Signal Format
A signal is the core unit of the CSE registry, representing a canonical definition of a compliance-relevant technical condition. This document specifies the complete schema for signal definitions.
Schema Overview
Every signal is a JSON object conforming to the signal.schema.json schema. The schema defines required fields that must be present in every signal, as well as optional fields for additional context.
{
  "$schema": "https://cseregistry.org/schemas/signal.schema.json",
  "id": "CSE-HIPAA-TECH-ENCRYPT-REST-001",
  "domain": "HIPAA",
  "category": "TECH",
  "title": "Data at Rest Encryption Not Enabled",
  "description": "Storage resource does not have encryption at rest enabled...",
  "severity": "high",
  "tags": ["encryption", "storage", "data-protection"],
  "detection": {
    "artifact_types": ["cloud_resource", "configuration"],
    "conditions": ["encryption_enabled == false"]
  },
  "remediation_hint": "Enable server-side encryption on the storage resource",
  "references": [
    {
      "type": "documentation",
      "url": "https://example.com/encryption-guide",
      "title": "Encryption Best Practices"
    }
  ],
  "version": "1.0.0",
  "created": "2024-01-15",
  "updated": "2024-01-15"
}
Required Fields
id
| Type | string |
| Pattern | ^CSE-[A-Z0-9]+(-[A-Z0-9]+)*-[0-9]{3}$ |
| Example | CSE-HIPAA-TECH-ENCRYPT-REST-001 |
The unique, permanent identifier for the signal. Signal IDs follow a structured format that encodes the domain, category, and a descriptive name. Once assigned, an ID never changes.
ID Structure
CSE-{DOMAIN}-{CATEGORY}-{NAME}-{SEQUENCE}
Components:
├── CSE → Fixed namespace prefix
├── DOMAIN → Compliance domain (HIPAA, SOC2, CMMC, etc.)
├── CATEGORY → Signal category (TECH, ADMIN, PHYS, etc.)
├── NAME → Descriptive short name (1-3 parts, hyphenated)
└── SEQUENCE → 3-digit sequence number (001-999)
domain
| Type | string (enum) |
| Values | CMMC, HIPAA, GDPR, PCIDSS, SOC2, ISO27001, HITRUST, FEDRAMP, NISTCSF, CIS, CCPA, GEN |
The primary compliance domain this signal belongs to. A signal is assigned to one domain, but can be mapped to controls in multiple frameworks via mappings.
category
| Type | string (enum) |
| Values | TECH, ADMIN, PHYS, ORG, PROC, ACCESS, AUDIT, CONFIG, COMMS, IDENTITY, DATA, INCIDENT |
The category classifies the type of control or safeguard the signal relates to:
| Category | Description |
|---|---|
| TECH | Technical safeguards and controls |
| ADMIN | Administrative policies and procedures |
| PHYS | Physical security controls |
| ACCESS | Access control and authentication |
| AUDIT | Audit logging and monitoring |
| CONFIG | Configuration and hardening |
| COMMS | Communications and network security |
| IDENTITY | Identity management and verification |
| DATA | Data protection and privacy |
| INCIDENT | Incident response and recovery |
title
| Type | string |
| Max Length | 100 characters |
| Example | Data at Rest Encryption Not Enabled |
A concise, human-readable title describing the signal. Titles should be written in sentence case and describe the observable condition, not the remediation.
description
| Type | string |
| Max Length | 500 characters |
A detailed description of the signal, explaining what condition it represents and why it is compliance-relevant. Descriptions should be objective and avoid prescriptive language.
severity
| Type | string (enum) |
| Values | critical, high, medium, low, info |
The default severity level for the signal. This represents a general assessment; actual severity in a specific context may differ based on environment and business requirements.
| Severity | Meaning |
|---|---|
| critical | Immediate risk requiring urgent attention |
| high | Significant risk that should be addressed promptly |
| medium | Moderate risk that should be planned for remediation |
| low | Minor risk or best practice deviation |
| info | Informational finding with no direct risk |
version
| Type | string (semver) |
| Pattern | ^[0-9]+\.[0-9]+\.[0-9]+$ |
| Example | 1.0.0 |
The version of this signal definition, following semantic versioning. The version is incremented when the signal definition changes (not when findings are recorded).
Optional Fields
tags
| Type | array of strings |
| Example | ["encryption", "storage", "aws", "s3"] |
Keywords for categorization and search. Tags should be lowercase, hyphenated for multi-word terms, and focused on discoverability.
detection
| Type | object |
Metadata about how this signal can be detected. This helps tool developers understand what types of artifacts to examine.
"detection": {
  "artifact_types": ["cloud_resource", "configuration", "api_response"],
  "conditions": [
    "encryption_enabled == false",
    "sse_algorithm == null"
  ],
  "platforms": ["aws", "azure", "gcp"],
  "services": ["s3", "blob-storage", "cloud-storage"]
}
remediation_hint
| Type | string |
| Max Length | 200 characters |
A brief, high-level hint about potential remediation. This is not prescriptive guidance—detailed remediation depends on context and is outside the scope of CSE.
references
| Type | array of objects |
Links to external documentation, standards, or resources:
"references": [
  {
    "type": "documentation",
    "url": "https://docs.aws.amazon.com/...",
    "title": "AWS S3 Encryption Documentation"
  },
  {
    "type": "standard",
    "url": "https://csrc.nist.gov/...",
    "title": "NIST SP 800-111"
  }
]
created / updated
| Type | string (date) |
| Format | YYYY-MM-DD |
The dates when the signal was created and last updated. These refer to the signal definition, not observations.
extensions
| Type | object |
Custom fields added by implementers. Extension namespaces should be prefixed with x-:
"extensions": {
  "x-acme-scanner": {
    "rule_id": "ACM-001",
    "auto_fix": true
  }
}
Complete Example
{
  "$schema": "https://cseregistry.org/schemas/signal.schema.json",
  "id": "CSE-CMMC-COMMS-UNRESTRICTED-SSH-001",
  "domain": "CMMC",
  "category": "COMMS",
  "title": "SSH Access Unrestricted from Internet",
  "description": "Security group or firewall rule allows SSH (port 22) access from any source IP address (0.0.0.0/0), exposing the resource to potential brute force attacks and unauthorized access attempts from the internet.",
  "severity": "high",
  "tags": [
    "ssh",
    "network",
    "firewall",
    "security-group",
    "remote-access",
    "aws",
    "azure",
    "gcp"
  ],
  "detection": {
    "artifact_types": ["cloud_resource", "configuration"],
    "conditions": [
      "protocol == 'tcp'",
      "port == 22",
      "source_cidr == '0.0.0.0/0'"
    ],
    "platforms": ["aws", "azure", "gcp"],
    "services": ["ec2", "compute", "gce"]
  },
  "remediation_hint": "Restrict SSH access to specific IP ranges or use a bastion host",
  "references": [
    {
      "type": "standard",
      "url": "https://www.acq.osd.mil/cmmc/",
      "title": "CMMC Model Overview"
    },
    {
      "type": "documentation",
      "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
      "title": "AWS Security Groups Documentation"
    }
  ],
  "version": "1.0.0",
  "created": "2024-01-15",
  "updated": "2024-06-20"
}
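Validating a signal against the field rules in this document, as an added example (not code from the CSE registry project) that uses only the Python standard library. The names `validate_signal` and `SAMPLE` are hypothetical, and the check that the id's DOMAIN and CATEGORY parts equal the `domain` and `category` fields is an assumption of this example; the page does not say the published schema enforces it.

```python
import re
from datetime import date

ID_RE = re.compile(r"^CSE-[A-Z0-9]+(-[A-Z0-9]+)*-[0-9]{3}$")   # pattern from the id table
SEMVER_RE = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+$")            # pattern from the version table
ENUMS = {"domain": "CMMC HIPAA GDPR PCIDSS SOC2 ISO27001 HITRUST FEDRAMP NISTCSF CIS CCPA GEN".split(),
         "category": "TECH ADMIN PHYS ORG PROC ACCESS AUDIT CONFIG COMMS IDENTITY DATA INCIDENT".split(),
         "severity": "critical high medium low info".split()}
REQUIRED = ("id", "domain", "category", "title", "description", "severity", "version")
MAX_LEN = {"title": 100, "description": 500, "remediation_hint": 200}

def validate_signal(sig):
    """Check a signal dict against this page's field tables; return a list of problems."""
    errs = [f"{f}: required field is missing" for f in REQUIRED if f not in sig]
    sid = sig.get("id")
    # fullmatch, not match: with match, "$" would also accept a trailing newline.
    if isinstance(sid, str) and ID_RE.fullmatch(sid):
        parts = sid.split("-")  # CSE, DOMAIN, CATEGORY, NAME (1-3 parts), SEQUENCE
        if not 5 <= len(parts) <= 7:
            errs.append("id: not CSE-DOMAIN-CATEGORY-NAME-SEQUENCE with a 1-3 part NAME")
        # Assumption: the DOMAIN and CATEGORY parts must equal the two fields.
        elif [parts[1], parts[2]] != [sig.get("domain"), sig.get("category")]:
            errs.append("id: DOMAIN/CATEGORY parts disagree with the domain/category fields")
        if parts[-1] == "000":
            errs.append("id: SEQUENCE is outside 001-999")
    elif "id" in sig:
        errs.append("id: does not match the id pattern")
    errs += [f"{f}: value is not in the enum"
             for f, allowed in ENUMS.items() if f in sig and sig[f] not in allowed]
    errs += [f"{f}: must be a string of at most {n} characters" for f, n in MAX_LEN.items()
             if f in sig and not (isinstance(sig[f], str) and len(sig[f]) <= n)]
    if "version" in sig and not SEMVER_RE.fullmatch(str(sig["version"])):
        errs.append("version: not in MAJOR.MINOR.PATCH form")
    for field in [f for f in ("created", "updated") if f in sig]:
        try:  # the regex pins the YYYY-MM-DD shape; fromisoformat rejects impossible dates
            if not re.fullmatch(r"[0-9]{4}-[0-9]{2}-[0-9]{2}", sig[field]):
                raise ValueError(field)
            date.fromisoformat(sig[field])
        except (TypeError, ValueError):
            errs.append(f"{field}: not a valid YYYY-MM-DD date")
    errs += [f"extensions: namespace {ns!r} lacks the x- prefix"
             for ns in sig.get("extensions", {}) if not str(ns).startswith("x-")]
    return errs

# Sample input, abridged from the page's complete example (description shortened).
SAMPLE = {"id": "CSE-CMMC-COMMS-UNRESTRICTED-SSH-001", "domain": "CMMC", "category": "COMMS",
          "title": "SSH Access Unrestricted from Internet", "severity": "high",
          "description": "Firewall rule allows SSH (port 22) from any source address.",
          "version": "1.0.0", "created": "2024-01-15", "updated": "2024-06-20"}
```

`validate_signal(SAMPLE)` returns an empty list. An id such as `CSE-HIPAA-001` satisfies the regex from the id table yet is reported here, because it carries no CATEGORY or NAME part.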