---
layout: page
title: Dual-ladders Within Each Layer
---

- **ADR:** 0010
- **Proposal Author(s):** @eddie-knight
- **Status:** Accepted

## Context

We have been treating each layer as cumulative, with a single descriptor for the layer. In many cases, we have allowed for additional artifacts within a single layer, such as a list of threats that lives alongside controls in a Layer 2 Control Catalog, or a list of Risks within a Policy Document.

Here is an overview of some common phrasing we've been using:

- Layer 1: Guidance (informed by known attack/negligence vectors)
- Layer 2: Controls (catalog includes technology-specific threats)
- Layer 3: Policy (document links to organizational risk considerations)
- Layer 4: Sensitive Activities
- Layer 5: Evaluation (config scans and behavior scans)
- Layer 6: Enforcement (gates and remediation)
- Layer 7: Audit (manual and continuous monitoring)

## Decision

We will allow for two primary artifacts within each layer. For current development conversations we will informally refer to these as "Red" and "Blue" until a better term is found, because these are _similar_ to, but not perfectly aligned with, the cybersecurity "Red Team" and "Blue Team" concepts.

The specific phrasing or terms may be refined or adjusted, but the meaning shall be roughly as follows:

| Layer | Red | Blue |
| --- | --- | --- |
| 1 | Vector | Guidance |
| 2 | Threat | Control |
| 3 | Risk | Policy |
| 4 | Risk Actualization | Sensitive Activities |
| 5 | Behavioral Evaluation | Intent Evaluation |
| 6 | Remediative Enforcement | Preventive Enforcement |
| 7 | Continuous Compliance Monitoring | Point-in-Time Audit |

## Consequences

- All documentation and web content must be updated
- Adopters of previous versions will be disrupted by this change in terminology

## Alternatives Considered

We could choose not to do this, but that leaves the relevant parts of each layer open to potential confusion.