Architecture of Compliance Framework
This architecture represents a distributed, event-driven system designed to monitor and report real-time compliance across multiple environments, such as Azure and on-premise networks. It leverages the OSCAL model proposal and encompasses an assessment runtime for compliance checking and an event bus for communication.
The assessment runtime, which can be deployed anywhere the requirements dictate, conducts compliance checks and publishes results to an event bus through an app gateway. The gateway provides an additional layer of protection and control, allowing secure and controlled communication with the event bus.
The backend API server processes these events and generates real-time dashboard reports, which are displayed through a React-based dashboard. The system is designed for scalability, resilience, and real-time processing, ensuring efficient handling of compliance monitoring tasks in various deployment environments.
Main Components of the Design
🗃️ Compliance Framework Core
2 items
🗃️ Assessment Runtime
7 items
📄️ Event Bus
The Event Bus serves as the primary repository for all assessment results, with data published as events. As the single source of truth for assessment outcomes, it plays a vital role in maintaining and managing a constant stream of information. Using an event bus in this manner offers several distinct advantages:
📄️ ERD
The purpose of this diagram is to give a high-level view (with no details on fields) of the main entities in the configuration service, which should follow the OSCAL model where possible.
📄️ Diagrams
One open issue is the cost of understanding a scenario well enough to define its metrics correctly. This could be addressed by updating the Configuration diagrams so that the configuration is also responsible for generating a Metrics Plan, with a separate endpoint for adding metrics according to that plan.