Turning regulations into executable tests: the Compliance Test Registry
How we built a machine-readable compliance library covering 40+ frameworks — NERC CIP, CMMC, NIST 800-171, HIPAA, GDPR — using the Regulatory Decomposition Framework.
Compliance work has a structural problem: it lives in Word documents and spreadsheets that rot the moment the regulation changes or the person who wrote them leaves.
We built the Compliance Test Registry to fix that. The premise is simple: every regulation can be treated like a software requirement — broken down, tested automatically, and tracked in version control.
The Regulatory Decomposition Framework
Every requirement in the registry has been passed through a four-stage process:
- Parse — extract the four elements of any regulatory requirement: Subject (who), Condition (when), Obligation (what), Evidence (how you prove it)
- Classify — assign an ambiguity tier:
  - DETERMINISTIC — testable with a yes/no query
  - PARAMETERIZED — testable given specific context (system type, org size)
  - CONTESTED — interpretation varies; human determination required
- Specify — express as a YAML spec with confidence score, assumptions, and signed reviewer
- Implement — generate a Python test stub that can run against your environment
The result: a compliance library where every requirement has a known confidence level, every assumption is documented, and every audit response can be generated from the version history.
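To make the four stages concrete, here is an added example (not the registry's own code or schema) that decomposes three illustrative requirements, one per ambiguity tier, into specs carrying a confidence score, assumptions and a signed reviewer, and then generates a runnable test from each. The spec fields, the check functions, the `EX-*` control ids, the `reviewer-placeholder` value and the asset inventory are all constructed assumptions; the registry's actual YAML layout and Python stubs may differ.

```python
"""Added illustration of the four-stage decomposition (Parse, Classify,
Specify, Implement). Spec fields, check functions, EX-* control ids and the
inventory are constructed here; they are not the registry's schema or stubs."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Callable

class Tier(Enum):
    DETERMINISTIC = "deterministic"  # testable with a yes/no query
    PARAMETERIZED = "parameterized"  # testable given specific context
    CONTESTED = "contested"          # interpretation varies; human decides

class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"
    HUMAN_DETERMINATION_REQUIRED = "human_determination_required"

@dataclass
class RequirementSpec:
    """Stages 1-3: the four parsed elements, the tier, and review metadata."""
    control_id: str
    subject: str       # who
    condition: str     # when
    obligation: str    # what
    evidence: str      # how you prove it
    tier: Tier
    confidence: float  # reviewer's confidence in the decomposition, 0..1
    reviewer: str      # signed reviewer (assumed to be an opaque id string)
    assumptions: list[str] = field(default_factory=list)
    params: dict = field(default_factory=dict)  # context for PARAMETERIZED

@dataclass
class TestResult:
    control_id: str
    verdict: Verdict
    findings: list[str]  # assets or notes that produced the verdict

def validate_spec(spec: RequirementSpec) -> list[str]:
    """Refuse to emit a test for a spec an auditor could not reproduce."""
    problems = []
    if not 0.0 <= spec.confidence <= 1.0:
        problems.append("confidence must be within [0, 1]")
    if not spec.reviewer:
        problems.append("spec has no signed reviewer")
    if spec.tier is Tier.PARAMETERIZED and not spec.params:
        problems.append("PARAMETERIZED spec needs context parameters")
    return problems

# Constructed evidence: a small asset inventory with patch-tracking fields.
INVENTORY = [
    {"asset": "hmi-01", "patch_source": "vendor-bulletin", "last_eval": date(2024, 3, 1)},
    {"asset": "hmi-02", "patch_source": None, "last_eval": None},
    {"asset": "plc-01", "patch_source": "vendor-bulletin", "last_eval": date(2024, 1, 15)},
]

def check_patch_source(inventory: list[dict], params: dict) -> list[str]:
    """DETERMINISTIC: does every asset name a patch source? (yes/no per asset)"""
    return [a["asset"] for a in inventory if not a["patch_source"]]

def check_eval_window(inventory: list[dict], params: dict) -> list[str]:
    """PARAMETERIZED: recency of evaluation depends on a context-supplied window."""
    as_of, window = params["as_of"], params["window_days"]
    return [a["asset"] for a in inventory
            if a["last_eval"] is None or (as_of - a["last_eval"]).days > window]

CHECKS = {"EX-PATCH-SRC": check_patch_source, "EX-PATCH-EVAL": check_eval_window}

def implement(spec: RequirementSpec) -> Callable[[list[dict]], TestResult]:
    """Stage 4: turn a validated spec into a runnable test."""
    problems = validate_spec(spec)
    if problems:
        raise ValueError(f"{spec.control_id}: " + "; ".join(problems))

    def run(inventory: list[dict]) -> TestResult:
        if spec.tier is Tier.CONTESTED:  # never auto-pass; route to a human
            return TestResult(spec.control_id, Verdict.HUMAN_DETERMINATION_REQUIRED,
                              [f"needs assessor ruling: {spec.obligation}"])
        findings = CHECKS[spec.control_id](inventory, spec.params)
        return TestResult(spec.control_id, Verdict.FAIL if findings else Verdict.PASS, findings)
    return run

SPECS = [
    RequirementSpec("EX-PATCH-SRC", "asset owner", "for every in-scope asset",
                    "identify a patch source", "inventory lists patch_source",
                    Tier.DETERMINISTIC, 0.95, "reviewer-placeholder",
                    assumptions=["the inventory is complete"]),
    RequirementSpec("EX-PATCH-EVAL", "asset owner", "after a patch is released",
                    "evaluate it within the window", "last_eval date per asset",
                    Tier.PARAMETERIZED, 0.8, "reviewer-placeholder",
                    params={"window_days": 35, "as_of": date(2024, 4, 1)}),
    RequirementSpec("EX-REASONABLE", "operator", "at all times",
                    "apply reasonable safeguards", "assessor narrative",
                    Tier.CONTESTED, 0.4, "reviewer-placeholder"),
]

def run_all(inventory: list[dict] = INVENTORY,
            specs: list[RequirementSpec] = SPECS) -> dict[str, TestResult]:
    """Run every implemented test and key the results by control id."""
    return {s.control_id: implement(s)(inventory) for s in specs}
```

Two design points carry over to real use: `validate_spec` refuses to generate a test from a spec that lacks a signed reviewer or, for the PARAMETERIZED tier, its context parameters, and a CONTESTED spec never yields pass or fail, only a request for a human determination, which keeps the tooling from over-claiming what it has verified.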
What’s covered
The registry currently covers 40+ frameworks including:
| Framework | Controls | Status |
|---|---|---|
| NERC CIP (v5/v6/v7) | CIP-002 through CIP-015 | Active |
| CMMC 2.0 (Level 1–3) | All practice domains | Active |
| NIST SP 800-171 | All 110 requirements | Active |
| NIST SP 800-53 | Selected control families | Active |
| HIPAA Security Rule | All safeguards | Active |
| GDPR | Articles 5, 6, 25, 32, 33 | Active |
| ISO 27001:2022 | Annex A controls | Active |
| ITAR/EAR | Key export control provisions | Active |
What it’s not
The registry is an engineering artifact, not a compliance determination. A DETERMINISTIC test passing doesn’t mean you’re compliant — it means one specific, scoped requirement has evidence that can be verified. Compliance still requires qualified assessors, scoped system inventories, and organizational context the registry cannot know.
We’re very explicit about this in the disclaimer. The registry makes the mechanical parts faster and more auditable. The judgment calls stay with humans.
Using it
The registry is open source under CC BY 4.0. Each framework is organized under compliance_entities/{framework}/ with YAML specs and Python test stubs.
```bash
git clone https://github.com/Enthropic-Data-LLC/compliance-test-registry
cd compliance-test-registry
# View a specific control
cat compliance_entities/nerc/cip/CIP-007-6.md
# Run tests for a framework
pytest tests/nerc/ -v
```
Pull requests welcome — especially for frameworks not yet covered (OSHA PSM, FERC, state privacy laws) and for contested interpretations where you have assessor-validated rulings to contribute.
The repo is at github.com/Enthropic-Data-LLC/compliance-test-registry.