ScalePad ControlMap
MSP-native vCISO & GRC

Framework coverage that keeps up with client demand

ControlMap supports 60+ cybersecurity and compliance frameworks, so MSPs can start with the frameworks clients ask for now and keep the program adaptable as requirements change.

MANAGED FRAMEWORK LIBRARY

The frameworks your clients are already asking about

Framework records are maintained centrally so this page stays aligned as ControlMap coverage changes.

44 frameworks, grouped below by priority, type, and region.

Priority

The frameworks MSPs are most likely to lead with when building GRC, vCISO, and compliance service motions.

CMMC (USA)

Cybersecurity Maturity Model Certification

CMMC helps Defense Industrial Base suppliers demonstrate cybersecurity maturity and readiness against CMMC 2.0 expectations.

A CMMC readiness program needs clear NIST 800-171 mapping, POA&M work, SPRS scoring, SSPs, and shared accountability.

Tags: CMMC 2.0, DIB, SPRS, SSP

NIST CSF (USA)

NIST Cybersecurity Framework 2.0

NIST CSF 2.0 provides guidance that organizations can use to manage, assess, prioritize, and communicate cybersecurity risk.

It is a strong starting point for client risk conversations because it connects cybersecurity outcomes to business risk management.

Tags: Cybersecurity, Risk, Baseline

CIS (Global)

CIS Critical Security Controls v8

CIS Controls provide a prioritized set of safeguards teams can use to reduce common cybersecurity risks.

For MSPs, CIS is useful for packaging practical first-step compliance work without overwhelming clients.

Tags: Controls, Safeguards, Security

SOC 2 (USA)

SOC 2 Type 1 and Type 2

SOC 2 helps organizations prove they safeguard customer data across security, availability, processing integrity, confidentiality, and privacy.

Clients pursuing vendor trust, enterprise sales, or due diligence often need a clear SOC 2 readiness path.

Tags: Trust, Audit, Vendor due diligence

FTC Safeguards (USA)

Standards for Safeguarding Customer Information

The FTC Safeguards Rule requires covered financial institutions to develop, implement, and maintain safeguards for customer information.

It gives MSPs a practical compliance entry point for clients with financial data protection obligations under the FTC's jurisdiction.

Tags: Financial institutions, Customer information, USA

Security

Security control systems and assessment standards used to structure client programs and measure progress.

ISO 27001 (Global)

ISO/IEC 27001:2022

ISO 27001 is an internationally recognized standard for implementing and maintaining an information security management system.

MSPs can use ISO 27001 to organize requirements, evidence, policies, and audit preparation around the ISMS lifecycle.

Tags: ISMS, Security, Audit

SOC 1 (USA)

SOC 1 Type 1 and Type 2

SOC 1 reports address controls at service organizations that are relevant to their customers' financial reporting. A Type 1 report covers control design at a point in time; a Type 2 report covers operating effectiveness over a review period.

Useful for clients that need to prove financial control design and operating effectiveness to stakeholders.

Tags: Financial controls, Audit, AICPA

NIST 800-171 (USA)

NIST SP 800-171

NIST 800-171 defines requirements for protecting Controlled Unclassified Information in non-federal systems.

It is central to CMMC Level 2 readiness and helps MSPs structure evidence, SSPs, POA&Ms, and responsibility mapping.

Tags: CUI, CMMC, Federal

NIST 800-171 Rev. 3 (USA)

NIST SP 800-171 Rev. 3

NIST SP 800-171 Rev. 3 defines security requirements for protecting Controlled Unclassified Information in non-federal systems and organizations, consolidating the 110 requirements of Rev. 2 into 97 and adding organization-defined parameters.

It is a key requirement set for organizations that handle CUI. Note that CMMC Level 2 assessments are currently scored against Rev. 2, so confirm which revision a client's contract cites before mapping controls and evidence.

Tags: CUI, Federal, CMMC

NIST 800-161 (USA)

NIST SP 800-161r1

NIST SP 800-161r1 focuses on cybersecurity supply chain risk management across suppliers, relationships, and incident response.

It helps MSPs structure supplier risk conversations and supply-chain security programs.

Tags: Supply chain, Supplier risk, Incident response

NIST AI RMF (USA)

NIST AI Risk Management Framework

NIST AI RMF provides guidance for managing risks associated with artificial intelligence systems.

It gives MSPs a credible AI governance starting point as clients adopt AI tools and workflows.

Tags: AI, Risk, Governance

Baseline Controls (Canada)

Baseline Cyber Security Controls for Small and Medium Organizations

Canada's baseline controls help small and medium organizations improve cyber resilience with practical, accessible safeguards.

It is a useful starting point for Canadian MSPs packaging foundational cybersecurity and compliance work.

Tags: Canada, SMB, Baseline

CyberSecure (Canada)

CyberSecure Canada

CyberSecure Canada is a government-led certification program built around organizational and baseline cybersecurity controls.

It gives Canadian MSPs a recognizable framework for client cyber maturity and certification conversations.

Tags: Canada, Certification, Baseline controls

IASME Assurance (Europe)

IASME Cyber Assurance

IASME Cyber Assurance is designed for small and medium-sized organizations that need to demonstrate protection of sensitive information.

It gives MSPs a practical assurance standard for clients that need a UK-recognized cybersecurity program.

Tags: UK, SME, Assurance

IASME Baseline (Europe)

IASME Cyber Baseline

IASME Cyber Baseline helps small and medium-sized organizations establish a cybersecurity compliance foundation modelled on the UK Cyber Essentials controls.

It is aimed at organizations based outside the UK that cannot certify to Cyber Essentials itself, so it supports entry-level compliance motions for those clients before deeper assurance work.

Tags: UK, Cyber Essentials, SME

Cyber Essentials (Europe)

UK Cyber Essentials

UK Cyber Essentials defines five technical control themes (firewalls, secure configuration, security update management, user access control, and malware protection) at two certification levels: Cyber Essentials (self-assessed) and Cyber Essentials Plus (independently tested).

It is a common entry point for MSPs helping UK clients reduce common attack risk.

Tags: UK, Cyber Essentials Plus, Baseline

Essential Eight (APAC)

Essential Eight

The Australian Cyber Security Centre's Essential Eight defines eight baseline mitigation strategies against common cyber threats, assessed at Maturity Levels 0 to 3.

It is one of the clearest starting points for Australian client cybersecurity programs.

Tags: Australia, ACSC, Baseline

CSA CCM (Global)

Cloud Controls Matrix

CSA CCM provides cloud-focused security controls and practices for cloud computing environments.

MSPs can use it to structure cloud compliance work and evidence gathering for cloud-heavy clients.

Tags: Cloud, Controls, Questionnaire

Privacy

Privacy and data-protection requirements that shape policies, evidence, and client reporting.

NIST Privacy (USA)

NIST Privacy Framework v1.0

NIST Privacy Framework helps organizations identify and manage privacy-related risks while building products and services.

It supports privacy program conversations for clients that need structure without beginning with a regulatory mandate.

Tags: Privacy, Risk, USA

CCPA (USA)

California Consumer Privacy Act

CCPA gives California consumers rights over personal information collected by businesses.

It helps MSPs frame privacy management work for clients with California data exposure.

Tags: California, Privacy, Consumer rights

GDPR (Europe)

General Data Protection Regulation

GDPR governs data protection and privacy requirements for organizations handling EU personal data.

MSPs supporting clients with EU data exposure need a practical way to keep privacy policies, evidence, and stakeholder responsibilities visible.

Tags: Privacy, EU, Personal data

UK ICO (Europe)

UK ICO

The UK Information Commissioner's Office Accountability Framework outlines the essentials of a privacy management program and expected data protection practices.

It gives UK-focused clients a practical privacy management reference alongside GDPR needs.

Tags: UK, Privacy, Data protection

ISO 27018 (Global)

ISO/IEC 27018:2019

ISO 27018 focuses on protection of personally identifiable information in public cloud environments.

It supports privacy and cloud evidence conversations for cloud service providers and cloud-heavy clients.

Tags: Cloud, PII, Privacy

ISO 27701 (Global)

ISO/IEC 27701

ISO 27701 extends information security management practices into privacy information management.

It helps clients standardize how they handle personally identifiable information across privacy obligations.

Tags: Privacy, PII, ISO

Industry

Specialized requirements for clients in regulated sectors or contract-driven environments.

CJIS (USA)

Criminal Justice Information Services Security Policy

CJIS provides security standards for handling sensitive criminal justice information.

MSPs serving law enforcement, courts, corrections, or connected vendors need a clear way to manage CJIS obligations.

Tags: Criminal justice, Law enforcement, Sensitive data

HIPAA (USA)

Health Insurance Portability and Accountability Act

HIPAA, through its Privacy and Security Rules, sets how covered entities and their business associates protect protected health information (PHI) and manage healthcare security obligations.

It gives MSPs a clear compliance program for healthcare clients that need policy, evidence, and recurring reporting support.

Tags: Healthcare, PHI, Privacy

FFIEC CAT (USA)

FFIEC Cybersecurity Assessment Tool (CAT)

The FFIEC Cybersecurity Assessment Tool helps financial institutions identify their inherent cyber risk profile and assess the maturity of their preparedness.

It helps MSPs support regulated financial clients with structured assessment and remediation work. Note that the FFIEC has announced the CAT will be sunset on August 31, 2025, so treat it as a transitional reference and plan a migration to a successor such as NIST CSF 2.0.

Tags: Financial services, Assessment, Preparedness

MARS (USA)

Minimum Acceptable Risk Standards for Exchanges (MARS-E)

MARS-E, published by CMS, sets availability, confidentiality, and integrity expectations for protected health information, personally identifiable information, and federal tax information handled by health insurance exchanges and their contractors.

It is relevant for clients handling PHI, PII, or federal tax information.

Tags: PHI, PII, Federal tax information

PCI DSS (Global)

Payment Card Industry Data Security Standard

PCI DSS applies to organizations that accept, process, store, or transmit payment card data.

MSPs can use it to help retail, ecommerce, and service clients organize payment-security controls and evidence.

Tags: Payments, Security, Audit

TISAX (Europe)

Trusted Information Security Assessment Exchange

TISAX is the automotive industry's assessment and exchange model for information security requirements, operated by the ENX Association and based on the VDA ISA catalogue.

It helps MSPs support clients in supplier ecosystems where data security levels must be exchanged and verified.

Tags: Automotive, Supplier security, Europe

AESCSF (APAC)

Australian Energy Sector Cyber Security Framework

AESCSF is designed to support strong cybersecurity practices in Australia's energy sector.

It gives MSPs a sector-specific framework for energy clients with heightened resilience expectations.

Tags: Australia, Energy, Cybersecurity

CPS 234 (APAC)

Prudential Standard CPS 234

CPS 234 sets information security expectations for APRA-regulated entities in Australia.

It helps MSPs support financial clients with governance, evidence, and resilience obligations.

Tags: Australia, APRA, Financial services

FedRAMP (USA)

Federal Risk and Authorization Management Program

FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

For federal cloud work and CMMC-adjacent cloud service decisions, FedRAMP provides a recognized authorization baseline for cloud service providers.

Tags: Federal, Cloud, Authorization, Moderate baseline

Microsoft DPR (Global)

Microsoft Data Protection Regulations

Microsoft DPR defines annual data protection requirements for Microsoft suppliers in the SSPA program.

It matters for clients that must prove proper handling of personal and confidential Microsoft supplier data.

Tags: Microsoft, SSPA, Supplier privacy

MPA (Global)

Motion Picture Association Content Security Best Practices

The MPA framework outlines content security best practices for entertainment vendor facilities.

It gives MSPs a niche but important framework for clients working in film, production, and media supply chains.

Tags: Media, Entertainment, Content security

Regional

Country or region-specific obligations that MSPs may need to map into the broader client program.

NYDFS (USA)

NYDFS Cybersecurity Regulation

The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) sets cybersecurity requirements for financial services companies licensed or regulated by the New York State Department of Financial Services.

It is a strong regional driver for financial-sector compliance, vendor oversight, and evidence programs.

Tags: New York, Financial services, Cybersecurity

TX-RAMP (USA)

Texas Risk and Authorization Management Program

TX-RAMP standardizes security assessment, authorization, and monitoring for cloud services processing Texas state agency data.

MSPs supporting public-sector cloud work in Texas can use it to structure assurance and evidence conversations.

Tags: Texas, Cloud, Public sector

DORA (Europe)

Digital Operational Resilience Act

DORA establishes ICT risk management, incident reporting, resilience testing, and third-party oversight requirements for EU financial entities, and has applied since 17 January 2025.

For MSPs supporting financial clients, DORA creates demand for structured evidence, risk, and vendor oversight.

Tags: EU, Financial services, Resilience

PSPF (APAC)

Protective Security Policy Framework

PSPF outlines protective security policy for Australian Government organizations across personnel, physical, governance, and information security.

It supports MSP work with Australian public-sector security requirements.

Tags: Australia, Government, Protective security

NZISM (APAC)

New Zealand Information Security Manual

NZISM provides controls and processes for protecting New Zealand Government information and systems.

It helps MSPs orient New Zealand public-sector and security-sensitive client programs.

Tags: New Zealand, Government, Controls

International

Global frameworks that help teams standardize compliance across regions and operating models.

ISO 42001 (Global)

ISO/IEC 42001

ISO 42001 specifies an AI management system (AIMS) that helps organizations govern AI systems with transparency, safety, fairness, and accountability.

It gives MSPs a way to discuss AI governance as part of a broader GRC program.

Tags: AI, Governance, Risk

COBIT (Global)

COBIT 2019

COBIT is a governance framework for designing and managing enterprise IT controls and objectives.

It helps connect operational IT work to board-level governance and business objectives.

Tags: Governance, IT controls, Enterprise

ISO 27017 (Global)

ISO/IEC 27017:2015

ISO 27017 provides cloud-specific security guidance that extends the ISO 27001 family.

It is useful for clients that need cloud control clarity across shared responsibility models.

Tags: Cloud, ISO, Security

SCF (Global)

Secure Controls Framework

Secure Controls Framework provides a broad cybersecurity and privacy control set across operational levels.

It helps MSPs map security and privacy requirements into a comprehensive control program.

Tags: Controls, Cybersecurity, Privacy

LESS DUPLICATION

Do the work once, apply it across frameworks

Rather than treating every framework as an isolated project, ControlMap maps matching evidence and controls across requirements, so the work behind one requirement is done once and reused wherever another framework asks for the same thing.


Cross-framework evidence

Reuse evidence where requirements overlap instead of chasing the same proof repeatedly.

  • Mapped controls
  • Reusable evidence
  • Less duplicate effort

Region and industry fit

Choose frameworks by geography, industry, client maturity, and contract requirements.

  • USA
  • Europe
  • International

Future route-ready

Framework records already have slugs for eventual detail pages under /controlmap/frameworks/<framework>.

  • Managed content
  • Clean slugs
  • SEO-ready structure

HOW FRAMEWORKS SCALE

Choose the framework once, then reuse the work

Frameworks are not just catalog entries. They are the operating layer for assessments, controls, evidence, policy work, and audit reporting.

  1. 01

    Choose the right framework

    Start with the client's contract, industry, geography, maturity, or vendor requirement.

  2. 02

    Map controls

    Connect requirements to controls, objectives, policies, risks, and evidence expectations.

  3. 03

    Crosswalk overlap

    Reuse matching evidence and control work across frameworks where requirements align.

  4. 04

    Monitor changes

    Keep framework records current as coverage, labels, and client demand evolve.
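The four steps above describe a control crosswalk. As an added example (this is not ControlMap's code, and the mapping is not a vendor-supplied or authoritative one), the Python below models steps 2 to 4: controls mapped to the requirements they satisfy in three frameworks, a coverage report that only counts a requirement as covered when a mapped control actually holds evidence, the evidence a new engagement inherits for free, and the gap list produced when a framework revision adds references. The requirement references, control IDs, and evidence file names are illustrative placeholders constructed for the example; verify any real mapping against the framework text before relying on it.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample requirements: framework -> {reference: summary}.
# References are illustrative placeholders, not an authoritative mapping.
REQUIREMENTS = {
    "NIST 800-171": {
        "3.1.1": "Limit system access to authorized users",
        "3.5.3": "Use MFA for privileged and network access",
        "3.14.1": "Identify and correct system flaws in a timely manner",
    },
    "CIS v8": {
        "5.1": "Establish and maintain an inventory of accounts",
        "6.5": "Require MFA for administrative access",
        "7.3": "Perform automated OS patch management",
    },
    "SOC 2": {
        "CC6.1": "Logical access security controls",
        "CC7.1": "Detect and monitor for vulnerabilities",
    },
}


@dataclass
class Control:
    """One implemented control, the requirements it is mapped to, and the
    evidence collected for it. Evidence lives on the control, not on the
    requirement, which is what makes cross-framework reuse possible."""
    control_id: str
    name: str
    satisfies: frozenset          # {(framework, reference), ...}
    evidence: list = field(default_factory=list)


# Constructed sample controls (hypothetical IDs and evidence names).
CONTROLS = [
    Control("CTL-ACC-01", "Quarterly account review",
            frozenset({("NIST 800-171", "3.1.1"), ("CIS v8", "5.1"), ("SOC 2", "CC6.1")}),
            ["account-review-2025Q1.pdf"]),
    Control("CTL-ACC-02", "MFA enforced for all admin access",
            frozenset({("NIST 800-171", "3.5.3"), ("CIS v8", "6.5"), ("SOC 2", "CC6.1")}),
            ["conditional-access-policy-export.json"]),
    Control("CTL-VUL-01", "Monthly patch cycle with 30-day SLA",
            frozenset({("NIST 800-171", "3.14.1"), ("CIS v8", "7.3")}),
            []),  # control designed, but no evidence collected yet
]


def crosswalk(controls):
    """Step 2: index (framework, reference) -> controls mapped to it."""
    index = defaultdict(list)
    for control in controls:
        for key in control.satisfies:
            index[key].append(control)
    return index


def coverage(framework, requirements, controls):
    """Step 3: for one framework return three sorted reference lists:
    evidenced, mapped but lacking evidence, and unmapped. A mapping alone
    never counts as coverage; an auditor will ask for the artifact."""
    index = crosswalk(controls)
    evidenced, mapped_no_evidence, unmapped = [], [], []
    for ref in sorted(requirements[framework]):
        mapped = index.get((framework, ref), [])
        if not mapped:
            unmapped.append(ref)
        elif any(c.evidence for c in mapped):
            evidenced.append(ref)
        else:
            mapped_no_evidence.append(ref)
    return evidenced, mapped_no_evidence, unmapped


def reusable_evidence(target_framework, controls):
    """Evidence already on file that also counts toward target_framework,
    i.e. what a new engagement inherits without re-collecting it."""
    return {
        c.control_id: list(c.evidence)
        for c in controls
        if c.evidence and any(fw == target_framework for fw, _ in c.satisfies)
    }


def gaps_after_update(framework, updated_refs, controls):
    """Step 4: when a framework revision adds or renumbers references,
    list the references no control maps to yet."""
    index = crosswalk(controls)
    return sorted(ref for ref in updated_refs if (framework, ref) not in index)


if __name__ == "__main__":
    for fw in REQUIREMENTS:
        print(fw, coverage(fw, REQUIREMENTS, CONTROLS))
    print("Inherited for SOC 2:", reusable_evidence("SOC 2", CONTROLS))
    # Hypothetical revision adding a new reference "3.17.1".
    print("Unmapped after update:",
          gaps_after_update("NIST 800-171", ["3.1.1", "3.5.3", "3.14.1", "3.17.1"], CONTROLS))
```

The distinction between "mapped" and "evidenced" is the practical point: CTL-VUL-01 is crosswalked to both NIST 800-171 and CIS v8, but until its evidence exists neither framework's coverage improves, and the same missing artifact shows up as one gap rather than two.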

READY?

Start with the framework your client needs most.

Compliance Frameworks for MSPs | ControlMap