# arckit-fr-anssi-carto

Install with:

```text
$ npx mdskill add tractorjuice/arc-kit/arckit-fr-anssi-carto
```

Generate ANSSI SI cartography across four security levels

- Supports enterprise architects for EBIOS and NIS2 compliance
- Scans project directories for existing ARC artifacts and policies
- Validates outputs against ANSSI, CNIL, and EU regulations
- Delivers structured maps of system boundaries and attack surfaces

Source file: `.github/skills/arckit-fr-anssi-carto/SKILL.md`
---
name: arckit-fr-anssi-carto
description: "[COMMUNITY] Produce an ANSSI-methodology information system cartography across four reading levels — business, application, system, and network"
---
> ⚠️ **Community-contributed command** — not part of the officially-maintained ArcKit baseline. Output should be reviewed by qualified DPO / RSSI / legal counsel before reliance. Citations to ANSSI / CNIL / EU regulations may lag the current text — verify against the source.
You are helping an enterprise architect produce an **ANSSI information system cartography** following the ANSSI guide "Cartographie du système d'information" (2021). SI cartography is a structured four-level representation of an information system that provides RSSI, architects, and auditors with a shared understanding of the system boundary, components, interdependencies, and attack surface.
SI cartography is a prerequisite for EBIOS Risk Manager (feeds the ecosystem map in Workshop 3), for homologation dossiers, for NIS2 Article 21 compliance assessments, and for OIV security plans.
## User Input
```text
$ARGUMENTS
```
## Instructions
> **Note**: Before generating, scan `projects/` for existing project directories. For each project, list all `ARC-*.md` artifacts, check `external/` for reference documents, and check `000-global/` for cross-project policies. If no external docs exist but they would improve output, ask the user.
### Step 0: Read existing artifacts from the project context
**MANDATORY** (warn if missing):
- **REQ** (Requirements) — Extract: system functional description, integration requirements (INT-xxx), deployment environment (cloud/on-premise/hybrid), user population, data flows to external parties
- If missing: STOP — cartography requires a minimum understanding of the system. Run `/arckit.requirements` first.
**RECOMMENDED** (read if available, note if missing):
- **DATA** (Data Model) — Extract: data assets, data classification levels, data flows — essential for business and application levels
- **STKE** (Stakeholder Analysis) — Extract: external entities, partners, third-party providers — essential for ecosystem cartography
- **SECD** (Secure by Design) — Extract: existing network segmentation, security zones, access controls
- **ANSSI** (ANSSI Assessment) — Extract: any prior hygiene findings relating to network or infrastructure
**OPTIONAL** (read if available, skip silently):
- **EBIOS** (EBIOS RM Study) — Extract: ecosystem map from Workshop 3 if a prior EBIOS study exists — avoid duplication
- **PRIN** (Architecture Principles, 000-global) — Extract: data classification policy, infrastructure standards
- **SECNUM** (SecNumCloud Assessment) — Extract: cloud provider details for system and network levels
### Step 0b: Read external documents and policies
- Read any **external documents** in `external/` — extract network diagrams, infrastructure inventories, previous cartographies, penetration test reports (reveal attack surface findings)
- Read any **global policies** in `000-global/policies/` — extract data classification policy, network security policy
### Step 1: Identify or Create Project
Identify the target project from the hook context. If the project doesn't exist:
1. Use Glob to list `projects/*/` directories and find the highest `NNN-*` number
2. Calculate the next number (zero-padded to 3 digits)
3. Slugify the project name
4. Use the Write tool to create `projects/{NNN}-{slug}/README.md`
5. Set `PROJECT_ID` and `PROJECT_PATH`
### Step 2: Read Source Artifacts
Read all documents from Step 0. Extract:
- Business processes and essential data assets (Level 1 inputs)
- Application inventory and interdependencies (Level 2 inputs)
- Server, database, and infrastructure inventory (Level 3 inputs)
- Network segments, interconnections, and internet entry points (Level 4 inputs)
- External parties and trusted relationships across all levels
### Step 3: Cartography Template Reading
**Read the template** (with user override support):
- **First**, check if `.arckit/templates/fr-anssi-carto-template.md` exists in the project root
- **If found**: Read the user's customized template
- **If not found**: Read `.arckit/templates/fr-anssi-carto-template.md`
### Step 4: Four-Level Cartography
Work through the four ANSSI cartography levels in order. Each level progressively increases in technical detail. Use information from source artifacts where available; flag gaps where information is insufficient to complete a level.
#### Level 1 — Business View (Vue Métier)
**Objective**: Identify the business processes and essential information assets that the IS supports. This is the "what does it do and what does it protect?" level.
1. **Business processes**: List all business processes supported by the IS (P-xx IDs). For each, note criticality (critical/important/standard) and data sensitivity.
2. **Essential information assets (Valeurs Métier)**: From the data model and requirements, identify the assets whose protection justifies the IS's existence — core data, key services, critical processes. Assign VM-xx IDs (consistent with EBIOS if a study exists).
3. **External actors**: Identify all external organisations that interact with the IS — citizens, partners, regulators, service providers. Note the nature of the interaction and trust level.
4. **Business-level dependencies**: Which business processes depend on which external actors or partner systems?
#### Level 2 — Application View (Vue Applicative)
**Objective**: Map business processes to the applications and services that implement them, and document the data flows between applications.
1. **Application inventory**: For each application and service (APP-xx IDs), note its purpose, which business process(es) it supports, criticality, and hosting model (cloud/on-premise/SaaS).
2. **Application interdependencies**: Document all application-to-application flows — protocol, data type, data classification, authentication mechanism.
3. **External SaaS and third-party services**: List all external digital services used — email, analytics, identity providers, payment processors, storage. Note data shared with each.
4. **Sensitive application flows**: Flag any flows crossing trust boundaries or carrying sensitive/classified data.
#### Level 3 — System / Infrastructure View (Vue Système)
**Objective**: Map applications to the physical or virtual infrastructure components that host them.
1. **Server inventory**: For each server or virtual machine (SRV-xx IDs) — hostname/role, OS, applications hosted, environment (prod/staging/dev), location (data centre, cloud region), criticality.
2. **Database inventory**: For each database (DB-xx) — DBMS, data owner, classification level, encryption at rest status.
3. **Identity infrastructure**: Document Active Directory domains, identity providers (IdP), privileged access management (PAM) solutions, certificate authorities.
4. **Sensitive equipment**: Firewalls, load balancers, HSMs, network appliances — location and whether administration interfaces are exposed.
5. **Administration paths**: How are servers administered — bastion hosts, jump servers, direct access? From which networks?
#### Level 4 — Network View (Vue Réseau)
**Objective**: Map network segments and their interconnections, including external connections and internet exposure.
1. **Network segments**: For each segment (NET-xx) — name, VLAN/IP range, security zone (internet-facing/internal/restricted/admin), purpose, and which systems it hosts.
2. **External interconnections**: All connections to external networks — RIE, partner VPNs, cloud provider connections, MPLS circuits. For each: encryption, authentication, direction.
3. **Internet entry points**: All points where the internet can reach the IS — public IPs, domains, APIs, email gateways, VPN endpoints. For each: protection in place (WAF, DDoS, firewall rules).
4. **Administration channels**: How does the administration plane connect — bastion/jump host configuration, protocols, MFA, logging.
5. **Sensitive flows**: Map flows identified at Level 2 onto the network — does the application flow cross network zones? Is it encrypted? Does it transit an untrusted network?
#### Attack Surface Summary
After completing all four levels, synthesise the key attack surface findings:
1. **Internet-facing entry points**: Enumerate all internet-exposed services with their protection level
2. **Administration exposure**: Any admin interfaces reachable from non-restricted zones?
3. **Third-party interconnections**: Which external connections could be used as an entry vector?
4. **Unencrypted sensitive flows**: Any flows carrying sensitive data without encryption?
5. **Supply chain dependencies**: Critical SaaS or cloud services with single points of failure or data exposure?
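To make the four levels and the attack-surface checks concrete, here is a small executable model of the cartography. It is an added example, not ArcKit's own code: the `Segment`/`Server`/`App`/`Flow` classes, the `trace()` walk from a Level 1 asset down to its Level 4 exposure, and the `attack_surface()` checks (internet entry points, administration reachable from non-restricted zones, clear-text sensitive flows, flows crossing a zone boundary) are assumptions about how one could represent the document's tables. Every ID and value in `build_sample()` is constructed.

```python
"""Four-level ANSSI cartography model with a Level 1 -> 4 trace and attack-surface checks.
Added example, not ArcKit's own code; every ID and value below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

SENSITIVE = {"sensitive", "restricted", "classified"}   # classifications that must not travel in clear text
ADMIN_ZONES = {"restricted", "admin"}                    # zones allowed to reach administration interfaces


@dataclass
class Segment:                  # Level 4: NET-xx
    id: str
    zone: str                   # internet-facing / internal / restricted / admin
    entry_point: bool = False   # True when the internet can reach this segment (public IP, VPN endpoint, ...)


@dataclass
class Server:                   # Level 3: SRV-xx
    id: str
    role: str
    segment: str                # NET-xx hosting it
    admin_from: list[str] = field(default_factory=list)  # NET-xx segments allowed to administer it


@dataclass
class App:                      # Level 2: APP-xx
    id: str
    name: str
    supports: list[str]         # VM-xx essential assets (Level 1) it processes
    hosted_on: list[str]        # SRV-xx that run it


@dataclass
class Flow:                     # Level 2 application-to-application flow
    src: str
    dst: str
    classification: str
    encrypted: bool


@dataclass
class Cartography:
    assets: dict[str, str]      # Level 1: VM-xx -> description
    apps: dict[str, App]
    servers: dict[str, Server]
    segments: dict[str, Segment]
    flows: list[Flow]


def trace(c: Cartography, vm_id: str) -> dict:
    """Follow one business asset down through the four levels (Level 1 -> 2 -> 3 -> 4)."""
    apps = [a for a in c.apps.values() if vm_id in a.supports]
    servers = {s: c.servers[s] for a in apps for s in a.hosted_on}
    segments = {srv.segment for srv in servers.values()}
    return {
        "apps": sorted(a.id for a in apps),
        "servers": sorted(servers),
        "segments": sorted(segments),
        "internet_exposed": any(c.segments[n].entry_point for n in segments),
    }


def zones_of(c: Cartography, app_id: str) -> set[str]:
    """Security zones an application runs in (Level 2 -> Level 4 via its servers)."""
    return {c.segments[c.servers[s].segment].zone for s in c.apps[app_id].hosted_on}


def attack_surface(c: Cartography) -> dict[str, list]:
    """The summary checks: entry points, admin exposure, clear-text sensitive flows, cross-zone flows."""
    f: dict[str, list] = {"internet_entry_points": [], "admin_exposed": [],
                          "unencrypted_sensitive": [], "cross_zone_flows": []}
    for seg in c.segments.values():
        if seg.entry_point:
            f["internet_entry_points"].append(seg.id)
    for srv in c.servers.values():
        # administration allowed from a zone that is neither restricted nor admin
        weak = [n for n in srv.admin_from if c.segments[n].zone not in ADMIN_ZONES]
        if weak:
            f["admin_exposed"].append((srv.id, weak))
    for fl in c.flows:
        if fl.classification in SENSITIVE and not fl.encrypted:
            f["unencrypted_sensitive"].append((fl.src, fl.dst))
        # no shared hosting zone between the two applications => the flow crosses a zone boundary
        if zones_of(c, fl.src).isdisjoint(zones_of(c, fl.dst)):
            f["cross_zone_flows"].append((fl.src, fl.dst))
    return f


def build_sample() -> Cartography:
    """Constructed sample: a citizen portal in a DMZ calling an internal records API."""
    segments = {
        "NET-DMZ": Segment("NET-DMZ", "internet-facing", entry_point=True),
        "NET-APP": Segment("NET-APP", "internal"),
        "NET-USERS": Segment("NET-USERS", "internal"),
        "NET-ADMIN": Segment("NET-ADMIN", "admin"),
    }
    servers = {
        "SRV-01": Server("SRV-01", "web front-end", "NET-DMZ", ["NET-ADMIN"]),
        "SRV-02": Server("SRV-02", "records API", "NET-APP", ["NET-ADMIN", "NET-USERS"]),  # admin from user LAN
        "SRV-03": Server("SRV-03", "analytics", "NET-APP", ["NET-ADMIN"]),
    }
    apps = {
        "APP-01": App("APP-01", "citizen portal", ["VM-01"], ["SRV-01"]),
        "APP-02": App("APP-02", "records API", ["VM-01"], ["SRV-02"]),
        "APP-03": App("APP-03", "usage analytics", ["VM-02"], ["SRV-03"]),
    }
    flows = [
        Flow("APP-01", "APP-02", "sensitive", encrypted=True),    # DMZ -> internal, TLS
        Flow("APP-02", "APP-03", "sensitive", encrypted=False),   # internal -> internal, clear text
    ]
    return Cartography({"VM-01": "citizen records", "VM-02": "usage statistics"},
                       apps, servers, segments, flows)


if __name__ == "__main__":
    c = build_sample()
    print(trace(c, "VM-01"))
    for name, hits in attack_surface(c).items():
        print(f"{name}: {hits}")
```

`trace(c, "VM-01")` is the "four levels are complementary" point in code: the citizen-records asset resolves to two applications, two servers and two segments, one of which is internet-facing. `attack_surface()` then yields exactly the four kinds of finding the summary block counts, so the `{N}` placeholders in Step 6 are the lengths of its lists.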
### Step 5: Generate Cartography Document
**CRITICAL**: Use the **Write tool** to create the full cartography document.
1. **Detect version**: Check for existing `ARC-{PROJECT_ID}-CARTO-v*.md` files:
   - No existing file → VERSION="1.0"
   - Existing file → minor increment if refreshed, major if scope changed
2. **Auto-populate Document Control**:
   - Document ID: `ARC-{PROJECT_ID}-CARTO-v{VERSION}`
   - Status: DRAFT
   - Created Date: {current_date}
   - Next Review Date: {current_date + 12 months}
   - Classification: OFFICIAL-SENSITIVE minimum (cartography reveals attack surface — restrict distribution)
3. Write the complete cartography following the template populated with Step 4 findings.
Before writing the file, read `.arckit/references/quality-checklist.md` and verify all **Common Checks** plus **CARTO** per-type checks pass.
Write the document to:
```text
projects/{project_id}/ARC-{PROJECT_ID}-CARTO-v{VERSION}.md
```
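The project numbering of Step 1 (next `NNN-` prefix, slugified name) and the version detection of Step 5 (`1.0` when no file exists, minor bump on refresh, major bump on scope change) are both file-name conventions, so one small script covers them. This is an added example, not ArcKit's code; it assumes `PROJECT_ID` is the three-digit number and that versions are written as `vMAJOR.MINOR` in the file name, and the directory listings it is run on are constructed.

```python
"""Project numbering (Step 1) and cartography version detection (Step 5) over directory listings.
Added example, not ArcKit's own code. Assumes PROJECT_ID is the NNN number and that
versions are written as vMAJOR.MINOR in the file name."""
from __future__ import annotations
import re
import unicodedata

PROJECT_DIR = re.compile(r"^(\d{3})-")   # projects/NNN-slug


def next_project_id(existing_dirs: list[str]) -> str:
    """Highest existing NNN- prefix plus one, zero-padded to three digits (001 when none exist)."""
    numbers = [int(m.group(1)) for d in existing_dirs if (m := PROJECT_DIR.match(d))]
    return f"{(max(numbers) if numbers else 0) + 1:03d}"


def slugify(name: str) -> str:
    """Fold accents to ASCII (Hôpital -> hopital), lower-case, collapse everything else to single hyphens."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]+", "-", folded.lower()).strip("-")


def project_path(existing_dirs: list[str], name: str) -> tuple[str, str]:
    """(PROJECT_ID, PROJECT_PATH) for a new project, as Step 1 sets them."""
    pid = next_project_id(existing_dirs)
    return pid, f"projects/{pid}-{slugify(name)}"


def next_carto_version(project_id: str, existing_files: list[str], scope_changed: bool = False) -> str:
    """Step 5 rule: 1.0 if no ARC-{ID}-CARTO-v*.md exists, else minor bump (refresh) or major bump (scope change)."""
    pattern = re.compile(rf"^ARC-{re.escape(project_id)}-CARTO-v(\d+)\.(\d+)\.md$")
    versions = [(int(m.group(1)), int(m.group(2))) for f in existing_files if (m := pattern.match(f))]
    if not versions:
        return "1.0"
    major, minor = max(versions)     # latest version wins, whatever order the listing came in
    return f"{major + 1}.0" if scope_changed else f"{major}.{minor + 1}"


if __name__ == "__main__":
    pid, path = project_path(["001-portal", "003-sih"], "Hôpital Régional (SIH)")
    print(pid, path)
    print(next_carto_version(pid, []))
    print(next_carto_version("001", ["ARC-001-CARTO-v1.0.md", "ARC-001-CARTO-v1.2.md"]))
```

Accent folding matters for French project names: without it a naive `[^a-z0-9]` slug turns "Santé" into "sant". The version regex is anchored to the exact `ARC-{ID}-CARTO-v` prefix so that a sibling project's or another artifact type's files in the same listing are ignored.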
### Step 6: Summary Output
```text
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ SI Cartography Generated
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📄 Document: projects/{project_id}/ARC-{PROJECT_ID}-CARTO-v{VERSION}.md
📋 Document ID: {document_id}
📅 Date: {date}
🔒 Classification: OFFICIAL-SENSITIVE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📊 Cartography Summary
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Level 1 — Business: {N} processes, {N} essential assets, {N} external actors
Level 2 — Application: {N} applications, {N} SaaS services, {N} interdependency flows
Level 3 — System: {N} servers, {N} databases, {N} admin paths
Level 4 — Network: {N} segments, {N} external interconnections, {N} internet entry points
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🚨 Attack Surface Findings
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Internet-exposed entry points: {N}
Admin interfaces exposed (risk): {N}
Third-party interconnections: {N}
Unencrypted sensitive flows: {N}
High-priority recommendations: {N}
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Next steps:
1. Run $arckit-fr-ebios — cartography feeds Workshop 3 ecosystem map directly
2. Run $arckit-fr-anssi — use network and system findings to prioritise hygiene gaps
3. Run $arckit-diagram — generate visual diagrams from cartography data
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
```
## Important Notes
- **Cartography is security-sensitive**: A complete SI cartography reveals attack surface, administration paths, and asset locations. Always classify OFFICIAL-SENSITIVE minimum and restrict distribution to personnel with a need to know.
- **Four levels are complementary, not alternatives**: The value of ANSSI cartography is the ability to trace from a business asset (Level 1) through the application (Level 2) and infrastructure (Level 3) down to the network exposure (Level 4). Completing only one or two levels produces an incomplete picture.
- **EBIOS synergy**: If an EBIOS Risk Manager study is planned or exists, the cartography feeds directly into Workshop 3 (ecosystem map) and Workshop 4 (operational scenarios). The VM-xx IDs should be consistent between the two documents.
- **Living document**: The cartography must be updated when the IS architecture changes significantly. A stale cartography is worse than no cartography — it gives false confidence. Set a review trigger on major architectural change.
- **Visual diagrams**: This command produces a structured text cartography. Use `/arckit.diagram` to generate visual Mermaid or PlantUML diagrams from the cartography data for presentations and homologation dossiers.
## Key References
| Document | Publisher | URL |
|----------|-----------|-----|
| Guide de cartographie du système d'information | ANSSI | https://cyber.gouv.fr/publications/cartographie-du-systeme-dinformation |
| Guide d'hygiène informatique (42 measures) | ANSSI | https://cyber.gouv.fr/publications/guide-dhygiene-informatique |
| EBIOS Risk Manager guide (Workshop 3 ecosystem map) | ANSSI | https://cyber.gouv.fr/publications/la-methode-ebios-risk-manager |
| ANSSI publications catalogue | ANSSI | https://cyber.gouv.fr/publications |
## Success Criteria
- ✅ Cartography document created at `projects/{project_id}/ARC-{PROJECT_ID}-CARTO-v{VERSION}.md`
- ✅ Level 1 (business): processes, essential assets, and external actors documented
- ✅ Level 2 (application): application inventory, interdependencies, and SaaS services documented
- ✅ Level 3 (system): server and database inventory, identity infrastructure, admin paths documented
- ✅ Level 4 (network): network segments, external interconnections, and internet entry points documented
- ✅ Sensitive flows identified and mapped across all four levels
- ✅ Attack surface summary with internet-exposed entry points and admin exposure
- ✅ Security recommendations prioritised from attack surface findings
- ✅ Document classified OFFICIAL-SENSITIVE minimum
## Example Usage
```text
$arckit-fr-anssi-carto Produce SI cartography for a French ministry digital services platform — three production data centres, Azure cloud, 50k citizen users, integration with FranceConnect and DGFIP APIs
$arckit-fr-anssi-carto Cartography for 001 — regional hospital IS (SIH), OIV santé designation, connected to Mon Espace Santé, mix of on-premise VMware and SaaS clinical software
$arckit-fr-anssi-carto ANSSI cartography for a French energy operator (OIV énergie), separate IT and OT networks, SCADA interconnection, cloud-hosted analytics platform
```
## Suggested Next Steps
After completing this command, consider running:
- `$arckit-fr-ebios` -- Use the cartography ecosystem map and attack surface summary as Workshop 3 input *(when the cartography reveals interconnections and trust boundaries that need risk analysis)*
- `$arckit-fr-anssi` -- Use cartography findings to prioritise the ANSSI hygiene measures assessment *(when the network view reveals exposed interfaces or unprotected sensitive flows)*
- `$arckit-diagram` -- Generate architecture diagrams from the cartography data *(when a visual representation of the cartography levels is needed)*
- `$arckit-secure` -- Address security findings from the cartography attack surface analysis *(when the cartography reveals unacceptable attack surface exposure)*