Citizen Data Vault Contract Profile v0.1 draft. Profile of the AI Procurement Decision Card v0.3 vault-contract surface scoped to federal / state / local government subject-of-decision data. Names what tokenized / redacted / pseudonymized / cleartext access an AI tool may have to which government-data category, under which Privacy Act / FOIA / consent basis, and with what retention envelope and classification level. Aligned to OMB M-24-10 + Privacy Act 1974 + FOIA + Section 508 + FedRAMP + classified-data segregation (E.O. 13526 + 32 CFR Part 2002 CUI) + state public-records-law overlay expectations.
Part of the Kinetic Gain Protocol Suite. Closes the GovTech 6-pack.
Status: v0.1 draft. Profile at `profile.json`, canonical example at `examples/prfsa-vendorg-govdecide-decision-card.json`.
The repo name "citizen-data" is approximate. The profile covers all subjects of federal / state / local government action including US citizens, lawful permanent residents, immigrants, foreign nationals, and corporate entities interacting with federal services. Profile field names use neutral terms (subject, applicant, record) throughout.
GovTech-unique categories vs prior verticals:
- `classified-data` + `controlled-unclassified-information` — `clearance-gated` protection level; access REQUIRES `agent_clearance_level` meeting or exceeding the data classification level
- `immigration-status-record` — Default: NOT a model input; specific use cases require explicit decision-card-level approval
- `law-enforcement-record` — Default: NOT a model input; specific law-enforcement-triage use cases require explicit decision-card-level approval + statutory authority
- `foia-responsive-record` — `tokenized-with-foia-exemption-tagging` protection level — per-segment FOIA exemption tag (b(1) through b(9)) reaches model for exemption-recommendation purposes only
- `limited-english-proficiency-data` — `tokenized-with-language-code-cleartext` — ISO 639 language code cleartext for Title VI LEP routing per 28 CFR §42.405(d)
- `ada-accommodation-record` — Confidential medical record under ADA. NEVER a model input.
clearance-gated (REQUIRES matching agent_clearance_level) · tokenized-with-foia-exemption-tagging (per-segment FOIA exemption flagging) · tokenized-with-language-code-cleartext (ISO 639 LEP routing).
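The category rules above can be checked mechanically before a Decision Card is accepted. The following is an added example, not code from this repository: only `agent_clearance_level` and the category and protection-level names come from the page, while the other field names (`model_input`, `decision_card_approval`, `statutory_authority`, `classification_level`, `data_categories`) and the ordering of levels are assumptions.

```python
# Added example. Only agent_clearance_level and the category / protection-level
# names come from the page; every other field name here is hypothetical.
LEVELS = ["none", "cui", "confidential", "secret", "top-secret"]  # assumed ordering
NEVER_MODEL_INPUT = {"ada-accommodation-record"}
DEFAULT_DENY = {"immigration-status-record", "law-enforcement-record"}
CLEARANCE_GATED = {"classified-data", "controlled-unclassified-information"}

def check_category(entry, agent_level):
    """Return the rule violations for one data-category entry."""
    cat, problems = entry["category"], []
    if not entry.get("model_input", False):
        return problems  # data never reaches the model, nothing to gate
    if cat in NEVER_MODEL_INPUT:
        problems.append(f"{cat}: never a model input")
    if cat in DEFAULT_DENY:
        if not entry.get("decision_card_approval"):
            problems.append(f"{cat}: no explicit decision-card-level approval")
        if cat == "law-enforcement-record" and not entry.get("statutory_authority"):
            problems.append(f"{cat}: no statutory authority named")
    if cat in CLEARANCE_GATED:
        level = entry.get("classification_level")
        if entry.get("protection_level") != "clearance-gated":
            problems.append(f"{cat}: protection level must be clearance-gated")
        if level not in LEVELS or agent_level not in LEVELS:
            problems.append(f"{cat}: unknown level, failing closed")
        elif LEVELS.index(agent_level) < LEVELS.index(level):
            problems.append(f"{cat}: agent cleared to {agent_level}, data is {level}")
    return problems

def check_card(card):
    """Collect violations across every category on the card."""
    agent_level = card.get("agent_clearance_level", "none")
    return [p for e in card["data_categories"] for p in check_category(e, agent_level)]

# Constructed sample card, not the repository's canonical example.
SAMPLE_CARD = {
    "agent_clearance_level": "cui",
    "data_categories": [
        {"category": "controlled-unclassified-information", "model_input": True,
         "protection_level": "clearance-gated", "classification_level": "cui"},
        {"category": "classified-data", "model_input": True,
         "protection_level": "clearance-gated", "classification_level": "secret"},
        {"category": "ada-accommodation-record", "model_input": True},
        {"category": "immigration-status-record", "model_input": True},
        {"category": "law-enforcement-record", "model_input": False},
    ],
}

if __name__ == "__main__":
    for problem in check_card(SAMPLE_CARD):
        print(problem)
```

An unknown or missing level is treated as a violation rather than as "none", so a malformed card fails closed.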
benefit-application-signed-paw-205 · federal-contractor-flow-down-far-clause · foia-request-submitted · privacy-act-routine-use-published-in-sorn · agency-personnel-employment-agreement · ada-accommodation-confidentiality-agreement · statutory-authority-named · judicial-order-or-subpoena
GovTech-unique fields:
- `freedom-of-information-act-readiness` — per-category FOIA exemption mapping (b(1) through b(9))
- `privacy-act-system-of-records-notice-uri` — required when data is in a Privacy Act System of Records
- `national-archives-records-administration-schedule` — NARA GRS schedule reference
- `classification-declassification-schedule` — required for classified or CUI data
vendor-soc2-type2 · vendor-fedramp-authorization-package · vendor-contract-with-audit-rights · vendor-section-508-conformance-attestation · vendor-data-residency-attestation-us-only · vendor-subprocessor-list-with-30-day-prior-notice · vendor-clearance-level-attestation · vendor-omb-m24-10-rights-or-safety-impacting-classification-attestation
The profile REQUIRES an ai_use_case_inventory_block listing the Federal AI Use Case Inventory entry URL + use-case name + is_rights_impacting + is_safety_impacting flags + OMB M-24-10 compliance status. No other vertical's vault contract has this block — it's the OMB M-24-10 §3(a) inventory-publication requirement encoded into the Decision Card.
examples/prfsa-vendorg-govdecide-decision-card.json — PRFSA's Decision Card for VendorG GovDecide v3.x. Federal AI Use Case Inventory entry block + 6 data categories mapped with explicit protection levels + consent bases + retention envelopes per category + Privacy Act SORN references + NARA GRS retention schedules. VendorG cleared to CUI level; FedRAMP Moderate hosting; FAR-clause-required AI disclosure flow-down. 4 ongoing conditions including quarterly OMB M-24-10 §5(d) impact-assessment + annual Federal AI Use Case Inventory update + annual FedRAMP recertification.
This Decision Card is referenced by the government-decision-record-audit-stream canonical example, the government-applicant-bias-coverage-lab quarterly impact-assessment bundle, and the government-ai-incident-card-profile incident. The GovTech 6-pack closes the loop — every artifact references every other via the shared Decision Card ID PRFSA-DEC-2026-GOVTECH-0017.
| Repo | Role |
|---|---|
| decision-card-spec | Base spec |
| government-decision-record-audit-stream | Audit events bound to this Decision Card |
| government-applicant-bias-coverage-lab | Bias-coverage bundle the quarterly-review condition references |
| government-ai-incident-card-profile | Incident Cards that reference this Decision Card |
| omb-m24-10-readiness-evidence-bundle | Broader OMB M-24-10 readiness bundle this Decision Card is filed under |
| state-government-ai-disclosure-tracker | Identifies which jurisdiction's obligation set applies |
| Sibling vault contract profiles across 6 prior verticals | Same architecture, different per-vertical data categories + consent doctrines |
GovTech-readiness scaffolding for AI Procurement Decision Card vault-contract evidence specific to federal / state / local government subject-of-decision data. Supports an agency's program toward OMB M-24-10 §3(a) Federal AI Use Case Inventory publication readiness, Privacy Act 5 USC §552a System of Records Notice readiness, FOIA exemption-tagging readiness, Section 508 + WCAG 2.1 AA readiness, FedRAMP authorization-coordination readiness, classified-data + CUI segregation readiness, NARA records-management readiness, Title VI LEP routing readiness, and ADA Title II accommodation-pathway readiness. Does not by itself establish compliance with any statute. Per the standing public-language guardrail: readiness · evidence · posture · controls · scaffolding — never "OMB-attested" or "FedRAMP-cleared" without an external attestation specific to each underlying regulatory regime. FedRAMP authorization is a distinct accreditation process; this profile records the authorization level claimed but does not authorize anything.
MIT — see LICENSE.