ControlFrameTrusted evidence / Precise control

Audit bench

Framework-trained agents with human review gates.

ControlFrame agents organize evidence work by framework, requirement source, target system, and reviewer decision. The model is intentionally honest: GA, Beta, and Roadmap coverage are visible before evidence is collected or exported.

1GA framework

5Beta frameworks

16Roadmap frameworks

Open protected command center

Framework coverage

Coverage is explicit before agents collect evidence

FrameworkStatusVersion

CMS EDE Year 9

CMS Direct Enrollment Entity Resources

2026

HITRUST CSF

Beta

v11.7

SOC 2 Type II

AICPA Trust Services Criteria

Beta

TSC 2017/2022

HIPAA Security Rule

HHS HIPAA Security Rule

Beta

45 CFR Part 164 Subpart C

HIPAA Breach Notification Rule

HHS Breach Notification Rule

Roadmap

45 CFR 164.404-414

NIST SP 800-53

NIST CSRC SP 800-53 Rev. 5

Beta

Rev. 5

NIST Cybersecurity Framework

Roadmap

2.0

ISO/IEC 27001

ISO/IEC 27001:2022

Roadmap

2022

ISO/IEC 42001

ISO/IEC 42001:2023

Roadmap

2023

PCI DSS

PCI SSC Document Library

Roadmap

v4.0.1

FedRAMP

FedRAMP Rev. 5 Baselines

Roadmap

Rev. 5

CMMC

DoD CMMC Program

Roadmap

2.0

GDPR

EUR-Lex GDPR

Roadmap

Regulation (EU) 2016/679

UK GDPR

UK ICO Data Protection Guide

Roadmap

UK GDPR + DPA 2018

NYDFS 23 NYCRR 500

NYDFS Cybersecurity Resource Center

Roadmap

Amended 2023

CCPA/CPRA + State Privacy

California Privacy Protection Agency

Roadmap

2026 state privacy

NIS2 Directive

European Commission NIS2

Roadmap

Directive (EU) 2022/2555

Digital Operational Resilience Act

EUR-Lex DORA

Roadmap

Regulation (EU) 2022/2554

EU AI Act

European Commission AI Act

Roadmap

Regulation (EU) 2024/1689

NERC CIP

NERC Reliability Standards

Roadmap

SOX ITGC + COBIT 2019

ISACA COBIT

Roadmap

COBIT 2019

OSCAL

NIST OSCAL

Beta

1.x

Role variants

Specialized agents, not generic chat

Conformance officer

Reads CMS source rows, toolkit instructions, package gates, and auditor expectations before a run is treated as evidence.

Confirms source authority and scope

Evidence sufficiency officer

Checks screenshots, JSON, sidecars, hashes, recordings, timestamps, and review notes against the evidence request.

Marks gaps before export

Skeptical auditor

Looks for stale target URLs, unsupported claims, missing redaction, reused test people, and incomplete human review.

Challenges weak proof

Cross-framework mapper

Indexes policy, procedure, asset, GRC, SharePoint, ServiceNow, and CMDB records without duplicating source systems.

Keeps source-of-record lineage

Remediation planner

Turns failed checks into owner, evidence request, rerun, and package-readiness actions.

Routes action owners

Operating model

Evidence collection stays source-shaped

Source rows

CMS EDE, ARC-AMPE, API FIT, UI toolkit, security, and privacy requirements stay native.

Collection run

Browser, API, document, backend, and manual lanes produce source-backed artifacts.

Human review

Security engineers and evidence owners confirm accuracy before Coda or auditor use.

Scoped package

Only reviewed, redacted, source-mapped evidence is exported or shared.