Framework library

Add the right audit program to the company profile.

Frameworks are reusable programs inside ControlFrame. Choose the framework, bind it to a company and target application, then run evidence collection through the same operating model.

Add framework to profileView CMS EDE framework details
01

Company profile

Confirm systems, data classes, owners, vendors, and target environments.

02

Framework program

Select CMS EDE, SOC 2, PCI, ISO, HIPAA, HITRUST, NIST, FedRAMP, CMMC, CIS, CSA CCM, GLBA, GDPR, or NYDFS.

03

Evidence plan

Map collectors, manual evidence, private runner access, and reviewer gates.

04

Audit package

Run tests, resolve findings, approve artifacts, and export the auditor package.

Available programs

Choose one framework, then configure the project.

17 framework templates
Year 9 / PY2026

CMS Enhanced Direct Enrollment

active showcase

First seeded template. HPS / MarketLink is a sample project instance with placeholders until ControlFrame collectors run.

3
Native IDs
4
Collectors
9
Seed rows
browser flowapidocumentconfiguration
Open protected command centerView CMS EDE framework details
CIS Controls v8.1

CIS Critical Security Controls

next seed

Practical security baseline template that gives teams a fast control spine before or alongside formal audits.

5
Native IDs
3
Collectors
planned
Seed rows
configurationapidocument
Start framework assessmentView template
CMMC 2.0 / 32 CFR Part 170 and DFARS rollout

Cybersecurity Maturity Model Certification

next seed

Defense-industrial-base template. Strong reason for private deployment, appliance collectors, and careful data-residency boundaries.

3
Native IDs
4
Collectors
5
Seed rows
configurationdocumentmanual uploadapi
Start framework assessmentView template
45 CFR Parts 160 and 164; Security Rule with 2025 proposed update tracked

HIPAA Security and Privacy Rules

next seed

Planned reusable template for administrative, physical, and technical safeguard evidence with source-backed CFR mapping.

2
Native IDs
3
Collectors
13
Seed rows
documentconfigurationmanual upload
Start framework assessmentView template
CSF v11.7.0

HITRUST CSF

next seed

High-value healthcare assurance template. Build after HIPAA/SOC 2 primitives so HITRUST can reuse the shared control spine.

3
Native IDs
4
Collectors
21
Seed rows
documentconfigurationapimanual upload
Start framework assessmentView template
SP 800-53 Rev. 5 / Release 5.2.0 tracked

NIST SP 800-53 Security and Privacy Controls

next seed

Broad federal-control template that underpins FedRAMP, CMS security packages, and many enterprise control crosswalks.

5
Native IDs
4
Collectors
planned
Seed rows
documentconfigurationapimanual upload
Start framework assessmentView template
NIST CSF 2.0

NIST Cybersecurity Framework

next seed

Planned reusable template for risk governance and security operations evidence mapped to native CSF outcomes.

3
Native IDs
3
Collectors
5
Seed rows
documentconfigurationapi
Start framework assessmentView template
PCI DSS v4.0.1

PCI DSS 4.0

next seed

Planned reusable template for cardholder data environment scoping, access controls, logging, vulnerability evidence, and SAQ/ROC support.

3
Native IDs
4
Collectors
9
Seed rows
configurationapidocumentmanual upload
Start framework assessmentView template
2017 TSC with revised points of focus - 2022

SOC 2 Trust Services Criteria

next seed

Planned reusable template for control narratives, tickets, cloud configuration, access reviews, and auditor packages.

3
Native IDs
3
Collectors
18
Seed rows
documentconfigurationmanual upload
Start framework assessmentView template
CCM v4.1

Cloud Security Alliance Cloud Controls Matrix

planned

Cloud assurance template for mapping shared-responsibility controls across SaaS, cloud, and private deployment boundaries.

4
Native IDs
4
Collectors
planned
Seed rows
configurationapidocumentmanual upload
Start framework assessmentView template
Regulation (EU) 2024/1689

EU Artificial Intelligence Act

planned

AI regulatory template that pairs with ISO 42001 for governance, model inventory, and lifecycle control evidence.

4
Native IDs
3
Collectors
planned
Seed rows
documentconfigurationmanual upload
Start framework assessmentView template
Rev. 5 baselines / FedRAMP 20x tracked

FedRAMP

planned

Federal cloud-assurance template. Requires strict package fidelity, OSCAL support, and deployment isolation options.

4
Native IDs
4
Collectors
5
Seed rows
configurationapidocumentmanual upload
Start framework assessmentView template
Regulation (EU) 2016/679

General Data Protection Regulation

planned

Privacy-program template that should share inventory, vendor, data-flow, and security evidence with HIPAA, SOC 2, ISO, and NIST.

3
Native IDs
4
Collectors
5
Seed rows
documentconfigurationdatabasemanual upload
Start framework assessmentView template
FTC Safeguards Rule / 16 CFR Part 314

GLBA Safeguards Rule

planned

Financial-services privacy/security template for customer-information safeguards and executive governance evidence.

4
Native IDs
4
Collectors
planned
Seed rows
documentconfigurationmanual uploadapi
Start framework assessmentView template
ISO/IEC 27001:2022

ISO/IEC 27001

planned

Global ISMS template. Strong reuse candidate across SOC 2, HITRUST, NIST, and ISO 42001 governance evidence.

3
Native IDs
3
Collectors
5
Seed rows
documentconfigurationmanual upload
Start framework assessmentView template
ISO/IEC 42001:2023

ISO/IEC 42001 AI Management System

planned

Planned reusable template for AI system inventory, risk treatment, monitoring, and management review evidence.

3
Native IDs
3
Collectors
6
Seed rows
documentmanual uploadconfiguration
Start framework assessmentView template
23 NYCRR Part 500 with Second Amendment effective 2023-11-01

NYDFS Cybersecurity Regulation

planned

Financial-services cyber template. Useful for showing ControlFrame can support regulation-specific deadlines, attestations, and notification workflows.

4
Native IDs
4
Collectors
5
Seed rows
documentconfigurationapimanual upload
Start framework assessmentView template