← Policy gallery

cms_data_residency

ai-risk-management security pure_temporal ai-governancecmsfederalhealthcaredata-protectionrag-red

Foreign-entity AI tools are used only if deployed on CMS infrastructure with no data sent to the internet (CMS data stays in the U.S.).

Formula

G(foreign_ai → on_cms_infrastructure ∧ no_internet_egress)

Why it matters

CMS BR-AI-3: foreign-entity AI may only be used if deployed on CMS infrastructure and does not send data to the internet; CMS data must reside in the U.S.

Examples

passes the CMS AI rule's evidence is present

fails the required control is absent

Use it

ponens policies add cms_data_residency --into ./trace.json
ponens trace check ./trace.json