Control Mapping
Draft v0.1
This page is in draft. Content may change before v1.0.
Control mappings link Evidence Objects to specific controls within compliance frameworks.
Mapping Structure
| Field | Type | Required | Description |
|---|---|---|---|
| framework | string | Yes | Framework identifier (see Framework IDs) |
| control | string | Yes | Control identifier within the framework |
| weight | number | No | Weight for scoring (default: 1.0) |
Framework Identifiers
| Framework | ID | Version |
|---|---|---|
| CIS Controls | cis-v8 | v8 |
| CMMC Level 1 | cmmc-level1 | 2.0 |
| CMMC Level 2 | cmmc-level2 | 2.0 |
| SOC 2 | soc-2 | 2017 Trust Services Criteria |
| NIST CSF | nist-csf-2 | 2.0 |
| FTC Safeguards | ftc-safeguards | 2023 |
Cross-Framework Mapping
A single Evidence Object can map to controls in multiple frameworks simultaneously:
```json
"control_mappings": [
  { "framework": "cis-v8", "control": "10.1" },
  { "framework": "cmmc-level2", "control": "SI.1.210" },
  { "framework": "nist-csf-2", "control": "DE.CM-04" }
]
```
This eliminates redundant evidence collection — one scan result satisfies multiple frameworks.
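The following validator is an added example, not code from this specification or its repository. It checks a `control_mappings` array against the Mapping Structure and Framework Identifiers tables above, applies the default weight, and groups controls per framework. The function names, the rejection of unknown framework IDs, and the sample Evidence Object (the three mappings above plus a constructed `weight` and two constructed invalid entries) are assumptions of this example.

```python
import json
from collections import defaultdict

# Framework IDs copied from the "Framework Identifiers" table on this page.
FRAMEWORK_IDS = {"cis-v8", "cmmc-level1", "cmmc-level2", "soc-2", "nist-csf-2", "ftc-safeguards"}
DEFAULT_WEIGHT = 1.0  # default stated in the "Mapping Structure" table

def normalize_mappings(evidence):
    """Hypothetical helper: return (valid mappings with weight filled in, error strings)."""
    normalized, errors = [], []
    for i, m in enumerate(evidence.get("control_mappings", [])):
        if not isinstance(m, dict):
            errors.append(f"[{i}] mapping must be an object")
            continue
        fw, ctl, weight = m.get("framework"), m.get("control"), m.get("weight", DEFAULT_WEIGHT)
        problems = []
        if not isinstance(fw, str) or not fw:
            problems.append("'framework' is required and must be a string")
        elif fw not in FRAMEWORK_IDS:  # assumption: unknown IDs are rejected, not passed through
            problems.append(f"unknown framework id {fw!r}")
        if not isinstance(ctl, str) or not ctl:
            problems.append("'control' is required and must be a string")
        # bool is a subclass of int in Python, so exclude it explicitly
        if isinstance(weight, bool) or not isinstance(weight, (int, float)):
            problems.append("'weight' must be a number")
        if problems:
            errors.extend(f"[{i}] {p}" for p in problems)
        else:
            normalized.append({"framework": fw, "control": ctl, "weight": float(weight)})
    return normalized, errors

def controls_by_framework(normalized):
    """Group validated mappings so each framework lists the controls this evidence covers."""
    by_fw = defaultdict(list)
    for m in normalized:
        by_fw[m["framework"]].append(m["control"])
    return dict(by_fw)

# Constructed sample Evidence Object: entries 3 and 4 are deliberately invalid.
SAMPLE = json.loads("""
{"control_mappings": [
  {"framework": "cis-v8", "control": "10.1"},
  {"framework": "cmmc-level2", "control": "SI.1.210", "weight": 2},
  {"framework": "nist-csf-2", "control": "DE.CM-04"},
  {"framework": "soc2", "control": "CC7.1"},
  {"framework": "cis-v8", "weight": "high"}
]}
""")
VALID, ERRORS = normalize_mappings(SAMPLE)
```

A misspelled framework ID such as `soc2` is reported rather than silently dropped, so the evidence is not counted as mapped to a framework it never matched.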
Mapping Tables
Pre-built mapping tables are maintained in /mappings/ in the repository. See Examples for framework-specific walkthroughs.