# Compliance Methodology
This document describes how the FCC framework evaluates and monitors regulatory compliance across 13 regulatory frameworks.
## Evaluation Architecture

```text
┌──────────────────────────────────────────────────┐
│ Compliance Engine                                │
├──────────────────────────────────────────────────┤
│ RegulatoryRegistry (13 regulations)              │
│   ↓                                              │
│ ComplianceControl evaluation                     │
│   ↓                                              │
│ ComplianceGate verification                      │
│   ↓                                              │
│ ComplianceMetric measurement                     │
│   ↓                                              │
│ ComplianceSummary aggregation                    │
├──────────────────────────────────────────────────┤
│ Integration Points:                              │
│   • ConstitutionRegistry (hard-stop enforcement) │
│   • QualityGateRunner (automated checks)         │
│   • TagRegistry (capability classification)      │
│   • EventBus (compliance event notifications)    │
└──────────────────────────────────────────────────┘
```
## Three-Tier Evaluation Model

### Tier 1: Controls (What must be in place)
Controls represent specific requirements from each regulation. Each control has:
- Control ID — Unique identifier (e.g., `GDPR-C001`)
- Requirement — What the regulation mandates
- Status — Compliant, Non-Compliant, Partial, Not Assessed, In Progress
- Evidence — Where compliance is documented
- Automation — Whether the check can be automated
### Tier 2: Gates (Checkpoints that must pass)
Gates are verification checkpoints that reference specific controls. Each gate represents a binary pass/fail check that must be satisfied before proceeding.
Gates map to the FCC quality gate system:
```python
from fcc.governance import ComplianceGate, ComplianceStatus

gate = ComplianceGate(
    gate_id="GDPR-G001",
    regulation="GDPR",
    control_ref="GDPR-C001",
    requirement="Consent collected before data processing",
    status=ComplianceStatus.COMPLIANT,
)
```
### Tier 3: Metrics (What is measured)
Metrics provide quantitative measurement of compliance effectiveness:
- Target — The goal value (e.g., 100% consent rate)
- Current — The measured value
- Trend — Improving, declining, or stable
- Source — The system providing the measurement
## Scoring Methodology

### Per-Regulation Score
```python
regulation_score = (
    compliant_controls / total_controls * 0.50 +
    passing_gates / total_gates * 0.30 +
    metrics_meeting_target / total_metrics * 0.20
)
```
### Overall Compliance Score

Weights are assigned by domain risk:

- Privacy regulations: 1.2x weight
- Security regulations: 1.1x weight
- AI/Digital regulations: 1.2x weight
- Government regulations: 1.0x weight
- Health regulations: 1.1x weight
### Status Classification
| Score Range | Status | Action |
|---|---|---|
| 90-100% | Compliant | Maintain and monitor |
| 70-89% | Needs Attention | Remediation plan required |
| 50-69% | At Risk | Immediate action required |
| 0-49% | Non-Compliant | Escalation to governance |
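The scoring rules above, worked through in code. This is an added example and not the FCC engine's own implementation: `Regulation`, `Metric`, `regulation_score`, `overall_score` and `classify` are illustrative names, the sample assessments are constructed, and the points on which the page is silent (the overall score as a domain-weighted mean, renormalisation when a regulation has no items in a tier, a lower-is-better flag for metrics such as response times) are assumptions stated in the module docstring.

```python
"""Worked scoring example: per-regulation score, domain-weighted overall score and status.

Added illustration, not code from the FCC code base. The tier weights (0.50/0.30/0.20),
domain multipliers and status bands are the page's; these are labelled assumptions:
  * the overall score is the domain-weighted mean of the per-regulation scores;
  * a tier with no items (e.g. no metrics defined yet) drops out and the remaining
    tier weights are renormalised, so an empty tier neither zeroes nor inflates a score;
  * a metric meets its target when current >= target, unless flagged lower_is_better.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class ControlStatus(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non_compliant"
    PARTIAL = "partial"
    NOT_ASSESSED = "not_assessed"
    IN_PROGRESS = "in_progress"

@dataclass(frozen=True)
class Metric:
    name: str
    current: float
    target: float
    lower_is_better: bool = False  # e.g. response time in days

    def meets_target(self) -> bool:
        return self.current <= self.target if self.lower_is_better else self.current >= self.target

@dataclass(frozen=True)
class Regulation:
    name: str
    domain: str                          # key into DOMAIN_WEIGHTS
    controls: tuple[ControlStatus, ...]
    gates: tuple[bool, ...]              # True = gate passing
    metrics: tuple[Metric, ...]

TIER_WEIGHTS = {"controls": 0.50, "gates": 0.30, "metrics": 0.20}
DOMAIN_WEIGHTS = {"privacy": 1.2, "security": 1.1, "ai": 1.2, "government": 1.0, "health": 1.1}

def regulation_score(reg: Regulation) -> float:
    """Score in [0, 1]. Only fully COMPLIANT controls count; PARTIAL and IN_PROGRESS do not."""
    ratios: dict[str, float] = {}
    if reg.controls:
        ratios["controls"] = sum(c is ControlStatus.COMPLIANT for c in reg.controls) / len(reg.controls)
    if reg.gates:
        ratios["gates"] = sum(reg.gates) / len(reg.gates)
    if reg.metrics:
        ratios["metrics"] = sum(m.meets_target() for m in reg.metrics) / len(reg.metrics)
    if not ratios:
        return 0.0  # nothing assessed at all is scored as non-compliant, never as perfect
    weight_sum = sum(TIER_WEIGHTS[t] for t in ratios)  # renormalise over the tiers present
    return sum(TIER_WEIGHTS[t] * r for t, r in ratios.items()) / weight_sum

def overall_score(regs: list[Regulation]) -> float:
    """Domain-risk-weighted mean of the per-regulation scores (assumption, see docstring)."""
    pairs = [(DOMAIN_WEIGHTS[r.domain], regulation_score(r)) for r in regs]
    return sum(w * s for w, s in pairs) / sum(w for w, _ in pairs)

def classify(score: float) -> str:
    """Map a [0, 1] score onto the status bands from the table above."""
    pct = score * 100
    if pct >= 90:
        return "Compliant"
    if pct >= 70:
        return "Needs Attention"
    if pct >= 50:
        return "At Risk"
    return "Non-Compliant"

C, NC, P, NA = (ControlStatus.COMPLIANT, ControlStatus.NON_COMPLIANT,
                ControlStatus.PARTIAL, ControlStatus.NOT_ASSESSED)

# Constructed sample assessments, not real results.
SAMPLE_REGULATIONS = [
    Regulation("GDPR", "privacy", controls=(C,) * 8 + (P, NC), gates=(True, True, True, False),
               metrics=(Metric("consent_rate_pct", 100, 100),
                        Metric("dsar_response_days", 25, 30, lower_is_better=True))),
    Regulation("HIPAA", "health", controls=(C,) * 5, gates=(True, True), metrics=()),  # no metrics yet
    Regulation("AI Act", "ai", controls=(C, NC, P, NA), gates=(False, False),
               metrics=(Metric("systems_classified_pct", 60, 100),
                        Metric("open_high_findings", 0, 0, lower_is_better=True))),
]

if __name__ == "__main__":
    for reg in SAMPLE_REGULATIONS:
        s = regulation_score(reg)
        print(f"{reg.name:8} {s:7.1%}  {classify(s)}")
    total = overall_score(SAMPLE_REGULATIONS)
    print(f"{'OVERALL':8} {total:7.1%}  {classify(total)}")
```

Two details are worth checking in any real implementation of the formula: a regulation with no metrics must not divide by zero (here the metrics tier drops out and the 0.50/0.30 weights are renormalised, so the HIPAA sample scores 100% rather than failing), and a regulation with nothing assessed at all must not come out as 100% because every ratio is vacuously satisfied.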
## Integration with FCC Governance Stack

### Constitution Registry
Constitution hard-stop rules serve as absolute compliance boundaries:
```python
# Hard-stop rules that map to regulatory requirements
"No processing of personal data without documented legal basis"  # → GDPR-C001
"No storage of unencrypted ePHI"                                  # → HIPAA-C002
"No deployment of unclassified AI systems"                        # → AIACT-C001
```
### Quality Gates
Quality gates provide automated compliance verification:
```python
# Quality gate maps to compliance gate
QualityGate(id="QG-PRIVACY-001", checks=["consent_mechanism", "privacy_notice"])
# → GDPR-G001, CCPA-G001
```
### Event Bus Integration
Compliance events are published to the event bus for real-time monitoring:
- `GOVERNANCE_GATE_PASSED` — Compliance gate passed
- `GOVERNANCE_GATE_FAILED` — Compliance gate failed
- `GOVERNANCE_COMPLIANCE_CHECK` — Periodic compliance check
- `GOVERNANCE_VIOLATION_DETECTED` — Hard-stop violation
## Audit Trail
All compliance evaluations are recorded with:
- Timestamp of evaluation
- Evaluator identity (automated or manual)
- Previous and new status
- Evidence references
- Remediation actions (if status changed)
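The three integration points described above (hard-stop enforcement, event publication and the audit trail) combined in a single gate evaluation. This is an added example, not FCC code: `GateEvaluator`, `GateSpec`, `HardStopRule`, `AuditEntry` and the in-process `EventBus` are illustrative stand-ins for the real classes, the evidence paths and facts are constructed, and the rule that a hard-stop violation fails the gate regardless of the gate's own check is an assumption about how "absolute compliance boundary" is meant, labelled in the code.

```python
"""Gate evaluation with hard-stop enforcement, event publication and audit trail.
Added example, not FCC code. Assumptions: a hard-stop violation forces the gate to fail
even if the gate's own check passes; the EventBus is an in-process list; GateStatus,
HardStopRule, GateSpec, AuditEntry and GateEvaluator are illustrative, not FCC classes."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Optional

class GateStatus(Enum):
    COMPLIANT = "compliant"
    NON_COMPLIANT = "non_compliant"
    NOT_ASSESSED = "not_assessed"

@dataclass(frozen=True)
class HardStopRule:
    text: str
    control_ref: str                    # control the rule is mapped to (e.g. GDPR-C001)
    violated: Callable[[dict], bool]    # predicate over the observed facts

@dataclass(frozen=True)
class GateSpec:
    gate_id: str
    control_ref: str
    check: Callable[[dict], bool]       # the gate's own automated check
    evidence: tuple[str, ...]           # where compliance is documented

@dataclass(frozen=True)
class AuditEntry:
    timestamp: str
    evaluator: str                      # automated runner or a named human
    gate_id: str
    previous: GateStatus
    new: GateStatus
    evidence: tuple[str, ...]
    remediation: Optional[str]          # only recorded when the status changed

class EventBus:
    """Stand-in for the FCC EventBus (assumption): records published events in order."""
    def __init__(self) -> None:
        self.events: list[tuple[str, dict]] = []
    def publish(self, name: str, payload: dict) -> None:
        self.events.append((name, payload))

class GateEvaluator:
    def __init__(self, bus: EventBus, rules: list[HardStopRule], evaluator: str) -> None:
        self.bus, self.rules, self.evaluator = bus, rules, evaluator
        self.status: dict[str, GateStatus] = {}
        self.audit: list[AuditEntry] = []

    def evaluate(self, gate: GateSpec, facts: dict) -> GateStatus:
        previous = self.status.get(gate.gate_id, GateStatus.NOT_ASSESSED)
        # Hard-stop rules mapped to this gate's control are absolute (assumption): a violation
        # is reported and fails the gate even when the gate's own check would pass.
        violated = [r for r in self.rules if r.control_ref == gate.control_ref and r.violated(facts)]
        for rule in violated:
            self.bus.publish("GOVERNANCE_VIOLATION_DETECTED", {"gate_id": gate.gate_id, "rule": rule.text})
        passed = not violated and bool(gate.check(facts))
        new = GateStatus.COMPLIANT if passed else GateStatus.NON_COMPLIANT
        self.bus.publish("GOVERNANCE_GATE_PASSED" if passed else "GOVERNANCE_GATE_FAILED", {"gate_id": gate.gate_id})
        remediation = None
        if new is not previous:
            if new is GateStatus.NON_COMPLIANT:
                reasons = [r.text for r in violated] or ["gate check failed"]
                remediation = f"remediate {gate.control_ref}: " + "; ".join(reasons)
            else:
                remediation = f"remediation of {gate.control_ref} verified; close open actions"
        self.audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(), self.evaluator,
                                     gate.gate_id, previous, new, gate.evidence, remediation))
        self.status[gate.gate_id] = new
        return new

    def periodic_check(self, gates: list[GateSpec], facts_by_gate: dict[str, dict]) -> dict[str, GateStatus]:
        self.bus.publish("GOVERNANCE_COMPLIANCE_CHECK", {"gates": [g.gate_id for g in gates]})
        return {g.gate_id: self.evaluate(g, facts_by_gate[g.gate_id]) for g in gates}

# Constructed sample: the page's first hard-stop rule mapped to GDPR-C001, and gate GDPR-G001.
LEGAL_BASIS_RULE = HardStopRule(
    text="No processing of personal data without documented legal basis",
    control_ref="GDPR-C001",
    violated=lambda f: f.get("processing_personal_data", False) and not f.get("legal_basis_documented", False),
)
CONSENT_GATE = GateSpec(
    gate_id="GDPR-G001", control_ref="GDPR-C001",
    check=lambda f: bool(f.get("consent_collected", False)),
    evidence=("privacy/consent-flow.md", "records/processing-register.csv"),  # hypothetical paths
)

def run_demo() -> tuple[GateEvaluator, EventBus]:
    bus = EventBus()
    ev = GateEvaluator(bus, [LEGAL_BASIS_RULE], evaluator="quality-gate-runner")
    facts = {"processing_personal_data": True, "consent_collected": True, "legal_basis_documented": False}
    ev.evaluate(CONSENT_GATE, facts)  # consent collected, but no legal basis: hard stop wins
    # Periodic re-check once the legal basis has been recorded: the gate now passes.
    ev.periodic_check([CONSENT_GATE], {"GDPR-G001": {**facts, "legal_basis_documented": True}})
    return ev, bus

if __name__ == "__main__":
    evaluator, bus = run_demo()
    for name, payload in bus.events:
        print(name, payload)
    for e in evaluator.audit:
        print(e.timestamp, e.gate_id, e.previous.value, "->", e.new.value, e.remediation)
```

Running it produces four events in order (`GOVERNANCE_VIOLATION_DETECTED`, `GOVERNANCE_GATE_FAILED`, `GOVERNANCE_COMPLIANCE_CHECK`, `GOVERNANCE_GATE_PASSED`) and two audit entries, each carrying the previous and new status and a remediation note because the status changed both times; a third evaluation with unchanged facts would record no remediation.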