Frequently Asked Questions

Common questions about the CSE specification, registry, and integration.

General

What is CSE?

CSE (Compliance Signal Enumeration) is a public specification and registry that defines stable identifiers for recurring technical signals observed in software, infrastructure, and operational artifacts that are relevant to compliance and risk assessments. Think of it as "CVE for compliance"—a shared vocabulary for referencing what was observed without asserting compliance status.

Is CSE a compliance framework?

No. CSE is not a compliance framework, certification standard, or set of requirements. It's a neutral reference layer that helps correlate observations across different frameworks. CSE describes observable conditions; compliance assessments and remediation decisions remain contextual and human-driven.

Is CSE free to use?

Yes. The CSE specification, registry, and basic API access are free forever. The registry is open source and publicly accessible. Higher API rate limits are available for high-volume integrations.

Who maintains CSE?

CSE is maintained as an open project. Contributions are welcome via GitHub. The specification and registry are versioned and changes are documented in the changelog.

Signals

What is a signal?

A signal is the core unit of the CSE registry—a canonical definition of a specific technical condition relevant to compliance. Each signal has a unique, permanent identifier (e.g., CSE-HIPAA-TECH-ENCRYPT-REST-001) that any tool can emit and any consumer can understand.

How are signal IDs structured?

Signal IDs follow the pattern: CSE-DOMAIN-CATEGORY-NAME-SEQUENCE

  • CSE - Fixed namespace prefix
  • DOMAIN - Primary compliance domain (e.g., HIPAA, CMMC, or GEN for cross-framework signals)
  • CATEGORY - Control category (e.g., TECH, ACCESS)
  • NAME - Descriptive short name; it may itself contain hyphens, as ENCRYPT-REST does in the example above
  • SEQUENCE - 3-digit, zero-padded sequence number (e.g., 001)
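Because NAME can contain hyphens, splitting an ID on "-" and taking the fourth token does not work. The parser below, an added example rather than code from the CSE project, anchors on the fixed prefix, the two single-token fields, and the 3-digit tail, and lets NAME absorb whatever lies between. The character-set rule (upper-case letters and digits only) and the round-trip check are assumptions of this example, not published spec requirements.

```python
"""Parse and validate CSE signal IDs of the form CSE-DOMAIN-CATEGORY-NAME-SEQUENCE.

Added example; not code from the CSE project. It assumes only what the FAQ
states: a fixed "CSE" prefix, single-token DOMAIN and CATEGORY, a NAME that
may itself contain hyphens (CSE-HIPAA-TECH-ENCRYPT-REST-001), and a 3-digit
SEQUENCE. Restricting tokens to upper-case alphanumerics is an assumption.
"""
import re
from dataclasses import dataclass

# Assumed grammar: tokens are upper-case letters/digits; NAME is one or more
# tokens joined by hyphens and is matched greedily up to the 3-digit tail.
_SIGNAL_ID_RE = re.compile(
    r"^CSE-(?P<domain>[A-Z0-9]+)-(?P<category>[A-Z0-9]+)-"
    r"(?P<name>[A-Z0-9]+(?:-[A-Z0-9]+)*)-(?P<sequence>\d{3})$"
)


@dataclass(frozen=True)
class SignalId:
    domain: str
    category: str
    name: str
    sequence: int

    def __str__(self) -> str:
        # Re-emit in canonical form; SEQUENCE is zero-padded to 3 digits.
        return f"CSE-{self.domain}-{self.category}-{self.name}-{self.sequence:03d}"


def parse_signal_id(raw: str) -> SignalId:
    """Return the parsed parts of a CSE signal ID, or raise ValueError.

    Lower-case, stray whitespace, or a short sequence are rejected rather than
    normalized: an identifier that is silently rewritten is no longer the
    stable reference the registry promises.
    """
    m = _SIGNAL_ID_RE.match(raw)
    if m is None:
        raise ValueError(f"not a well-formed CSE signal ID: {raw!r}")
    return SignalId(
        domain=m["domain"],
        category=m["category"],
        name=m["name"],
        sequence=int(m["sequence"]),
    )


def is_signal_id(raw: str) -> bool:
    """Boolean convenience wrapper around parse_signal_id."""
    try:
        parse_signal_id(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs; only the first ID appears on the page itself.
    for candidate in [
        "CSE-HIPAA-TECH-ENCRYPT-REST-001",  # from the FAQ; NAME contains a hyphen
        "CSE-GEN-ACCESS-MFA-012",           # constructed, well-formed
        "cse-hipaa-tech-encrypt-rest-001",  # wrong case: rejected
        "CSE-HIPAA-TECH-ENCRYPT-REST-1",    # SEQUENCE not 3 digits: rejected
        "CSE-HIPAA-TECH-001",               # NAME missing: rejected
    ]:
        result = parse_signal_id(candidate) if is_signal_id(candidate) else "INVALID"
        print(f"{candidate} -> {result}")
```

A tool that accepts IDs from an external source should compare str(parse_signal_id(x)) with x before storing it; anything that does not round-trip was not a canonical identifier.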

Can signal IDs change?

No. Signal IDs are permanent identifiers that never change. This stability enables long-term citation and reliable cross-system references. If a signal definition needs significant changes, a new signal is created with a new ID.

How do I request a new signal?

New signals can be proposed via GitHub. Open an issue describing the technical condition, its compliance relevance, and suggested framework mappings. Community review helps ensure quality and consistency before signals are added to the registry.

Mappings

What are mappings?

Mappings establish relationships between CSE signals and framework controls. A single signal can map to controls in multiple frameworks (e.g., HIPAA, SOC 2, and ISO 27001 simultaneously), enabling automatic cross-framework correlation.

What do the relationship types mean?

  • Primary: Signal directly addresses the control requirement
  • Supporting: Signal provides evidence that supports control compliance
  • Partial: Signal addresses only part of the control requirement
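The cross-framework correlation described above, as an added example (not code from the CSE registry or its API): a handful of findings that carry CSE signal IDs are grouped by framework control, keyed by relationship type. The mapping table and findings are constructed for illustration; whether these exact control references and relationship types exist in the real registry is an assumption. The last function flags controls that have only supporting or partial signals, which is where an assessor still has to decide.

```python
"""Correlate tool findings across frameworks via CSE mappings.

Added example; not code from the CSE project. SAMPLE_MAPPINGS and
SAMPLE_FINDINGS are constructed; their control references and relationship
types are assumptions made for illustration.
"""
from enum import Enum


class Relationship(str, Enum):
    PRIMARY = "primary"        # signal directly addresses the control
    SUPPORTING = "supporting"  # signal is evidence that supports the control
    PARTIAL = "partial"        # signal covers only part of the control


# Constructed registry excerpt: signal ID -> [(framework, control, relationship)]
SAMPLE_MAPPINGS = {
    "CSE-HIPAA-TECH-ENCRYPT-REST-001": [
        ("HIPAA", "164.312(a)(2)(iv)", Relationship.PRIMARY),
        ("SOC 2", "CC6.1", Relationship.SUPPORTING),
        ("ISO 27001:2022", "A.8.24", Relationship.PARTIAL),
    ],
    "CSE-GEN-ACCESS-MFA-001": [  # constructed signal ID
        ("HIPAA", "164.312(d)", Relationship.SUPPORTING),
        ("SOC 2", "CC6.1", Relationship.PRIMARY),
    ],
}

# Constructed findings as a Level 1 integration might emit them: the tool's own
# fields plus a CSE signal ID.
SAMPLE_FINDINGS = [
    {"tool": "scanner-a", "resource": "db-prod-1",
     "signal_id": "CSE-HIPAA-TECH-ENCRYPT-REST-001"},
    {"tool": "idp-audit", "resource": "idp-tenant",
     "signal_id": "CSE-GEN-ACCESS-MFA-001"},
    {"tool": "scanner-a", "resource": "log-bucket",
     "signal_id": "CSE-GEN-LOG-RETENTION-999"},  # constructed; not in the table
]


def correlate(findings, mappings):
    """Group observed signal IDs under every framework control they map to.

    Returns ({framework: {control: {relationship: [signal_id, ...]}}}, unmapped).
    Unknown IDs are returned separately so stale or mistyped identifiers are
    noticed instead of silently dropping evidence.
    """
    by_framework = {}
    unmapped = []
    for finding in findings:
        sid = finding["signal_id"]
        entries = mappings.get(sid)
        if not entries:
            unmapped.append(sid)
            continue
        for framework, control, rel in entries:
            (by_framework.setdefault(framework, {})
                         .setdefault(control, {})
                         .setdefault(rel.value, [])
                         .append(sid))
    return by_framework, unmapped


def controls_without_primary(by_framework):
    """Controls touched only by supporting/partial signals.

    These are the places where the mapping alone says least: a signal was
    observed, but no signal directly addresses the control, so the
    determination stays with the assessor.
    """
    out = []
    for framework, controls in by_framework.items():
        for control, rels in controls.items():
            if Relationship.PRIMARY.value not in rels:
                out.append((framework, control))
    return sorted(out)


if __name__ == "__main__":
    grouped, unknown = correlate(SAMPLE_FINDINGS, SAMPLE_MAPPINGS)
    for framework, controls in sorted(grouped.items()):
        print(framework)
        for control, rels in sorted(controls.items()):
            for rel, sids in sorted(rels.items()):
                print(f"  {control:20} {rel:10} {', '.join(sids)}")
    print("needs assessor judgment:", controls_without_primary(grouped))
    print("unmapped signal IDs:", unknown)
```

Note that the output is a list of evidence per control, not a pass/fail verdict: the page is explicit that mappings are informational, and a consumer that turned a single Primary mapping into "compliant" would be asserting something the registry does not.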

Are mappings authoritative?

CSE mappings are curated by domain experts but are informational, not authoritative. Actual compliance determinations depend on context, environment, and assessment methodology. Mappings should inform but not replace professional compliance judgment.

Integration

How do I integrate my tool with CSE?

Integration can be as simple as including CSE signal IDs in your existing output format (Level 1), or as comprehensive as emitting full CSE-format findings with artifacts (Level 3). See the Security Tools Integration Guide for details.

Does my tool need to be certified?

No certification is required. Any tool can reference CSE signals or emit CSE-format findings. Validation against JSON schemas is recommended but optional.

How do I validate my CSE output?

CSE provides JSON Schema files for all data types. You can validate your output using any JSON Schema-compatible validator, for example ajv-cli (installed with npm install -g ajv-cli):

ajv validate -s finding.schema.json -d my-findings.json

API

Do I need an API key?

Yes, API access requires a free API key. Register to get your key. Alternatively, you can fetch data directly from GitHub raw URLs without authentication.

What are the rate limits?

The free tier allows 10,000 requests per day and 60 requests per minute. Higher limits are available for production integrations. See Rate Limits for details.

Is there an SDK?

Official SDKs are planned. In the meantime, the REST API works with any HTTP client. See API Examples for code samples in Python, JavaScript, Go, and more.

Data

How often is the registry updated?

The registry is updated regularly as new signals are added and mappings are expanded. Signal definitions are stable once published. Subscribe to the GitHub repository for notifications.

Can I use CSE data in my product?

Yes. The CSE registry and specification are open for commercial and non-commercial use. Attribution is appreciated but not required. Check the license in the GitHub repository for specific terms.

How do I report an error in a signal or mapping?

Open an issue on GitHub describing the error and suggested correction. Include references to relevant framework documentation if applicable.

Compliance Domains

Which frameworks does CSE cover?

CSE currently covers 12 compliance domains:

  • CMMC (Cybersecurity Maturity Model Certification)
  • FedRAMP (Federal Risk and Authorization Management Program)
  • HITRUST (Common Security Framework)
  • CIS Controls v8.1
  • NIST CSF 2.0 (Cybersecurity Framework)
  • ISO 27001:2022
  • GDPR (General Data Protection Regulation)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • CCPA/CPRA (California Consumer Privacy Act)
  • PCI DSS v4.0 (Payment Card Industry Data Security Standard)
  • SOC 2 (Trust Services Criteria)
  • GEN (General cross-framework signals)

Will CSE add more frameworks?

Yes. New frameworks are added based on community demand. Request framework support via GitHub issues.

My framework isn't covered. Can I still use CSE?

Many signals in the GEN (General) domain apply across frameworks. You can also contribute mappings for your framework to existing signals.

Still Have Questions?

If your question isn't answered here: