- Created by Jay Hill , last modified on Feb 16, 2024
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 27 Next »
Introduction
The product requirements document (PRD) is a central document used to align all stakeholders (product management, engineering, QA, designers, and leadership) on how we will solve a specific problem with the proposed solution.
When creating the PRD, provide just as much information as needed and nothing more. If the document is too long and complex, it will quickly become outdated, and readers will lose interest.
Strategic Planning and Decision Making
Describe the problem we are solving, the high-level approach, and goals so that before we get too far into the details, readers will have a good understand of where we are headed.
What problem are we trying to solve?
We currently rely on a team of expert mappers to meticulously add content into the UCF. The process works well but is slow. With the advent of automation and AI, Unified Compliance risks attacks from competitors who will use technology to accelerate content acquisition.
Customers are not able keep up to date with compliance requirements in the face of the quickly evolving best practices, implementation guide, new segments, etc.
We will also find it difficult to take on new market segments without automation.
Briefly describe the approach you’re taking to solve this problem. Provide enough information for the reader to imagine possible solution directions and get a rough sense of the scope of this proposal.
The approach is to start with the “left-hand” side of the end-to-end content ingestion process focusing on compliance content through ETL for an identified list of four (4) compliance content providers.
For each content provider, Authority Documents will be identified, then Citations and Glossaries will be extracted from the Authority Documents, transformed into the Common Data Format specification, and loaded into the UC platform.
Automation tools and AI will be used to accelerate the end-to-end process with human assistance to review and approve critical steps in the process focusing on reviewing and updating AI suggestions.
Once the process is proven out, the intent is to extend the solution to many additional compliance content providers.
What does success look like? What metrics do we measure today that we can affect? What metrics should we absolutely add? Why it is important to affect those metrics?
Goal | Metric | Why Important? |
---|---|---|
Reliably extract citations from Authority Documents | When AI is not needed, 100% accuracy. When AI is utilized, greater than 80% accuracy where 20% of Citations need to be reworked (e.g., split, merged, rejected …) | If there is poor accuracy requiring extensive human correction, then there is little value. |
Reliably extract glossaries from Authority Documents | When AI is not needed, 100% accuracy. When AI is utilized, greater than 95% accuracy where only 5% of term-definition pairs need to be reworked. Glossaries are substantially easier to identify and extract than citations. | If there is poor accuracy requiring extensive human correction, then there is little value. |
Reliably automate the end-to-end process of capturing, transforming, and loading STIG, NIST 800-53, FedRAMP, eCFR compliance content into the Unified Compliance platform. | 100% of identified Authority Documents for all four compliance content contributor sources is loaded into the UCF. | All four Authority Documents sources are related to securing and hardening IT infrastructure for both the private and public sector. To provide value to customers with Security Operation's requirements, UC needs to maximize the breadth of security coverage to ensure we can provide security guidance for as many IT assets as possible. |
Ingested compliance content, including Authority Documents, Citations, and Glossaries, are available for access via the UC 4.0 API Gateway | 100% of identified Authority Documents for all four compliance content contributor sources are available for access via the UCF 4.0 API Gateway | We are in the migration phase from CCH to UC 4.0. To ensure we don’t elongate the migration process, all new content must come into UC 4.0 and out the API Gateway. |
Scope and Features
The section focusses on the details of the solution including what is in scope, what is out of scope and additional information to help in the product and engineering collaboration process.
Describe the product features that will bring value to customers and fulfill underserved need(s).
Feature | Use Case / Problem Solved |
---|---|
Automatic Citation and Glossary Extraction from Authority Documents | Out of all the ancillary information found in Authority Documents, specific passages containing Mandates (requirements) and related contextual information such as stubs, informational, and informational gathering are extracted from the Authority Documents. |
Human-in-the-loop Training for Content Extraction AI Models | Expert mappers can validate and make changes about the correctness of the AI-driven Citation and Glossary extraction helping train the AI model to produce increasingly better results. |
Automated Compliance Content Ingestion into the Common Data Format | Authority Documents (initially targeted for STIGs, NIST 800-53, FedRAMP, and eCFR) are loaded into the UCF platform with minimal human intervention. |
Monitoring and Logging | Administrators can make informed decisions and take action on the ingestion process based on meaningful information that is collected throughout compliance content ingestion process. |
Metadata and Data Change Detection | Compliance professionals are kept to up to date with changes made by compliance content providers. |
Statistical Data Capture and Reporting | Product and engineering teams can review statistical results captured during the document ingestion process to help make objective data-driven decisions about the accuracy and effectiveness off the process automation. |
List the known features that are out of scope for this project or might be revisited at a later time.
As is case with the assumptions, it is important to list these out so that architects and engineers can plan accordingly for these later updates.
Feature | Comments |
---|---|
Tagging and Mapping of content to the Common Controls. | This project ends at the AD, Citation and Glossary extraction, transformation, and load. Follow-on projects will include the tagging and mapping. |
Human-in-the-loop for content capture. | Later projects can include additional human validation. To limit scope of this project, steps such as metadata change detection can be reviewed and validated after the fact looking at logs and other information. |
Human-in-the-loop for the AD cataloging. | Same as above |
Human-in-the-loop for transformation into the common data format | Same as above |
Human-in-the-loop for loading into the UCF | Same as above |
Corpora Management and Administration | A non-production version of a corpora exists. Any work on the corpora is out of scope for this product. |
Corpora Data Loads | The focus of this PRD is to load compliance content into the UCF 4.0 application for customer consumption over the API Gateway with API Responses in the Common Data Format. Follow-on projects can tap into the pipeline and use the content for other purposes. |
Fit-for-purpose frontend for each step in the content ingestion process. | UX/UI for any other aspect of the process outside of human review and approval of suggested citations and suggested term-definition pairs. Later product updates could include additional front-end steps for tasks throughout the process. |
Dictionary term management. | For glossaries, all that is needed for the terms is the term-definition pair. Once we move into creating and managing dictionaries, we will add more details like part of speech, synonyms … |
If we have them, link to:
user journeys, process flow, or other diagrams related to the requirements.
mockups, prototypes, or screenshots related to the requirements.
If this project is a component to other areas or an update to an existing product, specifically call out where this product will interact with other areas.
List any open questions that come to mind throughout the lifecycle of this initiative.
Question | Answer | Date Answered |
---|---|---|
What do we do with deprecated authority documents? |
|
|
How do we identify and capture AD versions? |
|
|
For STIGs, how do we identify which files are authority documents? |
|
|
For NIST 800-53, how do we identify which files are authority documents? |
|
|
For FedRAMP, how do we identify which files are authority documents? |
|
|
For eCFRs, how do we identify which files are authority documents? |
|
|
Specifically, what is required to catalog an AD? |
|
|
In this first pass, what should constitute content changes? We don’t want to get too crazy and make this a massive project. Need to discuss. |
|
|
Milestones and Launch Checklist
The intent of this section is mostly focused on getting the solution “out the door” and who else is affected outside the product and engineering teams.
If applicable, identifies potential technical risks and propose mitigation strategies.
Risk | Mitigation Strategy |
---|---|
The eCFR content volume could cause multiple challenges including impact on API responses, searches, dominate other content sources … |
|
|
|
Identify any relevant milestones that people should know about. Will we “eat it” ourselves first? Will this require a beta? and what is the target launch date?
Date | Milestone | Audience | Description |
---|---|---|---|
TBD | Dogfood 🐶 | Internal employees only. | Testing internally |
TBD | Beta 🎈 | Early cohort of X customers. | Getting user feedback |
TBD | Public Launch 🚀 | Roll-out to all users. | Let’s do it! |
This section is a reminder to the product team to make sure all relevant stakeholders are involved as necessary.
Area | Question | Answer (yes/no) | Instructions if "Yes” (or unsure) |
Product | Are we introducing new functionality that requires changes to the pricing implementation. | Yes | The expectation is that these changes are part of the features in the PRD. |
Customer Success | Will new training material be needed (or updates to existing classes)? | No | Talk to the Customer Success team. |
Customer Success | Do we need a new or updated onboarding experience? | No | Talk to the Customer Success team. |
Support | Will new FAQs be required (or updates to existing ones)? API documentation? | Yes | Talk to the Customer Support team. |
Support | Will this functionality require new support processes like new HubSpot workflows or saved replies? Or training the support team on the product? | Yes | Talk to the Support team. |
Growth & Data | Do we need additional tracking in order to measure success and impact on user behavior for the new feature? Will UserFlow be used? Do we need a new Power BI report? | Yes | Review within our Product Team |
Growth & Data | Could this impact CTAs? Or new-user-experience (NUX)? | Yes | Review within our Product Team |
Growth & Data | Are we turning this product or feature on for everyone immediately or are we going to use feature flags for a slow roll-out? | Everyone | Not applicable yet until feature flags are ready to go |
Product | Are we running a Beta for this? | No | Review within our Product Team |
Marketing | Are we introducing functionality where we will want to update or create new web pages? New/updated CTAs? | Yes | Talk with Marketing |
Additional References
List and link to any other reference sites, documents … that might be important to the reader including the business model canvas (BMC).
- No labels