amr/hermes-brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5a2fce162a030e147ea1d1ddb49200467455b949
hermes-brain/ideas/passepartout-economics/compliance-framework-reference.org
Hermes 5a2fce162a Inline cross-references throughout compliance reference 
Replaced bottom-of-section 'See also' blocks with inline Org-mode file: links
at the first natural mention of each concept, wiki-style. Links now live in
the body text — compute-marketplace, verification-monopoly, domain-gate-packages,
infrastructure-lock-in, evaluation-harness all linked at their first relevant
usage per section.
2026-05-23 05:51:54 +00:00

213 lines
11 KiB
Org Mode
Raw Blame History

:PROPERTIES:
:ID: e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
:CREATED: [2026-05-23 Sat]
:END:
#+title: Compliance Framework Reference — HIPAA, SOC 2, GDPR, FedRAMP
#+filetags: :passepartout:compliance:reference:regulation:
The verification monopoly and domain gate package revenue streams depend on
selling into regulated industries. These industries buy compliance, not software.
The four frameworks below are the most commonly referenced across the triad
knowledge base. This file defines each one, the economic pressure it creates,
and where it maps to the revenue model.
* HIPAA (Health Insurance Portability and Accountability Act)
** What it is
US federal law enacted 1996. Governs how protected health information (PHI)
is stored, transmitted, and accessed. Two relevant rules:
- **Privacy Rule:** controls use and disclosure of PHI. Patients have rights
to access, amend, and request accounting of disclosures. Minimum necessary
standard — only the minimum PHI needed for the task may be used.
- **Security Rule:** administrative, physical, and technical safeguards for
electronic PHI (ePHI). Requires access controls, audit controls, integrity
controls, person/entity authentication, and transmission security.
** Who must comply
Covered entities (health plans, healthcare clearinghouses, healthcare providers
who transmit any ePHI) and business associates (any vendor handling PHI on behalf
of a covered entity). Business Associate Agreements (BAAs) are mandatory.
** Penalties
Tiered civil penalties: $100-$50,000 per violation, up to $1.5M per year per
violation category. Criminal penalties for knowing misuse (up to 10 years
imprisonment). State AGs can also bring civil actions.
** Why it matters for the triad
HIPAA is the largest single compliance market in US healthcare — every hospital,
clinic, insurer, and health-tech vendor must comply. The [[file:domain-gate-packages.org][HIPAA gate package]]
($50K/yr) encodes the Privacy Rule and Security Rule as ACL2-verifiable gate
constraints. Every PHI access attempt passes through the gate stack, producing
a machine-checkable audit trail that satisfies the Security Rule's audit control
requirement automatically. No separate logging infrastructure needed. Over a
five-year deployment, the accumulated fact store and proof history create
[[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching to a competitor means discarding all of it.
* SOC 2 (System and Organization Controls 2)
** What it is
An auditing standard developed by AICPA (American Institute of CPAs). Not a law.
Certifies that a service organization's controls over security, availability,
processing integrity, confidentiality, and privacy meet defined criteria.
Five Trust Service Criteria (TSC):
- **Security** (mandatory): protection against unauthorized access (firewall,
access control, intrusion detection)
- **Availability** (optional): system available for operation and use as
committed (uptime, redundancy, disaster recovery)
- **Processing Integrity** (optional): system processing is complete, valid,
accurate, timely, and authorized
- **Confidentiality** (optional): information designated as confidential is
protected as committed
- **Privacy** (optional): personal information is collected, used, retained,
disclosed, and disposed of in conformity with commitments
Two types:
- **Type I:** controls are suitably designed at a specific point in time
- **Type II:** controls operated effectively over a period (6-12 months)
** Who must comply
Any SaaS or cloud service provider whose enterprise customers require audited
vendors. Table stakes for B2B — most enterprise procurement contracts require
SOC 2 Type II.
** Penalties
No direct fines (not a law). But losing SOC 2 certification means losing
enterprise customers. Misrepresentation of certification status is fraud.
** Why it matters for the triad
SOC 2 is the entry-level certification for the [[file:compute-marketplace.org][compute marketplace]]. A provider
needs SOC 2 Type II to sell compute to enterprises whose procurement policy
requires audited vendors. The gate stack itself maps directly to the Security
criterion (access controls, audit trails) — the Passepartout instance's
deterministic gate log serves as the evidence artifact for the audit. No
separate logging SIEM needed. This is the prerequisite to the larger
[[file:verification-monopoly.org][verification monopoly]] play — once enterprises trust the audit trail, they
buy domain-specific gate packages for the same infrastructure.
* GDPR (General Data Protection Regulation)
** What it is
EU regulation (effective May 2018) governing the processing of personal data of
natural persons in the EU. Extraterritorial — applies to any organization
processing EU personal data regardless of where the organization is based.
Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital
interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten),
data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors
** Who must comply
Any organization that processes personal data of EU residents. Includes
controllers (determine purposes and means) and processors (process on behalf
of controller). Non-EU organizations with EU data subjects are in scope.
** Penalties
Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
system. Supervisory authorities in each member state enforce. Private right
of action for damages.
** Why it matters for the triad
GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the
[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
maintain DPAs with all clients. Proof logs themselves may constitute personal
data if they reference natural persons (names in access rules, etc.), creating
a demand for privacy-preserving proof techniques. This is why the
[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
purpose-boundary gate rules that are independently verified by the provider's
[[file:evaluation-harness.org][evaluation harness]].
* FedRAMP (Federal Risk and Authorization Management Program)
** What it is
US federal government's standardized approach to security assessment,
authorization, and continuous monitoring for cloud services. OMB policy
mandate — federal agencies must use FedRAMP-authorized services when available.
Three impact levels based on data sensitivity:
| Level | Data type | Examples | Cost to achieve | Timeline |
|---------|-----------|---------------------------------|-----------------|----------|
| Low | Public or low-sensitivity | Public websites, unclassified comms | $500K-$1M | 6-12 months |
| Moderate | Controlled Unclassified Info (CUI) | Tax records, health data, law enforcement | $1M-$3M | 12-24 months |
| High | National security, classified | Defense, intelligence, critical infra | $3M-$5M | 18-36 months |
Two authorization paths:
- **JAB (Joint Authorization Board):** provisional authorization by DHS, GSA,
DOD. Hardest path, most reusable across agencies.
- **Agency:** authorization by a single federal agency for its own use. Faster
but less portable.
Requires continuous monitoring (monthly scans, annual assessments, POA&M
for findings).
** Who must comply
Any cloud service provider that sells to US federal agencies. Including
IaaS, PaaS, SaaS. FedRAMP Marketplace lists authorized providers — agencies
are strongly discouraged from using non-authorized services.
** Penalties
No direct fines. Non-authorized providers are simply ineligible for federal
contracts. FedRAMP is a procurement gate, not a regulatory one.
** Why it matters for the triad
FedRAMP is the highest bar and the most expensive certification to obtain.
Few cloud providers achieve it (fewer than 300 authorized products as of 2025).
But those that do capture the US government market with minimal competition.
For the triad: a [[file:compute-marketplace.org][compute marketplace]] provider with FedRAMP Moderate or High
authorization can sell to every federal agency. The gate stack's deterministic
audit trail maps directly to FedRAMP's continuous monitoring requirement —
producing verifiable evidence of control effectiveness on every access, not
just during the annual assessment. This is what justifies the
[[file:domain-gate-packages.org][FedRAMP gate package]] at $100K/yr (the highest price) — it is not a software
package, it is the evidence pipeline for a certification that costs $1M-$5M
and 12-36 months to obtain independently. The [[file:verification-monopoly.org][verification monopoly]] argument
applies hardest here: an agency that has relied on a FedRAMP-authorized compute
provider for five years cannot switch without re-running the entire authorization
process with a new provider.
* What Each Framework Means for Revenue
| Framework | Gate package price | What it buys | Buyer |
|-----------|-------------------|--------------|-------|
| HIPAA | $50K/yr | ACL2-encoded Privacy + Security Rules; auto-generated audit trail replaces SIEM | Hospitals, insurers, health-tech |
| SOC 2 | $50K/yr | Gate stack evidence artifacts for Type II auditor; no separate logging | Any B2B SaaS needing enterprise procurement |
| GDPR | $50K/yr | Purpose-bound data access gates; built-in DPIA evidence; DPA templates | Any org with EU data subjects |
| FedRAMP | $100K/yr | Deterministic continuous monitoring; control evidence on every access (not annual) | Federal contractors, defense, critical infra |
A single enterprise running all four packages generates $250K/yr in gate
package revenue. With infrastructure lock-in, that grows to $500K-$1M/yr
by year five as the fact store accumulates compliance decisions.
See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]],
[[file:verification-monopoly.org][Verification monopoly]], [[file:compute-marketplace.org][Compute marketplace]],
[[file:evaluation-harness.org][Evaluation harness]], [[file:passepartout-economics.org][Passepartout economics index]]
Reference in New Issue View Git Blame Copy Permalink