One evidence engine, many audit frameworks.
ControlFrame starts with a company profile, selects framework programs, builds an audit project, connects collectors and agents, then packages source-backed evidence for auditors. CMS EDE is the first fully seeded showcase because it demonstrates row-level, regulator-specific evidence end to end.
Built for partner-assisted audit readiness without hardcoding any services partner into the product.
Company to audit-room flow
Capture entity facts, products, markets, data classes, systems, owners, vendors, and audit drivers.
Select reusable framework modules such as CMS EDE, PCI DSS, HITRUST, SOC 2, HIPAA, NIST, ISO 42001, and GDPR.
Create audit/readiness engagements for a company, framework, app, audit window, and evidence package.
Run browser, API, document, configuration, database, and manual evidence collectors with explicit credentials and blockers.
Review sufficiency, source mappings, stale evidence, redactions, blockers, and human approvals.
Package auditor-ready exports with manifests, screenshots, raw JSON, source-row indexes, checksums, and signoff.
Make the audit ledger the center of the product
Enterprise buyers need to see the unbroken chain from source requirement to runner execution, review decision, and package release. That chain is the ControlFrame object that generic GRC tools do not make precise enough for regulated application audits.
Source requirement
Keep the regulator, assessor, or framework-native row as the durable starting point.
Evidence plan
Translate the requirement into personas, target systems, credentials, expected artifacts, blockers, and gates.
Private runner job
Claim a signed job inside the customer boundary and execute browser, API, document, or connector collection.
Collected artifact
Attach source lineage, role, timestamp, environment, checksum, and raw artifact metadata.
Sufficiency review
Score completeness, freshness, persona fit, mapping strength, and redaction risk before export.
Auditor package
Release only approved evidence into an auditor room with source indexes, comments, and package hashes.
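The last three links of that chain (artifact checksum and lineage, review gate, package hash) are concrete enough to show in code. The following is an added example written for this page, not ControlFrame's own code: it builds an auditor package manifest from collected artifacts, records each artifact's lineage fields and SHA-256, drops anything that did not pass review, and computes a package hash over the canonical manifest that an auditor can recompute offline. The artifact bytes, requirement IDs, field names and the verify_package helper are all constructed for the example and are assumptions, not ControlFrame's format.

```python
"""Added example: auditor package manifest with per-artifact checksums,
a review gate, and a recomputable package hash. Not ControlFrame code;
field layout and sample data are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Artifact:
    """One collected artifact plus its lineage metadata (assumed field set)."""
    artifact_id: str
    requirement_id: str      # source requirement row this evidence supports
    role: str                # persona / role the collector ran as
    collected_at: str        # ISO-8601 timestamp of collection
    environment: str         # e.g. prod / staging
    content: bytes           # raw artifact bytes (screenshot, JSON, document)
    approved: bool = False   # set by the sufficiency review, never by the runner
    redacted_fields: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(manifest: dict) -> bytes:
    """Deterministic encoding of the manifest minus its own package_hash."""
    body = {k: v for k, v in manifest.items() if k != "package_hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def package_hash(manifest: dict) -> str:
    return sha256_hex(canonical_bytes(manifest))


def build_manifest(artifacts, package_id: str) -> dict:
    """Build the source-row index for an auditor package.

    Only approved artifacts are listed; each entry carries lineage fields and
    the SHA-256 of the raw bytes so a reviewer can re-hash the delivered file.
    Entries are sorted so the package hash does not depend on input order.
    """
    entries = []
    for a in artifacts:
        if not a.approved:          # review gate: unapproved evidence never ships
            continue
        entries.append({
            "artifact_id": a.artifact_id,
            "requirement_id": a.requirement_id,
            "role": a.role,
            "collected_at": a.collected_at,
            "environment": a.environment,
            "sha256": sha256_hex(a.content),
            "redacted_fields": sorted(a.redacted_fields),
        })
    entries.sort(key=lambda e: e["artifact_id"])
    manifest = {"package_id": package_id, "artifacts": entries}
    manifest["package_hash"] = package_hash(manifest)
    return manifest


def verify_package(manifest: dict, files: dict) -> list:
    """Auditor-side check. files maps artifact_id -> delivered bytes.

    Returns a list of problems; an empty list means the package verifies.
    Catches manifest edits, altered artifacts, missing files and files that
    were slipped into the package without being listed.
    """
    problems = []
    if package_hash(manifest) != manifest.get("package_hash"):
        problems.append("package_hash mismatch")
    listed = {e["artifact_id"] for e in manifest["artifacts"]}
    for e in manifest["artifacts"]:
        data = files.get(e["artifact_id"])
        if data is None:
            problems.append(f"missing {e['artifact_id']}")
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f"checksum mismatch {e['artifact_id']}")
    for extra in sorted(set(files) - listed):
        problems.append(f"unlisted file {extra}")
    return problems


# Constructed sample artifacts (IDs, requirement row and contents are made up).
SAMPLE = [
    Artifact("art-001", "req-001", "security-admin", "2024-05-01T10:00:00Z",
             "prod", b'{"mfa_enforced": true}', approved=True),
    Artifact("art-002", "req-001", "auditor-readonly", "2024-05-01T10:05:00Z",
             "prod", b"screenshot-bytes", approved=False),  # rejected in review
]

if __name__ == "__main__":
    m = build_manifest(SAMPLE, "pkg-demo")
    print(json.dumps(m, indent=2))
    print("verify:", verify_package(m, {"art-001": SAMPLE[0].content}))
```

The package hash is computed over the canonical manifest rather than over the artifact bytes directly, so the signoff covers the lineage fields (role, timestamp, environment, redactions) as well as the content; changing any of them, or the set of listed artifacts, changes the hash.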
Programs are reusable templates, not one-off folders
First seeded template. HPS / MarketLink is a sample project instance whose evidence slots hold placeholders until ControlFrame collectors run.
Defense-industrial-base template. A strong case for private deployment, appliance collectors, and careful data-residency boundaries.
Planned reusable template for administrative, physical, and technical safeguard evidence with source-backed CFR mapping.
High-value healthcare assurance template. Build after HIPAA/SOC 2 primitives so HITRUST can reuse the shared control spine.
Planned reusable template for risk governance and security operations evidence mapped to native CSF outcomes.
Planned reusable template for cardholder data environment scoping, access controls, logging, vulnerability evidence, and SAQ/ROC support.
Planned reusable template for control narratives, tickets, cloud configuration, access reviews, and auditor packages.
Federal cloud-assurance template. Requires strict package fidelity, OSCAL support, and deployment isolation options.
Privacy-program template that should share inventory, vendor, data-flow, and security evidence with HIPAA, SOC 2, ISO, and NIST.
Global ISMS template. Strong reuse candidate across SOC 2, HITRUST, NIST, and ISO 42001 governance evidence.
Planned reusable template for AI system inventory, risk treatment, monitoring, and management review evidence.
Financial-services cyber template. Useful for showing ControlFrame can support regulation-specific deadlines, attestations, and notification workflows.