Candidate Control Families
Working draft
This page renders the current awoss working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.
This section defines first-pass candidate control families for the working draft. The requirements are intentionally written in normative style so they can be reviewed for clarity and testability, but they remain candidate requirements until a released awoss version exists.
Each family includes:
- objective
- primary layer and typical owner
- applicability notes
- candidate Level 1, Level 2, and Level 3 requirements
- minimum evidence examples
- mapping notes
- claim limits
The current candidate requirements have been revised against the completed source-first and family-first crosswalk baseline. They remain working-draft candidate requirements until a released awoss version exists, and mapping notes in this section remain informative rather than conformance, legal, or certification claims.
| ID | Family | Primary layer | Typical owner |
|---|---|---|---|
| AWOSS-SCP | Scope, inventory, and ownership | Workspace and endpoint | Business or workflow owner |
| AWOSS-DEL | Delegation, authority, and identity | Runtime platform | Identity/IAM owner and workflow approver |
| AWOSS-WSB | Workspace and execution boundaries | Workspace and endpoint | Endpoint/workspace operations or platform engineering |
| AWOSS-RUN | Runtime policy, approvals, and action control | Runtime platform | Agent runtime or platform operations |
| AWOSS-SRC | Skill, tool, and connector source trust | Skill or skill-set source | Software supply-chain or tool-source owner |
| AWOSS-CTX | Context, memory, and instruction boundary control | Runtime platform | Runtime configuration and data/context governance |
| AWOSS-SEC | Secrets, credentials, and sensitive data handling | Workspace and endpoint | Security, secrets, or data-protection owner |
| AWOSS-LOG | Logs, receipts, and traceability | Evidence and audit | Observability, audit, or evidence owner |
| AWOSS-VAL | Validation, testing, and review | Evidence and audit | Security validation, assurance, or independent review |
| AWOSS-GOV | Governance, exceptions, and change management | Organization and governance | Governance/risk owner and accountable business sponsor |