ARCS-OPB: Operator Boundary

Purpose

ARCS-OPB defines the governance domain applicable to the boundary of operator responsibility. This family establishes requirements for determining which records, systems, vendors, and processing contexts fall within the operator's declared governance scope. Its purpose is to ensure that statements about retention, deletion, custody, verification, and publication are made against a clearly defined perimeter rather than an indeterminate collection of adjacent technical dependencies.

Governance focus

• Declaration of the operator-governed perimeter
• Distinction between in-scope and out-of-scope systems or processing contexts
• Treatment of vendor services, delegated functions, and adjacent environments
• Consistency between governance claims and actual boundary definition
• Exclusion logic where systems or records are not governed by the operator

Boundary

ARCS-OPB applies wherever responsibility must be distinguished from downstream, inherited, external, or third-party processing conditions. It governs the perimeter within which the operator claims governance effect and outside of which separate custody or responsibility conditions apply. This family is concerned not with whether external systems exist, but with whether the boundary between operator responsibility and adjacent environments is declared sufficiently to support meaningful governance claims.

The corresponding control statements for this family are maintained in the Controls catalog.