Compliance crosswalks
Every major compliance framework, mapped to NIST CSF 2.0.
SecurityStack maintains crosswalks between the compliance frameworks that matter most to mid-market security programs. Each crosswalk maps framework-specific controls to NIST CSF 2.0 categories so findings translate cleanly between your auditor, your board, and your vendor-management conversations.
NIST Cybersecurity Framework 2.0
NIST CSF 2.0 · Any U.S. organization building a risk-based security program. CSF 2.0 is the default reference in federal contracting, state regulation, and enterprise procurement questionnaires.
CIS Critical Security Controls v8.1
CIS v8.1 · SMB and mid-market security teams that want a prescriptive, prioritized control list without the governance overhead of a full framework.
Cybersecurity Maturity Model Certification 2.0
CMMC 2.0 · Defense Industrial Base (DIB) contractors handling Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). Effective date Dec 16, 2024.
ISO/IEC 27001:2022
ISO 27001:2022 · International organizations, enterprise SaaS vendors selling into European markets, and any organization pursuing formal ISMS certification.
SOC 2 Trust Services Criteria
SOC 2 · SaaS vendors, cloud service providers, and any organization whose enterprise customers require third-party attestation of security controls.
Coverage coming soon
HIPAA, PCI DSS v4, FedRAMP Moderate, and GDPR crosswalks are under active development. See the methodology hub for what's live today.
Frequently asked questions
Which compliance framework is right for my organization?
NIST CSF 2.0 is the default reference for any U.S. organization. CIS v8.1 is the most prescriptive — best if you want a specific control list. CMMC 2.0 is mandatory for DoD contractors. ISO 27001:2022 is required for many international and enterprise sales. SOC 2 is the standard for SaaS vendors selling to U.S. enterprise buyers. Most mid-market organizations need 2–3 of these simultaneously.
Why crosswalk everything to NIST CSF?
NIST CSF 2.0 is the lingua franca — every other major framework maps to it reasonably well. A control that satisfies a CMMC practice often satisfies an ISO 27001 Annex A control and a SOC 2 common criterion. Crosswalking to NIST CSF lets you see that overlap clearly instead of running five parallel audits.
Are these crosswalks authoritative?
Practitioner-authored, not official. NIST maintains OLIR (Online Informative References) but it is incomplete. The crosswalks on this site reflect 27 years of field assessment work and are updated as frameworks revise. We flag mapping strength per control ('direct', 'partial', 'related') so you can see which mappings are strong and which require judgment.