Authority Documents challenge compliance professionals to decipher actionable, auditable requirements from human-readable prose. A citation (a discrete passage in an Authority Document) can have zero, one, or several mandates (auditable requirements).
UCF Compliance Mapping identifies each mandate in a citation because this level of detail is necessary to prepare for and pass audits.
To expand on this answer, this article:
- reviews the Unified Compliance definition of citation and mandate,
- highlights that a citation's language determines its number of mandates, and
- discusses why UCF Compliance Mapping must operate at this level of detail.
What is a Citation?
A citation is a discrete passage in an Authority Document. It is separated from an Authority Document’s other citations by a line break. It can be a paragraph or a bullet point, and it can include zero, one, or multiple mandates. For more information, see What is a Citation?

What is a mandate?
A mandate is a requirement to perform a specific action. It consists of a verb that specifies the required action and one or more nouns that specify the actor and/or the object(s) of that action. An organization is audited for compliance with mandates, and an unfulfilled mandate is a compliance gap. For more information, see What is a Mandate?
Example mandates: MA-1a.1(a), NIST SP 800-53, Revision 5.1.1.
Why does a citation have more than one mandate?
A citation has more than one mandate if its language demands that more than one action be taken. Some Authority Documents format their citations so that each one clearly specifies a single mandate; others do not. For example, the CIS Amazon Web Services Foundations Benchmark citation discussed here requires a single action: configure the S3 bucket policy to deny HTTP requests. By contrast, MA-1a.1(a) of NIST SP 800-53 (above) uses a comma-separated list to require that an organization's maintenance policy address several distinct topics, and each topic in that list is a separate mandate.
Why must UCF Compliance Mapping operate at this level of detail?
A citation's language determines whether it contains more than one mandate: if the citation requires more than one action, it has multiple mandates. That raises the question of why UCF Compliance Mapping must operate at this level of detail.
Mandate-level Compliance Mapping provides the level of detail necessary to prepare for and pass an audit.
UCF Compliance Mapping separately identifies each mandate in a citation because an auditor separately assesses each mandate in a citation. For example, compare MA-1a.1(a) of NIST SP 800-53 with its assessment procedures in NIST Special Publication 800-53A, Assessing Security and Privacy Controls. The assessment procedures turn the single NIST SP 800-53 citation into a checklist of audit items, one per topic the maintenance policy must address, and each item receives its own determination. Organizations must therefore prove compliance with each audit item separately, even though all of the items originate from a single citation.
