diff --git a/ideas/passepartout-economics/compliance-framework-reference.org b/ideas/passepartout-economics/compliance-framework-reference.org new file mode 100644 index 0000000..d00f37f --- /dev/null +++ b/ideas/passepartout-economics/compliance-framework-reference.org @@ -0,0 +1,208 @@ +:PROPERTIES: +:ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c +:CREATED: [2026-05-23 Sat] +:END: +#+title: Compliance Framework Reference — HIPAA, SOC 2, GDPR, FedRAMP +#+filetags: :passepartout:compliance:reference:regulation: + +The verification monopoly and domain gate package revenue streams depend on +selling into regulated industries. These industries buy compliance, not software. +The four frameworks below are the most commonly referenced across the triad +knowledge base. This file defines each one, the economic pressure it creates, +and where it maps to the revenue model. + +* HIPAA (Health Insurance Portability and Accountability Act) + +** What it is + +US federal law enacted 1996. Governs how protected health information (PHI) +is stored, transmitted, and accessed. Two relevant rules: + +- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights + to access, amend, and request accounting of disclosures. Minimum necessary + standard — only the minimum PHI needed for the task may be used. +- **Security Rule:** administrative, physical, and technical safeguards for + electronic PHI (ePHI). Requires access controls, audit controls, integrity + controls, person/entity authentication, and transmission security. + +** Who must comply + +Covered entities (health plans, healthcare clearinghouses, healthcare providers +who transmit any ePHI) and business associates (any vendor handling PHI on behalf +of a covered entity). Business Associate Agreements (BAAs) are mandatory. + +** Penalties + +Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per +violation category. Criminal penalties for knowing misuse (up to 10 years +imprisonment). State AGs can also bring civil actions. + +** Why it matters for the triad + +HIPAA is the largest single compliance market in US healthcare — every hospital, +clinic, insurer, and health-tech vendor must comply. The gate package for HIPAA +($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate +constraints. Every PHI access attempt passes through the gate stack, producing +a machine-checkable audit trail that satisfies the Security Rule's audit control +requirement automatically. No separate logging infrastructure needed. + +See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]] + +* SOC 2 (System and Organization Controls 2) + +** What it is + +An auditing standard developed by AICPA (American Institute of CPAs). Not a law. +Certifies that a service organization's controls over security, availability, +processing integrity, confidentiality, and privacy meet defined criteria. + +Five Trust Service Criteria (TSC): +- **Security** (mandatory): protection against unauthorized access (firewall, + access control, intrusion detection) +- **Availability** (optional): system available for operation and use as + committed (uptime, redundancy, disaster recovery) +- **Processing Integrity** (optional): system processing is complete, valid, + accurate, timely, and authorized +- **Confidentiality** (optional): information designated as confidential is + protected as committed +- **Privacy** (optional): personal information is collected, used, retained, + disclosed, and disposed of in conformity with commitments + +Two types: +- **Type I:** controls are suitably designed at a specific point in time +- **Type II:** controls operated effectively over a period (6-12 months) + +** Who must comply + +Any SaaS or cloud service provider whose enterprise customers require audited +vendors. Table stakes for B2B — most enterprise procurement contracts require +SOC 2 Type II. + +** Penalties + +No direct fines (not a law). But losing SOC 2 certification means losing +enterprise customers. Misrepresentation of certification status is fraud. + +** Why it matters for the triad + +SOC 2 is the entry-level certification for the compute marketplace. A provider +needs SOC 2 Type II to sell compute to enterprises whose procurement policy +requires audited vendors. The gate stack itself maps directly to the Security +criterion (access controls, audit trails) — the Passepartout instance's +deterministic gate log serves as the evidence artifact for the audit. No +separate logging SIEM needed. + +See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:verification-monopoly.org][Verification monopoly]] + +* GDPR (General Data Protection Regulation) + +** What it is + +EU regulation (effective May 2018) governing the processing of personal data of +natural persons in the EU. Extraterritorial — applies to any organization +processing EU personal data regardless of where the organization is based. + +Key requirements: +- Lawful basis for processing (consent, contract, legal obligation, vital + interests, public task, legitimate interests) +- Data minimization — collect only what is necessary +- Purpose limitation — do not reuse data for incompatible purposes +- Storage limitation — delete when no longer needed +- Right of access, rectification, erasure (right to be forgotten), + data portability, restriction, objection +- Data Protection Impact Assessment (DPIA) for high-risk processing +- Breach notification within 72 hours to supervisory authority +- Data Protection Officer (DPO) appointment for certain controllers/processors +- Data Processing Agreements (DPAs) between controllers and processors + +** Who must comply + +Any organization that processes personal data of EU residents. Includes +controllers (determine purposes and means) and processors (process on behalf +of controller). Non-EU organizations with EU data subjects are in scope. + +** Penalties + +Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered +system. Supervisory authorities in each member state enforce. Private right +of action for damages. + +** Why it matters for the triad + +GDPR is the most extraterritorial and aggressively enforced privacy framework. +The gate stack's principle of least privilege maps naturally to GDPR's data +minimization requirement. Every data access is gated by a verified rule that +states the purpose — the proof log is a built-in DPIA artifact. For the compute +marketplace: a provider processing proofs on EU users' gate data must maintain +DPAs with all clients. Proof logs themselves may constitute personal data if +they reference natural persons (names in access rules, etc.), creating a +demand for privacy-preserving proof techniques. + +See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:domain-gate-packages.org][Domain gate packages]] + +* FedRAMP (Federal Risk and Authorization Management Program) + +** What it is + +US federal government's standardized approach to security assessment, +authorization, and continuous monitoring for cloud services. OMB policy +mandate — federal agencies must use FedRAMP-authorized services when available. + +Three impact levels based on data sensitivity: + +| Level | Data type | Examples | Cost to achieve | Timeline | +|---------|-----------|---------------------------------|-----------------|----------| +| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months | +| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months | +| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months | + +Two authorization paths: +- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA, + DOD. Hardest path, most reusable across agencies. +- **Agency:** authorization by a single federal agency for its own use. Faster + but less portable. + +Requires continuous monitoring (monthly scans, annual assessments, POA&M +for findings). + +** Who must comply + +Any cloud service provider that sells to US federal agencies. Including +IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies +are strongly discouraged from using non-authorized services. + +** Penalties + +No direct fines. Non-authorized providers are simply ineligible for federal +contracts. FedRAMP is a procurement gate, not a regulatory one. + +** Why it matters for the triad + +FedRAMP is the highest bar and the most expensive certification to obtain. +Few cloud providers achieve it (fewer than 300 authorized products as of 2025). +But those that do capture the US government market with minimal competition. +For the triad: a compute marketplace provider with FedRAMP Moderate or High +authorization can sell to every federal agency. The gate stack's deterministic +audit trail maps directly to FedRAMP's continuous monitoring requirement — +producing verifiable evidence of control effectiveness on every access, not +just during the annual assessment. FedRAMP gate package: $100K/yr (highest), +reflecting the certification cost. + +See also: [[file:verification-monopoly.org][Verification monopoly]], [[file:domain-gate-packages.org][Domain gate packages]] + +* What Each Framework Means for Revenue + +| Framework | Gate package price | What it buys | Buyer | +|-----------|-------------------|--------------|-------| +| HIPAA | $50K/yr | ACL2-encoded Privacy + Security Rules; auto-generated audit trail replaces SIEM | Hospitals, insurers, health-tech | +| SOC 2 | $50K/yr | Gate stack evidence artifacts for Type II auditor; no separate logging | Any B2B SaaS needing enterprise procurement | +| GDPR | $50K/yr | Purpose-bound data access gates; built-in DPIA evidence; DPA templates | Any org with EU data subjects | +| FedRAMP | $100K/yr | Deterministic continuous monitoring; control evidence on every access (not annual) | Federal contractors, defense, critical infra | + +A single enterprise running all four packages generates $250K/yr in gate +package revenue. With infrastructure lock-in, that grows to $500K-$1M/yr +by year five as the fact store accumulates compliance decisions. + +See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]], +[[file:verification-monopoly.org][Verification monopoly]], [[file:compute-marketplace.org][Compute marketplace]], +[[file:evaluation-harness.org][Evaluation harness]], [[file:passepartout-economics.org][Passepartout economics index]]