Reusable audit evidence mapping and collection.
ControlFrame separates framework templates from project instances. CMS EDE is the first seeded template; HPS / MarketLink is the first project instance, with empty evidence slots until a ControlFrame collector run writes fresh screenshots, traces, payloads, and source maps.
Engagements using reusable framework templates
Log in with configured role accounts, follow deterministic route steps, capture full-page screenshots, extract page text, and write sidecar metadata.
Exercise configured endpoints, capture request/response JSON, redact sensitive fields, hash outputs, and map payloads to source-native IDs.
Index uploaded policies, SSPP/SAR/POA&M packages, configuration exports, and manual auditor artifacts with source-backed mappings.
Reference projects can guide the evidence format, but ControlFrame evidence must come from ControlFrame collector runs or explicit auditor-safe uploads. Placeholder slots stay visible and honest.
Native requirement identifiers stay first-class
First seeded template. HPS / MarketLink is a sample project instance with placeholders until ControlFrame collectors run.
Planned reusable template for control narratives, tickets, cloud configuration, access reviews, and auditor packages.
Planned reusable template for cardholder data environment scoping, access controls, logging, vulnerability evidence, and SAQ/ROC support.
Planned reusable template for administrative, physical, and technical safeguard evidence with source-backed CFR mapping.
High-value healthcare assurance template. Build after HIPAA/SOC 2 primitives so HITRUST can reuse the shared control spine.
Planned reusable template for risk governance and security operations evidence mapped to native CSF outcomes.
Global ISMS template. Strong reuse candidate across SOC 2, HITRUST, NIST, and ISO 42001 governance evidence.
Planned reusable template for AI system inventory, risk treatment, monitoring, and management review evidence.
Federal cloud-assurance template. Requires strict package fidelity, OSCAL support, and deployment isolation options.
Defense-industrial-base template. Strong reason for private deployment, appliance collectors, and careful data-residency boundaries.
Privacy-program template that should share inventory, vendor, data-flow, and security evidence with HIPAA, SOC 2, ISO, and NIST.
Financial-services cyber template. Useful for showing ControlFrame can support regulation-specific deadlines, attestations, and notification workflows.