Third-Party Dependencies and Licensing

Azure Review Checklists (ARC)

CYC Assess's assessment framework is built on the Azure Review Checklists, an open-source project published by Microsoft. This is the same framework used by Microsoft FastTrack engineers and Customer Solution Architects for enterprise Azure design reviews.

| Attribute | Detail |
|---|---|
| Repository | https://github.com/Azure/review-checklists |
| License | MIT License |
| Checklists used | ALZ, AKS, AVD, SAP, Cost, App Delivery Networking, Multitenancy (all GA state) |
| Items incorporated | 805 checklist items across 7 GA checklists |
| Graph queries used | 102 pre-built Azure Resource Graph queries |
| Update policy | CYC syncs checklist updates on a quarterly schedule with a validation pass before deployment |

MIT License Obligations

The MIT License imposes two obligations on CYC as a commercial product incorporating ARC content:

  1. Include the original MIT license text and copyright notice in the CYC codebase. This is fulfilled via a THIRD_PARTY_NOTICES.txt file distributed with the software. It does not need to appear on the website or in the client report.

  2. Do not hold Microsoft liable for damages. CYC's own product disclaimer covers this independently.

Note: The MIT license does not require CYC to reproduce Microsoft's disclaimer language in client-facing materials. CYC's own assessment disclaimer — covering accuracy limitations, point-in-time scope, and professional consultation recommendations — is separate and written in CYC's own words.

Public Disclosure Strategy

CYC discloses its use of the ARC framework as a credibility signal, not a legal obligation:

| Context | Language |
|---|---|
| Website methodology page | "CYC Assess assessments are grounded in the Azure Review Checklists framework, a publicly available Microsoft resource maintained by Microsoft FastTrack engineers and the Azure community." |
| Report appendix | "Assessment framework references: Azure Review Checklists (MIT License), Microsoft Cloud Adoption Framework, Azure Well-Architected Framework." |
| Codebase | THIRD_PARTY_NOTICES.txt — full MIT license text from the ARC repository |
| Due diligence | Full dependency disclosure including license type, version pinning policy, and update procedure |

Why ARC Rather Than Custom Checklists

The decision to use ARC rather than building a proprietary checklist from scratch was deliberate. See ADR-001: ARC Dependency for the full decision record.

Summary: ARC provides 102 pre-built Resource Graph queries that require Microsoft's internal API schema knowledge to maintain correctly. Building and maintaining equivalent queries independently would be a significant engineering investment with no customer-facing benefit. ARC's institutional credibility ("same framework used by Microsoft FastTrack") is a trust asset. AI-generated checklists were evaluated and rejected for the same reasons.

Checklist Versioning and Update Policy

CYC version-pins the checklist JSON files it has validated against. Live updates from ARC are not automatically deployed.

| Trigger | Action |
|---|---|
| Quarterly review | CYC engineering reviews the ARC repository for checklist updates |
| Structural changes | New items, removed items, GUID changes, or schema changes trigger a full validation pass before deployment |
| ID mapping update | cyc_id_mapping.json updated per the rules in ID Design: Stability Contract |
| Item deprecation | Removed Microsoft items marked deprecated in mapping table. Clients with that item in prior assessments notified in next drift report. |
| Emergency update | Critical correction to a graph query producing incorrect compliance results → immediate deployment outside quarterly schedule, affected clients notified |
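
The structural-change check in this table can be sketched as follows. This is an added example, not code from CYC or the ARC project: it verifies the pinned checklist against a recorded digest, then diffs it against a candidate upstream file. The `items`, `guid` and `graph` field names are assumed from the ARC checklist JSON layout; the function names, the digest record and the sample checklists are hypothetical and constructed for illustration.

```python
import hashlib
import json

def index_items(raw: bytes) -> dict:
    """Map guid -> item for one checklist file (field names are assumptions)."""
    return {item["guid"]: item for item in json.loads(raw).get("items", [])}

def classify_update(pinned_raw: bytes, pinned_sha256: str, upstream_raw: bytes) -> dict:
    # Refuse to diff against a baseline that no longer matches its pin.
    if hashlib.sha256(pinned_raw).hexdigest() != pinned_sha256:
        raise ValueError("pinned checklist does not match its recorded digest")
    old, new = index_items(pinned_raw), index_items(upstream_raw)
    old_fields = {key for item in old.values() for key in item}
    new_fields = {key for item in new.values() for key in item}
    report = {
        "added": sorted(new.keys() - old.keys()),
        # A GUID change on an existing item appears as one removal plus one addition.
        "removed": sorted(old.keys() - new.keys()),
        "schema_fields_changed": sorted(old_fields ^ new_fields),
        # Reported separately: same GUID, different Resource Graph query text.
        "graph_query_changed": sorted(
            g for g in old.keys() & new.keys()
            if old[g].get("graph") != new[g].get("graph")
        ),
    }
    # The four structural triggers named in the table above.
    report["needs_full_validation"] = bool(
        report["added"] or report["removed"] or report["schema_fields_changed"]
    )
    return report

# Constructed sample data: GUIDs and query strings are placeholders.
G1, G2, G3 = (f"00000000-0000-0000-0000-00000000000{n}" for n in (1, 2, 3))
PINNED = json.dumps({"items": [
    {"guid": G1, "text": "Item A", "graph": "query-a-v1"},
    {"guid": G2, "text": "Item B", "graph": "query-b-v1"},
]}).encode()
PINNED_SHA256 = hashlib.sha256(PINNED).hexdigest()  # recorded when the file was validated
UPSTREAM = json.dumps({"items": [
    {"guid": G1, "text": "Item A", "graph": "query-a-v2"},
    {"guid": G3, "text": "Item B", "graph": "query-b-v1"},
]}).encode()

if __name__ == "__main__":
    print(json.dumps(classify_update(PINNED, PINNED_SHA256, UPSTREAM), indent=2))
```
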

Other Dependencies

| Dependency | Type | License | Purpose |
|---|---|---|---|
| Anthropic Claude API | Commercial API | Proprietary | AI inference for B2 item assessment and finding narrative generation |
| Microsoft Azure Resource Graph API | Azure service | Microsoft ToS | B1 item automated compliance checking |
| Microsoft Graph API | Azure service | Microsoft ToS | Entra ID data collection (Phase 4) |
| Microsoft Defender for Cloud API | Azure service | Microsoft ToS | Security posture data collection (Phase 3) |