Compliance

Compliance#

Compliance Assessment Attributes#

Attributes added by compliance assessment tools to map policy results to compliance frameworks. Provides compliance context, risk assessment, and regulatory mapping for audit and reporting. Maps to GEMARA Layer 5 (Enforcement) for Policy-as-Code workflows.

Attribute	Type	Description	Examples	Stability
compliance.assessment.id	string	Unique identifier for the compliance assessment run or session. Used to group findings from the same assessment execution.	assessment-2024-001; scan-run-abc123; compliance-check-xyz789
compliance.control.applicability	string[]	Environments or contexts where this control applies.	["Production", "Staging"]; ["All Environments"]; ["Kubernetes", "AWS"]
compliance.control.catalog.id	string	Unique identifier for the security control catalog or framework.	OSPS-B; CCC; CIS
compliance.control.category	string	Category or family that the security control belongs to.	Access Control; Quality
compliance.control.id	string	Unique identifier for the security control and assessment requirement being assessed.	OSPS-QA-07.01
compliance.enrichment.status	string	Result of the compliance framework mapping and enrichment process, indicating whether compliance context was successfully added to the event.	Success; Unmapped; Partial
compliance.frameworks	string[]	Regulatory or industry standards being evaluated for compliance.	["NIST-800-53", "ISO-27001"]
compliance.remediation.action	string	Remediation action determined by the policy engine in response to the compliance assessment result.	Block; Allow; Remediate
compliance.remediation.description	string	Description of the recommended remediation strategy for this control.	This is a short description of the remediation strategy for this control.
compliance.remediation.exception.active	boolean	Whether the exception is active for this enforcement.	true; false
compliance.remediation.exception.id	string	Unique identifier for the approved exception, if applicable.	EX-2025-10-001; WAIVE-AC-1-001
compliance.remediation.status	string	Outcome of the remediation action execution, indicating whether the remediation was successfully applied.	Success; Fail; Skipped
compliance.requirements	string[]	Compliance requirement identifiers from the frameworks impacted.	["AC-1", "A.9.1.1"]
compliance.risk.level	string	Severity classification of the risk posed by non-compliance with the control requirement.	Critical; High; Medium
compliance.status	string	Overall compliance determination for the assessed resource or control, indicating whether it meets the compliance requirements.	Compliant; Non-Compliant; Exempt

compliance.enrichment.status has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

compliance.remediation.action has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

compliance.remediation.status has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

compliance.risk.level has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

compliance.status has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.