Why does a citation have more than one mandate?


Authority Documents challenge compliance professionals to decipher actionable, auditable requirements from human-readable prose. A citation (a discrete passage in an Authority Document) can have zero, one, or several mandates (auditable requirements).

UCF Compliance Mapping identifies each mandate in a citation because this level of detail is necessary to prepare for and pass audits.

To expand on this answer, this article:

  • reviews the Unified Compliance definition of citation and mandate,

  • highlights that a citation’s language determines its number of mandates, and

  • discusses why UCF Compliance Mapping must operate at this level of detail.


What is a Citation?

A citation is a discrete passage in an Authority Document. It is separated from an Authority Document’s other citations by a line break. It can be a paragraph or a bullet point, and it can include zero, one, or multiple mandates. For more information, see What is a Citation?

Example citation: MA-1a.1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1

What is a mandate?

A mandate is a requirement to perform a specific action. It is constituted by a verb that specifies the required action, and by one or more nouns that specify the actor and/or object(s). An organization is audited for compliance with mandates, and an unfulfilled mandate is a compliance gap. For more information, see What is a Mandate?


Example mandates: MA-1a.1(a), NIST SP 800-53, Revision 5.1.1.


Why does a citation have more than one mandate?

A citation has more than one mandate if its language demands more than one action be taken. Some Authority Documents format citations so that each clearly specifies one mandate. Others do not. For example, the CIS Amazon Web Services Foundations Benchmark citation below requires a single action: set the S3 Bucket Policy to deny HTTP requests. Meanwhile, MA-1a.1(a), NIST SP 800-53 above uses a comma-separated list to mandate the inclusion of multiple topics in an organization’s maintenance policy.


CIS Benchmarks often specify a single mandate in each citation. From CIS Amazon Web Services Foundations Benchmark, v3.0.0, Center for Internet Security.

Why must UCF Compliance Mapping operate at this level of detail?

A citation’s language determines whether it has more than one mandate. If the citation requires more than one action, it has multiple mandates. But this raises a further question: why must UCF Compliance Mapping operate at this level of detail?

Mandate-level Compliance Mapping provides the level of detail necessary to prepare for and pass an audit.

UCF Compliance Mapping separately identifies each mandate in a citation because an auditor separately audits each mandate in a citation. For example, compare MA-1a.1(a), NIST SP 800-53, with its assessment procedures in NIST Special Publication 800-53A, Assessing Security and Privacy Controls. The assessment procedures turn the NIST SP 800-53 citation into a checklist of audit items. Organizations must prove compliance with each audit item separately, even though all of them originated from a single citation.

The assessment procedures for NIST 800-53 audit each mandate in MA-1a.1(a). (NIST Special Publication 800-53A, Assessing Security and Privacy Controls)