Priority / USA
CMMC 2.0
Cybersecurity maturity certification model for the U.S. defense industrial base supply chain.
CMMC 2.0 helps MSPs turn CUI protection and defense supply chain requirements into a repeatable client program with mapped controls, evidence, and reporting.
Priority / Global
NIST Cybersecurity Framework 2.0
Current NIST cybersecurity framework for managing, communicating, and reducing organizational cyber risk.
NIST CSF 2.0 helps MSPs turn risk-based cybersecurity program structure into a repeatable client program with mapped controls, evidence, and reporting.
Priority / Global
CIS Critical Security Controls v8.1
Updated CIS safeguards for modern enterprise security programs.
CIS Controls v8.1 helps MSPs turn updated control implementation and prioritization into a repeatable client program with mapped controls, evidence, and reporting.
Priority / Global
System and Organization Controls 2
Controls framework for service organizations across security, availability, confidentiality, processing integrity, and privacy.
SOC 2 helps MSPs turn trust-based assurance for IT services into a repeatable client program with mapped controls, evidence, and reporting.
Priority / Global
ISO 27001:2022
International standard for establishing and operating an information security management system (ISMS).
ISO 27001:2022 helps MSPs turn certifiable information security management practices into a repeatable client program with mapped controls, evidence, and reporting.
Priority / USA
FTC Safeguards Rule
Data security requirements for covered non-banking financial institutions.
FTC Safeguards helps MSPs turn financial customer data protection requirements into a repeatable client program with mapped controls, evidence, and reporting.
Priority / Europe
General Data Protection Regulation
EU data protection regulation governing personal data privacy, rights, and accountability.
GDPR helps MSPs turn data privacy and personal information protection requirements into a repeatable client program with mapped controls, evidence, and reporting.
Priority / USA
HIPAA Security Rule
Federal security standards for protecting electronic protected health information (ePHI).
HIPAA Security Rule helps MSPs turn healthcare data protection and PHI security requirements into a repeatable client program with mapped controls, evidence, and reporting.
Priority / USA
NIST SP 800-171 Revision 2
Security requirements for protecting Controlled Unclassified Information in non-federal systems.
NIST SP 800-171 R2 helps MSPs turn CUI protection requirements into a repeatable client program with mapped controls, evidence, and reporting.
Priority / Global
PCI DSS v4.0.1
Current payment card security requirements for protecting cardholder data and payment environments, with SAQ filtering and tagging to help narrow requirements by client SAQ type.
PCI DSS v4.0.1 helps MSPs turn payment security obligations into a repeatable client program with SAQ-aware scoping, mapped controls, evidence, and reporting.
Security / Global
NIST AI Risk Management Framework
Risk management framework for designing, deploying, and governing trustworthy AI systems.
NIST AI RMF helps MSPs turn AI governance and trustworthy-AI controls into a repeatable client program with mapped controls, evidence, and reporting.
Security / Global
NIST Cybersecurity Framework v1.1
Original NIST Cybersecurity Framework organized around the functions Identify, Protect, Detect, Respond, and Recover.
NIST CSF v1.1 helps MSPs turn foundational cybersecurity program structure into a repeatable client program with mapped controls, evidence, and reporting.
Security / Global
NIST SP 800-161 Revision 1
Guidance for managing cybersecurity supply chain risk across suppliers, systems, and services.
NIST SP 800-161 R1 helps MSPs turn supply chain risk management for ICT into a repeatable client program with mapped controls, evidence, and reporting.
Security / USA
NIST SP 800-171 Revision 3
Updated requirements for protecting Controlled Unclassified Information in non-federal systems.
NIST SP 800-171 R3 helps MSPs turn revised CUI protection controls into a repeatable client program with mapped controls, evidence, and reporting.
Security / USA
Minimum Acceptable Risk Standards for Exchanges
Baseline security and risk controls for health data flowing through federal exchange systems.
MARS-E helps MSPs turn federal health-data exchange baselines into a repeatable client program with mapped controls, evidence, and reporting.
Security / Europe
Cyber Baseline Aylard
Practical baseline question set for smaller organizations to assess and improve cybersecurity posture.
Cyber Baseline Aylard helps MSPs turn SMB cybersecurity self-assessment into a repeatable client program with mapped controls, evidence, and reporting.
Privacy / Global
ISO 27701
Privacy management extension to ISO 27001 for PII controllers and processors.
ISO 27701 helps MSPs turn privacy information management requirements into a repeatable client program with mapped controls, evidence, and reporting.
Privacy / Europe
UK ICO Accountability Framework
UK Information Commissioner's Office framework for demonstrating data protection accountability.
UK ICO Framework helps MSPs turn UK data protection accountability into a repeatable client program with mapped controls, evidence, and reporting.
Privacy / Global
NIST Privacy Framework
Privacy risk management framework for identifying, assessing, and managing privacy obligations.
NIST Privacy Framework helps MSPs turn privacy risk management into a repeatable client program with mapped controls, evidence, and reporting.
Privacy / USA
HIPAA Privacy Rule
Federal privacy standards for protected health information, including permitted uses and disclosures.
HIPAA Privacy Rule helps MSPs turn patient privacy and PHI disclosure requirements into a repeatable client program with mapped controls, evidence, and reporting.
Privacy / USA
California Consumer Privacy Act
California privacy law giving consumers rights over personal information collected by businesses.
CCPA helps MSPs turn California consumer privacy obligations into a repeatable client program with mapped controls, evidence, and reporting.
Industry / Global
Microsoft Supplier Data Protection Requirements
Microsoft's data protection requirements for suppliers and vendors handling Microsoft data.
Microsoft DPR helps MSPs turn Microsoft supplier data protection requirements into a repeatable client program with mapped controls, evidence, and reporting.
Industry / Global
MPA Content Security Program
Content protection best practices for organizations handling film, media, and entertainment assets.
MPA Content Security helps MSPs turn media supply chain content protection into a repeatable client program with mapped controls, evidence, and reporting.
Industry / Global
System and Organization Controls 1 Type 2
SOC 1 report variant that evaluates the effectiveness of controls over a defined period.
SOC 1 Type 2 helps MSPs turn period-of-time financial controls assurance into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
CJIS Security Policy 2026
FBI security standards for protecting criminal justice information, mapped forward from the previous CJIS version for current client programs.
CJIS 2026 helps MSPs support agencies and contractors handling criminal justice information with mapped controls, evidence, and reporting.
Industry / USA
FedRAMP Low Rev 4
Low-impact FedRAMP baseline (Rev 4) for U.S. federal cloud service providers.
FedRAMP Low (Rev 4) helps MSPs turn federal cloud authorization for low-impact systems into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FedRAMP Moderate Rev 4
Moderate-impact FedRAMP baseline (Rev 4) for U.S. federal cloud service providers.
FedRAMP Moderate (Rev 4) helps MSPs turn federal cloud authorization for moderate-impact systems into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FedRAMP High Rev 4
High-impact FedRAMP baseline (Rev 4) for U.S. federal cloud environments with sensitive workloads.
FedRAMP High (Rev 4) helps MSPs turn federal cloud authorization for high-impact systems into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FedRAMP Low Rev 5
Revised low-impact FedRAMP baseline aligned to NIST SP 800-53 Revision 5.
FedRAMP Low (Rev 5) helps MSPs turn current federal cloud authorization for low-impact systems into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FedRAMP Moderate Rev 5
Revised moderate-impact FedRAMP baseline aligned to NIST SP 800-53 Revision 5.
FedRAMP Moderate (Rev 5) helps MSPs turn current federal cloud authorization for moderate-impact systems into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FedRAMP High Rev 5
Revised high-impact FedRAMP baseline aligned to NIST SP 800-53 Revision 5.
FedRAMP High (Rev 5) helps MSPs turn current federal cloud authorization for high-impact systems into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
HIPAA Breach Notification Rule
Federal requirements for notifying affected individuals and regulators following PHI breaches.
HIPAA Breach Notification helps MSPs turn healthcare breach response obligations into a repeatable client program with mapped controls, evidence, and reporting.
Industry / Global
System and Organization Controls 1
Audit standard for evaluating controls at service organizations relevant to financial reporting.
SOC 1 helps MSPs turn service organization financial-reporting assurance into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FFIEC Cybersecurity Assessment Tool
Assessment guidance for measuring cybersecurity maturity and inherent risk in financial institutions.
FFIEC CAT helps MSPs turn financial sector cyber maturity assessment into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
FINRA Small Firm Cybersecurity Checklist
Cybersecurity checklist for small broker-dealers and financial firms managing regulatory expectations.
FINRA Checklist helps MSPs turn broker-dealer cybersecurity readiness into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
NYDFS 23 NYCRR 500
Cybersecurity requirements for financial services organizations licensed in New York.
NYDFS 23 NYCRR 500 helps MSPs turn New York financial sector cybersecurity requirements into a repeatable client program with mapped controls, evidence, and reporting.
Industry / Europe
Digital Operational Resilience Act
EU regulation harmonizing operational resilience and ICT risk management requirements across financial entities.
DORA helps MSPs turn EU financial sector operational resilience requirements into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
Maritime Security 33 CFR Part 101
33 CFR Part 101 covers general maritime security requirements for applicable U.S.-flagged vessels, facilities, and Outer Continental Shelf facilities.
MSPs supporting maritime clients can use it to organize applicable security requirements, evidence, owners, progress, and review activity in a repeatable compliance motion.
Industry / Global
GTIA Cybersecurity Trustmark
Cybersecurity certification program for IT service providers and managed service providers.
GTIA Trustmark helps MSPs turn verified MSP cybersecurity posture into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
CMMC 2.13 Level 1
Foundational CMMC level for organizations handling Federal Contract Information (FCI).
CMMC 2.13 Level 1 helps MSPs turn FCI protection and basic cyber hygiene into a repeatable client program with mapped controls, evidence, and reporting.
Industry / USA
CMMC 2.13 Level 2
Advanced CMMC level for organizations protecting Controlled Unclassified Information (CUI) in the defense supply chain.
CMMC 2.13 Level 2 helps MSPs turn CUI protection in the defense supply chain into a repeatable client program with mapped controls, evidence, and reporting.
Industry / Global
Cyber Risk Institute Profile
Financial sector cyber risk profile that harmonizes multiple frameworks and regulatory expectations.
CRI Profile helps MSPs turn financial sector cyber risk harmonization into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Canada
CyberSecure Canada
Canadian government-backed cybersecurity certification program for small and medium organizations.
CyberSecure Canada helps MSPs turn Canadian SMB cybersecurity certification into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Canada
CCCS Baseline Cyber Security Controls v1.2
Canadian Centre for Cyber Security baseline controls for small and medium organizations.
CCCS Baseline Controls helps MSPs turn Canadian SMB cybersecurity baselines into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Canada
Canada Cybersecurity for Small and Medium Businesses
Canadian cybersecurity guidance designed for small and medium business resilience.
Canada SMB Cybersecurity helps MSPs turn baseline cyber resilience for Canadian SMBs into a repeatable client program with mapped controls, evidence, and reporting.
Regional / USA
Texas Risk and Authorization Management Program
Texas cloud security assessment program for public-sector cloud services.
TX-RAMP helps MSPs turn Texas state-level cloud authorization requirements into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Europe
IASME Cyber Assurance Standard
UK cybersecurity and privacy assurance standard for small and medium businesses.
IASME Cyber Assurance helps MSPs turn UK SMB cyber assurance certification into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Europe
IASME Cyber Baseline Standard
Entry-level UK cyber hygiene standard for small and medium businesses.
IASME Cyber Baseline helps MSPs turn entry-level UK cyber hygiene into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Europe
TISAX ISA 6.0
Current TISAX assessment criteria for automotive supply-chain information security.
TISAX 6 helps MSPs turn automotive supply chain information security assessments into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Europe
UK Cyber Essentials v3.2 (Willow)
UK government-backed cybersecurity certification baseline, updated for the v3.2 Willow question set that has been live since March.
Cyber Essentials v3.2 helps MSPs guide UK clients through the Willow baseline with mapped controls, evidence, and reporting.
Regional / Europe
NIS2 Directive
EU cybersecurity requirements for essential and important entities across critical sectors.
NIS2 Directive helps MSPs turn EU essential-services cyber resilience requirements into a repeatable client program with mapped controls, evidence, and reporting.
Regional / APAC
Australian Energy Sector Cyber Security Framework
Sector-specific cybersecurity framework for the Australian energy industry.
AESCSF helps MSPs turn energy sector cyber resilience requirements into a repeatable client program with mapped controls, evidence, and reporting.
Regional / APAC
Essential Eight Maturity Model 2023
Current ASD/ACSC baseline mitigation strategies for reducing common, high-impact cyber threats.
Essential Eight helps MSPs turn Australian mitigation-strategy baselines into a repeatable client program with mapped controls, evidence, and reporting.
Regional / APAC
APRA CPS 234
Australian financial sector standard for information security capability and incident response.
CPS 234 helps MSPs turn Australian financial sector information security requirements into a repeatable client program with mapped controls, evidence, and reporting.
Regional / APAC
Protective Security Policy Framework
Australian government protective security framework spanning governance, personnel, physical, and information security.
PSPF helps MSPs turn Australian government protective security requirements into a repeatable client program with mapped controls, evidence, and reporting.
Regional / APAC
New Zealand Information Security Manual
New Zealand government information security manual for public agencies and connected systems.
NZISM helps MSPs turn New Zealand government information security requirements into a repeatable client program with mapped controls, evidence, and reporting.
Regional / Global
SMB 1001 Cybersecurity Standard
Practical cybersecurity baseline designed for small and midsize businesses.
SMB 1001 helps MSPs turn pragmatic cybersecurity readiness for SMB clients into a repeatable client program with mapped controls, evidence, and reporting.
International / Global
COBIT 2019
Enterprise IT governance and management framework.
COBIT 2019 helps MSPs turn IT governance and value management into a repeatable client program with mapped controls, evidence, and reporting.
International / Global
CSA Cloud Controls Matrix v4.0.3
Cloud-specific control framework and assessment standard for cloud security.
CSA-CCM v4.0.3 helps MSPs turn cloud security controls and provider assurance into a repeatable client program with mapped controls, evidence, and reporting.
International / Global
ISO 27017:2015
Guidance for applying information security controls to cloud services.
ISO 27017 helps MSPs turn cloud-specific information security controls into a repeatable client program with mapped controls, evidence, and reporting.
International / Global
ISO 27018:2019
Privacy-focused guidance for protecting personal data in public cloud environments.
ISO 27018 helps MSPs turn cloud-based PII protection into a repeatable client program with mapped controls, evidence, and reporting.
International / Global
ISO 42001
Management system standard for responsible artificial intelligence governance.
ISO 42001 helps MSPs turn AI governance and responsible AI controls into a repeatable client program with mapped controls, evidence, and reporting.
International / Global
Secure Controls Framework v2025.1
Unified control catalog mapping cybersecurity and privacy requirements across multiple compliance regimes.
SCF v2025.1 helps MSPs turn unified control mapping across compliance regimes into a repeatable client program with mapped controls, evidence, and reporting.