feat: adds initial schema for Layer 5 (for discussion) #165
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Assisted by: Cursor Agent Signed-off-by: Jennifer Power <[email protected]>
jpower432
commented
Oct 22, 2025
| #EnforcementAction: { | ||
| metadata: #Metadata | ||
| // Executed indicates whether the enforcement action was successfully executed. | ||
| executed: bool |
There was a problem hiding this comment.
Consideration here - It might be useful to include a more descriptive status here if there was an failure during the enforcement action.
jpower432
commented
Oct 22, 2025
| #Result: "Not Run" | "Passed" | "Failed" | "Needs Review" | "Not Applicable" | "Unknown" | ||
|
|
||
| // RiskLevel from Layer 3 (Policy layer) | ||
| #RiskLevel: "Critical" | "High" | "Medium" | "Low" | "Informational" |
There was a problem hiding this comment.
This is not actually defined in explictly Layer 3, but we might want to introduce something like impact-level in Layer 3 at the maybe policy level and/or at the control level (ControlModifier?).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR introduces an initial structure for the Layer 5 schema for discussion
Main Points
Enforcement Actions
A new, top-level object,
EnforcementAction, is defined for declaring the required response to a set ofFindings. TheFindingis the interpreted outcome derived from a Layer 4AssessmentLog.The
EnforcementActioncorresponds to a single control from Layer 2/3, but can be a response to zero or more failures from Layer 4.The
EnforcementActionoptionally links to external enforcement , notification, or remediation plans. This approach is similar to how the non-compliance-plan is referenced in Layer 3.Schema Reuse
Several type definitions are reused directly from Layer 4 like
Mapping,MappingReferences, andMetadata.Exceptions and Risk
This
risk-levelis explicitly attached enforcement exceptions. I'm thinking we might want to introduce the concept of risk a little earlier, but it made sense here (e.g. accepted risk).Closes #158