Compliance & Risk
Linking specifications to regulatory requirements and security controls
Integrate compliance and risk management into your BDD specifications using standardized control tagging.
Overview
This section covers:
- Risk Controls - Linking specifications to OSCAL security controls and compliance requirements
- GxP Tagging - Pharmaceutical and medical device regulatory compliance
- Automated Evidence - Generating compliance evidence from test results
Compliance isn't separate from development - it's integrated through tags that link test scenarios to standardized control frameworks.
In This Section
| Topic | Description |
|---|---|
| Risk Controls | OSCAL control tagging and automated evidence generation |
| GxP Tagging | Pharmaceutical/medical device regulatory compliance |
Key Concepts
1. Control Tags Link Tests to Requirements
@ov @control:ac-2
Scenario: Account creation requires approval
Given a user registration request
When an administrator reviews the request
Then the account should require approval
And the approval should be logged
The @control:ac-2 tag links this scenario to NIST 800-53 Access Control requirement AC-2 (Account Management).
2. OSCAL Integration
OSCAL Catalog (NIST 800-53)
↓
OSCAL Profile (Selected controls for your system)
↓
BDD Specifications (@control: tags)
↓
Test Results (Pass/Fail evidence)
↓
OSCAL Assessment Results (Compliance evidence)
3. Automated Evidence Collection
# Run tests
r2r eac test acceptance
# Generate compliance evidence
r2r create risk-assess --profile specs/.risk-controls/profile.json
# Output: out/risk/<module>/assessment-results.json
# Contains: Controls mapped to test results with pass/fail status
Common Use Cases
Security Compliance
NIST 800-53 Controls:
- Access Control (
@control:ac-2,@control:ac-3) - Account management, least privilege - Audit (
@control:au-2,@control:au-3) - Audit events, audit record content - Authentication (
@control:ia-2,@control:ia-5) - Identification, authenticator management
Regulatory Compliance
GxP Requirements:
- 21 CFR Part 11 - Electronic records and signatures (pharmaceutical)
- ISO 13485 - Medical device quality management
- EU GMP Annex 11 - Computerized systems validation
Quality Standards
ISO 9001 - Quality management system requirements
Quick Start
Tag Scenarios with Controls
- Identify applicable controls from your OSCAL profile
- Add control tags to relevant scenarios
- Run tests to verify control satisfaction
- Generate evidence with assessment results
Example Workflow
# specs/auth-service/login/specification.feature
@L3 @ov @control:ia-2 @control:au-2
Feature: auth-service_user-authentication
Rule: Users authenticate with valid credentials
@ov @control:ia-2
Scenario: Valid credentials grant access
Given a registered user account
When the user provides valid credentials
Then access should be granted
And the login event should be logged
@ov @control:ia-2 @control:au-2
Scenario: Failed login attempts are audited
Given audit logging is enabled
When a login attempt fails
Then an audit record must be created
And the record must include timestamp and user ID
Run and generate evidence:
# Execute tests
r2r eac test auth-service --suite acceptance
# Generate OSCAL assessment results
r2r create risk-assess --profile specs/.risk-controls/auth-service.profile.json
# Output: out/risk/auth-service/assessment-results.json
Control Tag Formats
Single Control
Control with Enhancement
Multiple Controls
OSCAL Document Types
Catalog
What: Standard control definitions (e.g., NIST 800-53, ISO 27001)
Location: templates/specs/risk-catalog/controls.catalog.json
Created by: Standards organizations or imported
Profile
What: Selected controls applicable to your system
Location: specs/.risk-controls/<module>.profile.json
Created by: r2r create risk-profile
Assessment Results
What: Evidence linking controls to test results
Location: out/risk/<module>/assessment-results.json
Generated by: r2r create risk-assess
Validation Commands
# Validate control tags reference valid catalog controls
r2r eac validate control-tags
# Validate OSCAL catalog schema
r2r eac validate risk-catalog
# Validate OSCAL profile schema
r2r eac validate risk-profile
Benefits
For Development Teams
- No separate compliance documentation
- Requirements traced to tests automatically
- Compliance validated on every commit
For Compliance Teams
- Real-time compliance status
- Automated evidence collection
- Audit-ready documentation
For Auditors
- Standardized OSCAL format
- Traceability from requirement to test result
- Version-controlled evidence
Common Control Families
| Family | Description | Example Tags |
|---|---|---|
| AC | Access Control | @control:ac-2, @control:ac-3 |
| AU | Audit and Accountability | @control:au-2, @control:au-3 |
| IA | Identification and Authentication | @control:ia-2, @control:ia-5(1) |
| SC | System and Communications Protection | @control:sc-7, @control:sc-8(1) |
| SI | System and Information Integrity | @control:si-2, @control:si-10 |
See Risk Controls for complete reference.
Best Practices
DO
- ✅ Tag security and compliance scenarios with controls
- ✅ Use standardized OSCAL control IDs
- ✅ Validate control tags against catalog regularly
- ✅ Generate assessment results from CI/CD pipeline
- ✅ Version control OSCAL profiles with specifications
DON'T
- ❌ Use custom control naming schemes
- ❌ Skip control tag validation
- ❌ Manually create compliance documentation
- ❌ Store evidence separately from test results
- ❌ Forget to update controls when requirements change
Related Documentation
Core Concepts
- BDD Fundamentals - Behavior-Driven Development
- Three-Layer Approach - Rules/Scenarios/Unit Tests
Taxonomy
- Control Tags - Detailed @control: tag reference
- Verification Tags - @ov, @iv, @pv tags
- Test Levels - L0-L4 test environments
Organization
- File Structure - Where to put specifications
- Organizing Rules - Structuring acceptance criteria
Tutorials | How-to Guides | Explanation | Reference
You are here: Explanation — understanding-oriented discussion that clarifies concepts.