REDTEAMTRUST
Offense-informed defense

Compliance Management

Turn security findings into audit-ready compliance.

Compliance Management is the ongoing GRC layer that your MSSP delivers on top of security assessments. Findings from each assessment are automatically mapped to framework controls. Your team tracks evidence, closes gaps, and walks into audits with a documented posture — not a spreadsheet.

How it works

01. Assessment runs

Your MSSP runs a security assessment against your endpoints. Findings are collected and scored automatically.

02. Controls mapped

Each finding is mapped to one or more framework control IDs. Failed controls are flagged automatically, with no manual cross-referencing.

03. Gaps tracked

Controls without automated coverage are marked as pending evidence. Your team uploads documentation, policies, or configuration exports to close them.

04. Reports generated

A framework-specific gap report shows the percentage of controls met, a table of failed controls, an evidence checklist, and a remediation roadmap ordered by maturity level.
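The four steps above describe one data flow: assessment findings are mapped onto control IDs, controls the assessment cannot test wait for evidence, and a report is computed from the resulting control statuses. The following is an added illustration of that flow and is not the vendor's code; the control catalog, the finding-to-control mapping, the coverage types (automated, manual, hybrid) and the maturity levels are all constructed assumptions, and the rule that a failed control stays failed until the finding is remediated (evidence alone cannot override it) is a design choice made here, not something the page states.

```python
from collections import Counter

# Constructed control catalog for one framework (not a real framework's
# control list). 'coverage' says how a control is satisfied:
#   automated - a scored assessment finding can fail it; otherwise it passes
#   manual    - only uploaded evidence can satisfy it
#   hybrid    - needs both: no failing finding and uploaded evidence
# 'maturity' is the implementation-group / tier used to order the roadmap.
CONTROLS = {
    "1.1":  {"title": "Asset inventory",                 "coverage": "hybrid",    "maturity": 1},
    "4.1":  {"title": "Secure configuration baseline",   "coverage": "automated", "maturity": 1},
    "5.2":  {"title": "Unique local admin passwords",    "coverage": "automated", "maturity": 1},
    "7.1":  {"title": "Vulnerability management policy", "coverage": "manual",    "maturity": 1},
    "8.2":  {"title": "Audit log collection",            "coverage": "automated", "maturity": 2},
    "14.1": {"title": "Security awareness programme",    "coverage": "manual",    "maturity": 2},
}

# Constructed finding -> control mapping, as an assessment would emit it.
# One finding may exercise several controls.
FINDING_TO_CONTROLS = {
    "SMBv1 enabled":              ["4.1"],
    "Local admin password reuse": ["5.2"],
    "Audit logging disabled":     ["8.2"],
    "Unmanaged host discovered":  ["1.1", "4.1"],
}


def control_key(cid):
    """Sort control IDs numerically so '4.1' precedes '14.1'."""
    return tuple(int(part) for part in cid.split("."))


def evaluate_controls(findings, evidence):
    """Map findings onto controls and return {control_id: status}.

    status is 'fail' (a finding hit the control), 'pass', or 'pending'
    (evidence still required). A failed control stays failed even if
    evidence was uploaded: the finding has to be remediated first.
    Findings with no mapping are ignored rather than treated as failures.
    """
    failed = {cid for name in findings for cid in FINDING_TO_CONTROLS.get(name, [])}
    status = {}
    for cid, ctl in CONTROLS.items():
        if cid in failed:
            status[cid] = "fail"
        elif ctl["coverage"] == "automated" or cid in evidence:
            status[cid] = "pass"
        else:
            status[cid] = "pending"   # manual or hybrid control with no evidence yet
    return status


def gap_report(findings, evidence):
    """Build the gap report of step 04 from the control statuses."""
    status = evaluate_controls(findings, evidence)
    counts = Counter(status.values())
    ordered = sorted(status, key=control_key)
    # Remediation roadmap: every non-passing control, lowest maturity level first.
    roadmap = sorted((cid for cid in status if status[cid] != "pass"),
                     key=lambda c: (CONTROLS[c]["maturity"], control_key(c)))
    return {
        "percent_met": round(100 * counts["pass"] / len(CONTROLS)),
        "failed": [(cid, CONTROLS[cid]["title"]) for cid in ordered if status[cid] == "fail"],
        "evidence_checklist": [cid for cid in ordered if status[cid] == "pending"],
        "roadmap": roadmap,
    }


if __name__ == "__main__":
    # Constructed assessment output and a single client evidence upload.
    sample_findings = ["SMBv1 enabled", "Audit logging disabled", "Unknown finding"]
    sample_evidence = {"7.1"}
    report = gap_report(sample_findings, sample_evidence)
    print(f"{report['percent_met']}% of controls met")
    for cid, title in report["failed"]:
        print(f"  FAIL {cid} {title}")
    print("  Evidence needed:", ", ".join(report["evidence_checklist"]))
    print("  Roadmap:", " -> ".join(report["roadmap"]))
```

Two details matter in practice: control IDs must be compared numerically (a plain string sort puts "14.1" before "4.1"), and a hybrid control needs both the automated check and the evidence, so uploading a document never hides a live finding.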

Client Portal

Your team sees their own posture.

Your MSSP provisions a login for your organization's compliance contact. That person can view framework dashboards, see which controls are passing or failing, and upload evidence for manual controls — without touching the MSSP operator console.

  • Read-only compliance dashboard per framework
  • Evidence upload for manual and hybrid controls
  • Control-by-control gap view with maturity level badges
  • Separate login — no access to MSSP operator tools

  CIS Controls v8   74%
  NIST CSF 2.0      61%
  HIPAA             68%
  CMMC 2.0          52%

Example client portal dashboard — controls tracked across frameworks

Supported frameworks

All nine frameworks are live. Assessment findings map automatically to controls in each — manual evidence closes the gaps the agent can't reach.

CIS Controls v8 (IG1 & IG2) | Live

Automated mapping from assessment findings to CIS control IDs. IG1 (Essential) controls form the baseline every organization should clear first.

NIST CSF 2.0 (all 6 functions) | Live

Govern, Identify, Protect, Detect, Respond, and Recover subcategories are mapped to assessment findings. Foundational Tier 1 controls are tracked separately from advanced Tier 2 controls.

HIPAA (Security Rule) | Live

Both Required and Addressable implementation specifications are tracked. Technical safeguard controls map to automated findings; administrative controls are tracked via evidence upload.

PCI DSS v4.0 | Live

Core and Targeted requirements. Automated findings cover endpoint and network controls; policy and configuration evidence closes the manual requirements.

CMMC 2.0 (Level 1 & 2) | Live

17 Level 1 practices and 110 Level 2 practices are mapped to assessment findings. A DoD supply-chain requirement for contractors handling CUI.

SOC 2 Type II (CC + Availability / Confidentiality) | Live

Common Criteria (CC1–CC9) map to automated findings across access control, monitoring, and change management. The additional A1 (Availability) and C1 (Confidentiality) criteria are tracked via evidence upload.

Cyber Insurance Readiness (Knockout & Enhanced) | Live

Underwriting requirements from Coalition, Chubb, Beazley, Travelers, and At-Bay: Knockout controls required for coverage and Enhanced controls that reduce premiums — mapped to automated findings and manual evidence.

FTC Safeguards Rule (16 CFR Part 314, 2023) | Live

GLBA safeguards for auto dealerships, tax preparers, insurance agents, mortgage brokers, and other financial institutions. Required safeguards apply to all covered entities; enhanced requirements apply to holders of 5,000+ consumer records.

ISO 27001:2022 (Annex A, 93 controls) | Live

International standard for information security management. Mandatory Annex A controls are required for certification; contextual controls are governed by the Statement of Applicability. Theme 8 (technological) controls map to automated findings.

Delivered through your MSSP

Compliance Management is a monthly subscription your MSSP sells as part of their managed services offering. Your MSSP manages the compliance posture on your behalf — configuring frameworks, reviewing control gaps, and ensuring evidence stays current. You and your team access the client portal directly.

Don't have an MSSP partner? Contact us and we can connect you with one, or discuss a direct engagement.