Control template catalog
Paste-in CALM control snippets for the most common compliance frameworks. Each template carries the requirement schemas and config shapes that ArchRails’ deterministic constraint engine evaluates at PR time. Drop the snippets onto the nodes the framework applies to, fill in your config, open a PR — the engine validates the rest.
All templates are currently v0.1.0-beta. They are unverified reference implementations — ArchRails is not a QSA, auditor, DPA, NCA, or NYDFS-recognised advisor. Where a template and the regulation diverge, the authoritative regulation governs. Engine evaluation is deterministic regardless of beta status; the beta label sets expectations for the snippet content, not for what the validator does.
Frameworks
- GDPR Article 32 (Beta): EU personal-data security. `gdpr/v0.1.0-beta`
- SOC 2 Type II (Beta): AICPA Trust Services Criteria. `soc2-type-ii/v0.1.0-beta`
- PCI DSS v4.0 (Beta): Cardholder data environment. `pci-dss-v4/v0.1.0-beta`
- HIPAA Security Rule (Beta): US ePHI Technical + Administrative Safeguards. `hipaa-security-rule/v0.1.0-beta`
- NIST CSF 2.0 (Beta): Cybersecurity Framework — Protect + Detect. `nist-csf-2/v0.1.0-beta`
- ISO/IEC 27001:2022 (Beta): Annex A.8 Technological controls. `iso-27001-2022/v0.1.0-beta`
- DORA (Beta): EU Digital Operational Resilience Act. `dora/v0.1.0-beta`
- MiFID II / RTS 22 (Beta): Trade reporting + clock sync. `mifid-ii/v0.1.0-beta`
- NYDFS 23 NYCRR Part 500 (Beta): NY licensed financial entities. `nydfs-part-500/v0.1.0-beta`
- SOX 404 ITGC (Beta): IT general controls for financial reporting. `sox-404-it-gc/v0.1.0-beta`
Single controls
Standalone control templates for narrow, common requirements that don’t need a whole framework attached.
How to use these
1. Open the framework page and find the control you want to enforce (each is identified by a `control-id` like `gdpr-access-restriction` or `soc2-cc6.1-iam`).
2. Copy the JSON snippet directly under the “Control snippets” heading on that page.
3. Paste it into the `controls` object on the `node`, `relationship`, or `flow` the framework applies to in your `*.calm.json`. The Controls lesson covers the attach-point mechanics.
4. Fill in the `config` block with your environment’s actual values (or set `config-url` to point at a config document you maintain). The schema at `requirement-url` is what validates these.
5. Open the CALM-edit PR. ArchRails runs `calm validate` on the schema shape. Subsequent code PRs against any file mapped to that node will trip the constraint engine, which evaluates your `config` against the requirement schema deterministically. Failures surface as `AR-CTRL-001` findings with the customer’s own `control-id` on the wire.
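As an added illustration of the attach-and-validate flow described above (this is neither ArchRails’ constraint engine nor the CALM CLI), the Python below walks a constructed `*.calm.json` fragment, collects every control attached to a node, relationship or flow, and checks each requirement’s inline `config` against a constructed stand-in for the schema that `requirement-url` would serve. The requirement URL, the control values, and the finding shape (code plus the customer’s `control-id`) are assumptions.

```python
import json

# Constructed stand-in for the schema that requirement-url would serve;
# only the 'required', 'type' and 'maximum' keywords are understood here.
REQ_URL = "https://example.invalid/gdpr/access-restriction.requirement.json"
REQUIREMENT_SCHEMAS = {REQ_URL: {
    "required": ["mfa-required", "max-session-minutes"],
    "properties": {"mfa-required": {"type": "boolean"},
                   "max-session-minutes": {"type": "integer", "maximum": 60}}}}

# Constructed *.calm.json fragment: one service node carrying one attached control.
CALM_DOC = {"nodes": [{
    "unique-id": "account-service", "node-type": "service", "name": "Account service",
    "controls": {"gdpr-access-restriction": {
        "description": "Art. 32 access restriction for EU personal data",
        "requirements": [{"requirement-url": REQ_URL,
                          "config": {"mfa-required": True, "max-session-minutes": 120}}]}}}],
    "relationships": [], "flows": []}

TYPES = {"boolean": bool, "integer": int, "string": str}

def check_config(config, schema):
    """Return the ways config violates the mini requirement schema."""
    problems = [f"missing '{k}'" for k in schema.get("required", []) if k not in config]
    for key, rule in schema.get("properties", {}).items():
        if key not in config:
            continue
        value, want = config[key], TYPES[rule["type"]]
        # bool subclasses int in Python, so an integer rule must reject True/False explicitly.
        if not isinstance(value, want) or (want is int and isinstance(value, bool)):
            problems.append(f"'{key}' is not {rule['type']}")
        elif "maximum" in rule and value > rule["maximum"]:
            problems.append(f"'{key}'={value} exceeds maximum {rule['maximum']}")
    return problems

def evaluate(doc):
    """Walk nodes, relationships and flows; one finding per violated requirement.
    The finding shape (code + control-id) is assumed, not ArchRails' wire format."""
    findings = []
    for kind in ("nodes", "relationships", "flows"):
        for element in doc.get(kind, []):
            for control_id, control in element.get("controls", {}).items():
                for req in control["requirements"]:
                    if "config" not in req:  # config-url would need a fetch; skipped offline
                        continue
                    schema = REQUIREMENT_SCHEMAS[req["requirement-url"]]
                    for problem in check_config(req["config"], schema):
                        findings.append({"code": "AR-CTRL-001", "control-id": control_id,
                                         "element": element["unique-id"], "problem": problem})
    return findings
```

`json.dumps(evaluate(CALM_DOC), indent=2)` yields a single finding: the 120-minute session limit exceeds the schema’s maximum of 60, reported under `gdpr-access-restriction`.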
Which framework goes on which node?
There’s no algorithmic answer. The customer reads the regulation, the template’s applicability section, and decides the scope. Common patterns:
| Framework | Typical scope |
|---|---|
| PCI DSS v4 | Cardholder data environment (CDE) nodes only. |
| GDPR Art. 32 | Any service touching EU personal data — usually most user-facing nodes. |
| HIPAA Security Rule | ePHI-touching services + databases. |
| MiFID II / RTS 22 | Trade execution, transaction-reporting, clock-sync nodes. |
| SOX 404 ITGC | Anything affecting financial reporting. |
| SOC 2 TSC | Per the chosen trust services criteria (Security mandatory; Availability / Confidentiality optional). |
| NIST CSF 2.0 | Org-wide; typically all nodes get Protect (PR) + Detect (DE) controls. |
| ISO 27001 / Annex A | Org-wide; typically all nodes get A.8 Technological controls. |
| DORA | EU financial entities — all critical or important ICT services. |
| NYDFS Part 500 | NY-licensed financial entities — all information systems. |
A single node in a regulated financial-services environment can legitimately end up with controls from 5+ frameworks. That’s normal — the constraint engine runs every attached control independently.