One Control Set, Eighty Frameworks: The Case Against Compliance Theatre
You're treating each compliance framework as a fresh project, duplicating work across SOC 2, ISO 27001, NIST CSF, CMMC, and more.
Your compliance manager just quit. In the handoff, they gave you access to 14 spreadsheets, each a control library for a different framework. SOC 2 has 312 rows. ISO 27001 has 286. NIST CSF has 108. CMMC Level 2 has 110. PCI DSS v4.0.1 has 264. Different column headers, different naming conventions, different numbering schemes.
You add up the rows: 1,080 controls tracked across five frameworks. You know many overlap: MFA enforcement doesn't become five different things just because five frameworks mention it. But the architecture you inherited treats them as five separate things, because that's what the tool assumes.
This is compliance theatre: the appearance of coverage through documentation volume, when the actual unique control intent is a fraction of the tracked total.
The math of compliance theatre
A typical mid-market organization with five active frameworks, siloed:
| Metric | Siloed Model | Unified Model |
|---|---|---|
| Total tracked controls | 1,080 | ~420 unique |
| Evidence collection events/year | 2,160 | 840 |
| Distinct audit prep cycles | 5 | 1 continuous + 5 views |
| FTE for compliance ops | 3-4 | 1.5-2 |
| Time to add a new framework | 4-6 months | 2-4 weeks |
| Cross-framework inconsistency rate | 15-30% | 0% |
The inconsistency rate is the most damaging number. When you maintain separate libraries, the same control can show "implemented" in SOC 2 and "not assessed" in CMMC. Not because anything changed, but because two analysts assessed it at different times. An auditor who sees both will question your program's credibility.
Why this happens
GRC tools built between 2005 and 2015 store controls per framework. Their data model: Framework > Control > Evidence. Adding a framework means loading a new template and starting fresh. The tool doesn't ask "do you already manage a control that satisfies this?" because it can't. The data structure doesn't support cross-framework relationships.
Vendors call this "multi-framework support" because they loaded 30 templates into the same database. Loading templates isn't reasoning across them. The result: work scales with framework count, not with unique control intents.
What a meta-framework provides
The Secure Controls Framework (SCF) inverts the relationship. Instead of starting with frameworks and deriving controls, it starts with control intents and maps outward.
SCF defines 1,470+ controls, each representing a distinct compliance intent in framework-neutral language. For each control, SCF maps which framework requirements it satisfies. A single SCF control might map to 5, 10, or 20 frameworks simultaneously.
Instead of "SOC 2 requires CC6.1, which means access control," it's "Access control is compliance intent SCF AC-01, satisfying SOC 2 CC6.1, ISO 27001 A.8.5, NIST CSF PR.AC-1, CMMC AC.L2-3.1.1, and PCI DSS 8.3.1."
Under the first model, you manage framework requirements that happen to overlap. Under the second, you manage control intents that satisfy multiple frameworks by definition.
STRM: relationship types matter
Not all cross-framework mappings are equivalent. NIST IR 8477 defines Set Theory Relationship Mapping (STRM) with five types:
| Relationship | Definition | Evidence Implication |
|---|---|---|
| Equivalent | Semantically identical in scope and intent | Collect once, full credit for both |
| Subset | A fully contained within B | Satisfying B satisfies A, not reverse |
| Superset | A fully encompasses B | Satisfying A satisfies B |
| Overlap | Shared ground, but each has unique elements | Partial credit, gap remains |
| Disjoint | No meaningful relationship | Separate collection required |
The first three enable full evidence reuse. Overlap is where precision matters most. PCI DSS 8.4.2 and SOC 2 CC6.1 overlap: both require MFA, but PCI has cardholder-data-environment specifics SOC 2 doesn't address. A generic MFA artifact gets 78% credit for PCI but 95% for SOC 2. Without typed relationships, cross-framework mapping is guessing. With them, it's quantifiable.
A concrete cross-mapping example
One control: MFA enforcement for privileged accounts via Entra ID Conditional Access.
| Framework | Requirement ID | STRM to SCF AC-07 | Strength |
|---|---|---|---|
| SOC 2 | CC6.1 | Equivalent | 95% |
| ISO 27001 | A.8.5 | Equivalent | 92% |
| NIST CSF 2.0 | PR.AA-03 | Subset | 90% |
| CMMC Level 2 | AC.L2-3.1.1 | Equivalent | 94% |
| PCI DSS v4.0.1 | 8.4.2 | Overlap | 78% |
One evidence artifact satisfies five requirements. For SOC 2, ISO, and CMMC: full credit. For NIST CSF: full credit (evidence exceeds scope). For PCI DSS: 78%, supplementary evidence needed for CDE boundary. Under the siloed model, your team collects this five times. Under unified: collected once, mapped once, reported five ways. The full evidence flow is in One Defender Alert, Seven Frameworks.
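The propagation described above, as an added Python example (not Kyudo's code): one SCF control carries typed STRM mappings to the five requirements in the table, one evidence assessment is recorded against the control, and each framework's view is derived from it. It assumes one reading of the relationship table's direction: a requirement that is Equivalent to, or a Subset of, the SCF control gets full reuse; Overlap and Superset get credit capped at the strength rating with a flagged gap; Disjoint gets nothing.

```python
from dataclasses import dataclass
from enum import Enum


class Strm(Enum):
    """NIST IR 8477 relationship types, read as framework requirement vs. SCF control."""
    EQUIVALENT = "equivalent"
    SUBSET = "subset"        # requirement is fully contained in the SCF control
    SUPERSET = "superset"    # requirement is broader than the SCF control
    OVERLAP = "overlap"
    DISJOINT = "disjoint"


@dataclass(frozen=True)
class Mapping:
    framework: str
    requirement: str
    relation: Strm
    strength: float  # 0.0-1.0, the Strength column of the cross-mapping table


# Constructed registry entry for SCF AC-07; IDs, relations and strengths copied from the table.
AC_07_MAPPINGS = [
    Mapping("SOC 2", "CC6.1", Strm.EQUIVALENT, 0.95),
    Mapping("ISO 27001", "A.8.5", Strm.EQUIVALENT, 0.92),
    Mapping("NIST CSF 2.0", "PR.AA-03", Strm.SUBSET, 0.90),
    Mapping("CMMC Level 2", "AC.L2-3.1.1", Strm.EQUIVALENT, 0.94),
    Mapping("PCI DSS v4.0.1", "8.4.2", Strm.OVERLAP, 0.78),
]

FULL_REUSE = {Strm.EQUIVALENT, Strm.SUBSET}    # evidence for the control covers the requirement
PARTIAL_REUSE = {Strm.SUPERSET, Strm.OVERLAP}  # credit capped at strength, remainder is a gap


def propagate(control_status: str, mappings: list) -> dict:
    """Assess the SCF control once, then derive every framework's view of that one event."""
    views = {}
    for m in mappings:
        if m.relation in FULL_REUSE:
            status, credit, gap = control_status, m.strength, False
        elif m.relation in PARTIAL_REUSE:
            status, credit, gap = "Partial", m.strength, True
        else:  # Disjoint: this artifact says nothing about the requirement
            status, credit, gap = "Not assessed", 0.0, True
        views[m.framework] = {"requirement": m.requirement, "status": status,
                              "credit": credit, "supplementary_evidence_needed": gap}
    return views
```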
Quantifying work reduction
Overlap rates between common framework pairs:
| Framework Pair | Overlap Rate | Shared Domains |
|---|---|---|
| SOC 2 + ISO 27001 | 65-70% | Access, incident response, change mgmt, risk, vendor mgmt |
| ISO 27001 + NIST CSF | 60-65% | Nearly full, NIST less prescriptive |
| CMMC L2 + NIST 800-171 | 95%+ | CMMC derived from 800-171 |
| PCI DSS + SOC 2 | 45-55% | Operational overlap, PCI has CHD-specific controls |
| EU AI Act + ISO 42001 | 50-60% | Risk mgmt, documentation, monitoring |
Stack five frameworks: cumulative unique controls are typically 35-45% of the sum total. The other 55-65% is redundant work. An organization managing SOC 2 (312), ISO 27001 (286), NIST CSF (108), CMMC (110), and PCI DSS (264) tracks 1,080 rows in the siloed model. With SCF mapping: ~420 unique controls cover all five. A 61% reduction in control management overhead.
Evidence reduction is larger still. One encryption configuration gets uploaded five times today. In a unified model, it's one artifact mapped to every framework requiring encryption at rest.
How Kyudo implements this
Kyudo's Controls Hub is the single control registry. Every control maps to SCF via the STRM Engine, with typed relationships and strength ratings for every connected framework requirement.
The Framework Registry stores 80+ frameworks as queryable structures. Activating a new framework triggers automatic identification of existing controls that already satisfy its requirements, and at what strength. Your team focuses on the 30-40% that's genuinely new.
CMCAE (Continuous Multi-Framework Control Assessment Engine) evaluates incoming evidence against all applicable controls across all active frameworks simultaneously. One assessment event, propagated with appropriate strength weighting.
The compliance graph connects controls to evidence, evidence to source systems, controls to framework requirements, requirements to audit observations. An auditor traces from requirement to control to evidence to source in a single query.
When you mark an access control as "Operating" with fresh evidence, both SOC 2 and ISO 27001 reflect that status immediately. No reconciliation. One truth. More on this architecture in One Control, Many Frameworks.
The counter-argument: "Our auditor wants framework-specific evidence"
Valid concern. Your SOC 2 auditor expects evidence by TSC criteria. Your ISO assessor expects Annex A mapping. They don't want SCF reference numbers.
But they need evidence that a requirement is satisfied, organized traceably. Whether collected once and mapped or collected separately, the auditor doesn't care. They care about completeness, freshness, and provenance.
A unified architecture doesn't eliminate framework-specific reporting. It eliminates framework-specific collection and assessment. You collect once, assess once, report N ways. The auditor sees their framework's control IDs mapped to evidence with full chains.
Second objection: "What about non-overlapping requirements?" PCI has CHD-specific requirements no other framework shares. CMMC has CUI handling unique to DoD. These exist as non-overlapping controls, managed alongside shared ones but assessed independently. A unified model doesn't pretend everything overlaps. It quantifies exactly what does and what doesn't.
The audit calendar transformation
Five frameworks siloed means five audit cycles, each with 4-6 weeks prep, a collection sprint, remediation, and reporting. You're perpetually in prep for something.
Under continuous assessment, "audit prep" shrinks. Controls are continuously assessed. Evidence freshness is monitored. When an auditor arrives, the current state is the audit-ready state. Generate a framework-specific report from current data instead of a last-minute collection sprint.
The difference between "collect 200 artifacts in three weeks" and "answer 15 questions about evidence we already have" is the difference between a staffing crisis and a calendar event.
Your Monday morning checklist
- Count unique controls. Pull all framework libraries side by side. Identify controls with the same operational intent across different IDs. The difference between your tracked total and your unique count is your redundancy cost.
- Measure evidence duplication. Pick 10 artifacts at random. Count how many framework-specific records reference the same underlying proof. Average above 1.5 means substantial duplicate work.
- Check cross-framework consistency. For controls appearing in multiple frameworks, verify status matches. "Implemented" in SOC 2 but "Gap" in CMMC for the same MFA control is a credibility problem.
- Estimate next-framework cost. Adding EU AI Act or DORA next quarter: how many new rows vs. how many map to existing controls? The ratio tells you if your architecture scales or multiplies.
- Test your tool. Upload one evidence artifact. Does it propagate to every control it satisfies across every framework? If not, your tool stores frameworks. It doesn't reason across them.
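The first three checklist steps as an added Python example (not Kyudo's code), run over a constructed set of siloed spreadsheet rows. The scf_intent column is the one you fill in by hand during step 1; the intent IDs, statuses and artifact file names are assumptions made up for the illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed siloed rows: (framework, requirement_id, scf_intent, status, evidence_ref).
SILOED_ROWS = [
    ("SOC 2",     "CC6.1",       "AC-07",      "Implemented",  "mfa-ca-policy.json"),
    ("ISO 27001", "A.8.5",       "AC-07",      "Implemented",  "mfa-ca-policy.json"),
    ("CMMC L2",   "AC.L2-3.1.1", "AC-07",      "Gap",          None),
    ("PCI DSS",   "8.4.2",       "AC-07",      "Implemented",  "mfa-ca-policy.json"),
    ("SOC 2",     "CC6.7",       "CRY-05",     "Implemented",  "disk-encryption-report.pdf"),
    ("ISO 27001", "A.8.24",      "CRY-05",     "Implemented",  "disk-encryption-report.pdf"),
    ("PCI DSS",   "3.5.1",       "PCI-CHD-01", "Implemented",  "pan-tokenization.pdf"),
    ("CMMC L2",   "MP.L2-3.8.1", "MP-02",      "Not assessed", None),
]


def redundancy(rows):
    """Step 1: tracked rows vs. unique control intents; reduction is the redundancy cost."""
    tracked = len(rows)
    unique = len({r[2] for r in rows})
    return {"tracked": tracked, "unique": unique, "reduction": round(1 - unique / tracked, 3)}


def evidence_duplication(rows):
    """Step 2: average number of framework rows that point at the same artifact."""
    refs = defaultdict(int)
    for r in rows:
        if r[4] is not None:
            refs[r[4]] += 1
    return round(mean(refs.values()), 2) if refs else 0.0


def inconsistent_intents(rows):
    """Step 3: intents tracked in more than one framework whose statuses disagree."""
    statuses, row_count = defaultdict(set), defaultdict(int)
    for r in rows:
        statuses[r[2]].add(r[3])
        row_count[r[2]] += 1
    shared = {k for k in statuses if row_count[k] > 1}
    conflicts = sorted(k for k in shared if len(statuses[k]) > 1)
    rate = round(len(conflicts) / len(shared), 3) if shared else 0.0
    return conflicts, rate
```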
Compliance theatre is treating framework count as rigor. Real rigor is knowing how many unique intents you manage, how fresh the evidence is, and where genuine gaps live.
Kyudo's STRM Engine maps 1,470+ controls across 80+ frameworks with typed, strength-rated relationships. One control set. Every framework. Zero duplication.
Book a demo to see how your existing controls map across every framework you answer to.
