SecNumCloud — Dossier d'Homologation
Overview
Draft the Dossier d’Homologation for ANSSI SecNumCloud certification. Map infrastructure to the Référentiel (ISO 27001 Annex A / 27002), validate EEA data sovereignty for sub-processors, and structure evidence for France’s public-sector cloud qualification. Includes anssi_compliance_mapper to map your architecture to control domains and data_sovereignty_enforcer to flag sub-processors outside the EEA.
Example conversation
You: We’re preparing the Dossier d’Homologation for our IaaS offering. We have an architecture doc and a sub-processor list — can you map the architecture to the Référentiel and check data sovereignty?
Agent: I’ll run anssi_compliance_mapper on your architecture document to get the SecNumCloud domain mapping (A.5–A.18), then data_sovereignty_enforcer on the sub-processor list. That will show which domains to cover in the dossier and which sub-processors, if any, are outside the EEA and need to be moved or justified.
You: One sub-processor is in the UK — we have a transfer agreement. Can you still draft the dossier structure?
Agent: data_sovereignty_enforcer will flag the UK as hors EEE. I’ll draft the dossier using the structure in the skill (context, architecture mapping, sub-processors, measures per domain, risks). In the sub-processor section I’ll note the UK entry and the need to document the transfer/derogation for the homologation.
You: Run the mapper on docs/architecture.md and the enforcer on docs/subprocessors.txt, then give me the first two sections of the dossier.
Agent: (Runs both tools.) The mapper shows applicable domains: A.9 (contrôle d’accès), A.10 (cryptographie), A.11 (sécurité physique), A.12 (opérations), A.13 (communications), A.15 (fournisseurs). The enforcer reports 4 sub-processors in the EEA and 1 in the UK — I’ll list that one in the dossier with a note to attach the transfer agreement. Here are the opening sections of the Dossier d’Homologation: (drafts context and architecture mapping as below).
Excerpt of a draft Dossier d’Homologation
The agent structures the dossier so each section can be backed by evidence and tool outputs. Example opening:
# Dossier d'Homologation — [Service name]
## 1. Context and scope
- **Service**: IaaS (compute, storage, network) for OIVs and public-sector entities.
- **Scope**: France region; datacenters in France (Île-de-France, Bretagne).
- **Parties**: Lead service provider; sub-processors listed in section 3.
## 2. Architecture and mapping to the Référentiel
Mapping of the applicable Référentiel SecNumCloud domains (derived from the architecture analysis):
| Domain | Topic | Applicable | Evidence / remarks |
|---------|--------|------------|---------------------|
| A.9 | Access control | Yes | SSO, MFA, rights management |
| A.10 | Cryptography | Yes | TLS 1.3, encryption at rest |
| A.11 | Physical security | Yes | Datacenters in France, controlled access |
| A.12 | Operations security | Yes | Backups, logs, vulnerability management |
| A.13 | Communications | Yes | Segmentation, firewall |
| A.15 | Supplier relationships | Yes | Sub-processor list, see section 3 |
## 3. Sub-processing and data sovereignty
- **In the EEA**: [Names and countries — compliant].
- **Outside the EEA**: [Name], United Kingdom — transfer governed by a signed agreement; to be attached as an annex for the homologation.
The agent uses anssi_compliance_mapper to populate the domain mapping and data_sovereignty_enforcer to separate in-EEA vs outside-EEA sub-processors before writing this section.
Extension tools and validations
The skill provides two tools: one for mapping architecture to the Référentiel, one for validating sub-processor locations.
anssi_compliance_mapper
Purpose: Map an architecture or infrastructure description to Référentiel SecNumCloud control domains (A.5–A.18, ISO 27001 Annex A / 27002).
| What it does | Detail |
|---|---|
| Input | Path to a document (Markdown, YAML, or text) describing infrastructure (datacenters, network, access control, crypto, backups, sub-processors, etc.). |
| Logic | Scans the document for keywords aligned to each domain (e.g. “datacenter”, “TLS”, “backup”, “sous-traitant”) and marks which domains are suggested as applicable. |
| Output | A report listing each domain (A.5–A.18) with a checkmark when the content suggests applicability. Use this to structure the dossier and collect evidence by domain. |
Not a strict validator — it suggests which domains to address; the author remains responsible for completeness and accuracy.
data_sovereignty_enforcer
Purpose: Ensure sub-processors are in the EEA (EU 27 + Iceland, Liechtenstein, Norway) for SecNumCloud / data sovereignty.
| Check | Requirement |
|---|---|
| Country per sub-processor | Each line (name + country) is parsed; country is normalised and matched against the EEA list (full names or ISO 3166-1 alpha-2, e.g. France, FR, Germany, DE). |
| In EEA | Sub-processors in an EEA country are listed under “Dans l’EEE (conforme)”. |
| Outside EEA | Sub-processors in UK, US, Switzerland, or any other non-EEA country are listed under “Hors EEE (à traiter ou justifier)”. |
| Pass/fail | Report passes when no sub-processor is outside the EEA; otherwise it recommends remediation or documented derogation (e.g. transfer agreement) for the dossier. |
Input format: One sub-processor per line, e.g. Name, Country or Name | Country or Name: Country. Comments (lines starting with #) are ignored.
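The checks in the table above can be sketched as follows. This is an added example, not the skill's own code. The names parse_line and check_sovereignty, the English-only country names, and the choice to fail the report on unparseable lines are assumptions made here.

```python
import re

# EEA = EU 27 + Iceland, Liechtenstein, Norway (ISO 3166-1 alpha-2 -> English name).
EEA = {
    "AT": "Austria", "BE": "Belgium", "BG": "Bulgaria", "HR": "Croatia", "CY": "Cyprus",
    "CZ": "Czechia", "DK": "Denmark", "EE": "Estonia", "FI": "Finland", "FR": "France",
    "DE": "Germany", "GR": "Greece", "HU": "Hungary", "IE": "Ireland", "IT": "Italy",
    "LV": "Latvia", "LT": "Lithuania", "LU": "Luxembourg", "MT": "Malta", "NL": "Netherlands",
    "PL": "Poland", "PT": "Portugal", "RO": "Romania", "SK": "Slovakia", "SI": "Slovenia",
    "ES": "Spain", "SE": "Sweden", "IS": "Iceland", "LI": "Liechtenstein", "NO": "Norway",
}
# Lookup keyed by alpha-2 code and by upper-cased full name.
_LOOKUP = {**{c: c for c in EEA}, **{n.upper(): c for c, n in EEA.items()}}

def parse_line(line):
    """Return (name, country), or None for blank/comment lines; raise if no country."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Split on the LAST separator so a name such as "Acme, Inc." keeps its comma.
    m = re.match(r"^(.*\S)\s*[,|:]\s*([^,|:]+)$", line)
    if not m:
        raise ValueError(f"no country found in line: {line!r}")
    return m.group(1).strip(), m.group(2).strip()

def check_sovereignty(text):
    """Classify sub-processors; unknown countries fall under outside_eea (fail closed)."""
    report = {"in_eea": [], "outside_eea": [], "errors": []}
    for raw in text.splitlines():
        try:
            entry = parse_line(raw)
        except ValueError as exc:
            report["errors"].append(str(exc))
            continue
        if entry is None:
            continue
        name, country = entry
        key = " ".join(country.upper().split())  # normalise case and spacing
        bucket = "in_eea" if key in _LOOKUP else "outside_eea"
        report[bucket].append((name, country))
    report["passed"] = not report["outside_eea"] and not report["errors"]
    return report

# Constructed sample input covering the three separators, a comment and a bad line.
SAMPLE = ("# constructed sample list\nHosting A, France\nCDN B | DE\n"
          "Support C: United Kingdom\nAcme, Inc., ireland\nBroken line\n")

if __name__ == "__main__":
    print(check_sovereignty(SAMPLE))
```

An entry whose country is misspelled or given in another language lands under outside_eea, so a typo shows up as a finding to review, never as a silent pass.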
Getting Started
Add your architecture description and sub-processor list to the project workspace, then activate the SecNumCloud — Dossier d’Homologation skill. The agent will map architecture to the Référentiel, validate EEA data sovereignty, and help structure the homologation dossier with references to the ANSSI control domains.