Skip to main content

Controls in CALM

Controls model requirements for domains. For example, a security domain contains a series of control requirements

A control has a name and then consists of a description and the requirements of the control

Controls are made up of:

  • control-requirement-url: This is a schema the specifies how the control should be defined
  • control-config-url: The location of the implementation of control requirement, this defines how the control was fulfilled.

Example of control applied to a node

{
    ...
    "nodes": [
        {   
            "unique-id": "example-system",
            "node-type": "system",
            "name": "Example System",
            "description": "Example System",
            "controls": {
                "cbom": {
                    "description": "Control requirements for delivering patterns",
                    "requirements": [
                        {
                            "control-requirement-url": "http://calm.finos.org/controls/domains-example/security/schema/permitted-connection.json",
                            "control-config-url": "http://calm.finos.org/controls/domains-example/security/configuration/permitted-connection.json"
                        }
                    ]
                }
            }
        }
    ],
    ...
}

Control requirement

A control requirement lays out what the control is and how it is expected to be enforced. We can see this here with a control for permitted connections that only allow certain protocols.

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "http://calm.finos.org/controls/domains-example/security/schema/permitted-connection.json",
  "title": "Permits a connection between two components in the architecture",
  "type": "object",
  "allOf": [
    {
      "$ref": "http://calm.finos.org/controls/2025-03/meta/control-requirement.json"
    }
  ],
  "properties": {
    "control-id": {
      "const": "security-002"
    },
    "name": {
      "const": "Permitted Connection"
    },
    "description": {
      "const": "Permits a connection using an approved protocol"
    },
    "protocol": {
      "$ref": "#/defs/protocol"
    }
  },
  "required": [
    "control-id",
    "name",
    "description",
    "protocol"
  ],
  "defs": {
    "protocol": {
      "enum": [
        "HTTPS",
        "SFTP",
        "JDBC",
        "WebSocket",
        "TLS",
        "mTLS",
        "TCP"
      ]
    }
  }
}

Control configuration

The control configuration is the implementation of the requirement, how the requirement is fulfilled. We can see in this configurtation that it is implementing the control requirement shown above.

{
  "$schema": "http://calm.finos.org/controls/domains-example/security/configuration/permitted-connection.json",
  "control-id": "security-002",
  "name": "Permitted Connection",
  "description": "Permits a connection using an approved protocol",
  "protocol": "mTLS"
}