Conversation

@jpower432 jpower432 commented Dec 4, 2025

Description

This PR implements an architectural redesign of Layer 3 (Policy) to support policy inheritance and embed evaluation planning directly within policy documents.

Key Changes

  1. Policy Inheritance: Policies can now import other policies (including baseline policies) through the new imported-policies field, enabling organizations to build policy hierarchies (suggested baseline → organizational → department → project).

  2. Baseline Creation in Layer 3: Baseline creation has been moved from Layer 1 (Guidance) to Layer 3 (Policy), where it belongs as a risk-informed organizational decision. Baselines are now created as Layer 3 Policy documents that reference Layer 1 Guidance and Layer 2 Controls with modifications.

  3. Embedded Evaluation Planning: Evaluation planning is now embedded directly in Policy documents through ImplementationPlan.evaluators and AssessmentRequirementExtensions, eliminating the need for separate Layer 4 evaluation plan documents.

Schema Changes

Schema Changes Made

  • No schema changes
  • Layer 1 schema (schemas/layer-1.cue) changes
  • Layer 2 schema (schemas/layer-2.cue) changes
  • Layer 3 schema (schemas/layer-3.cue) changes
  • Layer 4 schema (schemas/layer-4.cue) changes

Schema Change Details

Layer 1 (Guidance) Changes:

  • Renamed #GuidanceDocument to #Guidance for consistency
  • Simplified #Guideline structure: removed guideline-parts field, replaced with statements field
  • Renamed #Part to #Statement to better reflect its purpose
  • Updated #Rationale structure: changed from risks/outcomes to importance/goals
  • Added extends field to #Guideline for control enhancements and supplemental guidance
  • Updated see-also to use #SingleMapping instead of plain strings

Layer 3 (Policy) Changes:

  • Renamed #PolicyDocument to #Policy for consistency
  • Added imported-policies field: Enables policy-to-policy inheritance, allowing policies to import baseline policies and other organizational policies
  • Made reference fields optional: guidance-references and control-references are now optional, as policies can be built entirely through imported-policies
  • Enhanced #PolicyMapping: Removed in-scope/out-of-scope fields, added statement-modifications for fine-grained control
  • Refactored #ControlModifier: Replaced inline fields with overrides and extensions pattern
  • Added #ControlExtensions: New structure for control-specific metadata (severity, auto-remediation-allowed, deployment-gate-allowed)
  • Added #Severity type: New enum type (Critical, High, Medium, Low, Info, Unknown) for policy-driven severity assignment
  • Refactored #AssessmentRequirementModifier: Replaced inline fields with overrides and extensions pattern
  • Added #AssessmentRequirementExtensions: New structure for evaluation planning metadata (required-evaluators, optional-evaluators, evaluation-points, resolution-strategy, evidence-requirements)
  • Added #ResolutionStrategy type: New enum type (MostSevere, ManualOverride, AuthoritativeConfirmation) for resolving conflicts between multiple evaluators
  • Simplified #GuidelineModifier: Now uses overrides pattern instead of inline fields
  • Updated #ImplementationPlan:
    • Renamed evaluation to evaluation-timeline and enforcement to enforcement-timeline
    • Added evaluators field (replacing separate evaluation plan documents)
    • Renamed noncompliance-plan to noncompliance-consequence
    • Made notes optional in #ImplementationDetails

Layer 4 (Evaluation) Changes:

  • Removed #EvaluationPlan: Evaluation plans are no longer separate documents
  • Removed #AssessmentPlan, #Assessment, and #AssessmentProcedure: These structures are no longer needed as evaluation planning is embedded in Layer 3
  • Simplified #AssessmentLog: Removed procedure field as procedures are now defined in Layer 3 policy extensions

Testing

  • Unit tests added/updated
  • Manual testing performed
  • Test data updated (if applicable)

Related Issues

Blocked by #200
Partial closes #170

Reviewer Hints

@jpower432 jpower432 changed the title from "Layer3 redesign" to "feat!: move baselines and evaluation planning to Layer 3" Dec 4, 2025
@jpower432 jpower432 marked this pull request as ready for review December 4, 2025 21:59
@jpower432 jpower432 requested a review from a team as a code owner December 4, 2025 21:59
@jpower432 jpower432 force-pushed the layer3-redesign branch 3 times, most recently from aebec9a to 2dbe256 December 5, 2025 04:02
@jpower432 (Contributor, Author):

Temporarily putting this back in draft to fix the Unverified commits.

@jpower432 jpower432 marked this pull request as draft December 5, 2025 17:46
Commits:

Moves baseline creation and evaluation planning into Layer 3 (Policy).
Adds Severity and ResolutionStrategy types, updates schemas, and removes separate
evaluation plan documents.

Moves checklist logic to a new package and updates it to use Layer 3 (Policy).

BREAKING CHANGE: Baselines now in Layer 3, evaluation planning
embedded in Policy documents, evaluation plan documents removed.

Assisted by: Composer (Cursor AI)
Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

Only require one function call to create a
Markdown Checklist

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>

Signed-off-by: Jennifer Power <barnabei.jennifer@gmail.com>
@jpower432 jpower432 marked this pull request as ready for review December 5, 2025 18:03
Development

Successfully merging this pull request may close these issues.

Enhance multi-source evaluation support in Layer 4/5