Compliance Documentation
Excalibur provides comprehensive compliance features for enterprise regulatory requirements including FedRAMP, GDPR, SOC 2, and HIPAA.
Quick Navigationโ
๐ Getting Startedโ
New to compliance? Start with the Quick Start Guide - a 30-minute walkthrough covering installation, configuration, and verification.
Visual learner? Check out the Navigation Guide with flowcharts, diagrams, and timelines for all frameworks.
๐ Certification Checklistsโ
Step-by-step guides for achieving compliance certification:
| Framework | When to Use | Checklist | Certification Time |
|---|---|---|---|
| FedRAMP | Selling to US federal government | NIST 800-53 (14/14 controls) | 6-12 months |
| GDPR | Processing EU resident data | Articles 17, 30, 32 | 3-6 months |
| SOC 2 | SaaS, cloud, MSP businesses | Trust Services Criteria | 3-18 months |
| HIPAA | Healthcare data (PHI) | Security + Privacy Rules | 6-12 months |
๐ง Framework Featuresโ
Core compliance capabilities provided by Excalibur.Dispatch:
| Feature | Documentation | FedRAMP | GDPR | SOC 2 | HIPAA |
|---|---|---|---|---|---|
| Access Control | Security Guide | AC-3, AC-6 | Art 32 | CC5, CC6 | ยง164.312(a) |
| Audit Logging | Audit Logging | AU-2, AU-3, AU-9 | Art 32 | CC4, CC7 | ยง164.312(b) |
| Encryption | Encryption Architecture | SC-28 | Art 25, 32 | C2 | ยง164.312(a)(2)(iv) |
| Data Masking | Data Masking | N/A | Art 32 | C2 | ยง164.312 |
| GDPR Erasure | GDPR Erasure | N/A | Art 17 | C3 | Disposal |
๐ FedRAMP Epic Closureโ
Status: โ 14/14 NIST 800-53 controls SATISFIED (100% complete)
The FedRAMP compliance epic (i43v) has been successfully closed after a 7-sprint journey (Sprints 265-272):
- FedRAMP Overview - Complete 14/14 control implementation
- CM-8 SBOM - Software Bill of Materials (CycloneDX)
Compliance Overviewโ
flowchart TB
subgraph Framework["Excalibur Framework"]
AC[Access Control<br/>RequirePermission]
AL[Audit Logging<br/>IAuditLogger]
EN[Encryption<br/>IEncryptionProvider]
ER[GDPR Erasure<br/>IErasureService]
DM[Data Masking]
end
subgraph Standards["Regulatory Standards"]
FR[FedRAMP<br/>NIST 800-53]
GD[GDPR<br/>EU 2016/679]
S2[SOC 2<br/>Trust Services]
HP[HIPAA<br/>Security + Privacy]
end
AC --> FR
AC --> GD
AC --> S2
AC --> HP
AL --> FR
AL --> GD
AL --> S2
AL --> HP
EN --> FR
EN --> GD
EN --> S2
EN --> HP
ER --> GD
ER --> S2
DM --> HP
DM --> GD
Quick Startโ
Install Packagesโ
All frameworks require the core security packages:
# Core domain capabilities (required for all)
dotnet add package Excalibur.Domain
# Compliance features (GDPR erasure, SOC 2 validation)
dotnet add package Excalibur.Dispatch.Compliance
# Audit logging
dotnet add package Excalibur.Dispatch.AuditLogging
# For production audit persistence (SQL Server)
dotnet add package Excalibur.Dispatch.AuditLogging.SqlServer
# For production erasure/legal hold persistence (SQL Server)
dotnet add package Excalibur.Compliance.SqlServer
Basic Configurationโ
using Excalibur.Dispatch.Compliance;
var builder = WebApplication.CreateBuilder(args);
// 1. Access Control (All frameworks)
builder.Services.AddAuthorization();
// 2. Encryption (FedRAMP, GDPR, SOC 2, HIPAA)
builder.Services.AddEncryption(encryption => encryption
.UseKeyManagement<AesGcmEncryptionProvider>("aes-gcm-primary")
.ConfigureOptions(options => options.DefaultPurpose = "field-encryption"));
// 3. Audit Logging (All frameworks)
builder.Services.AddSqlServerAuditStore(options =>
{
options.ConnectionString = builder.Configuration.GetConnectionString("Compliance")!;
options.SchemaName = "audit";
options.EnableHashChain = true;
});
// 4. GDPR Erasure (GDPR + optional for others)
builder.Services.AddGdprErasure(options =>
{
options.DefaultGracePeriod = TimeSpan.FromHours(72);
options.RequireVerification = true;
});
Usage Exampleโ
using Excalibur.Dispatch.Compliance;
// 1. Annotate sensitive data for automatic encryption
public class Patient
{
public Guid Id { get; set; }
[PersonalData] // Automatically encrypted at rest
public string FirstName { get; set; }
[PersonalData]
[Sensitive]
public string SSN { get; set; }
}
// 2. Audit access using IAuditStore
public class PatientService
{
private readonly IAuditStore _auditStore;
public async Task<Patient> GetPatientAsync(Guid patientId, CancellationToken ct)
{
var patient = await _repository.GetAsync(patientId, ct);
await _auditStore.StoreAsync(new AuditEvent
{
EventId = Guid.NewGuid().ToString(),
EventType = AuditEventType.DataAccess,
Action = "Patient.Read",
ActorId = _currentUser.Id,
ResourceId = patientId.ToString(),
ResourceType = "Patient",
Outcome = AuditOutcome.Success,
Timestamp = DateTimeOffset.UtcNow
}, ct);
return patient;
}
}
Framework Capabilities vs Consumer Responsibilitiesโ
What Excalibur Provides โ โ
- Technical Controls: Encryption, audit logging, access control, erasure
- Conformance Tests: 80 automated tests (Audit, Erasure, LegalHold, DataInventory)
- Evidence Collection: Automated scripts for CI/CD artifacts
- SBOM Generation: CycloneDX format with 90-day retention
- Security Scanning: SAST, DAST, container, secrets scanning
What Consumers Must Implement โ ๏ธโ
- Organizational Policies: Risk assessments, security policies, privacy policies
- Business Processes: Consent management, incident response, breach notification
- Training: Annual security awareness, HIPAA training, GDPR training
- Documentation: System Security Plans (SSP), Records of Processing Activities (RoPA)
- Infrastructure: TLS configuration, key management, backup/recovery
Evidence Automationโ
Automated scripts for collecting compliance evidence from CI/CD pipelines:
Available Scriptsโ
| Script | Purpose | Platform |
|---|---|---|
collect-evidence.ps1 | Collect CI/CD evidence | PowerShell/Windows |
collect-evidence.sh | Collect CI/CD evidence | Bash/Linux/macOS |
generate-evidence-package.ps1 | Create ZIP archive | PowerShell/Windows |
export-audit-samples.sh | Export audit logs | Bash/Linux/macOS |
generate-ropa-template.sh | Generate RoPA template | Bash/Linux/macOS |
Location: eng/compliance/ in repository root
Evidence Types Collectedโ
- Test Results: JUnit XML, code coverage (โฅ60% enforced)
- Security Scans: SAST (CodeQL), DAST (OWASP ZAP), container (Trivy), secrets (Gitleaks)
- SBOM: CycloneDX JSON/XML (90-day retention)
- Audit Logs: Sample templates (anonymized)
- Requirements Traceability: RTM validation results
Certification Roadmapโ
Typical timelines for achieving compliance certification:
| Framework | Type | Duration | Key Milestones |
|---|---|---|---|
| FedRAMP | Moderate | 6-12 months | Risk assessment โ SSP โ 3PAO โ PMO review |
| GDPR | Full Compliance | 3-6 months | Risk assessment โ Policies โ DPIA โ Audit |
| SOC 2 Type I | Point-in-time | 3-6 months | Scope โ Implementation โ Readiness โ Audit |
| SOC 2 Type II | 6-12 month period | 12-18 months | Type I + observation + audit |
| HIPAA | Compliance | 6-12 months | Risk assessment โ Policies โ Training โ Audit |
Legacy Featuresโ
The following features were part of the original compliance module and remain available:
Data Maskingโ
Protect sensitive data (PII/PHI) in logs, responses, and error messages.
Learn more about Data Masking โ
GDPR Erasureโ
Basic GDPR erasure implementation with crypto-shredding.
Learn more about GDPR Erasure โ
Audit Loggingโ
Tamper-evident logging with hash chain integrity.
Learn more about Audit Logging โ
Recommendation
For new implementations, use the comprehensive compliance capabilities described in the Quick Start Guide and certification checklists rather than the legacy features.
Next Stepsโ
- Choose Your Framework: Review the Quick Start Guide decision tree
- Follow the Checklist: Select from FedRAMP, GDPR, SOC 2, or HIPAA
- Collect Evidence: Use automated scripts in
eng/compliance/ - Engage Auditor: 3PAO (FedRAMP), CPA (SOC 2), DPO (GDPR), or HIPAA specialist
Supportโ
Questions:
- Product Manager: Compliance scope, legal basis, privacy policies
- Software Architect: Technical implementation, architecture decisions
- Project Manager: Evidence packages, audit coordination
Escalation:
- Security incidents: Follow breach notification procedures
- Compliance gaps: Create GitHub issue with
compliancelabel - Audit requests: Contact Project Manager for evidence package
See Alsoโ
- Quick Start - 30-minute compliance setup guide
- Audit Logging - Tamper-evident audit logging with hash chain integrity
- GDPR Erasure - Right to be forgotten with cryptographic deletion
- Compliance Checklists - FedRAMP, SOC 2, GDPR, and HIPAA checklists
Framework Version: Excalibur 1.0.0 Last Updated: 2026-02-09 Status: Technical controls implemented for FedRAMP, GDPR, SOC 2, HIPAA. Full certification requires organizational policies, processes, and external audit.