Registry Format
The CSE registry is organized as a structured file system with a manifest file that indexes all signals. This document specifies the directory structure and manifest format.
Directory Structure
The registry follows a hierarchical directory structure organized by domain and category:
cse-registry/
├── registry.json                      # Registry manifest (index of all signals)
├── schemas/                           # JSON Schema definitions
│   ├── signal.schema.json
│   ├── registry.schema.json
│   ├── mapping.schema.json
│   ├── finding.schema.json
│   └── artifact.schema.json
├── signals/                           # Signal definitions
│   ├── CMMC/                          # Domain directory
│   │   ├── ACCESS/                    # Category directory
│   │   │   ├── CSE-CMMC-ACCESS-MFA-001/
│   │   │   │   └── signal.json
│   │   │   └── CSE-CMMC-ACCESS-RBAC-001/
│   │   │       └── signal.json
│   │   ├── AUDIT/
│   │   ├── COMMS/
│   │   └── ...
│   ├── HIPAA/
│   │   ├── TECH/
│   │   ├── ADMIN/
│   │   └── ...
│   ├── SOC2/
│   ├── GDPR/
│   └── ...
└── mappings/                          # Control framework mappings
    ├── CSE-CMMC-ACCESS-MFA-001.json
    ├── CSE-HIPAA-TECH-ENCRYPT-REST-001.json
    └── ...
Path Conventions
Signal files are located at predictable paths derived from the signal ID:
Signal ID: CSE-HIPAA-TECH-ENCRYPT-REST-001
Path: signals/HIPAA/TECH/CSE-HIPAA-TECH-ENCRYPT-REST-001/signal.json
Pattern: signals/{DOMAIN}/{CATEGORY}/{SIGNAL_ID}/signal.json
Registry Manifest
The registry.json file is the master index of the registry. It contains metadata about the registry and an index of all signals.
Manifest Schema
{
  "$schema": "https://cseregistry.org/schemas/registry.schema.json",
  "version": "1.0.0",
  "generated": "2024-12-28T00:00:00Z",
  "spec_version": "1.0.0",
  "stats": {
    "total_signals": 1132,
    "domains": 12,
    "categories": 12,
    "mappings": 1308
  },
  "domains": [
    {
      "id": "CMMC",
      "name": "Cybersecurity Maturity Model Certification",
      "signal_count": 134,
      "categories": ["ACCESS", "AUDIT", "COMMS", "CONFIG", "IDENTITY"]
    },
    {
      "id": "HIPAA",
      "name": "Health Insurance Portability and Accountability Act",
      "signal_count": 75,
      "categories": ["TECH", "ADMIN", "PHYS"]
    }
    // ... additional domains
  ],
  "signals": [
    {
      "id": "CSE-CMMC-ACCESS-MFA-001",
      "domain": "CMMC",
      "category": "ACCESS",
      "title": "Multi-Factor Authentication Not Enabled",
      "severity": "high",
      "path": "signals/CMMC/ACCESS/CSE-CMMC-ACCESS-MFA-001/signal.json"
    }
    // ... additional signal entries
  ]
}
Manifest Fields
Root Fields
| Field | Type | Description |
|---|---|---|
| version | string (semver) | Registry version number |
| generated | string (ISO 8601) | Timestamp when manifest was generated |
| spec_version | string (semver) | CSE specification version this registry conforms to |
| stats | object | Aggregate statistics about registry contents |
| domains | array | List of domain definitions with metadata |
| signals | array | Index entries for all signals |
Signal Index Entry
Each entry in the signals array is a lightweight index entry, not the full signal definition:
| Field | Type | Description |
|---|---|---|
| id | string | Signal ID |
| domain | string | Domain code |
| category | string | Category code |
| title | string | Signal title for quick reference |
| severity | string | Default severity level |
| path | string | Relative path to full signal definition |
Domain Definitions
The domains array provides metadata about each compliance domain in the registry:
{
  "id": "HIPAA",
  "name": "Health Insurance Portability and Accountability Act",
  "description": "U.S. regulation protecting sensitive patient health information",
  "signal_count": 75,
  "categories": ["TECH", "ADMIN", "PHYS"],
  "framework_url": "https://www.hhs.gov/hipaa/index.html",
  "version_reference": "HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)"
}
Supported Domains
| ID | Name | Signals |
|---|---|---|
| CMMC | Cybersecurity Maturity Model Certification | 134 |
| FEDRAMP | Federal Risk and Authorization Management Program | 145 |
| HITRUST | HITRUST Common Security Framework | 126 |
| CIS | CIS Controls v8.1 | 120 |
| NISTCSF | NIST Cybersecurity Framework 2.0 | 106 |
| ISO27001 | ISO/IEC 27001:2022 | 93 |
| GDPR | General Data Protection Regulation | 80 |
| HIPAA | Health Insurance Portability and Accountability Act | 75 |
| CCPA | California Consumer Privacy Act | 70 |
| PCIDSS | Payment Card Industry Data Security Standard | 64 |
| SOC2 | SOC 2 Trust Services Criteria | 64 |
| GEN | General Security Signals | 55 |
Using the Registry
Fetching the Manifest
# Download the registry manifest
curl https://raw.githubusercontent.com/cse-registry/cse-registry/main/registry.json
# Parse with jq to list all HIPAA signals
curl -s https://raw.githubusercontent.com/cse-registry/cse-registry/main/registry.json | \
  jq '.signals[] | select(.domain == "HIPAA") | {id, title, severity}'
Fetching a Signal
# Build URL from signal ID
SIGNAL_ID="CSE-HIPAA-TECH-ENCRYPT-REST-001"
DOMAIN="HIPAA"
CATEGORY="TECH"
URL="https://raw.githubusercontent.com/cse-registry/cse-registry/main/signals/${DOMAIN}/${CATEGORY}/${SIGNAL_ID}/signal.json"
# Quote the URL so the shell does not word-split or glob it
curl "$URL"
Syncing the Registry
For offline use or caching, you can clone the entire registry:
# Clone the registry
git clone https://github.com/cse-registry/cse-registry.git
# Or download a specific release
curl -L https://github.com/cse-registry/cse-registry/archive/refs/tags/v1.0.0.tar.gz | tar xz
Validation
The registry manifest can be validated against its schema:
# Validate registry manifest
ajv validate -s schemas/registry.schema.json -d registry.json
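
Schema validation checks the shape of the manifest, not whether each index entry's path actually follows the path convention or whether the per-domain counts agree with the index. The following is an added example, not part of the CSE registry or its tooling, that performs those cross-field checks before a consumer opens any file named by a path value. The ID grammar in the regular expression is an assumption inferred from the IDs shown on this page, and the second sample entry is constructed.

```python
import re
from collections import Counter

# Assumed ID grammar, inferred from the IDs on this page:
# CSE-{DOMAIN}-{CATEGORY}-{NAME...}-{NNN}; domain and category contain no hyphen.
SIGNAL_ID_RE = re.compile(r"CSE-([A-Z0-9]+)-([A-Z0-9]+)-[A-Z0-9]+(?:-[A-Z0-9]+)*-[0-9]{3}")

def expected_path(signal_id):
    """Apply signals/{DOMAIN}/{CATEGORY}/{SIGNAL_ID}/signal.json; None if the ID is malformed."""
    m = SIGNAL_ID_RE.fullmatch(signal_id)
    return f"signals/{m[1]}/{m[2]}/{signal_id}/signal.json" if m else None

def check_manifest(manifest):
    """Return (id, problem) tuples; an empty list means the index is self-consistent."""
    problems = []
    domains = {d["id"]: d for d in manifest.get("domains", [])}
    seen = Counter()
    for entry in manifest.get("signals", []):
        sid = str(entry.get("id", ""))
        m = SIGNAL_ID_RE.fullmatch(sid)
        if m is None:
            problems.append((sid, "malformed id"))
            continue
        dom, cat = m.groups()
        seen[dom] += 1
        if entry.get("path") != expected_path(sid):  # also rejects ../ and absolute paths
            problems.append((sid, "path does not match id"))
        if (entry.get("domain"), entry.get("category")) != (dom, cat):
            problems.append((sid, "domain/category does not match id"))
        if cat not in domains.get(dom, {}).get("categories", []):
            problems.append((sid, "category not declared for domain"))
    for dom_id, dom in domains.items():
        if dom.get("signal_count") != seen[dom_id]:
            problems.append((dom_id, "signal_count mismatch"))
    return problems

# Constructed sample: the second entry's ID and path are invented for illustration.
SAMPLE = {
    "domains": [{"id": "HIPAA", "signal_count": 2, "categories": ["TECH", "ADMIN", "PHYS"]}],
    "signals": [
        {"id": "CSE-HIPAA-TECH-ENCRYPT-REST-001", "domain": "HIPAA", "category": "TECH",
         "path": "signals/HIPAA/TECH/CSE-HIPAA-TECH-ENCRYPT-REST-001/signal.json"},
        {"id": "CSE-HIPAA-TECH-AUDIT-LOG-001", "domain": "HIPAA", "category": "TECH",
         "path": "signals/HIPAA/TECH/../../../other/signal.json"},
    ],
}

if __name__ == "__main__":
    print(check_manifest(SAMPLE))
```

Comparing the path field for exact equality with the derived path means a tampered or stale manifest cannot point a consumer outside signals/{DOMAIN}/{CATEGORY}/{SIGNAL_ID}/.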