Add compliance framework reference: HIPAA, SOC 2, GDPR, FedRAMP
Each framework defined with: what it is, who must comply, penalties, relevance to the triad revenue model. Revenue table at bottom maps each to gate package price, what it buys, and the buyer segment. Cross-references the full economics knowledge base.
208
ideas/passepartout-economics/compliance-framework-reference.org
Normal file
@@ -0,0 +1,208 @@
:PROPERTIES:
:ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
:CREATED: [2026-05-23 Sat]
:END:
#+title: Compliance Framework Reference — HIPAA, SOC 2, GDPR, FedRAMP
#+filetags: :passepartout:compliance:reference:regulation:

The verification monopoly and domain gate package revenue streams depend on
selling into regulated industries. These industries buy compliance, not software.
The four frameworks below are the most commonly referenced across the triad
knowledge base. This file defines each one, the economic pressure it creates,
and where it maps to the revenue model.

* HIPAA (Health Insurance Portability and Accountability Act)

** What it is

US federal law enacted 1996. Governs how protected health information (PHI)
is stored, transmitted, and accessed. Two relevant rules:

- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
to access, amend, and request accounting of disclosures. Minimum necessary
standard — only the minimum PHI needed for the task may be used.
- **Security Rule:** administrative, physical, and technical safeguards for
electronic PHI (ePHI). Requires access controls, audit controls, integrity
controls, person/entity authentication, and transmission security.

** Who must comply

Covered entities (health plans, healthcare clearinghouses, healthcare providers
who transmit any ePHI) and business associates (any vendor handling PHI on behalf
of a covered entity). Business Associate Agreements (BAAs) are mandatory.

** Penalties

Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
violation category. Criminal penalties for knowing misuse (up to 10 years
imprisonment). State AGs can also bring civil actions.

** Why it matters for the triad

HIPAA is the largest single compliance market in US healthcare — every hospital,
clinic, insurer, and health-tech vendor must comply. The gate package for HIPAA
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
constraints. Every PHI access attempt passes through the gate stack, producing
a machine-checkable audit trail that satisfies the Security Rule's audit control
requirement automatically. No separate logging infrastructure needed.

See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]]

* SOC 2 (System and Organization Controls 2)

** What it is

An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
Certifies that a service organization's controls over security, availability,
processing integrity, confidentiality, and privacy meet defined criteria.

Five Trust Service Criteria (TSC):
- **Security** (mandatory): protection against unauthorized access (firewall,
access control, intrusion detection)
- **Availability** (optional): system available for operation and use as
committed (uptime, redundancy, disaster recovery)
- **Processing Integrity** (optional): system processing is complete, valid,
accurate, timely, and authorized
- **Confidentiality** (optional): information designated as confidential is
protected as committed
- **Privacy** (optional): personal information is collected, used, retained,
disclosed, and disposed of in conformity with commitments

Two types:
- **Type I:** controls are suitably designed at a specific point in time
- **Type II:** controls operated effectively over a period (6-12 months)

** Who must comply

Any SaaS or cloud service provider whose enterprise customers require audited
vendors. Table stakes for B2B — most enterprise procurement contracts require
SOC 2 Type II.

** Penalties

No direct fines (not a law). But losing SOC 2 certification means losing
enterprise customers. Misrepresentation of certification status is fraud.

** Why it matters for the triad

SOC 2 is the entry-level certification for the compute marketplace. A provider
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
requires audited vendors. The gate stack itself maps directly to the Security
criterion (access controls, audit trails) — the Passepartout instance's
deterministic gate log serves as the evidence artifact for the audit. No
separate logging SIEM needed.

See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:verification-monopoly.org][Verification monopoly]]

* GDPR (General Data Protection Regulation)

** What it is

EU regulation (effective May 2018) governing the processing of personal data of
natural persons in the EU. Extraterritorial — applies to any organization
processing EU personal data regardless of where the organization is based.

Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital
interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten),
data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors

** Who must comply

Any organization that processes personal data of EU residents. Includes
controllers (determine purposes and means) and processors (process on behalf
of controller). Non-EU organizations with EU data subjects are in scope.

** Penalties

Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
system. Supervisory authorities in each member state enforce. Private right
of action for damages.

** Why it matters for the triad

GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the compute
marketplace: a provider processing proofs on EU users' gate data must maintain
DPAs with all clients. Proof logs themselves may constitute personal data if
they reference natural persons (names in access rules, etc.), creating a
demand for privacy-preserving proof techniques.

See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:domain-gate-packages.org][Domain gate packages]]

* FedRAMP (Federal Risk and Authorization Management Program)

** What it is

US federal government's standardized approach to security assessment,
authorization, and continuous monitoring for cloud services. OMB policy
mandate — federal agencies must use FedRAMP-authorized services when available.

Three impact levels based on data sensitivity:

| Level | Data type | Examples | Cost to achieve | Timeline |
|---------|-----------|---------------------------------|-----------------|----------|
| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |

Two authorization paths:
- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
DOD. Hardest path, most reusable across agencies.
- **Agency:** authorization by a single federal agency for its own use. Faster
but less portable.

Requires continuous monitoring (monthly scans, annual assessments, POA&M
for findings).

** Who must comply

Any cloud service provider that sells to US federal agencies. Including
IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
are strongly discouraged from using non-authorized services.

** Penalties

No direct fines. Non-authorized providers are simply ineligible for federal
contracts. FedRAMP is a procurement gate, not a regulatory one.

** Why it matters for the triad

FedRAMP is the highest bar and the most expensive certification to obtain.
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
But those that do capture the US government market with minimal competition.
For the triad: a compute marketplace provider with FedRAMP Moderate or High
authorization can sell to every federal agency. The gate stack's deterministic
audit trail maps directly to FedRAMP's continuous monitoring requirement —
producing verifiable evidence of control effectiveness on every access, not
just during the annual assessment. FedRAMP gate package: $100K/yr (highest),
reflecting the certification cost.

See also: [[file:verification-monopoly.org][Verification monopoly]], [[file:domain-gate-packages.org][Domain gate packages]]

* What Each Framework Means for Revenue

| Framework | Gate package price | What it buys | Buyer |
|-----------|-------------------|--------------|-------|
| HIPAA | $50K/yr | ACL2-encoded Privacy + Security Rules; auto-generated audit trail replaces SIEM | Hospitals, insurers, health-tech |
| SOC 2 | $50K/yr | Gate stack evidence artifacts for Type II auditor; no separate logging | Any B2B SaaS needing enterprise procurement |
| GDPR | $50K/yr | Purpose-bound data access gates; built-in DPIA evidence; DPA templates | Any org with EU data subjects |
| FedRAMP | $100K/yr | Deterministic continuous monitoring; control evidence on every access (not annual) | Federal contractors, defense, critical infra |

A single enterprise running all four packages generates $250K/yr in gate
package revenue. With infrastructure lock-in, that grows to $500K-$1M/yr
by year five as the fact store accumulates compliance decisions.

See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]],
[[file:verification-monopoly.org][Verification monopoly]], [[file:compute-marketplace.org][Compute marketplace]],
[[file:evaluation-harness.org][Evaluation harness]], [[file:passepartout-economics.org][Passepartout economics index]]
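Review bot: the "replaces logging" claims in this file overstate what an access-decision log covers, and they appear three times: "No separate logging infrastructure needed" in the HIPAA section, "No separate logging SIEM needed" in the SOC 2 section, and "auto-generated audit trail replaces SIEM" in the revenue table. The HIPAA "What it is" section itself lists audit controls next to integrity controls, person/entity authentication and transmission security as safeguards for every system holding ePHI, so a log of requests that pass through the gate stack is evidence for the access-control and audit-control part, not the whole Security Rule, and a Type II evidence artifact also has to show that the log itself was protected and retained over the 6-12 month period the file cites. The FedRAMP section has the same gap: its own "What it is" text defines continuous monitoring as monthly scans, annual assessments and POA&M tracking, so a deterministic audit trail "maps directly" only to the control-effectiveness evidence and does not cover the scanning and remediation cycle. Likewise, the file lists a DPIA as an assessment required for high-risk processing; the proof log can be evidence inside one but is not "a built-in DPIA artifact" in itself. Suggest rewording each of these to "supplies the access-control evidence for" rather than "replaces" or "satisfies ... automatically", e.g. "a machine-checkable audit trail that supplies the access-control evidence for the Security Rule's audit control requirement", and qualifying the FedRAMP sentence as covering control-effectiveness evidence only.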
|
||||