Controls in CALM
Controls model requirements for domains. For example, a security domain contains a series of control requirements.
A control has a name, a description, and the requirements of the control.
Controls are made up of:
- control-requirement-url: A schema that specifies how the control should be defined.
- control-config-url: The location of the implementation of the control requirement; this defines how the control was fulfilled.
Example of control applied to a node
{
  ...
  "nodes": [
    {
      "unique-id": "example-system",
      "node-type": "system",
      "name": "Example System",
      "description": "Example System",
      "controls": {
        "cbom": {
          "description": "Control requirements for delivering patterns",
          "requirements": [
            {
              "control-requirement-url": "http://calm.finos.org/controls/domains-example/security/schema/permitted-connection.json",
              "control-config-url": "http://calm.finos.org/controls/domains-example/security/configuration/permitted-connection.json"
            }
          ]
        }
      }
    }
  ],
  ...
}
Control requirement
A control requirement lays out what the control is and how it is expected to be enforced. We can see this here with a control for permitted connections that only allows certain protocols.
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "http://calm.finos.org/controls/domains-example/security/schema/permitted-connection.json",
  "title": "Permits a connection between two components in the architecture",
  "type": "object",
  "allOf": [
    {
      "$ref": "http://calm.finos.org/controls/2025-03/meta/control-requirement.json"
    }
  ],
  "properties": {
    "control-id": {
      "const": "security-002"
    },
    "name": {
      "const": "Permitted Connection"
    },
    "description": {
      "const": "Permits a connection using an approved protocol"
    },
    "protocol": {
      "$ref": "#/defs/protocol"
    }
  },
  "required": [
    "control-id",
    "name",
    "description",
    "protocol"
  ],
  "defs": {
    "protocol": {
      "enum": [
        "HTTPS",
        "SFTP",
        "JDBC",
        "WebSocket",
        "TLS",
        "mTLS",
        "TCP"
      ]
    }
  }
}
Control configuration
The control configuration is the implementation of the requirement: how the requirement is fulfilled. We can see in this configuration that it is implementing the control requirement shown above.
{
  "$schema": "http://calm.finos.org/controls/domains-example/security/configuration/permitted-connection.json",
  "control-id": "security-002",
  "name": "Permitted Connection",
  "description": "Permits a connection using an approved protocol",
  "protocol": "mTLS"
}
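The point of pairing a control-requirement-url with a control-config-url is that the configuration can be checked against the requirement: the const fields pin the control's identity and the enum restricts the protocol, so a configuration that drifts (say, to an unlisted protocol) should fail. The following is an added example, not code from the CALM project, that walks the node's controls from the first section and validates each configuration against its requirement. It assumes a small hand-written validator covering only the keywords the page's schema uses (required, const, enum, local $ref), omits the allOf reference to the CALM meta-schema so it runs offline, and uses a DOCUMENTS dictionary in place of fetching the URLs over HTTP; DRIFTED_CONFIG is a constructed failing configuration.

```python
import json

# Control requirement schema copied from the page. The "allOf" $ref to the CALM
# meta-schema is left out so the check runs offline; everything else is as on the page.
PERMITTED_CONNECTION_REQUIREMENT = json.loads("""
{
  "$id": "http://calm.finos.org/controls/domains-example/security/schema/permitted-connection.json",
  "type": "object",
  "properties": {
    "control-id": {"const": "security-002"},
    "name": {"const": "Permitted Connection"},
    "description": {"const": "Permits a connection using an approved protocol"},
    "protocol": {"$ref": "#/defs/protocol"}
  },
  "required": ["control-id", "name", "description", "protocol"],
  "defs": {"protocol": {"enum": ["HTTPS", "SFTP", "JDBC", "WebSocket", "TLS", "mTLS", "TCP"]}}
}
""")

# Control configuration from the page; it satisfies the requirement.
PERMITTED_CONNECTION_CONFIG = {
    "control-id": "security-002",
    "name": "Permitted Connection",
    "description": "Permits a connection using an approved protocol",
    "protocol": "mTLS",
}

# Constructed configuration (not from the page) that has drifted from the
# requirement: the name no longer matches the const, and FTP is not in the enum.
DRIFTED_CONFIG = {
    "control-id": "security-002",
    "name": "Permitted Connections",
    "description": "Permits a connection using an approved protocol",
    "protocol": "FTP",
}


def _resolve_ref(schema, ref):
    """Follow a local JSON-pointer $ref such as "#/defs/protocol" within the schema."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local $ref values are supported, got {ref!r}")
    node = schema
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def validate_control_config(requirement, config):
    """Return a list of violations; an empty list means the config satisfies the requirement.

    Handles only the keywords the page's requirement uses (required, const, enum,
    local $ref); it is a hypothetical subset check, not a full JSON Schema validator.
    """
    errors = []
    for key in requirement.get("required", []):
        if key not in config:
            errors.append(f"missing required field {key!r}")
    for key, prop in requirement.get("properties", {}).items():
        if key not in config:
            continue
        if "$ref" in prop:
            prop = _resolve_ref(requirement, prop["$ref"])
        value = config[key]
        if "const" in prop and value != prop["const"]:
            errors.append(f"{key!r} must be {prop['const']!r}, got {value!r}")
        if "enum" in prop and value not in prop["enum"]:
            errors.append(f"{key!r} value {value!r} is not one of {prop['enum']}")
    return errors


def check_node_controls(node, documents):
    """Check every control requirement attached to a CALM node.

    `documents` stands in for an HTTP fetch: it maps each control-requirement-url and
    control-config-url to the JSON found there. Returns {control-config-url: [violations]};
    an unresolvable URL is reported as a violation rather than silently passing.
    """
    report = {}
    for control_name, control in node.get("controls", {}).items():
        for entry in control.get("requirements", []):
            req_url, cfg_url = entry["control-requirement-url"], entry["control-config-url"]
            if req_url not in documents or cfg_url not in documents:
                report[cfg_url] = [f"control {control_name!r}: unresolved requirement or config URL"]
                continue
            report[cfg_url] = validate_control_config(documents[req_url], documents[cfg_url])
    return report


CONFIG_URL = "http://calm.finos.org/controls/domains-example/security/configuration/permitted-connection.json"

# The node from the page, trimmed to the fields the check needs.
EXAMPLE_NODE = {
    "unique-id": "example-system",
    "controls": {"cbom": {"requirements": [{
        "control-requirement-url": PERMITTED_CONNECTION_REQUIREMENT["$id"],
        "control-config-url": CONFIG_URL,
    }]}},
}

# Stand-in for fetching the two URLs.
DOCUMENTS = {
    PERMITTED_CONNECTION_REQUIREMENT["$id"]: PERMITTED_CONNECTION_REQUIREMENT,
    CONFIG_URL: PERMITTED_CONNECTION_CONFIG,
}

if __name__ == "__main__":
    for url, errors in check_node_controls(EXAMPLE_NODE, DOCUMENTS).items():
        print(url, "OK" if not errors else errors)
    print(validate_control_config(PERMITTED_CONNECTION_REQUIREMENT, DRIFTED_CONFIG))
```

Running the script reports the page's configuration as OK and lists two violations for the drifted one. In a real pipeline the DOCUMENTS lookup would be replaced by fetching the URLs, and a full JSON Schema validator would also enforce the allOf meta-schema that this example skips.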