GRC Store

Search / finos-ccc/ccc.vector.cn / v2026.06-rc3

Release · v2026.06-rc3

FINOS-CCC/CCC.Vector.CN Control Catalog

FINOS-CCC/CCC.Vector.CN

Controls for Managed Vector Store technologies, as defined by the FINOS Common Cloud Controls project.

Published by FINOS Common Cloud Controls

Install

OCI v1.1
$grcli unpack --repository finos-ccc/ccc.vector.cn --tag v2026.06-rc3
Coordinate
oci.grc.store/finos-ccc/ccc.vector.cn:v2026.06-rc3
Manifest digest
sha256:d7b0090311c50d8745735f70ca4c9a4edd8ec52f9d5b3ec461d4351c46f961bd

Provenance

1 layer
Digest Media type Size
87819195a09b… application/vnd.gemara.artifact.v1+yaml 11.2 KiB
Bundle config blob 
{
  "bundle-version": "1.0",
  "gemara-version": "v1.2.0",
  "metadata": {
    "provenance": {
      "buildDefinition": {
        "buildType": "https://grc.store/grcli/buildtype/v0",
        "externalParameters": {
          "artifact": {
            "id": "CCC.Vector.CN",
            "type": "ControlCatalog"
          },
          "target": {
            "registry": "oci.grc.store",
            "repository": "finos-ccc/ccc.vector.cn",
            "tag": "v2026.06-rc3"
          }
        },
        "internalParameters": {
          "CI": "true",
          "GITHUB_ACTIONS": "true",
          "GITHUB_ACTOR": "eddie-knight",
          "GITHUB_REF": "refs/heads/main",
          "GITHUB_REPOSITORY": "eddie-knight/common-cloud-controls",
          "GITHUB_RUN_ATTEMPT": "2",
          "GITHUB_RUN_ID": "26768391088",
          "GITHUB_SHA": "24594e28430c12318cacffe7fdda6a3ea272d975",
          "GITHUB_WORKFLOW": "Batch Release All Catalogs",
          "RUNNER_OS": "Linux"
        },
        "resolvedDependencies": [
          {
            "name": "artifacts/database/vector/controls.yaml",
            "uri": "file://artifacts/database/vector/controls.yaml",
            "digest": {
              "sha256": "87819195a09b1e3389ceb7b02f8e945ef7a9970f4c3f7acc49205ab835bdabbe"
            }
          },
          {
            "name": "source",
            "uri": "git+https://github.com/eddie-knight/common-cloud-controls@24594e28430c12318cacffe7fdda6a3ea272d975",
            "digest": {
              "gitCommit": "24594e28430c12318cacffe7fdda6a3ea272d975"
            }
          }
        ]
      },
      "runDetails": {
        "builder": {
          "id": "https://github.com/eddie-knight/common-cloud-controls/actions/runs/26768391088",
          "version": {
            "go": "go1.25.0",
            "go-arch": "amd64",
            "go-os": "linux",
            "grcli": "v0.2.2"
          }
        },
        "metadata": {
          "invocationId": "26768391088-2",
          "startedOn": "2026-06-01T16:44:17.882576113Z",
          "finishedOn": "2026-06-01T16:44:17.973548715Z"
        },
        "byproducts": [
          {
            "name": "controls.yaml",
            "digest": {
              "sha256": "87819195a09b1e3389ceb7b02f8e945ef7a9970f4c3f7acc49205ab835bdabbe"
            }
          }
        ]
      }
    }
  },
  "artifacts": [
    {
      "name": "controls.yaml",
      "type": "ControlCatalog",
      "id": "CCC.Vector.CN",
      "role": "artifact"
    }
  ]
}

CCC Managed Vector Store Controls

Controls for Managed Vector Store technologies, as defined by the FINOS Common Cloud Controls project.

ID
CCC.Vector.CN
Version
v2026.06-rc3
Gemara version
v1.2.0
Author
FINOS Common Cloud Controls

Ingestion

The Ingestion group covers entries related to how a service receives or retrieves data, inputs, or commands for processing. This includes both active (pull-based) and passive (push-based) ingestion patterns.

  1. CCC.Vector.CN01 Validate Embeddings Before Indexing

    Objective

    Ensure all incoming embeddings are structurally and statistically validated before indexing to prevent poisoning or corruption.

    Assessment requirements

    1. When a vector embedding is submitted for indexing, the system MUST validate that it matches expected schema, dimension, and format profiles.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • FINOS-AIGF
      • AIR-PREV-002Data Filtering From External Knowledge Bases
    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH02Embedding and Index Poisoning
      • CCC.Vector.TH05Embedding Format or Dimension Attacks
    • CCC.Core.Threats
      • CCC.Core.TH12Resource Constraints are Exhausted

  2. CCC.Vector.CN04 Enforce Ingestion Quotas and Throttling

    Objective

    Prevent ingestion-based DoS or index pollution by rate-limiting vector submissions and enforcing quotas.

    Assessment requirements

    1. When ingestion exceeds pre-defined thresholds, the service MUST throttle or reject excess vector write operations.

      Applicability: tlp-green, tlp-amber, tlp-red

    Guidelines
    • FINOS-AIGF
      • AIR-PREV-008Quality of Service (QoS) and DDoS Prevention for AI Systems
    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH02Embedding and Index Poisoning
    • CCC.Core.Threats
      • CCC.Core.TH12Resource Constraints are Exhausted

  3. CCC.Vector.CN06 Enforce Dimensional and Format Constraints

    Objective

    Reject embeddings that do not conform to expected model specifications (dimensions, format, etc).

    Assessment requirements

    1. When an embedding is submitted, the service MUST validate that its format and dimensionality match allowed profiles.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • FINOS-AIGF
      • AIR-PREV-002Data Filtering From External Knowledge Bases
    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH05Embedding Format or Dimension Attacks
    • CCC.Core.Threats
      • CCC.Core.TH06Data is Lost or Corrupted

Access Control

The Access Control group covers entries related to authentication, authorization, and trust perimeter enforcement. This includes multi-factor authentication, least privilege access, network access rules, and prevention of unauthorized access or reconnaissance.

  1. CCC.Vector.CN02 Enforce Role-Based Index Lifecycle Management

    Objective

    Restrict index lifecycle operations (create, delete, rollback) to privileged identities using fine-grained access controls.

    Assessment requirements

    1. When an index lifecycle event is triggered, the service MUST verify that the actor has explicit permissions for the operation type.

      Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red

    Guidelines
    • FINOS-AIGF
      • AIR-PREV-012Role-Based Access Control for AI Data
    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH02Embedding and Index Poisoning
      • CCC.Vector.TH04Index Corruption or Downgrade
    • CCC.Core.Threats
      • CCC.Core.TH01Access Control is Misconfigured

  2. CCC.Vector.CN03 Enforce Metadata-Level Access Controls

    Objective

    Apply access control policies to metadata fields used in filtering to prevent unauthorized exposure or inference.

    Assessment requirements

    1. When a metadata filter is applied to a query, the service MUST verify the requester is authorized to access that field.

      Applicability: tlp-amber, tlp-red

    Guidelines
    • FINOS-AIGF
      • AIR-DET-001AI Data Leakage Prevention and Detection
      • AIR-PREV-012Role-Based Access Control for AI Data
      • AIR-DET-016Preserving Source Data Access Controls in AI Systems
    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH03Cross-modal or Metadata Leakage
    • CCC.Core.Threats
      • CCC.Core.TH01Access Control is Misconfigured

Resource Management

The Resource Management group covers entries related to the lifecycle, configuration, and operational integrity of cloud resources. This includes resource exhaustion, tag manipulation, version rollback, scaling, and cost management.

  1. CCC.Vector.CN05 Enforce Index Versioning with Rollback Protection

    Objective

    Ensure vector indexes are versioned and that rollback operations are authorized and auditable.

    Assessment requirements

    1. When a rollback is attempted, the system MUST log the action and verify rollback authorization.

      Applicability: tlp-amber, tlp-red

    Guidelines
    • AIR-DET-004
      • AIR-PREV-008AI System Observability
    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH04Index Corruption or Downgrade
    • CCC.Core.Threats
      • CCC.Core.TH09Logs or Monitoring Data are Read by Unauthorized Users
      • CCC.Core.TH04Data is Replicated to Untrusted or External Locations

Data Processing

The Data Processing group covers entries related to transforming, enriching, and moving data through pipelines. This includes ETL/ELT, stream and batch processing, data lineage, schema evolution, and workflow orchestration for data workloads.

  1. CCC.Vector.CN07 Support Explicit ANN vs. Exact Search Configuration

    Objective

    Provide clients with the option to enforce exact-match (non-ANN) search where search fidelity is critical.

    Assessment requirements

    1. When a search request is issued, clients MUST be allowed to declare their requirement for exact vs approximate results.

      Applicability: tlp-amber, tlp-red

    Threats
    • CCC.Vector.Threats
      • CCC.Vector.TH06Search Result Manipulation via ANN Bias