# Compliance

Interlynk supports multiple compliance frameworks to help organizations align SBOM practices with regulatory and industry standards. Administrators can enable frameworks, configure SBOM quality scoring, and manage compliance check rules.

***

## Supported Compliance Frameworks

| Framework     | Description                                                                           |
| ------------- | ------------------------------------------------------------------------------------- |
| **FDA**       | U.S. Food and Drug Administration requirements for medical device software            |
| **NTIA**      | National Telecommunications and Information Administration minimum elements for SBOMs |
| **BSI**       | German Federal Office for Information Security (TR-03183) technical guidelines        |
| **PCI**       | Payment Card Industry Data Security Standard                                          |
| **SOC2**      | Service Organization Control 2 compliance                                             |
| **ISO 27001** | International standard for information security management systems                    |
| **NIST**      | National Institute of Standards and Technology cybersecurity framework                |

### Enabling Compliance Frameworks

1. Navigate to **Settings > Organization > Compliance**.
2. Click the compliance configuration.
3. In the **Applicable Compliance** dropdown, select one or more frameworks.
4. Click **Save**.

You can enable multiple frameworks simultaneously. Each framework contributes its own set of check rules to SBOM analysis.

### SBOM Quality Score

One compliance framework can be designated as the primary scoring framework:

1. Navigate to the **SBOM Quality Score** configuration.
2. Select a framework from the dropdown. Options include: None, PCI, SOC2, ISO 27001, NIST, FDA, NTIA.
3. Click **Save**.

{% hint style="info" %}
Only one framework can be the active quality scorer at a time. BSI and Unspecified types are not available for quality scoring.
{% endhint %}

***

## Mapping Vulnerabilities to Compliance Controls

Compliance frameworks define check rules that evaluate SBOMs against framework-specific requirements. These checks verify:

* Required SBOM fields are present (supplier, version, timestamps).
* Component identification meets minimum standards (package URLs, CPE identifiers).
* Vulnerability data meets disclosure and tracking requirements.
* License information is complete and accurate.

### Compliance Check Rules

Each framework includes a set of predefined check rules. Administrators can manage these rules:

1. Navigate to **Settings > Organization > Compliance > Checks**.
2. The checks table displays:

| Column          | Description                                            |
| --------------- | ------------------------------------------------------ |
| **Active**      | Toggle to enable or disable individual checks          |
| **Check ID**    | Numeric identifier for the check rule                  |
| **Description** | Short and long description of what the check evaluates |
| **Severity**    | Impact level: Critical, High, Medium, Low              |

3. Toggle checks on or off to include or exclude them from SBOM analysis.
4. Change the severity level of a check by clicking the severity dropdown.

### Severity Levels

| Level        | Description                                 | Use When                                          |
| ------------ | ------------------------------------------- | ------------------------------------------------- |
| **Critical** | SBOM fails a fundamental requirement        | Missing mandatory fields, no supplier information |
| **High**     | Significant gap in SBOM quality             | Missing package identifiers for most components   |
| **Medium**   | Moderate quality issue                      | Incomplete license data, missing timestamps       |
| **Low**      | Minor issue or best-practice recommendation | Optional fields not populated                     |
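To make the check-rule model concrete, the script below is an added illustration (not Interlynk's check engine) of how a small set of completeness checks of the kind listed above can be run against a CycloneDX JSON document, with each rule carrying a numeric check id and a severity, a toggle set that excludes disabled checks from analysis, and a compliance score reported as the percentage of active checks that passed. The check ids, severities, field names beyond the CycloneDX schema, and the sample SBOM are all constructed for the example.

```python
"""Minimal SBOM completeness checker modelled on the kind of check rules
described above (required fields, component identifiers, licenses).
Added illustration; not Interlynk's check engine. Check ids, severities
and the sample SBOM are constructed for the example."""
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed CycloneDX 1.5 JSON sample: libfoo is complete, libbar lacks a
# version and a license, libbaz lacks a purl/cpe, and no supplier is given.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-05-01T12:00:00Z",
        "component": {"name": "my-app", "version": "1.0.0", "type": "application"},
    },
    "components": [
        {"name": "libfoo", "version": "2.3.1", "type": "library",
         "purl": "pkg:generic/libfoo@2.3.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "libbar", "type": "library",
         "purl": "pkg:generic/libbar"},
        {"name": "libbaz", "version": "0.9", "type": "library",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})


@dataclass(frozen=True)
class Check:
    check_id: int                          # hypothetical numeric id (cf. the Check ID column)
    severity: str                          # Critical / High / Medium / Low
    description: str
    evaluate: Callable[[dict], list]       # returns findings; an empty list means pass


def _components(sbom: dict) -> list:
    return sbom.get("components", [])


def check_supplier(sbom: dict) -> list:
    meta = sbom.get("metadata", {})
    if meta.get("supplier") or meta.get("component", {}).get("supplier"):
        return []
    return ["metadata.supplier / metadata.component.supplier is missing"]


def check_timestamp(sbom: dict) -> list:
    return [] if sbom.get("metadata", {}).get("timestamp") else ["metadata.timestamp is missing"]


def check_versions(sbom: dict) -> list:
    return [f"component '{c.get('name')}' has no version"
            for c in _components(sbom) if not c.get("version")]


def check_identifiers(sbom: dict) -> list:
    return [f"component '{c.get('name')}' has neither purl nor cpe"
            for c in _components(sbom) if not (c.get("purl") or c.get("cpe"))]


def check_licenses(sbom: dict) -> list:
    return [f"component '{c.get('name')}' has no license"
            for c in _components(sbom) if not c.get("licenses")]


# Constructed rule set; ids and severities are illustrative only.
CHECKS = [
    Check(101, "Critical", "Supplier identified", check_supplier),
    Check(102, "Medium", "SBOM creation timestamp present", check_timestamp),
    Check(103, "High", "Every component has a version", check_versions),
    Check(104, "High", "Every component has a purl or CPE", check_identifiers),
    Check(105, "Medium", "Every component declares a license", check_licenses),
]


def run_checks(sbom_json: str, active_ids: Optional[set] = None) -> dict:
    """Run the active checks and return the score (% passed) with per-check results.
    active_ids=None means every check is active; a disabled check is left out of
    both the findings and the score, as toggling it off in the checks table would."""
    sbom = json.loads(sbom_json)
    results = []
    for chk in CHECKS:
        if active_ids is not None and chk.check_id not in active_ids:
            continue
        findings = chk.evaluate(sbom)
        results.append({"check_id": chk.check_id, "severity": chk.severity,
                        "description": chk.description,
                        "passed": not findings, "findings": findings})
    passed = sum(1 for r in results if r["passed"])
    score = round(100 * passed / len(results)) if results else 0
    return {"score": score, "results": results}


def worst_severity(report: dict) -> Optional[str]:
    """Highest severity among failed checks, or None if everything passed."""
    order = ["Critical", "High", "Medium", "Low"]
    failed = [r["severity"] for r in report["results"] if not r["passed"]]
    return min(failed, key=order.index) if failed else None


if __name__ == "__main__":
    report = run_checks(SAMPLE_SBOM)
    print(f"score: {report['score']}%  worst failure: {worst_severity(report)}")
    for r in report["results"]:
        status = "PASS" if r["passed"] else f"FAIL ({r['severity']})"
        print(f"  [{r['check_id']}] {status}: {r['description']}")
        for f in r["findings"]:
            print(f"      - {f}")
```

Two behaviours are worth noting. A score is a percentage of active checks, so disabling a failing Critical check (here, the supplier rule) raises the score without closing the gap, which is exactly the "Critical checks disabled" misconfiguration listed later on this page; and the per-finding messages are what a failed check should surface so that the owner knows what field or component to fix.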

***

## Reporting

### SBOM Compliance Reports

Compliance check results are available at the SBOM level:

* Each SBOM shows its compliance score as a percentage.
* Individual check results (pass/fail) are listed with descriptions.
* Failed checks include guidance on what is missing or incorrect.

### Organization-Level Reporting

Organization dashboards aggregate compliance data across all products:

* Overall compliance posture by framework.
* Trend data showing compliance improvement over time.
* Products with the lowest compliance scores.

***

## Audit Exports

Compliance data can be exported for audit purposes:

* **SBOM downloads** include compliance metadata when downloaded in CycloneDX or SPDX format.
* **Vulnerability data** with VEX status, justification, and custom field values can be exported.
* **Check results** provide evidence of SBOM quality for auditors.

To export SBOM data with compliance information:

```bash
# Download an enhanced SBOM with vulnerability data
pylynk download --prod "my-app" --env "production" --ver "v1.0.0" \
  --out-file audit-sbom.json \
  --vuln true \
  --include-support-status true
```

***

## Evidence Collection

For compliance audits, Interlynk provides evidence across several dimensions:

| Evidence Type            | Source                                 | How to Access                          |
| ------------------------ | -------------------------------------- | -------------------------------------- |
| SBOM completeness        | Compliance check results               | SBOM detail view > Checks tab          |
| Vulnerability management | VEX dispositions, triage history       | Vulnerability detail view              |
| Component provenance     | Package URLs, supplier data            | Component detail view                  |
| Policy enforcement       | Policy scan results, violation history | Policy dashboard                       |
| Remediation tracking     | Jira ticket status, VEX status changes | Ticketing settings, vulnerability logs |
| Change history           | Activity logs, component vuln logs     | Activity log views                     |

***

## Best Practices for Audits

### Preparation

* **Enable the relevant compliance framework** before generating SBOMs that will be audited.
* **Run SBOM checks** on all products in scope to identify gaps before the audit.
* **Address critical and high-severity check failures** — these represent the most impactful gaps.
* **Use VEX dispositions** to document why specific vulnerabilities are not exploitable in your context.

### During the Audit

* **Export SBOMs** in the format required by your auditor (CycloneDX or SPDX).
* **Provide compliance check results** as evidence of SBOM quality.
* **Show policy scan history** to demonstrate ongoing enforcement.
* **Reference Jira tickets** (via the Jira integration) to show remediation progress.

### Ongoing Compliance

* **Enable SBOM checks by default** in [Environment Defaults](https://docs.interlynk.io/administration/environment-defaults) so all new projects are automatically evaluated.
* **Create policies** that enforce compliance minimums (e.g., fail if compliance score below 80%).
* **Set up notifications** for compliance check failures to catch regressions early.
* **Review compliance scores monthly** and track trends.

***

## Common Misconfigurations

| Issue                                                      | Symptom                                       | Fix                                                                                                               |
| ---------------------------------------------------------- | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| No compliance framework enabled                            | No compliance checks run, no scores displayed | Enable at least one framework in compliance settings                                                              |
| SBOM checks disabled in environment defaults               | Compliance checks never execute               | Enable "Run SBOM Checks" in [Environment Defaults](https://docs.interlynk.io/administration/environment-defaults) |
| All checks set to Low severity                             | Compliance failures do not trigger policies   | Adjust severity levels to reflect actual risk                                                                     |
| Multiple frameworks enabled but no quality scorer selected | No SBOM quality score displayed               | Select a primary framework for quality scoring                                                                    |
| Critical checks disabled                                   | Fundamental gaps not flagged                  | Review disabled checks and re-enable any that are required by your audit scope                                    |

***

## Recommended Best Practices

* Enable the compliance framework that matches your **regulatory requirements** (e.g., FDA for medical devices, NTIA for U.S. government).
* Start with **all checks enabled** and disable only those explicitly not applicable to your context.
* Set the **quality scoring framework** to match your primary compliance driver.
* Use **policies with compliance-related conditions** to automate enforcement.
* **Export and archive** compliance evidence regularly, not just before audits.
* Align custom field usage (see [Vulnerability Custom Fields](https://docs.interlynk.io/administration/vulnerability-custom-fields)) with compliance categories for richer audit evidence.
