RedCardinal.Compliance.Abstractions 2026.1.1

RedCardinal.Compliance.Abstractions

A .NET library providing compliance framework attributes for annotating code with control mappings. Enables static analysis and audit reporting for compliance frameworks.

Installation

dotnet add package RedCardinal.Compliance.Abstractions

Supported Frameworks

| Framework | Description |
|-----------|-------------|
| SOC 2 | Trust Service Criteria (CC, A, PI, C, P categories) |
| ISO 27001 | Information Security Management System controls |
| GDPR | General Data Protection Regulation (EU) |
| PCI-DSS | Payment Card Industry Data Security Standard |
| HIPAA | Health Insurance Portability and Accountability Act |
| CCPA | California Consumer Privacy Act |
| CMMC | Cybersecurity Maturity Model Certification (DoD) |
| SOX | Sarbanes-Oxley Act IT controls |
| NIST CSF | NIST Cybersecurity Framework |

Quick Start

Mapping Controls to Code

using RedCardinal.Compliance.Abstractions.Soc2;
using RedCardinal.Compliance.Abstractions.Iso27001;
using RedCardinal.Compliance.Abstractions.Hipaa;

[Soc2Control("CC6.1", Description = "Implements logical access controls")]
[Iso27001Control("A.8.3", Description = "Information access restriction")]
[HipaaControl("164.312(a)(1)", Safeguard = HipaaSafeguard.Technical)]
public class AuthenticationService
{
    [Soc2Control("CC6.2")]
    public bool ValidateCredentials(string username, string password)
    {
        // Implementation goes here; throwing keeps the sample compilable.
        throw new System.NotImplementedException();
    }
}

Data Classification

using RedCardinal.Compliance.Abstractions.DataClassification;

public class UserProfile
{
    [DataClassification(DataSensitivity.Pii)]
    [PersonalData(PersonalDataCategory.Contact)]
    public string Email { get; set; }

    [DataClassification(DataSensitivity.Phi, RequiresEncryptionAtRest = true)]
    public string MedicalRecordNumber { get; set; }

    [DataClassification(DataSensitivity.Pci)]
    public string CreditCardNumber { get; set; }
}

Documenting Evidence

using RedCardinal.Compliance.Abstractions.Evidence;

[ComplianceEvidence(
    EvidenceType.Encryption,
    "Uses AES-256-GCM encryption exceeding minimum requirements",
    RelatedControls = new[] { "CC6.1", "A.8.24", "PCI-DSS 3.5.1" })]
public class EncryptionService
{
    [AuditNote("Key rotation occurs every 90 days per security policy")]
    public void EncryptData(byte[] data) { }
}

Justifications and Exceptions

using RedCardinal.Compliance.Abstractions.Evidence;

[ComplianceJustification(
    "PCI-DSS 3.5.1",
    "Using AES-256 which exceeds the minimum AES-128 requirement",
    JustificationType.ExceedsRequirement,
    ApprovedBy = "Security Team")]
public class CardEncryption { }

[ComplianceJustification(
    "HIPAA",
    "Service only processes anonymized data - no PHI present",
    JustificationType.NotApplicable)]
public class AnonymousAnalyticsService { }

Framework-Specific Attributes

SOC 2

[Soc2Control("CC6.1", Category = Soc2Category.Security)]
[Soc2Control("A1.2", Category = Soc2Category.Availability)]

Categories: Security, Availability, ProcessingIntegrity, Confidentiality, Privacy

ISO 27001

[Iso27001Control("A.8.24", Theme = Iso27001Theme.Technological)]

Themes: Organizational, People, Physical, Technological

GDPR

[GdprArticle("17", Principle = GdprPrinciple.StorageLimitation, Paragraph = "1")]

Principles: LawfulnessFairnessTransparency, PurposeLimitation, DataMinimisation, Accuracy, StorageLimitation, SecurityOfProcessing, Accountability

PCI-DSS

[PciDssRequirement("3.5.1", Goal = PciDssGoal.ProtectAccountData)]

Goals: SecureNetwork, ProtectAccountData, VulnerabilityManagement, AccessControl, IdentifyAndAuthenticate, MonitorAndTest, SecurityPolicy

HIPAA

[HipaaControl("164.312(a)(1)", Safeguard = HipaaSafeguard.Technical)]
[HipaaControl("164.312(e)(1)", RequirementType = HipaaRequirementType.Addressable)]

Safeguards: Administrative, Physical, Technical, Organizational, PoliciesAndProcedures

CCPA

[CcpaRequirement("1798.105", Right = CcpaRight.RightToDelete)]
[CcpaRequirement("1798.120", Right = CcpaRight.RightToOptOut)]

Rights: RightToKnow, RightToDelete, RightToOptOut, RightToNonDiscrimination, RightToCorrect, RightToLimitUse, RightToAccess, RightToPortability

CMMC

[CmmcPractice("AC.L2-3.1.1", Level = CmmcLevel.Level2, Domain = CmmcDomain.AccessControl)]

Levels: Level1, Level2, Level3

Domains: AccessControl, AwarenessAndTraining, AuditAndAccountability, ConfigurationManagement, IdentificationAndAuthentication, IncidentResponse, Maintenance, MediaProtection, PersonnelSecurity, PhysicalProtection, RiskAssessment, SecurityAssessment, SystemAndCommunicationsProtection, SystemAndInformationIntegrity

SOX

[SoxControl("ITGC-AC-01", Category = SoxControlCategory.AccessControl, Section = "404")]

Categories: AccessControl, ChangeManagement, ProgramDevelopment, ComputerOperations, BackupAndRecovery, SegregationOfDuties, SystemSecurity, LoggingAndMonitoring

Control Types: Itgc, ApplicationControl, ItDependentManual, EntityLevel

NIST CSF

[NistCsfControl("PR.AC-1", Function = NistCsfFunction.Protect, Tier = 3)]

Functions: Govern, Identify, Protect, Detect, Respond, Recover

Common Properties

All compliance attributes support:

  • Description - How this code satisfies the control
  • Status - Implementation status (NotImplemented, InProgress, PartiallyImplemented, Implemented, NotApplicable)
  • Owner - Person or team responsible
  • LastReviewedDate - ISO 8601 date of last review

Data Sensitivity Levels

Public, Internal, Confidential, Pii, SensitivePii, Phi, Pci, Financial, Credentials, Restricted

Runtime Verification

Beyond static attributes, the library provides interfaces for runtime compliance verification and evidence collection.

Compliance Probes

Implement IComplianceProbe to create runtime verification checks that can be discovered and executed by a compliance engine:

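using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using RedCardinal.Compliance.Abstractions.Evidence;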

public class SqlLedgerIntegrityProbe : IComplianceProbe
{
    public string ProbeId => "sql-ledger-integrity";
    public string Name => "SQL Ledger Integrity Check";
    public string? Description => "Verifies SQL Server ledger tables have not been tampered with";
    public IReadOnlyCollection<string> RelatedControlIds => new[] { "CC6.1", "PI1.1" };

    public async Task<ComplianceProbeResult> VerifyAsync(CancellationToken cancellationToken = default)
    {
        // VerifyLedgerAsync is an application-defined helper (not shown) that performs the ledger check.
        var isValid = await VerifyLedgerAsync(cancellationToken);

        if (isValid)
        {
            return ComplianceProbeResult.Success(
                "Ledger integrity verified",
                new Dictionary<string, object> { { "verified_at", DateTimeOffset.UtcNow } });
        }

        return ComplianceProbeResult.Failure(
            "Ledger tampering detected",
            ProbeSeverity.Critical);
    }
}

Probe results include:

  • IsCompliant - Whether verification passed
  • Message - Description of the result
  • Timestamp - When verification occurred
  • Evidence - Additional data collected during verification
  • Severity - For failures: Info, Low, Medium, High, Critical
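
A minimal probe runner that fails closed, given here as an added example and not code from the package. It uses only the IComplianceProbe, ComplianceProbeResult.Failure and ProbeSeverity members shown above and needs the package referenced to compile. ProbeRunner, RunAllAsync and the choice of High severity are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using RedCardinal.Compliance.Abstractions.Evidence;

// Hypothetical helper, not part of the package.
public static class ProbeRunner
{
    // Runs every probe in turn. A probe that throws or times out is recorded as a
    // failure, so a broken check can never be mistaken for a passing control.
    public static async Task<IReadOnlyDictionary<string, ComplianceProbeResult>> RunAllAsync(
        IEnumerable<IComplianceProbe> probes, TimeSpan perProbeTimeout, CancellationToken ct = default)
    {
        var results = new Dictionary<string, ComplianceProbeResult>(StringComparer.Ordinal);
        foreach (var probe in probes)
        {
            // The timeout only takes effect if the probe honours its CancellationToken.
            using (var cts = CancellationTokenSource.CreateLinkedTokenSource(ct))
            {
                cts.CancelAfter(perProbeTimeout);
                try
                {
                    results[probe.ProbeId] = await probe.VerifyAsync(cts.Token);
                }
                catch (OperationCanceledException) when (!ct.IsCancellationRequested)
                {
                    // Per-probe timeout; cancellation requested by the caller still propagates.
                    results[probe.ProbeId] = ComplianceProbeResult.Failure(
                        "Probe timed out after " + perProbeTimeout, ProbeSeverity.High);
                }
                catch (Exception ex) when (!(ex is OperationCanceledException))
                {
                    // Record only the exception type: messages can carry connection strings or secrets.
                    results[probe.ProbeId] = ComplianceProbeResult.Failure(
                        "Probe threw " + ex.GetType().Name, ProbeSeverity.High);
                }
            }
        }
        return results;
    }
}
```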

Evidence Providers

Implement IEvidenceProvider to collect proof-of-compliance data suitable for OSCAL reports:

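using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using RedCardinal.Compliance.Abstractions.Evidence;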

public class KeyRotationEvidenceProvider : IEvidenceProvider
{
    public string ProviderId => "key-rotation";
    public string Name => "Encryption Key Rotation Evidence";
    public string? Description => "Provides evidence of encryption key rotation compliance";
    public IReadOnlyCollection<string> RelatedControlIds => new[] { "CC6.1", "A.8.24" };

    public async Task<EvidenceRecord> GetEvidenceAsync(CancellationToken cancellationToken = default)
    {
        // _keyVault and ComputeRotationHash are application-defined members (not shown).
        var lastRotation = await _keyVault.GetLastRotationDateAsync(cancellationToken);
        var hash = ComputeRotationHash(lastRotation);

        return new EvidenceRecord(
            providerId: ProviderId,
            description: "Encryption keys rotated within 90-day policy period",
            hash: hash,
            hashAlgorithm: "SHA-256")
        {
            // OSCAL-compatible fields
            ComponentUuid = Guid.Parse("550e8400-e29b-41d4-a716-446655440000"),
            ObservationMethod = "TEST",
            OscalEvidenceType = "collected"
        };
    }
}

EvidenceRecord includes OSCAL-compatible fields:

  • SubjectUuid - OSCAL assessment subject UUID
  • ComponentUuid - OSCAL component UUID
  • ObservationUuid - OSCAL observation UUID
  • ObservationMethod - Method used (TEST, EXAMINE, INTERVIEW)
  • OscalEvidenceType - Evidence categorization
  • Metadata - Additional key-value properties

Use Cases

  1. Audit Preparation - Generate reports showing which code implements which controls
  2. Gap Analysis - Identify controls without code implementation
  3. Documentation - Keep compliance evidence close to implementation
  4. Code Review - Reviewers can verify control implementations
  5. Static Analysis - Build tools to scan for compliance coverage
  6. Runtime Verification - Execute compliance probes to verify controls at runtime
  7. OSCAL Integration - Generate machine-readable evidence for automated compliance reporting
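
A sketch of the gap-analysis and static-analysis use cases, given here as an added example and not code from the package. It reads attribute metadata through reflection and reports which required control IDs have no annotated code. DemoControlAttribute, the CoverageDemo namespace and the required-control list are constructed stand-ins so the block runs without the package. Against real code, pass a framework namespace such as RedCardinal.Compliance.Abstractions.Soc2.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

namespace CoverageDemo
{
    // Constructed stand-in attribute so the example runs without the package installed.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
    public sealed class DemoControlAttribute : Attribute
    {
        public DemoControlAttribute(string controlId) { }
    }

    [DemoControl("CC6.1")]
    public class AuthenticationService
    {
        [DemoControl("CC6.2")]
        public bool ValidateCredentials(string username, string password) => false;
    }
    public static class ControlCoverage
    {
        const BindingFlags Declared = BindingFlags.Public | BindingFlags.NonPublic |
            BindingFlags.Instance | BindingFlags.Static | BindingFlags.DeclaredOnly;
        // Maps each control ID to the types and members annotated with it.
        public static Dictionary<string, List<string>> Scan(Assembly assembly, string attributeNamespace)
        {
            var map = new Dictionary<string, List<string>>(StringComparer.Ordinal);
            foreach (var type in assembly.GetTypes())
            foreach (var member in new MemberInfo[] { type }.Concat(
                         type.GetMembers(Declared).Where(m => m.MemberType != MemberTypes.NestedType)))
            foreach (var data in member.GetCustomAttributesData())
            {
                if (data.AttributeType.Namespace != attributeNamespace) continue;
                // Assumption: the control ID is the first constructor argument, as in [Soc2Control("CC6.1")].
                if (data.ConstructorArguments.Count == 0 || !(data.ConstructorArguments[0].Value is string id)) continue;
                if (!map.TryGetValue(id, out var sites)) map[id] = sites = new List<string>();
                sites.Add(member is Type ? type.FullName : type.FullName + "." + member.Name);
            }
            return map;
        }
        public static void Main()
        {
            var required = new[] { "CC6.1", "CC6.2", "CC7.2" }; // constructed list of in-scope controls
            var found = Scan(typeof(ControlCoverage).Assembly, "CoverageDemo");
            foreach (var id in required)
                Console.WriteLine(found.TryGetValue(id, out var sites) ? id + ": " + string.Join(", ", sites) : id + ": GAP");
        }
    }
}
```

Scanning one framework namespace at a time keeps attributes such as ComplianceJustification, whose first argument is also a control reference, from being counted as implemented controls.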

Target Frameworks

  • .NET 8.0
  • .NET Standard 2.0
  • .NET Standard 2.1

License

MIT License - see LICENSE file for details.

Dependencies

  • .NETStandard 2.0 - No dependencies.
  • .NETStandard 2.1 - No dependencies.
  • net8.0 - No dependencies.

| Version | Downloads | Last Updated |
|---------|-----------|--------------|
| 2026.1.1 | 113 | 1/26/2026 |
| 2026.1.0 | 104 | 1/24/2026 |