awossAgentic Workspace Security Standard

Standard

Claim Language

Working draft

This page renders the current awoss working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

This section defines claim language for the working draft. It is candidate normative text because overclaiming can mislead implementers, buyers, reviewers, and external stakeholders.

12.1 Current Claim Posture

awoss is currently a non-released, profile-first working draft and crosswalk effort. There is no active public conformance profile, compliance profile, certification program, validator program, auditor program, seal, badge, governance body, or external endorsement.

All claims must be bounded to:

  • the named scoped system
  • the candidate controls or families reviewed
  • the evidence artifacts available
  • the mapping sources used
  • the time period reviewed
  • the draft status of the document

12.2 Preferred Claim Verbs

Use "informed by" when a source shaped the design but no specific mapping is claimed.

Use "maps to" when a specific candidate control, family, artifact, or design choice is traceably related to an external source signal.

Use "supports evidence for" when an artifact may help demonstrate that a selected candidate control or external expectation was addressed.

Use "implements selected controls" only when a concrete scoped system, workflow, runtime, tool, connector, skill, or evidence process actually enforces or produces a named subset of candidate controls or artifacts.

Use "reviewed against candidate expectations" when a system was internally checked against draft text, but no released conformance claim exists.

12.3 Disallowed Working-Draft Claims

Working-draft users MUST NOT claim:

  • awoss compliant
  • awoss certified
  • awoss approved
  • awoss endorsed
  • passed awoss
  • meets awoss without a bounded and explained candidate-control scope
  • secure because it uses awoss
  • equivalent to an external standard
  • compliant with an external legal or certification framework because of an awoss mapping

These claim forms require maturity that does not exist in the working draft.

12.4 Allowed Working-Draft Claim Patterns

Acceptable examples:

  • " awoss is a profile-first crosswalk and evidence model for agentic workspace security."
  • " awoss is a gap-closing profile that maps candidate controls to existing standards without replacing them."
  • "This system was reviewed against selected candidate awoss Level 1 expectations."
  • "This control maps to selected awoss candidate runtime-action controls."
  • "These approval receipts support evidence for selected AWOSS-RUN and AWOSS-LOG candidate controls."
  • "This implementation produces evidence artifacts relevant to selected source-trust controls for the named scoped system."
  • "This mapping is informed by OWASP, CSA, NIST, ISO, AIUC-1, Five Eyes, and MITRE sources, with source-specific claim limits."

12.5 Stronger Future Claims

"Conforms to an awoss profile" should be allowed only if a future released profile defines:

  • normative requirements
  • applicability rules
  • minimum evidence artifacts
  • validation method
  • versioning and reassessment rules
  • allowed claim language

"Certified" or equivalent language should be allowed only if a future program defines:

  • released standard or profile
  • independent review or audit path
  • assessor qualification or validation rules
  • evidence package requirements
  • governance and appeal rules
  • revocation, expiry, or nonconformance handling

Until then, certification language is prohibited.

Previous
Governance And Change Management
Next
Future Certification Considerations