# Compliance

Interlynk supports multiple compliance frameworks to help organizations align SBOM practices with regulatory and industry standards. Administrators can enable frameworks, configure SBOM quality scoring, and manage compliance check rules.

***

## Supported Compliance Frameworks

| Framework                           | Description                                                                                              |
| ----------------------------------- | -------------------------------------------------------------------------------------------------------- |
| **FDA**                             | U.S. Food and Drug Administration requirements for medical device software                               |
| **NTIA**                            | National Telecommunications and Information Administration minimum elements for SBOMs                    |
| **BSI TR-03183-2 v1.1**             | German Federal Office for Information Security (BSI) technical guideline for SBOM content                |
| **BSI TR-03183-2 v2.1.0**           | Updated BSI guideline (v2.1.0) with expanded SBOM quality requirements for European regulatory alignment |
| **OpenChain Telco SBOM Guide v1.1** | OpenChain working group guide for telecom-sector SBOM requirements                                       |
| **PCI**                             | Payment Card Industry Data Security Standard                                                             |
| **SOC2**                            | Service Organization Control 2 compliance                                                                |
| **ISO 27001**                       | International standard for information security management systems                                       |
| **NIST**                            | National Institute of Standards and Technology cybersecurity framework                                   |

### Enabling Compliance Frameworks

1. Navigate to **Settings > Organization > Compliance**.
2. Click the compliance configuration.
3. In the **Applicable Compliance** dropdown, select one or more frameworks.
4. Click **Save**.

You can enable multiple frameworks simultaneously. Each framework contributes its own set of check rules to SBOM analysis.

### SBOM Quality Score

One compliance framework can be designated as the primary scoring framework:

1. Navigate to the **SBOM Quality Score** configuration.
2. Select a framework from the dropdown. Options include: None, PCI, SOC2, ISO 27001, NIST, FDA, NTIA.
3. Click **Save**.

{% hint style="info" %}
Only one framework can be the active quality scorer at a time. BSI and Unspecified types are not available for quality scoring.
{% endhint %}

***

## Mapping Vulnerabilities to Compliance Controls

Compliance frameworks define check rules that evaluate SBOMs against framework-specific requirements. These checks verify:

* Required SBOM fields are present (supplier, version, timestamps).
* Component identification meets minimum standards (package URLs, CPE identifiers).
* Vulnerability data meets disclosure and tracking requirements.
* License information is complete and accurate.

### Compliance Check Rules

Each framework includes a set of predefined check rules. Administrators can manage these rules:

1. Navigate to **Settings > Organization > Compliance > Checks**.
2. The checks table displays:

| Column          | Description                                            |
| --------------- | ------------------------------------------------------ |
| **Active**      | Toggle to enable or disable individual checks          |
| **Check ID**    | Numeric identifier for the check rule                  |
| **Description** | Short and long description of what the check evaluates |
| **Severity**    | Impact level: Critical, High, Medium, Low              |

3. Toggle checks on or off to include or exclude them from SBOM analysis.
4. Change the severity level of a check by clicking the severity dropdown.

### Severity Levels

| Level        | Description                                 | Use When                                          |
| ------------ | ------------------------------------------- | ------------------------------------------------- |
| **Critical** | SBOM fails a fundamental requirement        | Missing mandatory fields, no supplier information |
| **High**     | Significant gap in SBOM quality             | Missing package identifiers for most components   |
| **Medium**   | Moderate quality issue                      | Incomplete license data, missing timestamps       |
| **Low**      | Minor issue or best-practice recommendation | Optional fields not populated                     |
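To make the check-rule and severity mechanics concrete, the following is a small check engine written for this page; it is an added example, not Interlynk's code or its rule set. The check IDs, rule predicates, the unweighted percentage score, and the CycloneDX document are all constructed assumptions. It runs the rule set over a sample SBOM, reports pass/fail with guidance for each failure, and then shows how disabling a check and downgrading a severity change the score and the worst outstanding severity, which is what the **Active** toggle and the severity dropdown above control.

```python
# Miniature SBOM check engine modelled on the check-rule and severity tables above.
# Added example, not Interlynk's code: check IDs, rule logic, and the scoring formula
# are assumptions; the CycloneDX document below is constructed for the demo.
import copy
import json
from dataclasses import dataclass
from typing import Callable, Optional

SEVERITY_ORDER = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}

@dataclass
class CheckRule:
    check_id: int                       # placeholder numeric ID (real IDs come from the checks table)
    description: str
    severity: str                       # Critical / High / Medium / Low
    predicate: Callable[[dict], bool]   # True when the SBOM satisfies the rule
    active: bool = True                 # the "Active" toggle in the checks table

@dataclass
class CheckResult:
    check_id: int
    severity: str
    passed: bool
    guidance: str                       # what is missing when the check fails

def every_component(sbom: dict, field: Callable[[dict], object]) -> bool:
    comps = sbom.get("components", [])
    return bool(comps) and all(field(c) for c in comps)

def has_supplier(sbom: dict) -> bool:
    meta = sbom.get("metadata", {})
    return bool(meta.get("supplier", {}).get("name")
                or meta.get("component", {}).get("supplier", {}).get("name"))

def most_components_identified(sbom: dict) -> bool:
    # "Missing package identifiers for most components" is the High example in the
    # severity table, so this rule passes when at least half carry a purl or CPE.
    comps = sbom.get("components", [])
    identified = sum(1 for c in comps if c.get("purl") or c.get("cpe"))
    return bool(comps) and 2 * identified >= len(comps)

# Constructed rule set; only the severity vocabulary comes from the page.
RULES = [
    CheckRule(1, "SBOM declares a supplier", "Critical", has_supplier),
    CheckRule(2, "SBOM carries a creation timestamp", "Medium",
              lambda s: bool(s.get("metadata", {}).get("timestamp"))),
    CheckRule(3, "Primary component has a version", "Critical",
              lambda s: bool(s.get("metadata", {}).get("component", {}).get("version"))),
    CheckRule(4, "Every component has a version", "High",
              lambda s: every_component(s, lambda c: c.get("version"))),
    CheckRule(5, "At least half of the components carry a purl or CPE", "High", most_components_identified),
    CheckRule(6, "Every component has license data", "Medium",
              lambda s: every_component(s, lambda c: c.get("licenses"))),
]

def run_checks(sbom: dict, rules: list) -> list:
    """Evaluate every active rule; inactive rules are excluded from analysis entirely."""
    results = []
    for rule in rules:
        if rule.active:
            passed = rule.predicate(sbom)
            guidance = "" if passed else "Fails: " + rule.description
            results.append(CheckResult(rule.check_id, rule.severity, passed, guidance))
    return results

def compliance_score(results: list) -> float:
    """Percentage of active checks that passed (assumed, unweighted formula)."""
    return round(100.0 * sum(r.passed for r in results) / len(results), 1) if results else 0.0

def worst_failed_severity(results: list) -> Optional[str]:
    failed = [r for r in results if not r.passed]
    return max(failed, key=lambda r: SEVERITY_ORDER[r.severity]).severity if failed else None

# Constructed CycloneDX 1.5 document: no supplier, and only one component with license data.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"timestamp": "2024-05-01T12:00:00Z",
               "component": {"type": "application", "name": "my-app", "version": "v1.0.0"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:generic/openssl@3.0.13",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "zlib", "version": "1.3.1", "purl": "pkg:generic/zlib@1.3.1"},
    {"type": "library", "name": "vendor-sdk", "version": "2.4"}
  ]
}""")

def demo() -> dict:
    """Score the sample SBOM, then show how the Active toggle and a severity change alter it."""
    baseline = run_checks(SAMPLE_SBOM, RULES)
    tuned = copy.deepcopy(RULES)
    tuned[0].active = False          # admin disables the supplier check
    tuned[5].severity = "Low"        # admin downgrades the license check
    after = run_checks(SAMPLE_SBOM, tuned)
    return {
        "baseline_score": compliance_score(baseline),
        "baseline_worst": worst_failed_severity(baseline),
        "tuned_score": compliance_score(after),
        "tuned_worst": worst_failed_severity(after),
        "failed_ids": [r.check_id for r in baseline if not r.passed],
    }
```

Run `demo()` to see the effect: the sample SBOM fails the supplier (Critical) and license (Medium) checks for a 66.7% score; with the supplier check toggled off it scores 80.0%, and with the license check downgraded the worst outstanding severity drops to Low. That is exactly why the misconfiguration table below warns against disabling Critical checks or setting everything to Low: the score and the severities that policies react to only mean something if the rule set still reflects the audit scope.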

***

## Reporting

### SBOM Compliance Reports

Compliance check results are available at the SBOM level:

* Each SBOM shows its compliance score as a percentage.
* Individual check results (pass/fail) are listed with descriptions.
* Failed checks include guidance on what is missing or incorrect.

### Organization-Level Reporting

Organization dashboards aggregate compliance data across all products:

* Overall compliance posture by framework.
* Trend data showing compliance improvement over time.
* Products with the lowest compliance scores.

***

## Audit Exports

Compliance data can be exported for audit purposes:

* **SBOM downloads** include compliance metadata when downloaded in CycloneDX or SPDX format.
* **Vulnerability data** with VEX status, justification, and custom field values can be exported.
* **Check results** provide evidence of SBOM quality for auditors.

To export SBOM data with compliance information:

```bash
# Download an enhanced SBOM with vulnerability data
pylynk download --prod "my-app" --env "production" --ver "v1.0.0" \
  --out-file audit-sbom.json \
  --vuln true \
  --include-support-status true
```

***

## Evidence Collection

For compliance audits, Interlynk provides evidence across several dimensions:

| Evidence Type            | Source                                 | How to Access                          |
| ------------------------ | -------------------------------------- | -------------------------------------- |
| SBOM completeness        | Compliance check results               | SBOM detail view > Checks tab          |
| Vulnerability management | VEX dispositions, triage history       | Vulnerability detail view              |
| Component provenance     | Package URLs, supplier data            | Component detail view                  |
| Policy enforcement       | Policy scan results, violation history | Policy dashboard                       |
| Remediation tracking     | Jira ticket status, VEX status changes | Ticketing settings, vulnerability logs |
| Change history           | Activity logs, component vuln logs     | Activity log views                     |

***

## Best Practices for Audits

### Preparation

* **Enable the relevant compliance framework** before generating SBOMs that will be audited.
* **Run SBOM checks** on all products in scope to identify gaps before the audit.
* **Address critical and high-severity check failures** — these represent the most impactful gaps.
* **Use VEX dispositions** to document why specific vulnerabilities are not exploitable in your context.

### During the Audit

* **Export SBOMs** in the format required by your auditor (CycloneDX or SPDX).
* **Provide compliance check results** as evidence of SBOM quality.
* **Show policy scan history** to demonstrate ongoing enforcement.
* **Reference Jira tickets** (via the Jira integration) to show remediation progress.

### Ongoing Compliance

* **Enable SBOM checks by default** in [Environment Defaults](/administration/environment-defaults.md) so all new projects are automatically evaluated.
* **Create policies** that enforce compliance minimums (e.g., fail if compliance score below 80%).
* **Set up notifications** for compliance check failures to catch regressions early.
* **Review compliance scores monthly** and track trends.
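The three bullets above (a minimum-score policy, notifications on failures, and monthly trend review) and the organization-level reporting section can be combined into one gate, shown here as an added example that is not Interlynk's policy engine: the result records, the 80% threshold, the blocked severities, the regression tolerance, and the message format are constructed assumptions, and the product names and scores are sample data.

```python
# Policy gate and organization-level roll-up over compliance results, as an added
# example (not Interlynk's policy engine). The result records, thresholds and
# message format are constructed assumptions for the demo.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ComplianceResult:
    product: str
    score: float                            # compliance score percentage from the SBOM view
    failed_severities: list = field(default_factory=list)
    previous_score: Optional[float] = None  # score at the last review, if one exists

@dataclass
class Policy:
    minimum_score: float = 80.0             # "fail if compliance score below 80%"
    block_on: tuple = ("Critical", "High")  # failed checks at these severities are violations
    max_regression: float = 5.0             # notify when the score drops by more than this

def evaluate(result: ComplianceResult, policy: Policy) -> list:
    """Return violation messages for one product; an empty list means it passes."""
    violations = []
    if result.score < policy.minimum_score:
        violations.append(f"{result.product}: score {result.score}% is below the "
                          f"{policy.minimum_score}% minimum")
    blocked = sorted({s for s in result.failed_severities if s in policy.block_on})
    if blocked:
        violations.append(f"{result.product}: failed checks at blocked severity {', '.join(blocked)}")
    if result.previous_score is not None and result.previous_score - result.score > policy.max_regression:
        violations.append(f"{result.product}: regression from {result.previous_score}% to {result.score}%")
    return violations

def gate(results: list, policy: Policy, lowest_n: int = 3) -> dict:
    """Roll results up the way an organization dashboard would: violations plus the lowest scorers."""
    per_product = {r.product: evaluate(r, policy) for r in results}
    lowest = sorted(results, key=lambda r: r.score)[:lowest_n]
    return {
        "passed": not any(per_product.values()),
        "violations": {p: v for p, v in per_product.items() if v},
        "lowest_scores": [(r.product, r.score) for r in lowest],
    }

# Constructed results for three products; the scores are sample values.
SAMPLE_RESULTS = [
    ComplianceResult("my-app", 91.7, ["Low"], previous_score=90.0),
    ComplianceResult("billing-svc", 83.3, ["Critical", "Medium"], previous_score=83.3),
    ComplianceResult("legacy-agent", 66.7, ["High", "Medium"], previous_score=75.0),
]

if __name__ == "__main__":
    report = gate(SAMPLE_RESULTS, Policy())
    for messages in report["violations"].values():
        print("\n".join(messages))          # these lines are what a notification would carry
    print("lowest scores:", report["lowest_scores"])
```

Note that `billing-svc` clears the 80% minimum yet still fails the gate because of a Critical check failure; a score threshold alone would have let it through, which is the reason for pairing the percentage condition with a severity condition.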

***

## Common Misconfigurations

| Issue                                                      | Symptom                                       | Fix                                                                                         |
| ---------------------------------------------------------- | --------------------------------------------- | ------------------------------------------------------------------------------------------- |
| No compliance framework enabled                            | No compliance checks run, no scores displayed | Enable at least one framework in compliance settings                                        |
| SBOM checks disabled in environment defaults               | Compliance checks never execute               | Enable "Run SBOM Checks" in [Environment Defaults](/administration/environment-defaults.md) |
| All checks set to Low severity                             | Compliance failures do not trigger policies   | Adjust severity levels to reflect actual risk                                               |
| Multiple frameworks enabled but no quality scorer selected | No SBOM quality score displayed               | Select a primary framework for quality scoring                                              |
| Critical checks disabled                                   | Fundamental gaps not flagged                  | Review disabled checks and re-enable any that are required by your audit scope              |

***

## Recommended Best Practices

* Enable the compliance framework that matches your **regulatory requirements** (e.g., FDA for medical devices, NTIA for U.S. government).
* Start with **all checks enabled** and disable only those explicitly not applicable to your context.
* Set the **quality scoring framework** to match your primary compliance driver.
* Use **policies with compliance-related conditions** to automate enforcement.
* **Export and archive** compliance evidence regularly, not just before audits.
* Align custom field usage (see [Vulnerability Custom Fields](/administration/vulnerability-custom-fields.md)) with compliance categories for richer audit evidence.

