
Add C-SCRM supplier evidence gates to NIST CSF assessment#1170

Open

99INFLUENCERS wants to merge 1 commit into UnitOneAI:main from 99INFLUENCERS:improve/nist-csf-scrm-evidence-gates

Conversation

@99INFLUENCERS

Pull Request Checklist

Please confirm the following before submitting:

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources
  • Prompt Injection Safety Notice section preserved
  • injection-hardened: true remains set in frontmatter
  • allowed-tools remains scoped to minimum necessary permissions
  • Tested with at least one AI coding agent: OpenAI Codex
  • No prohibited patterns per SECURITY.md
  • index.yaml not applicable; this improves an existing skill

What This PR Does

Closes #1166.

Adds C-SCRM evidence gates to nist-csf-assessment so supplier inventory and contract clauses cannot over-score supply-chain maturity without operational evidence.

The change adds:

  • supplier concentration and substitutability evidence
  • fourth-party / subprocessor chain evidence
  • supplier incident participation evidence
  • supplier exit and technical offboarding evidence
  • not-evaluable reason codes for missing supplier evidence
  • report output fields for C-SCRM evidence detail
  • NIST SP 1305 and NIST SP 800-161 Rev. 1 references

Framework References

  • NIST CSF 2.0 GV.OC-05, GV.SC-04, GV.SC-07, GV.SC-08, GV.SC-09, GV.SC-10
  • NIST SP 1305, CSF 2.0 Quick-Start Guide for C-SCRM
  • NIST SP 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices

Testing

  • git diff --check
  • Markdown fence balance check: 18 fences, balanced
  • Marker checks for supplier concentration, fourth-party chain, supplier incident participation, supplier exit/offboarding, not-evaluable reason codes, and NIST SP 1305 / SP 800-161 references
  • Source URL checks returned HTTP 200 for NIST CSF 2.0, NIST SP 1305, and NIST SP 800-161 Rev. 1

Bounty Request

Improver Moderate ($100) if accepted. Payment details can be coordinated privately after maintainer acceptance.
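As an added illustration, not code from this PR or from the nist-csf-assessment skill itself, the following Python model shows the evidence-gate idea described above: a supplier that is only inventoried or only covered by contract clauses is held at a capped tier, full credit requires the four operational evidence categories the PR lists, and each missing category yields a not-evaluable reason code in the report output. The tier scale, the reason-code strings and the supplier records are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Operational evidence categories named in the PR description; the
# reason-code strings are constructed for this example, not the skill's own.
OPERATIONAL_EVIDENCE = {
    "concentration_substitutability": "NE-SCRM-CONCENTRATION",
    "fourth_party_chain": "NE-SCRM-FOURTH-PARTY",
    "incident_participation": "NE-SCRM-INCIDENT-PARTICIPATION",
    "exit_offboarding": "NE-SCRM-EXIT-OFFBOARDING",
}

# Assumed tier scale: 0 not inventoried, 1 inventoried, 2 contract clauses
# present, 3 operationally evidenced. Documentation alone can reach tier 2
# at most; tier 3 requires every operational category to be evidenced.
CAP_WITHOUT_OPERATIONAL_EVIDENCE = 2


@dataclass
class SupplierEvidence:
    name: str
    inventory_listed: bool
    contract_clauses: bool
    operational: dict = field(default_factory=dict)  # category -> present?


def score_supplier(ev):
    """Return (tier, not_evaluable_reason_codes) for one supplier."""
    if not ev.inventory_listed:
        return 0, ["NE-SCRM-NOT-INVENTORIED"]
    missing = [code for cat, code in OPERATIONAL_EVIDENCE.items()
               if not ev.operational.get(cat, False)]
    if missing:
        # Gate: contract language alone cannot lift the supplier past the cap.
        documentary = 2 if ev.contract_clauses else 1
        return min(documentary, CAP_WITHOUT_OPERATIONAL_EVIDENCE), missing
    return 3, []


def assess(suppliers):
    """Build C-SCRM evidence-detail report fields for each supplier."""
    report = []
    for ev in suppliers:
        tier, reasons = score_supplier(ev)
        report.append({"supplier": ev.name, "scrm_tier": tier,
                       "gated": bool(reasons) and ev.contract_clauses,
                       "not_evaluable": reasons})
    return report


# Constructed sample records (not real suppliers).
SAMPLE_SUPPLIERS = [
    SupplierEvidence("cloud-vendor-a", True, True, {"fourth_party_chain": True}),
    SupplierEvidence("saas-vendor-b", True, True, {c: True for c in OPERATIONAL_EVIDENCE}),
    SupplierEvidence("shadow-vendor-c", False, False),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_SUPPLIERS):
        print(row)
```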


Development

Successfully merging this pull request may close these issues.

[REVIEW] nist-csf-assessment: add supplier concentration and exit evidence gates
