UIAO Governance Findings
Operational constraints the substrate operates around
Governance findings are operational artifacts that document constraints the UIAO substrate has identified in its environment. They are not canon (they don’t declare how UIAO works); they are not pure narrative (they carry structured evidence and ownership). They occupy a distinct artifact class established by ADR-030 §5.2.
The contract
Every finding has five mandatory sections:
- Constraint — what the substrate has identified
- Evidence — primary-source citations with URLs and access dates
- Capability gap — what the substrate cannot do because of the constraint, tied to specific UIAO_NNN capability statements
- Proposed remedy — internal vs external action paths
- Ownership trail — append-only record of who identified, escalated, and accepts responsibility
Full contract: docs/findings/README.md.
Current findings
| ID | Title | Status | Severity | Owner |
|---|---|---|---|---|
| FINDING-001 | FedRAMP GCC-Moderate — Microsoft 365 Informed Network Routing unavailable | Awaiting-External-Remediation | P2 | Michael Stratton |
FINDING-001 summary
Microsoft 365 Informed Network Routing (INR) — the feature that would let UIAO consume Microsoft-sourced M365 path-quality telemetry — is not available to GCC-Moderate tenants. Cited directly from Microsoft Learn: “Microsoft 365 informed network routing supports tenants in WW Commercial cloud but not the GCC Moderate, GCC High, DoD, Germany, or China clouds.”
Capability gap: UIAO cannot feed Microsoft-authenticated M365 path-quality signals into the evidence graph or drift engine for GCC-Moderate deployments. An agency-side SD-WAN telemetry collector is the UIAO-native substitute (scope for a future adapter).
External remedy: Microsoft deploys INR to GCC-Moderate, or FedRAMP authorizes the telemetry envelope. External to UIAO’s scope; finding stays open until that happens.
Status lifecycle
| Status | Meaning |
|---|---|
| Open | Finding documented, no remediation path agreed |
| Awaiting-External-Remediation | Remedy requires external action (agency policy, vendor roadmap, FedRAMP boundary adjustment); substrate-side mitigation documented if available |
| Resolved | Remedy landed; finding describes the historical constraint and the mechanism that now handles it |
| Withdrawn | Finding determined to be incorrect or duplicate; reason documented |
Findings persist in this directory at all statuses — they are the audit trail of what the substrate has operated around.
How findings relate to other UIAO surfaces
| Surface | Decides / declares | Example |
|---|---|---|
Canon (src/uiao/canon/) |
What UIAO does | UIAO_129 Application Identity Model |
ADR (src/uiao/canon/adr/) |
How UIAO decides | ADR-030 retires “V3” as canonical vocabulary |
Findings (docs/findings/) |
What UIAO cannot do until external conditions change | FedRAMP-INR: M365 Informed Network Routing unavailable in GCC-Moderate |
Narrative (docs/narrative/) |
Reader-facing story | Why-modernization-is-hard |
Series (docs/series/) |
Arc-level narrative | Application-Aware Networking book |
Escalation principle
Findings operate under the principle stated by the current agency CIO: “Everyone owns all problems they identify.” A finding is the substrate’s way of honoring that principle — it documents a problem the substrate has seen, names an owner, and keeps the issue in view until it is resolved or formally withdrawn.