UCF Analyst - Phase 1 - Lean PRD

Table of Contents

Target release	Q1 2025
Epic
Document status	DRAFT
Document owner
Designer
Tech lead
AI Lead
Integration Lead
QA

🎯 Introduction

This document outlines the phased implementation of API endpoints, backend infrastructure, and preliminary user-facing components for UCF Analyst.

The aim is to ensure foundational readiness for scaling data accessibility and supporting commercial opportunities in compliance and governance systems.

🔗 References

Related PRDs

Lessons Learned

\uD83D\uDCCA Success metrics

Goal	Metric
Partner Adoption	Number of OEM partners adopting the API for AD and Control data. Target: TBD
Revenue Growth	Revenue generated from enriched AD and control data. Target: TBD

⚔️ Mission Critical Decisions

\uD83E\uDD14 Assumptions

🔗 Limitations

Lists do not exist in Nextgen at this time.

🖇️ Dependencies

\uD83C\uDF1F Milestones & Timeline

Milestones need to be scoped out in coordination with the engineers as of 12/20/24.

#	Milestone	Objective	Key Deliverables
1	API Endpoints	Develop key API endpoints to support the first focus of the Preference-Driven AI System.	Fully functional API endpoints: Glossary Endpoint Vendors/Organization Endpoint Assets Endpoint Configurable Items Endpoint Configuration Settings Endpoint Configuration Methods Endpoint Comprehensive API documentation for seamless integration. Moving data from Legacy system into NextGen for the above endpoints.

🎲 Use Cases

OEM Software Supported Coverage

Use Case	NextGen
As a GRC professional, I would like to see the Framework References I have Common Control support for, and the mandates extracted from them.	Exists ADs Endpoint Citations Endpoint- for single AD Mandates Endpoint- for single AD Common Controls Endpoint -for single AD Does not Exist UI Citations Endpoint for multiple ADs Mandates Endpoing for Multiple ADs Common Controls Endpoint for multiple ADs
As a GRC professional, I would like to select a set of Frameworks and compare the Common Control coverage - for both licensed and nonlicensed Frameworks.	Does not Exist UI Common Control to ADs Endpoint Possible Metadata only for ADs?
As a GRC professional, I would like to see how the Common Controls are mapped back to the Frameworks I am licensed to.	Does not Exist Common Controls to Tagged Mandates Endpoint Common Controls to Citations Endpoint
As a GRC professional, I would like to see a list of Control Implementations for the Common Common controls I am licensed to use.	This may be possible through the control hierarchy of Common Controls Endpoint Does not Exist Common Controls Implementations Endpoint (Children Controls of the Matched Common Control)

\uD83D\uDDD2 Functional Requirements

#	User Story & Title	Description	Notes
	AD Frameworks to Common Controls User Interface	Build an interface for users to view a list of Common Controls for all licensed Authority Documents. Considerations Ability to hide ADs and their controls from list (no save view at this time) Ability to highlight controls for specific ADs
	Common Controls to Assets User Interface	Build an interface for users to view all Assests associated with the Common Controls for all their licensed Authority Documents.
	Common Controls to Config Information User Interface	Build an interface for users to view all Configuration information for each Assets associated with the Common Controls for all their licensed Authority Documents.
	AD Frameworks to Common Controls Common Controls to unlicensed ADs interface (Compare)	Build an interface for users to view all the Unlicensed, publicly searchable, ADs overlapping with the Common Controls for all their licensed Authority Documents. Considerations Filters for unlicensed ADs (Geography, Subject Matter, Originator) May want to not show the exact common controls they unlicensed ADs map too.

📕 Non-Functional Requirements

#	User Story & Title	Description	Notes
	Implement, test, and monitor performance standards
	Support serving content via HTTP/3
	Security headers are included in every HTTP response
	Compress all HTTP responses.
	Included etags, caching, and cache busting for all HTTP API endpoint responses, webpages, and webpage assets.

🔖 API Requirements

User Story & Title	Description	Notes
Glossary Endpoint
Vendors/Organization Endpoint	Retrieves vendor-related information for assets.
Assets Endpoint	Retrieves asset information.
Configurable Items Endpoint	Retrieves of configuration items relevant to assets.
Configuration Settings Endpoint	Retrieves configuration settings tied to assets and configurable Items.
Configuration Methods Endpoint	Retrieves methods tied to configurable assets items.
Common Control to licensed ADs Endpoint	Retrieves the AD metadata tied to the Common Control.
Common Control to AD Catalog Endpoint	Retrieves AD metadata tied to the Common Control.
Common Controls to Tagged Mandates Endpoint	Retrieve Tagged Mandates tied to common control.
Common Controls Endpoint for multiple ADs
Citations Endpoint for multiple ADs
Mandates Endpoint for Multiple ADs
Bulk Mandate Endpoint
Bulk Citations Endpoint
Bulk Common Control Endpoint
Bulk Mandate Endpoint for multiple ADs
Bulk Citations Endpoint for Muliple ADs
Bulk Common Control Endpoint for Muliple
Common Controls to Citations Endpoint	Retreived Citation data tied to the Common Control.
Common Controls Implementations Endpoint	Retreived the Children Controls metadata.	Lower Priority

Flows

🖥️ User Interface

🏁 User Workflows

🗺️ Architecture

🚚 Deliverables

Open Questions

Date, Question	Answer	Date Answered, by whom

Risks and Mitigations

Risks	Mitigations

🛑 Out of Scope

🚧 Change Log

This section includes changes made to PRD after approval.

Date

[Date of Change]

Change Description

[Brief Overview of the Change]

LOE

[Estimation in Hours/Days]

Impact

[Impact on overall project timeline or resources]

Approver/

Decision Maker