Policy
Experimental
Policy represents a policy document with metadata, contacts, scope, imports, implementation plan, risks, and adherence requirements.
- adherence (Adherence, Required): Adherence defines evaluation methods, assessment plans, enforcement methods, and non-compliance notifications.
- contacts (RACI, Required): RACI defines the roles responsible for managing an artifact.
- imports (Imports, Required): Imports defines external policies, controls, and guidelines required by this policy.
- metadata (object, Required)
- scope (Scope, Required): Scope defines what is included and excluded from policy applicability.
- title (string, Required)
- implementation-plan (ImplementationPlan): ImplementationPlan defines when and how the policy becomes active.
- risks (Risks): Risks defines mitigated and accepted risks addressed by this policy.
Scope
Experimental
Scope defines what is included and excluded from policy applicability.
- in (Dimensions, Required): Dimensions specify the applicability criteria for a policy.
- out (Dimensions): Dimensions specify the applicability criteria for a policy.
Dimensions
Experimental
Dimensions specify the applicability criteria for a policy.
- geopolitical (array[string]): geopolitical is an optional list of geopolitical regions.
- groups (array[string])
- sensitivity (array[string]): sensitivity is an optional list of data classification levels.
- technologies (array[string]): technologies is an optional list of technology categories or services.
- users (array[string]): users is an optional list of user roles.
Imports
Experimental
Imports defines external policies, controls, and guidelines required by this policy.
- catalogs (array[CatalogImport])
- guidance (array[GuidanceImport])
- policies (array[ArtifactMapping])
ImplementationPlan
Experimental
ImplementationPlan defines when and how the policy becomes active.
- enforcement-timeline (ImplementationDetails, Required): ImplementationDetails specifies the timeline for policy implementation.
- evaluation-timeline (ImplementationDetails, Required): ImplementationDetails specifies the timeline for policy implementation.
- notification-process (string)
ImplementationDetails
Experimental
ImplementationDetails specifies the timeline for policy implementation.
- notes (string, Required)
- start (Datetime, Required): Datetime represents an ISO 8601 formatted datetime string.
- end (Datetime): Datetime represents an ISO 8601 formatted datetime string.
Risks
Experimental
Risks defines mitigated and accepted risks addressed by this policy.
- accepted (array[AcceptedRisk]): Accepted risks require a rationale (justification) and may include a scope. Controls addressing these risks are implicitly identified through threat mappings.
- mitigated (array[MitigatedRisk]): Mitigated risks only need reference-id and risk-id (no justification required).
MitigatedRisk
Experimental
MitigatedRisk represents a risk addressed by the policy.
- id (string, Required): id allows this mitigated risk entry to be referenced by accepted risks.
- risk (EntryMapping, Required): risk references the risk being mitigated.
AcceptedRisk
Experimental
AcceptedRisk documents a risk the organization has chosen to accept.
- id (string, Required): id allows this accepted risk entry to be referenced.
- risk (EntryMapping, Required): risk references the risk being accepted.
- justification (string): justification explains why the risk is accepted.
- scope (Scope): scope defines where the risk acceptance applies.
- target-id (string): target-id optionally links this acceptance to a mitigated risk entry.
Adherence
Experimental
Adherence defines evaluation methods, assessment plans, enforcement methods, and non-compliance notifications.
- assessment-plans (array[AssessmentPlan])
- enforcement-methods (array[AcceptedMethod])
- evaluation-methods (array[AcceptedMethod])
- non-compliance (string)
AssessmentPlan
Experimental
AssessmentPlan defines how a specific assessment requirement is evaluated.
- evaluation-methods (array[AcceptedMethod], Required)
- frequency (string, Required)
- id (string, Required)
- requirement-id (string, Required)
- evidence-requirements (string)
- parameters (array[Parameter])
AcceptedMethod
Experimental
AcceptedMethod defines a method for evaluation or enforcement.
- id (string, Required)
- mode (ModeType, Required)
- required (string, Required)
- type (MethodType, Required)
- description (string)
- executor (Actor): Actor represents an entity (human or tool) that performs actions in evaluations.
ModeType
- Type: string
MethodType
- Type: string
Parameter
Experimental
Parameter defines a configurable parameter for assessment or enforcement activities.
- description (string, Required)
- id (string, Required)
- label (string, Required)
- accepted-values (array[string])
GuidanceImport
Experimental
GuidanceImport defines how to import guidance documents with optional exclusions and constraints.
- reference-id (string, Required)
- constraints (array[Constraint]): Constraints allow policy authors to define ad hoc minimum requirements (e.g., "review at least annually").
- exclusions (array[string])
CatalogImport
Experimental
CatalogImport defines how to import control catalogs with optional exclusions, constraints, and assessment requirement modifications.
- reference-id (string, Required)
- assessment-requirement-modifications (array[AssessmentRequirementModifier])
- constraints (array[Constraint])
- exclusions (array[string])
Constraint
Experimental
Constraint defines a prescriptive requirement that applies to a specific guidance or control.
- id (string, Required): Unique ID for this constraint, enabling Layer 5/6 tracking.
- target-id (string, Required): Links to the specific Guidance or Control being constrained.
- text (string, Required): The prescriptive requirement/constraint text.
AssessmentRequirementModifier
Experimental
AssessmentRequirementModifier allows organizations to customize assessment requirements based on how an organization wants to gather evidence for the objective.
- id (string, Required)
- modification-rationale (string, Required)
- modification-type (ModType, Required): ModType defines the type of modification to the assessment requirement.
- target-id (string, Required)
- applicability (array[string]): The updated applicability of the assessment requirement.
- recommendation (string): The updated recommendation for the assessment requirement.
- text (string): The updated text of the assessment requirement.
ModType
ModType defines the type of modification to the assessment requirement.
- Type: string
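The schema above states which fields are Required and, in prose, two rules that a field list alone does not capture: an accepted risk needs a justification, and its target-id should point at an existing mitigated risk entry. The following is an added example, not code from the schema's own project, that checks those rules together with the required fields and the ISO 8601 start/end ordering of ImplementationDetails. It assumes the policy document has already been loaded from YAML or JSON into a plain dict keyed by the hyphenated field names on the page; the sample document is constructed, and the shapes of metadata, contacts (RACI) and risk (EntryMapping) as well as the mode/type values are assumptions, since the page does not define them.

```python
"""Structural validator for a policy document shaped like the Policy schema (added
example, not the schema project's code; assumes the document is already a dict
loaded from YAML or JSON, keyed by the hyphenated field names on the page)."""
from datetime import datetime

# Required fields per type, taken from the "Required" markers on the page.
REQUIRED = {
    "Policy": ["adherence", "contacts", "imports", "metadata", "scope", "title"],
    "Scope": ["in"],
    "ImplementationPlan": ["enforcement-timeline", "evaluation-timeline"],
    "ImplementationDetails": ["notes", "start"],
    "MitigatedRisk": ["id", "risk"],
    "AcceptedRisk": ["id", "risk"],
    "AssessmentPlan": ["evaluation-methods", "frequency", "id", "requirement-id"],
    "AcceptedMethod": ["id", "mode", "required", "type"],
}

def _require(obj, type_name, path, errors):
    """Report each Required field of type_name that is absent from obj."""
    for key in REQUIRED[type_name]:
        if key not in obj:
            errors.append(f"{path}: missing required field '{key}' ({type_name})")

def _check_details(details, path, errors):
    """ImplementationDetails: start/end are ISO 8601; end must not precede start."""
    _require(details, "ImplementationDetails", path, errors)
    stamps = {}
    for key in ("start", "end"):
        if key in details:
            try:  # fromisoformat wants an explicit offset, so map a trailing 'Z' to +00:00
                stamps[key] = datetime.fromisoformat(str(details[key]).replace("Z", "+00:00"))
            except ValueError:
                errors.append(f"{path}.{key}: not an ISO 8601 datetime")
    if "start" in stamps and "end" in stamps and stamps["end"] < stamps["start"]:
        errors.append(f"{path}: end precedes start")

def _check_risks(risks, errors):
    """Mitigated ids must be unique; an accepted risk's target-id must name one of them."""
    mitigated_ids = set()
    for i, m in enumerate(risks.get("mitigated", [])):
        path = f"policy.risks.mitigated[{i}]"
        _require(m, "MitigatedRisk", path, errors)
        mid = m.get("id")
        if mid in mitigated_ids:
            errors.append(f"{path}: duplicate mitigated risk id '{mid}'")
        mitigated_ids.add(mid)
    for i, a in enumerate(risks.get("accepted", [])):
        path = f"policy.risks.accepted[{i}]"
        _require(a, "AcceptedRisk", path, errors)
        # The page says accepted risks require a justification although the field
        # is not marked Required, so that rule is enforced here.
        if not a.get("justification"):
            errors.append(f"{path}: accepted risk has no justification")
        target = a.get("target-id")
        if target is not None and target not in mitigated_ids:
            errors.append(f"{path}: target-id '{target}' matches no mitigated risk id")
        if "scope" in a:
            _require(a["scope"], "Scope", f"{path}.scope", errors)

def validate_policy(doc):
    """Return the list of problems found; an empty list means the document passed."""
    errors = []
    _require(doc, "Policy", "policy", errors)
    if "scope" in doc:
        _require(doc["scope"], "Scope", "policy.scope", errors)
    plan = doc.get("implementation-plan")
    if plan is not None:
        _require(plan, "ImplementationPlan", "policy.implementation-plan", errors)
        for key in ("evaluation-timeline", "enforcement-timeline"):
            if key in plan:
                _check_details(plan[key], f"policy.implementation-plan.{key}", errors)
    _check_risks(doc.get("risks", {}), errors)
    adherence = doc.get("adherence", {})
    for i, ap in enumerate(adherence.get("assessment-plans", [])):
        path = f"policy.adherence.assessment-plans[{i}]"
        _require(ap, "AssessmentPlan", path, errors)
        for j, m in enumerate(ap.get("evaluation-methods", [])):
            _require(m, "AcceptedMethod", f"{path}.evaluation-methods[{j}]", errors)
    return errors

# Constructed sample document (not a real organization's policy). The shapes of
# metadata, contacts (RACI) and risk (EntryMapping) are not defined on the page
# and are assumed here, as are the mode/type values.
SAMPLE_POLICY = {
    "title": "Example encryption-at-rest policy",
    "metadata": {"id": "POL-EXAMPLE-001"},
    "contacts": {"responsible": ["platform-security"]},
    "imports": {"catalogs": [{"reference-id": "CATALOG-EXAMPLE"}]},
    "scope": {"in": {"technologies": ["object-storage"], "sensitivity": ["confidential"]}},
    "implementation-plan": {
        "evaluation-timeline": {"notes": "Inventory buckets", "start": "2025-01-01T00:00:00Z",
                                "end": "2025-03-31T00:00:00Z"},
        "enforcement-timeline": {"notes": "Block unencrypted buckets", "start": "2025-04-01T00:00:00Z"},
    },
    "risks": {
        "mitigated": [{"id": "MR-1", "risk": {"reference-id": "RISKS-EXAMPLE", "entry-id": "R-1"}}],
        "accepted": [{"id": "AR-1", "risk": {"reference-id": "RISKS-EXAMPLE", "entry-id": "R-1"},
                      "justification": "Read-only legacy archive pending decommission",
                      "target-id": "MR-1", "scope": {"in": {"technologies": ["legacy-archive"]}}}],
    },
    "adherence": {"assessment-plans": [{
        "id": "AP-1", "requirement-id": "REQ-EXAMPLE-1", "frequency": "quarterly",
        "evaluation-methods": [{"id": "M-1", "mode": "automated", "required": "true", "type": "technical"}],
    }]},
}

if __name__ == "__main__":
    print(validate_policy(SAMPLE_POLICY) or "policy document passed structural checks")
```

The validator reports every problem it finds rather than stopping at the first, so a policy author gets one complete list per run; referential checks (target-id against mitigated ids, duplicate ids) are the ones a plain schema validator would miss, which is why they are separated into their own function.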