From 5a2fce162a030e147ea1d1ddb49200467455b949 Mon Sep 17 00:00:00 2001 From: Hermes Date: Sat, 23 May 2026 05:51:54 +0000 Subject: [PATCH] Inline cross-references throughout compliance reference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replaced bottom-of-section 'See also' blocks with inline Org-mode file: links at the first natural mention of each concept, wiki-style. Links now live in the body text — compute-marketplace, verification-monopoly, domain-gate-packages, infrastructure-lock-in, evaluation-harness all linked at their first relevant usage per section. --- .../compliance-framework-reference.org | 44 ++++++++++--------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/ideas/passepartout-economics/compliance-framework-reference.org b/ideas/passepartout-economics/compliance-framework-reference.org index d00f37f..f9d4dec 100644 --- a/ideas/passepartout-economics/compliance-framework-reference.org +++ b/ideas/passepartout-economics/compliance-framework-reference.org @@ -40,13 +40,13 @@ imprisonment). State AGs can also bring civil actions. ** Why it matters for the triad HIPAA is the largest single compliance market in US healthcare — every hospital, -clinic, insurer, and health-tech vendor must comply. The gate package for HIPAA +clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]] ($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate constraints. Every PHI access attempt passes through the gate stack, producing a machine-checkable audit trail that satisfies the Security Rule's audit control -requirement automatically. No separate logging infrastructure needed. - -See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]] +requirement automatically. No separate logging infrastructure needed. Over a +five-year deployment, the accumulated fact store and proof history create +[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it. * SOC 2 (System and Organization Controls 2) @@ -85,14 +85,14 @@ enterprise customers. Misrepresentation of certification status is fraud. ** Why it matters for the triad -SOC 2 is the entry-level certification for the compute marketplace. A provider +SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider needs SOC 2 Type II to sell compute to enterprises whose procurement policy requires audited vendors. The gate stack itself maps directly to the Security criterion (access controls, audit trails) — the Passepartout instance's deterministic gate log serves as the evidence artifact for the audit. No -separate logging SIEM needed. - -See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:verification-monopoly.org][Verification monopoly]] +separate logging SIEM needed. This is the prerequisite to the larger +[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they +buy domain-specific gate packages for the same infrastructure. * GDPR (General Data Protection Regulation) @@ -132,13 +132,14 @@ of action for damages. GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that -states the purpose — the proof log is a built-in DPIA artifact. For the compute -marketplace: a provider processing proofs on EU users' gate data must maintain -DPAs with all clients. Proof logs themselves may constitute personal data if -they reference natural persons (names in access rules, etc.), creating a -demand for privacy-preserving proof techniques. - -See also: [[file:compute-marketplace.org][Compute marketplace]], [[file:domain-gate-packages.org][Domain gate packages]] +states the purpose — the proof log is a built-in DPIA artifact. For the +[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must +maintain DPAs with all clients. Proof logs themselves may constitute personal +data if they reference natural persons (names in access rules, etc.), creating +a demand for privacy-preserving proof techniques. This is why the +[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and +purpose-boundary gate rules that are independently verified by the provider's +[[file:evaluation-harness.org][evaluation harness]]. * FedRAMP (Federal Risk and Authorization Management Program) @@ -181,14 +182,17 @@ contracts. FedRAMP is a procurement gate, not a regulatory one. FedRAMP is the highest bar and the most expensive certification to obtain. Few cloud providers achieve it (fewer than 300 authorized products as of 2025). But those that do capture the US government market with minimal competition. -For the triad: a compute marketplace provider with FedRAMP Moderate or High +For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High authorization can sell to every federal agency. The gate stack's deterministic audit trail maps directly to FedRAMP's continuous monitoring requirement — producing verifiable evidence of control effectiveness on every access, not -just during the annual assessment. FedRAMP gate package: $100K/yr (highest), -reflecting the certification cost. - -See also: [[file:verification-monopoly.org][Verification monopoly]], [[file:domain-gate-packages.org][Domain gate packages]] +just during the annual assessment. This is what justifies the +[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software +package, it is the evidence pipeline for a certification that costs $1M-$5M +and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument +applies hardest here: an agency that has relied on a FedRAMP-authorized compute +provider for five years cannot switch without re-running the entire authorization +process with a new provider. * What Each Framework Means for Revenue