CPL-01.5: Declaration of Conformity
Mechanisms exist to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
Control Question: Does the organization generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable?
General (2)
| Framework | Mapping Values |
|---|---|
| NAIC Insurance Data Security Model Law (MDL-668) | 4.I |
| SCF CORE AI Model Deployment | CPL-01.5 |
US (2)
| Framework | Mapping Values |
|---|---|
| US EO 14028 | 4e(ix) 4e(v) 4e(x) |
| US - CA CCPA 2025 | 7123(e) 7123(e)(1) 7123(e)(10) 7123(e)(2) 7123(e)(3) 7123(e)(4) 7123(e)(5) 7123(e)(6) 7123(e)(7) 7123(e)(8) 7123(e)(9) 7123(f) |
EMEA (2)
| Framework | Mapping Values |
|---|---|
| EMEA EU AI Act | 16(g) 47.1 47.2 47.3 47.4 |
| EMEA EU Cyber Resiliency Act Annexes | Annex 4 Annex 4.1 Annex 4.2 Annex 4.3 Annex 4.4 Annex 4.5 Annex 4.6 Annex 4.7 Annex 4.8 Annex 6 Module A.4 Annex 6 Module A.4.2 Annex 6 Module C.3.2 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
Level 2 — Planned & Tracked
Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Compliance activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for compliance activities.
- Cybersecurity personnel use a defined set of controls to conduct cybersecurity and data privacy control assessments, as defined by the applicable statutory, regulatory and contractual requirements.
- Legal representation is consulted on an as-needed basis.
Level 3 — Well Defined
Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Ensures data/process owners understand their requirements to manage applicable cybersecurity and data protection controls through oversight and written guidance. o Provides applicable stakeholders with status reports on control execution to enable security controls oversight. o Works with data/process owners and asset custodians to document and validate the scope of cybersecurity and data protection controls to ensure statutory, regulatory and/ or contractual compliance obligations are met. o Conducts cybersecurity and data privacy control assessments, on a regular cadence that is defined by the applicable statutory, regulatory and contractual requirements.
- A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and contractual cybersecurity and data protection controls to ensure compliance requirements are identified and documented.
- The GRC function, or similar function:
- Cybersecurity and data privacy controls are centrally managed through a technology solution (e.g., GRC solution) to assign controls, track control activities and report on compliance efforts.
- An Integrated Security Incident Response Team (ISIRT) is formed to analyze and respond to government investigation requests, with legal representation being a key stakeholder.
- Client or host-nation requests are formally evaluated to determine the risk impact of the request.
- The CIO/CISO collaborate on methods to prevent a host government from having unrestricted and non-monitored access to the organization's systems, applications and services which could potentially violate other applicable statutory, regulatory and/ or contractual obligations.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
Assessment Objectives
- CPL-01.5_A01 a declaration of conformity is generated for each conformity assessment.