eformat / compliant-financial-infrastructure

This project forked from finos/compliant-financial-infrastructure

Compliant Financial Infrastructure accelerates the development, deployment and adoption of services provided for AWS, Azure and Google in a way that meets existing regulatory and internal security controls.

License: Apache License 2.0

HCL 100.00%

compliant-financial-infrastructure's Introduction

FINOS - Incubating CII Best Practices

Compliant Financial Infrastructure

Compliant Financial Infrastructure (CFI) is a project that exists to accelerate the development, deployment and adoption of services provided for infrastructure in a way that meets common regulatory and internal security controls.

Through our three working groups, we provide:

  • Opinionated compliance documentation provided by our service approval accelerators
  • Vetted infrastructure as code that is ready to import to your internal registry
  • CI/CD-friendly runtime validation tests to ensure your deployed resources are compliant

Policy Working Group

This WG exists to define and document best practice and process for implementing compliant infrastructure, while streamlining the process for contributions from financial institutions in a frictionless manner.

Compliance may mean something different from one institution to the next. The goal of CFI is not to create a single solution that all firms must adhere to; instead, our goal is to streamline adoption and free up security teams to focus on non-redundant activities.

Detailed documentation in the form of Service Approval Accelerators (SAAs) lives within this main CFI repository.

High level objectives

  1. Maintain a knowledge base of up-to-date compliance requirements from member financial institutions (Inputs)
  2. Document how to achieve compliance for different infrastructure resources from a financial perspective (Outputs)

Approach

  • Document opinionated configurations, mitigations, and decisions to accelerate compliance for infrastructure services in SAAs.
  • Ensure all SAAs are informed by industry-wide experience/feedback
  • Ensure CFI communication methods (both inputs and outputs) are streamlined to best serve our community and users

A template Service Approval Accelerator is maintained here.

Contributions

Reproducible Infrastructure Working Group

This WG exists to develop, maintain, and document easily consumable infrastructure as code (IaC) which can be used as a base for deploying systems in highly-regulated environments.

Detailed documentation regarding the process for developing and delivering IaC can be found here.

High level objectives

  1. Create and maintain IaC to deploy services that meet policies as defined by the Policy Working Group

Approach

  • Review Service Accelerators and work with the Policy Working Group to agree on each approach to codify policies
  • Build and maintain the IaC to meet requirements set out in the SAA
    • Where this is not possible, any policy gaps will be documented

Contributions

Runtime Validation Working Group

This WG exists to maintain a suite of tools that may be used to validate that deployed infrastructure is compliant with the documentation provided by the Policy Working Group, and provide actionable information for users who are working toward compliance.

Detailed documentation regarding the process for developing and delivering runtime validation test packs can be found here.

High level objectives

  1. Maintain tests matching each SAA to validate the compliance of any deployed resource
  2. Maintain a test harness to streamline the approach across all services

Approach

  • Execute tests that match the accelerators provided by the Policy WG (no more, no less)
  • Ensure the harness is easily configurable and can be used for diverse validation purposes
  • Maintain smooth logging functionality for validation and development purposes
  • Ensure common human-readable output format for all test packs

Contributions

Join the Community!

For more information about how to engage with the rest of the community and contribute to the project, view the documentation and links here.

Please feel free to request changes via GitHub Issues.

Everyone is encouraged to join our public community meetings found on the FINOS community calendar, and join us on Slack.

Thank you to our contributors!

License

Distributed under the Apache License, Version 2.0.

SPDX-License-Identifier: Apache-2.0

Security Concerns

If you have any security concerns related to this project, please create an issue on this repository or create an issue on the repository associated with your concern.
