// Copyright 2026 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.cloudsecuritycompliance.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.CloudSecurityCompliance.V1";
option go_package = "cloud.google.com/go/cloudsecuritycompliance/apiv1/cloudsecuritycompliancepb;cloudsecuritycompliancepb";
option java_multiple_files = true;
option java_outer_classname = "CommonProto";
option java_package = "com.google.cloud.cloudsecuritycompliance.v1";
option php_namespace = "Google\\Cloud\\CloudSecurityCompliance\\V1";
option ruby_package = "Google::Cloud::CloudSecurityCompliance::V1";
option (google.api.resource_definition) = {
  type: "cloudsecuritycompliance.googleapis.com/OrganizationLocation"
  pattern: "organizations/{organization}/locations/{location}"
};

// The responsibility type for the regulatory control.
enum RegulatoryControlResponsibilityType {
  // Default value. This value is unused.
  REGULATORY_CONTROL_RESPONSIBILITY_TYPE_UNSPECIFIED = 0;

  // Google's responsibility.
  GOOGLE = 1;

  // Your responsibility.
  CUSTOMER = 2;

  // Shared responsibility.
  SHARED = 3;
}

// The enforcement mode for the cloud control.
enum EnforcementMode {
  // Default value. This value is unused.
  ENFORCEMENT_MODE_UNSPECIFIED = 0;

  // The cloud control is enforced to prevent non-compliance.
  PREVENTIVE = 1;

  // The cloud control is enforced to detect non-compliance.
  DETECTIVE = 2;

  // The cloud control is enforced to audit for non-compliance.
  AUDIT = 3;
}

// The category for the framework.
enum FrameworkCategory {
  // Default value. This value is unused.
  FRAMEWORK_CATEGORY_UNSPECIFIED = 0;

  // An industry-defined framework.
  INDUSTRY_DEFINED_STANDARD = 1;

  // An Assured Workloads framework.
  ASSURED_WORKLOADS = 2;

  // A data security posture framework.
  DATA_SECURITY = 3;

  // A Google's best practices framework.
  GOOGLE_BEST_PRACTICES = 4;

  // A user-created framework.
  CUSTOM_FRAMEWORK = 5;
}

// The category for the cloud control.
enum CloudControlCategory {
  // Default value. This value is unused.
  CLOUD_CONTROL_CATEGORY_UNSPECIFIED = 0;

  // The infrastructure security category.
  CC_CATEGORY_INFRASTRUCTURE = 1;

  // The artificial intelligence category.
  CC_CATEGORY_ARTIFICIAL_INTELLIGENCE = 2;

  // The physical security category.
  CC_CATEGORY_PHYSICAL_SECURITY = 3;

  // The data security category.
  CC_CATEGORY_DATA_SECURITY = 4;

  // The network security category.
  CC_CATEGORY_NETWORK_SECURITY = 5;

  // The incident management category.
  CC_CATEGORY_INCIDENT_MANAGEMENT = 6;

  // The identity and access management category.
  CC_CATEGORY_IDENTITY_AND_ACCESS_MANAGEMENT = 7;

  // The encryption category.
  CC_CATEGORY_ENCRYPTION = 8;

  // The logs management and infrastructure category.
  CC_CATEGORY_LOGS_MANAGEMENT_AND_INFRASTRUCTURE = 9;

  // The HR, admin, and processes category.
  CC_CATEGORY_HR_ADMIN_AND_PROCESSES = 10;

  // The third-party and sub-processor management category.
  CC_CATEGORY_THIRD_PARTY_AND_SUB_PROCESSOR_MANAGEMENT = 11;

  // The legal and disclosures category.
  CC_CATEGORY_LEGAL_AND_DISCLOSURES = 12;

  // The vulnerability management category.
  CC_CATEGORY_VULNERABILITY_MANAGEMENT = 13;

  // The privacy category.
  CC_CATEGORY_PRIVACY = 14;

  // The business continuity and disaster recovery (BCDR) category.
  CC_CATEGORY_BCDR = 15;

  // The admin access category.
  CC_CATEGORY_ADMIN_ACCESS = 16;

  // DRZ (Data Residency).
  CC_CATEGORY_DATA_RESIDENCY = 17;

  // RUR (Resource Usage Restriction).
  CC_CATEGORY_RESOURCE_USAGE_RESTRICTION = 18;

  // SERVICE SPECIFIC
  CC_CATEGORY_SERVICE_SPECIFIC = 19;
}

// The cloud provider that's associated with the cloud control.
enum CloudProvider {
  // Default value. This value is unused.
  CLOUD_PROVIDER_UNSPECIFIED = 0;

  // Amazon Web Services (AWS).
  AWS = 1;

  // Microsoft Azure.
  AZURE = 2;

  // Google Cloud.
  GCP = 3;
}

// The severity of the finding.
enum Severity {
  // Default value. This value is unused.
  SEVERITY_UNSPECIFIED = 0;

  // A critical vulnerability is easily discoverable by an external actor,
  // exploitable, and results in the direct ability to execute arbitrary code,
  // exfiltrate data, and otherwise gain additional access and privileges to
  // cloud resources and workloads. Examples include publicly accessible
  // unprotected user data and public SSH access with weak or no
  // passwords.
  //
  // A critical threat is a threat that can access, modify, or delete data or
  // execute unauthorized code within existing resources.
  CRITICAL = 1;

  // A high-risk vulnerability can be easily discovered and exploited in
  // combination with other vulnerabilities to gain direct access and
  // the ability to execute arbitrary code, exfiltrate data, and otherwise
  // gain additional access and privileges to cloud resources and workloads.
  // An example is a database with weak or no passwords that is only
  // accessible internally. This database could easily be compromised by an
  // actor that had access to the internal network.
  //
  // A high-risk threat is a threat that can create new computational
  // resources in an environment but can't access data or execute code in
  // existing resources.
  HIGH = 2;

  // A medium-risk vulnerability can be used by an actor to gain access to
  // resources or privileges that enable them to eventually (through multiple
  // steps or a complex exploit) gain access and the ability to execute
  // arbitrary code or exfiltrate data. An example is a service account with
  // access to more projects than it should have. If an actor gains access to
  // the service account, they could potentially use that access to manipulate
  // a project the service account was not intended to.
  //
  // A medium-risk threat can cause operational impact but might not
  // access data or execute unauthorized code.
  MEDIUM = 3;

  // A low-risk vulnerability hampers a security organization's ability to
  // detect vulnerabilities or active threats in their deployment, or prevents
  // the root cause investigation of security issues. An example is monitoring
  // and logs being disabled for resource configurations and access.
  //
  // A low-risk threat is a threat that has obtained minimal access to an
  // environment but can't access data, execute code, or create resources.
  LOW = 4;
}

// The action type of the rule.
enum RuleActionType {
  // Default value. This value is unused.
  RULE_ACTION_TYPE_UNSPECIFIED = 0;

  // The rule is intended to prevent non-compliance.
  RULE_ACTION_TYPE_PREVENTIVE = 1;

  // The rule is intended to detect non-compliance.
  RULE_ACTION_TYPE_DETECTIVE = 2;

  // The rule is intended to audit non-compliance.
  RULE_ACTION_TYPE_AUDIT = 3;
}

// The type of resource that a control or framework can be applied to.
enum TargetResourceType {
  // Default value. This value is unused.
  TARGET_RESOURCE_TYPE_UNSPECIFIED = 0;

  // The target resource is a Google Cloud organization.
  TARGET_RESOURCE_CRM_TYPE_ORG = 1;

  // The target resource is a folder.
  TARGET_RESOURCE_CRM_TYPE_FOLDER = 2;

  // The target resource is a project.
  TARGET_RESOURCE_CRM_TYPE_PROJECT = 3;

  // The target resource is an application in App Hub.
  TARGET_RESOURCE_TYPE_APPLICATION = 4;
}

// A framework is a collection of cloud controls and regulatory controls
// that represent security best practices or industry-defined standards such as
// FedRAMP or NIST.
message Framework {
  option (google.api.resource) = {
    type: "cloudsecuritycompliance.googleapis.com/Framework"
    pattern: "organizations/{organization}/locations/{location}/frameworks/{framework}"
    pattern: "projects/{project}/locations/{location}/frameworks/{framework}"
    plural: "frameworks"
    singular: "framework"
  };

  // The type of framework.
  enum FrameworkType {
    // Default value. This value is unused.
    FRAMEWORK_TYPE_UNSPECIFIED = 0;

    // A framework that's provided and managed by Google.
    BUILT_IN = 1;

    // A framework that's created and managed by you.
    CUSTOM = 2;
  }

  // Required. Identifier. The name of the framework, in one of the following
  // formats:
  // `organizations/{organization}/locations/{location}/frameworks/{framework}`
  // or
  // `projects/{project}/locations/{location}/frameworks/{framework}`.
  //
  // The only supported location is `global`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IDENTIFIER
  ];

  // Output only. The major version of the framework, which is incremented in
  // ascending order.
  int64 major_revision_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The friendly name of the framework. The maximum length is 200
  // characters.
  string display_name = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The description of the framework. The maximum length is 2000
  // characters.
  string description = 5 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The type of framework.
  FrameworkType type = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The cloud control details that are directly added without any
  // grouping in the framework.
  repeated CloudControlDetails cloud_control_details = 8
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The category of the framework.
  repeated FrameworkCategory category = 9
      [(google.api.field_behavior) = OPTIONAL];

  // Output only. The cloud providers that are supported by the framework.
  repeated CloudProvider supported_cloud_providers = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The target resource types that are supported by the framework.
  repeated TargetResourceType supported_target_resource_types = 11
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The supported enforcement modes of the framework.
  repeated EnforcementMode supported_enforcement_modes = 13
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The details of a cloud control.
message CloudControlDetails {
  // Required. The name of the cloud control, in one of the following formats:
  // `organizations/{organization}/locations/{location}/cloudControls/{cloud_control}`
  // or
  // `projects/{project}/locations/{location}/cloudControls/{cloud_control}`.
  //
  // The only supported location is `global`.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The major version of the cloud control.
  int64 major_revision_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Optional. Parameters are key-value pairs that let you provide your custom
  // location requirements, environment requirements, or other settings that are
  // relevant to the cloud control. An example parameter is
  // `{"name": "location","value": "us-west-1"}`.
  repeated Parameter parameters = 4 [(google.api.field_behavior) = OPTIONAL];
}

// The reference of a framework, in one of the following formats:
// - `organizations/{organization}/locations/{location}/frameworks/{framework}`
// - `projects/{project}/locations/{location}/frameworks/{framework}`.
//
// The only supported location is `global`.
message FrameworkReference {
  // Required. The major version of the framework. If not specified, the version
  // corresponds to the latest version of the framework.
  string framework = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "cloudsecuritycompliance.googleapis.com/Framework"
    }
  ];

  // Optional. The major version of the framework. If not specified, the version
  // corresponds to the latest version of the framework.
  optional int64 major_revision_id = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Parameters are key-value pairs that let you provide your custom location
// requirements, environment requirements, or other settings that are
// relevant to the cloud control.
message Parameter {
  // Required. The name or key of the parameter.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The value of the parameter.
  ParamValue parameter_value = 2 [(google.api.field_behavior) = REQUIRED];
}

// A cloud control is a set of rules and associated metadata that you can
// use to define your organization's security or compliance intent.
message CloudControl {
  option (google.api.resource) = {
    type: "cloudsecuritycompliance.googleapis.com/CloudControl"
    pattern: "organizations/{organization}/locations/{location}/cloudControls/{cloud_control}"
    pattern: "projects/{project}/locations/{location}/cloudControls/{cloud_control}"
    plural: "cloudControls"
    singular: "cloudControl"
  };

  // The type of cloud control.
  enum Type {
    // Default value. This value is unused.
    TYPE_UNSPECIFIED = 0;

    // A cloud control that's created and managed by you.
    CUSTOM = 1;

    // A cloud control that's provided and managed by Google.
    BUILT_IN = 2;
  }

  // Required. Identifier. The name of the cloud control, in either of the
  // formats:
  // `organizations/{organization}/locations/{location}/cloudControls/{cloud_control}`
  // or
  // `projects/{project}/locations/{location}/cloudControls/{cloud_control}`.
  //
  // The only supported location is `global`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.field_behavior) = IDENTIFIER
  ];

  // Output only. The major version of the cloud control, which is incremented
  // in ascending order.
  int64 major_revision_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. A description of the cloud control. The maximum length is 2000
  // characters.
  string description = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The friendly name of the cloud control. The maximum length is 200
  // characters.
  string display_name = 5 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The supported enforcement modes for the cloud control.
  repeated EnforcementMode supported_enforcement_modes = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The parameter specifications for the cloud control.
  repeated ParameterSpec parameter_spec = 8
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The rules that you can enforce to meet your security or
  // compliance intent.
  repeated Rule rules = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The severity of the findings that are generated by the cloud
  // control.
  Severity severity = 11 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The finding category for the cloud control findings. The maximum
  // length is 255 characters.
  string finding_category = 12 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The supported cloud providers.
  repeated CloudProvider supported_cloud_providers = 13
      [(google.api.field_behavior) = OPTIONAL];

  // Output only. The frameworks that include this cloud control.
  repeated string related_frameworks = 14
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The remediation steps for the cloud control findings. The
  // maximum length is 400 characters.
  string remediation_steps = 15 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The categories for the cloud control.
  repeated CloudControlCategory categories = 16
      [(google.api.field_behavior) = OPTIONAL];

  // Output only. The time that the cloud control was last updated.
  // `create_time` is used because a new cloud control is created
  // whenever an existing cloud control is updated.
  google.protobuf.Timestamp create_time = 17
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The target resource types that are supported by the cloud
  // control.
  repeated TargetResourceType supported_target_resource_types = 18
      [(google.api.field_behavior) = OPTIONAL];
}

// The parameter specification for the cloud control.
message ParameterSpec {
  // The type of parameter value.
  enum ValueType {
    // Default value. This value is unused.
    VALUE_TYPE_UNSPECIFIED = 0;

    // A string value.
    STRING = 3;

    // A boolean value.
    BOOLEAN = 4;

    // A string list value.
    STRINGLIST = 5;

    // A numeric value.
    NUMBER = 6;

    // A oneOf value.
    ONEOF = 7;
  }

  // Required. The name of the parameter.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The friendly name of the parameter. The maximum length is 200
  // characters.
  string display_name = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The description of the parameter. The maximum length is 2000
  // characters.
  string description = 3 [(google.api.field_behavior) = OPTIONAL];

  // Required. Whether the parameter is required.
  bool is_required = 4 [(google.api.field_behavior) = REQUIRED];

  // Required. The parameter value type.
  ValueType value_type = 5 [(google.api.field_behavior) = REQUIRED];

  // Optional. The default value of the parameter.
  ParamValue default_value = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The list of parameter substitutions.
  repeated ParameterSubstitutionRule substitution_rules = 7
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The parameter specification for `oneOf` attributes.
  repeated ParameterSpec sub_parameters = 8
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The permitted set of values for the parameter.
  Validation validation = 9 [(google.api.field_behavior) = OPTIONAL];
}

// The validation of the parameter.
message Validation {
  // Defines validators for parameter values.
  oneof constraint {
    // The permitted set of values for the parameter.
    AllowedValues allowed_values = 1;

    // The permitted range for numeric parameters.
    IntRange int_range = 2;

    // The regular expression for string parameters.
    RegexpPattern regexp_pattern = 3;
  }
}

// The allowed set of values for the parameter.
message AllowedValues {
  // Required. The list of allowed values for the parameter.
  repeated ParamValue values = 1 [(google.api.field_behavior) = REQUIRED];
}

// The regular expression (regex) validator for parameter values.
message RegexpPattern {
  // Required. The regex pattern to match the values of the parameter with.
  string pattern = 1 [(google.api.field_behavior) = REQUIRED];
}

// The number range for number parameters.
message IntRange {
  // Required. The minimum permitted value for the numeric parameter
  // (inclusive).
  int64 min = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. The maximum permitted value for the numeric parameter
  // (inclusive).
  int64 max = 2 [(google.api.field_behavior) = REQUIRED];
}

// A list of strings for the parameter value.
message StringList {
  // Required. The strings in the list.
  repeated string values = 1 [(google.api.field_behavior) = REQUIRED];
}

// The possible parameter value types.
message ParamValue {
  // The list of possible parameter value types.
  oneof kind {
    // Optional. A string value.
    string string_value = 3 [(google.api.field_behavior) = OPTIONAL];

    // Optional. A boolean value.
    bool bool_value = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. A repeated string.
    StringList string_list_value = 5 [(google.api.field_behavior) = OPTIONAL];

    // Optional. A double value.
    double number_value = 6 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Sub-parameter values.
    Parameter oneof_value = 7 [(google.api.field_behavior) = OPTIONAL];
  }
}

// The parameter substitution rules.
message ParameterSubstitutionRule {
  // The type of substitution.
  oneof substitution_type {
    // The placeholder substitution rule.
    PlaceholderSubstitutionRule placeholder_substitution_rule = 1;

    // The attribute substitution rule.
    AttributeSubstitutionRule attribute_substitution_rule = 2;
  }
}

// The attribute at the given path that's substituted entirely.
message AttributeSubstitutionRule {
  // The fully qualified proto attribute path, in dot notation.
  // For example: `rules[0].cel_expression.resource_types_values`
  string attribute = 1;
}

// The placeholder that's substituted in the rendered string.
message PlaceholderSubstitutionRule {
  // The fully qualified proto attribute path, in dot notation.
  string attribute = 1;
}

// A rule in the cloud control.
message Rule {
  // The rule implementation.
  oneof implementation {
    // The rule's logic expression in Common Expression Language (CEL).
    CELExpression cel_expression = 1;
  }

  // Optional. The rule description. The maximum length is 2000 characters.
  string description = 10 [(google.api.field_behavior) = OPTIONAL];

  // Required. The functionality that's enabled by the rule.
  repeated RuleActionType rule_action_types = 16
      [(google.api.field_behavior) = REQUIRED];
}

// A Common Expression Language (CEL) expression that's used to create a rule.
message CELExpression {
  // The criteria of the CEL expression.
  oneof criteria {
    // The resource instance types on which this expression is defined.
    // The format is `<SERVICE_NAME>/<type>`.
    // For example: `compute.googleapis.com/Instance`
    StringList resource_types_values = 3;
  }

  // Required. The logical expression in CEL. The maximum length of the
  // condition is 1000 characters. For more information, see [CEL
  // expression](https://cloud.google.com/security-command-center/docs/compliance-manager-write-cel-expressions).
  string expression = 1 [(google.api.field_behavior) = REQUIRED];
}

// The metadata for the long-running operation.
message OperationMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time the operation finished running.
  google.protobuf.Timestamp end_time = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The server-defined resource path for the target of the
  // operation.
  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the verb that was executed by the operation.
  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The human-readable status of the operation, if any.
  string status_message = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Identifies whether the user has requested that the operation
  // be cancelled. If an operation was cancelled successfully, then the field
  // [google.longrunning.Operation.error][google.longrunning.Operation.error]
  // contains the value [google.rpc.Code.CANCELLED][google.rpc.Code.CANCELLED].
  bool requested_cancellation = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The API version that was used to start the operation.
  string api_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The regulatory control.
message Control {
  option (google.api.resource) = {
    type: "cloudsecuritycompliance.googleapis.com/Control"
    pattern: "organizations/{organization}/locations/{location}/controls/{control}"
    pattern: "projects/{project}/locations/{location}/controls/{control}"
    plural: "controls"
    singular: "control"
  };

  // The regulatory control family.
  enum Family {
    // Default value. This value is unused.
    FAMILY_UNSPECIFIED = 0;

    // Access control
    AC = 1;

    // Awareness and araining
    AT = 2;

    // Audit and accountability
    AU = 3;

    // Certification, accreditation, and security assessments
    CA = 4;

    // Configuration management
    CM = 5;

    // Contingency planning
    CP = 6;

    // Identification and authentication
    IA = 7;

    // Incident response
    IR = 8;

    // Maintenance
    MA = 9;

    // Media protection
    MP = 10;

    // Physical and environmental protection
    PE = 11;

    // Security planning
    PL = 12;

    // Personnel aecurity
    PS = 13;

    // Risk assessment
    RA = 14;

    // System services and acquisition
    SA = 15;

    // System and communications protection
    SC = 16;

    // System and information integrity
    SI = 17;

    // Supply chain risk management
    SR = 18;
  }

  // Output only. The name of a regulatory control, in one of the following
  // formats:
  // - `organizations/{organization}/locations/{location}/controls/{control}`
  // - `projects/{project}/locations/{location}/controls/{control}`.
  //
  // The only supported location is `global`.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The friendly name for the regulatory control.
  string display_name = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The description of the regulatory control.
  string description = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The regulatory group that the control belongs to.
  Family family = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The regulatory family that the control belongs to.
  ControlFamily control_family = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The entity that's responsible for the control, whether Google,
  // you as the customer, or both.
  RegulatoryControlResponsibilityType responsibility_type = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A description of Google's responsibility for the regulatory
  // control.
  string google_responsibility_description = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A description of Google's responsibility for implementing the
  // regulatory control.
  string google_responsibility_implementation = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A description of your responsibility for the regulatory
  // control.
  string customer_responsibility_description = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A description of the your responsibility for implementing the
  // regulatory control.
  string customer_responsibility_implementation = 11
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A description of the responsibility that's shared between
  // Google and you in implementing this control.
  string shared_responsibility_description = 12
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A link to the documentation that's related to this control.
  string additional_content_uri = 13
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The frameworks that include this control.
  repeated string related_frameworks = 14
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// The regulatory family of the control.
message ControlFamily {
  // The identifier for the regulatory control family.
  string family_id = 1;

  // The friendly name for the regulatory control family.
  string display_name = 2;
}
