Compliance Documentation Navigation Guide

Framework: Excalibur.Dispatch Purpose: Visual navigation for compliance documentation Last Updated: 2026-01-01

---

Overview

This guide provides visual diagrams to help you navigate the compliance documentation and understand the implementation workflow.

Diagrams:

1. User Journey - Choosing Your Path
2. Documentation Structure
3. Implementation Workflow
4. Evidence Collection Pipeline
5. Certification Timeline

---

1. User Journey - Choosing Your Path

---

2. Documentation Structure

---

3. Implementation Workflow

---

4. Evidence Collection Pipeline

---

5. Certification Timeline

FedRAMP Timeline (6-12 months)

GDPR Timeline (3-6 months)

SOC 2 Type I Timeline (3-6 months)

SOC 2 Type II Timeline (12-18 months)

HIPAA Timeline (6-12 months)

---

Quick Reference Table

Step	FedRAMP	GDPR	SOC 2 Type I	SOC 2 Type II	HIPAA
1. Preparation	Risk assessment, scope	DPIA, scope	Scope definition	Type I complete	Engage specialist
2. Install	2 weeks	2 weeks	2 weeks	N/A	2 weeks
3. Implement	9 weeks (14 controls)	7 weeks (Articles 17, 30, 32)	8 weeks (Security + optional)	N/A	12 weeks (§164.312)
4. Policies	SSP, SAR	Privacy policy, RoPA	System description	N/A	Security + Privacy policies
5. Tests	80 conformance tests	80 conformance tests	Automated validators	N/A	80 conformance tests
6. Evidence	SBOM, scans, audit logs	Erasure certs, RoPA	Reports, logs	Continuous	Audit logs, BAAs
7. Audit	3PAO (3 months)	External DPO (1 month)	CPA (2 months)	CPA (2 months)	External (2 months)
8. Timeline	6-12 months	3-6 months	3-6 months	12-18 months	6-12 months

---

Navigation Shortcuts

By Role

Developers:

1. Start: Quick Start Guide
2. Reference: Framework Capabilities
3. Code Examples: Individual checklists (fedramp.md, gdpr.md, soc2.md, hipaa.md)

Compliance Officers:

1. Start: Compliance Checklists
2. Evidence: Evidence Automation
3. Timeline: Certification Roadmap

Auditors:

1. Evidence: eng/compliance/collect-evidence.*
2. Conformance: 80 tests (Audit, Erasure, LegalHold, DataInventory)
3. Reports: Type I/II generation (SOC 2), SBOM artifacts (FedRAMP)

Management:

1. Overview: index.md
2. Timeline: Certification Roadmap
3. Costs: External audit fees + training + policies

By Task

"I need to get started" → Quick Start Guide

"I need FedRAMP certification" → checklists/fedramp.md

"I need GDPR compliance" → checklists/gdpr.md

"I need SOC 2 certification" → checklists/soc2.md

"I need HIPAA compliance" → checklists/hipaa.md

"I need to collect evidence" → Evidence Automation → eng/compliance/collect-evidence.*

"I need to understand what the framework provides" → Framework Capabilities

"I need help choosing" → User Journey Diagram

"I need to know the timeline" → Certification Timeline

---

Related Documentation

Within Compliance:

• index.md - Main compliance index
• quick-start.md - 30-minute getting started
• checklists/ - 4 detailed certification checklists
• fedramp/ - FedRAMP-specific documentation

Framework Documentation:

• ../security/ - Security implementation guides
• ../advanced/ - Advanced topics (deployment, testing, performance)
• ../../eng/compliance/ - Evidence automation scripts

External Standards:

• FedRAMP Program
• NIST SP 800-53 Rev 5
• GDPR Official Text
• AICPA Trust Services Criteria
• HHS HIPAA

---

Last Updated: 2026-01-01 Next Review: 2026-04-01 Framework: Excalibur 1.0.0

See Also

• Compliance Overview — Main compliance documentation index with framework capabilities and evidence automation
• Quick Start Guide — Get baseline compliance capabilities running in 30 minutes
• Audit Logging — Configure and use audit logging for compliance evidence collection