: ESLint 10.2.1 + TypeScript ESLint 8.59.1
  • Documentation: TypeDoc 0.28.19 + typedoc-plugin-mermaid 1.12.0
  • Code Quality: Knip 6.7.0 (unused exports detection)

🏆 Business Value & Strategic Impact

🎯 Project Classification

CIA Compliance Manager is classified as PUBLIC per Hack23's Classification Framework. This public classification enables transparency, community contributions, and serves as a reference implementation for security-by-design principles.

🔒 Security Classification

CIA Triad Assessment:

  • Confidentiality: MEDIUM (Public data, but architecture patterns demonstrate security controls)
  • Integrity: HIGH (Code provenance, SLSA 3 attestations, immutable audit trails)
  • Availability: MEDIUM (Public CDN, GitHub Pages, S3 static hosting with CloudFront)

⏱️ Business Continuity

Recovery Time Objective (RTO): 4 hours
Recovery Point Objective (RPO): 1 hour
Maximum Tolerable Downtime (MTD): 24 hours

For detailed DR procedures, see Business Continuity Plan.

💰 Business Impact Analysis Matrix

Assessment of impact if CIA Compliance Manager were unavailable or compromised:

| Impact Dimension | Severity Level | Financial Impact | Description |
|---|---|---|---|
| Financial | MEDIUM | $10K–$100K | Loss of demonstration platform affects consulting sales pipeline and SaaS revenue potential |
| Operational | LOW | <$10K | Alternative assessment tools available; manual processes feasible for short-term |
| Reputational | MEDIUM | Brand damage | Security consulting firm with insecure platform creates trust deficit; media coverage risk |
| Regulatory | LOW | Minimal | No regulated data processed; GDPR/HIPAA compliance demonstration affected but not business-critical |

Detailed methodology and scoring rubric: ISMS Classification Framework § Business Impact Matrix

🛡️ Security Investment Returns

Primary ROI Drivers:

  1. Consulting Sales Enablement — Live platform demonstrates Hack23's security expertise to potential clients; reference implementation shortens sales cycles
  2. Product Differentiation — Only open-source CIA triad assessment platform with multi-framework mapping and cost transparency; competitive moat in GRC consulting
  3. Community Trust — Transparency builds credibility; security professionals prefer vendors who "eat their own dog food"
  4. Reusable IP — npm library enables Hack23 to embed compliance features into client projects; reduces custom development costs

🎯 Competitive Differentiation

vs. Commercial GRC Platforms (e.g., OneTrust, LogicGate):

  • Transparency: Every control mapping, every calculation is auditable — no vendor lock-in
  • Cost: Open-source library + self-hosted option vs. $50K+ annual licenses
  • Customization: Fork, extend, embed — vs. rigid SaaS feature sets

vs. Consulting Spreadsheets:

  • Automation: Real-time calculations, live dashboards vs. error-prone manual updates
  • Frameworks: 7 frameworks mapped simultaneously vs. single-framework silos
  • Evidence: Traceable lineage from controls to frameworks to audit artifacts

vs. Other Open-Source Tools (e.g., OWASP Threat Dragon):

  • Multi-Framework: ISO 27001 + NIST + GDPR + HIPAA + SOC 2 + PCI DSS + EU CRA vs. single-purpose tools
  • Business Focus: Cost estimation, ROI analysis, business impact quantification — not just technical checklists

📈 Porter's Five Forces Strategic Impact

How CIA Compliance Manager affects Hack23's competitive position:

| Force | Impact | Analysis |
|---|---|---|
| 🆚 Competitive Rivalry | Reduces intensity | Demonstrates superior technical capability vs. consulting competitors; transparent implementation builds trust faster than marketing claims |
| 🚪 Threat of New Entrants | Raises barriers | Open-source platform + community contributions create network effects; new entrants must match feature breadth + framework coverage |
| 🔄 Supplier Power | Reduces dependency | Self-hosted option eliminates reliance on third-party GRC vendors; control over roadmap and pricing |
| 👥 Buyer Power | Strengthens position | Transparent pricing (free OSS + paid consulting) vs. opaque vendor contracts; clients choose based on value, not negotiation leverage |
| 🔀 Substitutes | Mitigates threat | Superior UX + automation vs. manual spreadsheets; broader framework coverage vs. single-purpose tools; cost transparency vs. commercial SaaS black boxes |


🎯 ISMS Compliance Highlights

CIA Compliance Manager is built and operated in full compliance with Hack23's ISMS framework:

  • Secure Development Policy: SLSA 3 provenance, SBOM generation, automated vulnerability scanning (Dependabot, CodeQL, ZAP), peer-reviewed PRs
  • Threat Modeling: STRIDE analysis documented in THREAT_MODEL.md; attack surfaces mapped to mitigations
  • Vulnerability Management: 24-hour critical-patch SLA; automated dependency updates; public disclosure policy
  • Open Source Policy: Apache-2.0 licensed; CLA for contributors; FOSSA license compliance checks
  • Transparency Plan: Public ISMS docs, public roadmap, public incident response procedures
  • Data Classification: No PII/PHI processed; all data is PUBLIC per classification framework
  • Business Continuity: RTO 4h, RPO 1h, MTD 24h; DR procedures documented in BCPPlan.md

📋 Framework Alignment

This project demonstrates compliance controls for multiple frameworks simultaneously:

| Framework | Standard/Version | Alignment Level | Evidence |
|---|---|---|---|
| ISO 27001 | 2022 (Annex A controls) | HIGH | Control Mapping, ISMS Reference |
| NIST CSF | 2.0 | HIGH | Traceability Matrix |
| CIS Controls | v8.1 | MEDIUM | CIS Mapping |
| EU CRA | 2024/2847 (Essential Requirements) | MEDIUM | CRA Assessment |
| GDPR | Regulation 2016/679 | MEDIUM | Data minimization, no personal data processing |
| OWASP Top 10 | 2021 | HIGH | Input validation, CSP, HTTPS-only, secure dependencies |
| WCAG | 2.1 Level AA | HIGH | Accessibility tested with Lighthouse, keyboard navigation, ARIA labels |

🎯 Why This Matters to You

If you're a CISO or Security Leader:

  • See how Hack23 implements its own ISMS policies in production code
  • Use this platform to assess your own organization's security posture
  • Fork and customize for your compliance framework mix

If you're a Developer or Architect:

  • Study a real-world React 19 + TypeScript 6 + Vite 8 project with 85%+ test coverage
  • Learn security-by-design patterns: input validation, CSP, HTTPS enforcement, least-privilege access
  • Explore C4 architecture diagrams, STRIDE threat models, and state machines

If you're a Compliance Professional:

  • Map your controls to multiple frameworks simultaneously
  • Generate audit-ready evidence with traceable lineage
  • Estimate compliance program costs with transparency

📚 Documentation Hub

📖 Quick Links

🏛️ Architecture Documentation

Current State (v1.1.70):

| Document | Description | Last Updated |
|---|---|---|
| ARCHITECTURE.md | C4 Context + Container diagrams; system boundaries; external integrations | 2026-04-28 |
| SYSTEM_ARCHITECTURE.md | Component-level architecture; React component tree; service layer | 2026-04-28 |
| SECURITY_ARCHITECTURE.md | Trust boundaries, authentication/authorization, data flow security controls | 2026-04-28 |
| THREAT_MODEL.md | STRIDE analysis; attack trees; mitigations mapped to threats | 2026-04-28 |
| DATA_MODEL.md | TypeScript interfaces; data structures; state management patterns | 2026-04-28 |
| FLOWCHART.md | User workflows; assessment processes; compliance report generation | 2026-04-28 |
| STATEDIAGRAM.md | Security profile states; compliance status transitions | 2026-04-28 |
| MINDMAP.md | Conceptual overview; feature hierarchy; domain model | 2026-04-28 |
| SWOT.md | Strengths/Weaknesses/Opportunities/Threats analysis | 2026-04-28 |
| WORKFLOWS.md | CI/CD pipelines; GitHub Actions workflows; deployment process | 2026-04-28 |
| WIDGET_ANALYSIS.md | Dashboard widget architecture; reusable component patterns | 2026-04-28 |

Future State (Target Architecture):

| Document | Description | Purpose |
|---|---|---|
| FUTURE_ARCHITECTURE.md | Target system boundaries; planned integrations (SIEM, SOAR, GRC platforms) | Roadmap clarity |
| FUTURE_SECURITY_ARCHITECTURE.md | Zero-trust model; mTLS; hardware security modules (HSM) integration | Security maturity |
| FUTURE_THREAT_MODEL.md | Advanced persistent threats (APT); supply-chain attack scenarios | Proactive defense |
| FUTURE_DATA_MODEL.md | Multi-tenant data isolation; encrypted storage at rest | Scalability + privacy |
| FUTURE_FLOWCHART.md | Automated remediation workflows; AI-assisted control selection | Automation vision |
| FUTURE_STATEDIAGRAM.md | Advanced compliance states (e.g., "Continuous Monitoring", "Auto-Remediation") | Maturity progression |
| FUTURE_MINDMAP.md | Strategic expansion into GRC, ITSM, DevSecOps tooling | Product vision |
| FUTURE_SWOT.md | Market analysis for SaaS offering; competitive positioning | Business strategy |
| FUTURE_WORKFLOWS.md | GitOps deployment; infrastructure-as-code pipelines | Operational excellence |

🔐 ISMS Compliance Documentation

| Document | Framework Alignment | Purpose |
|---|---|---|
| ISMS_IMPLEMENTATION_GUIDE.md | ISO 27001:2022, NIST CSF 2.0 | How Hack23 implements ISMS controls in this project |
| ISMS_REFERENCE_MAPPING.md | ISO 27001 Annex A → Codebase | Traceable mapping from ISMS policies to code artifacts |
| TRACEABILITY_MATRIX.md | NIST CSF 2.0, CIS Controls v8.1 | Control-to-evidence traceability for audits |
| CRA-ASSESSMENT.md | EU Cyber Resilience Act 2024/2847 | Essential requirements compliance self-assessment |
| control-mapping.md | ISO 27001, NIST 800-53, GDPR, HIPAA, SOC 2, PCI DSS | Multi-framework control mapping by CIA level |
| SECURITY.md | ISMS Vulnerability Management Policy | Security disclosure process; vulnerability reporting |
| BCPPlan.md | ISO 22301 (BCMS) | Business continuity and disaster recovery procedures |

🎓 Contributing & Community


🌍 Hack23 Ecosystem

CIA Compliance Manager is part of the Hack23 open-source intelligence and security ecosystem. Explore our family of projects:

🏢 Parent Organization

  • Hack23.com — Cybersecurity consulting, ISMS implementation, and political intelligence services

🛡️ Governance & Standards

  • ISMS-PUBLIC — Public Information Security Management System (ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1)

🗳️ Political Intelligence Platforms

🎮 Reference Implementations

  • Black Trigram — Korean-themed RPG game demonstrating secure gaming architecture and ISMS alignment

Cross-Project Benefits:

  • Shared ISMS policies and compliance frameworks reduce audit overhead
  • Reusable security patterns (e.g., SLSA 3 provenance, CodeQL scanning, ZAP penetration testing)
  • Cross-linking boosts SEO across the Hack23 domain ecosystem
  • Unified documentation standards (C4 diagrams, Mermaid, TypeDoc) accelerate onboarding

🚀 Getting Started

Installation

```bash
# Install as npm dependency
npm install cia-compliance-manager

# or with yarn
yarn add cia-compliance-manager

# or with pnpm
pnpm add cia-compliance-manager
```

Quick Start (Library Usage)

```typescript
import { SecurityProfile, AssessmentService } from 'cia-compliance-manager';
import { CIALevel } from 'cia-compliance-manager/types';

// Create a security profile
const profile: SecurityProfile = {
  confidentialityLevel: CIALevel.HIGH,
  integrityLevel: CIALevel.MEDIUM,
  availabilityLevel: CIALevel.HIGH
};

// Generate compliance mapping
const assessment = AssessmentService.generateAssessment(profile);

console.log(`Compliance Frameworks: ${assessment.frameworks.join(', ')}`);
console.log(`Total Controls: ${assessment.controls.length}`);
console.log(`Estimated Cost: $${assessment.estimatedCost.toLocaleString()}`);
```

Quick Start (Development)

```bash
# Clone repository
git clone https://github.com/Hack23/cia-compliance-manager.git
cd cia-compliance-manager

# Install dependencies (requires Node ≥26.0.0, npm ≥10.0.0)
npm install

# Run development server
npm run dev

# Run tests
npm test

# Run E2E tests
npm run test:e2e

# Build library
npm run build:lib

# Generate documentation
npm run docs:bundle
```

Subpath Exports

CIA Compliance Manager provides 10 subpath exports for tree-shaking and selective imports:

```typescript
// Root export (all public symbols)
import { SecurityProfile } from 'cia-compliance-manager';

// Type definitions
import { CIALevel, ComplianceFramework } from 'cia-compliance-manager/types';

// Services (assessment, compliance, cost estimation)
import { AssessmentService, ComplianceService } from 'cia-compliance-manager/services';

// React hooks
import { useSecurityProfile, useCompliance } from 'cia-compliance-manager/hooks';

// Utility functions
import { formatCurrency, calculateROI } from 'cia-compliance-manager/utils';

// React components
import { SecurityDashboard, ComplianceMatrix } from 'cia-compliance-manager/components';

// Dashboard widgets
import { BusinessImpactWidget, ThreatModelWidget } from 'cia-compliance-manager/components/widgets';

// Constants
import { SECURITY_LEVELS, COMPLIANCE_FRAMEWORKS } from 'cia-compliance-manager/constants';

// Data (control mappings, framework definitions)
import { controlData, frameworkMappings } from 'cia-compliance-manager/data';

// React contexts
import { SecurityProfileProvider, ComplianceContext } from 'cia-compliance-manager/contexts';
```

🤝 Contributing

We welcome contributions from the community! See CONTRIBUTING.md for guidelines on:

  • Code contributions — Bug fixes, features, refactoring
  • Documentation — Improving guides, fixing typos, adding examples
  • Testing — Writing unit/integration/E2E tests
  • Security — Responsible disclosure of vulnerabilities (see SECURITY.md)
  • Compliance — Adding framework mappings, improving control definitions

Before submitting a PR:

  1. Read CODE_OF_CONDUCT.md
  2. Ensure tests pass (npm test)
  3. Run linter (npm run lint)
  4. Update documentation if changing public APIs
  5. Sign the Contributor License Agreement (CLA)

📄 License

This project is licensed under the Apache License 2.0 — see LICENSE for details.

Key permissions:

  • Commercial use — Use in proprietary products
  • Modification — Fork, extend, customize
  • Distribution — Redistribute modified versions
  • Patent grant — Protection from patent litigation

Conditions:

  • 📋 License and copyright notice — Include LICENSE and NOTICE files
  • 📋 State changes — Document modifications clearly
  • 📋 Trademark — Cannot use "Hack23" or "CIA Compliance Manager" trademarks without permission

🙏 Acknowledgments

  • James Pether Sörling (CEO/Founder, Hack23 AB) — Architecture, ISMS implementation, product vision
  • Simon Moon (Independent Security Consultant) — Business impact analysis methodology, blog post contributions
  • George Dorn (Security Strategist) — CIA triad strategic analysis, threat modeling patterns
  • Hack23 Community Contributors — Bug reports, feature requests, documentation improvements
  • OpenSSF Community — Scorecards, best practices guidance, SLSA framework
  • OWASP Community — Threat modeling resources, secure coding patterns

Special thanks to the maintainers of React, TypeScript, Vite, Vitest, Cypress, Tailwind CSS, and the broader open-source ecosystem.


📞 Support & Contact