Provide an option to add projects in the compliance framework creation workflow
# Background
Compliance frameworks are structured sets of guidelines, controls, and requirements that organizations follow to ensure they meet specific regulatory standards or industry best practices. Common examples include SOC 2, HIPAA, ISO 27001, and PCI DSS.
In GitLab, users can create a compliance framework, which is a label identifying that a project has certain compliance requirements or needs additional oversight. Compliance frameworks are created by clicking the **New Framework** button on the Compliance Center page at the group level.
After creating the compliance framework, users can attach it to projects by:
1. Navigating to the **Projects** tab in the Compliance Center;
2. Selecting all the projects they want to apply the framework against;
3. Selecting the framework they would like to apply; and
4. Clicking **Apply**
# Problem
There are 2 key problems with this workflow:
<table>
<tr>
<th>Problem</th>
<th>Explanation</th>
</tr>
<tr>
<td>No guidance in creating framework workflow on what to do next</td>
<td>Compliance frameworks are only valuable, and only work, if they are attached to a particular project. A framework does not fulfil its function unless it is attached to a project, where it can check whether the appropriate settings or items have been enabled/enforced. If we do not guide users, especially new Ultimate users using compliance frameworks for the first time, to attach a compliance framework to a project, this context can get lost or confused, or the learning curve increases for users using compliance frameworks for the first time.</td>
</tr>
<tr>
<td>Decreases time to adoption for compliance frameworks</td>
<td>
We believe that adoption of compliance frameworks occurs when a framework with 1 requirement and 1 control is successfully attached to a project. We should be introducing as many guides/steps along the compliance creation workflow to encourage or show users that they should be attaching a compliance framework to a project.
This is particularly true in cases where the compliance team already knows which projects they want to associate a newly created compliance framework with. If we can eliminate the need to go to the 'Projects' tab at the end and, instead, bake the step of attaching projects into the creation of a compliance framework, this should hypothetically speed up adoption of compliance frameworks overall.
</td>
</tr>
</table>
# Solution
We should include an additional step in the compliance framework creation workflow. In light of [custom compliance frameworks MVC](https://gitlab.com/groups/gitlab-org/-/epics/13295) being released soon, we should think about this as an additional improvement/enhancement to the compliance framework creation workflow, in order to encourage and guide users toward attaching compliance frameworks to projects, and to remove a hypothetical friction point of having to navigate to the Projects tab after creating a compliance framework.
The workflow with custom compliance frameworks MVC at the moment looks like this:
1. On the Compliance center page, navigate to the top right hand corner of the page and select **New framework**;
2. On the New framework page, the users can open the **Basic Information** tab and provide a **Name, Description** and select a **Background colour** for the compliance framework label;
3. Users can then open the **Requirements** tab and select **New Requirement**;
4. In the **New Requirement** modal, users can input the **Name and Description** of the Requirement before selecting one or multiple **Controls** that are associated with the requirement;
5. Once completed, users can select **Create Requirement**; and
6. Users click on **Add Framework**.
This improvement should include a new step, something like this:
1. On the Compliance center page, navigate to the top right hand corner of the page and select **New framework**;
2. On the New framework page, the users can open the **Basic Information** tab and provide a **Name, Description** and select a **Background colour** for the compliance framework label;
3. Users can then open the **Requirements** tab and select **New Requirement**;
4. In the **New Requirement** modal, users can input the **Name and Description** of the Requirement before selecting one or multiple **Controls** that are associated with the requirement;
5. Once completed, users can select **Create Requirement**;
6. **(NEW STEP) _Users should be provided the option of attaching multiple projects to the newly created compliance framework. It should be optional and not required so that they can choose to do this at another time if they like._**
7. Users click on **Add Framework**.
Even with an optional step in the creation workflow, users will be notified that they need to attach a project to the compliance framework. This should still work even with our current planned 'ending' screen after a compliance framework is created, which also prompts a user to attach a project. The more prompts/guidance provided, the better users feel about the choices they made when creating the framework, and the more sure they are about the actions they need to take next.
# Persona
* [Cameron (Compliance Manager)](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager)