Kyūdō
Compliance Frameworks

Implement once. Satisfy many.

Your organization does not comply with one framework at a time. Neither should your GRC platform. Kyūdō maps controls once across 80+ frameworks simultaneously — using Compliance Graph reasoning, not spreadsheet duplication.

Foundation

Grounded in the Secure Controls Framework

The Secure Controls Framework (SCF) is a comprehensive meta-framework that maps 1,000+ controls across 100+ regulations and standards. Kyūdō uses SCF as its foundation, so you implement once and map to many.

Implement once

Define your controls once using SCF’s unified taxonomy. No duplicate work across frameworks.

Map to many

Automatically map your controls to SOC 2, ISO 27001, CMMC, HIPAA, and other frameworks simultaneously.

Stay current

SCF is continuously updated as regulations evolve. Your mappings stay accurate without manual intervention.

Supported Frameworks

Every framework your organization requires

Whether you're pursuing your first certification or managing multi-framework compliance, Kyūdō has you covered.

Popular

SOC 2

Type I & Type II

The gold standard for SaaS security assurance. Demonstrate security, availability, processing integrity, confidentiality, and privacy controls to enterprise customers.

Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy
Typical Timeline: 3–6 months (Type I), 6–12 months (Type II)
Best for: B2B SaaS, cloud service providers, technology companies

Kyūdō outcomes

  • Automated evidence collection for 80%+ of controls
  • Pre-mapped Microsoft security configurations
  • Auditor-ready evidence packages

Global

ISO 27001

Information Security Management

The international standard for information security management systems (ISMS). Required for enterprise sales in Europe and increasingly expected globally.

Control domains: 93 controls across 4 themes (2022 version)
Typical Timeline: 6–12 months initial, annual surveillance
Best for: Global enterprises, European market entry, defense supply chain

Kyūdō outcomes

  • Statement of Applicability (SoA) generation
  • Risk assessment workflows with ISO 27005 alignment
  • Continuous control monitoring

Foundation

NIST CSF v2.0

Cybersecurity Framework

The US government’s cybersecurity framework, now in version 2.0. A flexible, risk-based approach that serves as a foundation for many other frameworks.

Core Functions: Govern, Identify, Protect, Detect, Respond, Recover
Implementation tiers: Partial, Risk-Informed, Repeatable, Adaptive
Best for: Critical infrastructure, government contractors, risk-based programs

Kyūdō outcomes

  • Current and target profile generation
  • Gap analysis with prioritized remediation
  • Maturity assessment across functions

Defense

CMMC 2.0

Cybersecurity Maturity Model Certification

Required for US Department of Defense contractors. Builds on NIST 800-171 with third-party assessment requirements for handling Controlled Unclassified Information (CUI).

Levels: Level 1 (Foundational), Level 2 (Advanced), Level 3 (Expert)
Controls: 17 practices (L1), 110 practices (L2), 110+ (L3)
Best for: DoD contractors, defense supply chain, CUI handlers

Kyūdō outcomes

  • NIST 800-171 SSP and POA&M generation
  • CUI boundary documentation
  • Customer-hosted deployment meets Level 2+ requirements

Healthcare

HIPAA

Health Insurance Portability and Accountability Act

US healthcare privacy and security regulations. Required for covered entities and business associates handling Protected Health Information (PHI).

Rules: Privacy Rule, Security Rule, Breach Notification Rule
Safeguards: Administrative, Physical, Technical
Best for: Healthcare providers, health tech, business associates

Kyūdō outcomes

  • Security Rule compliance mapping
  • Risk analysis documentation
  • BAA tracking and management

Payments

PCI DSS v4.0

Payment Card Industry Data Security Standard

Required for organizations that store, process, or transmit cardholder data. Version 4.0 introduces customized controls and enhanced authentication requirements.

Requirements: 12 principal requirements, 250+ sub-requirements
Validation: SAQ, ROC, or QSA assessment based on volume
Best for: E-commerce, payment processors, financial services

Kyūdō outcomes

  • Cardholder data environment (CDE) scoping
  • Compensating control documentation
  • Quarterly scan and assessment tracking

Privacy

GDPR

General Data Protection Regulation

The European Union’s comprehensive data protection regulation. Applies to any organization processing EU resident data, regardless of location.

Principles: Lawfulness, Purpose limitation, Data minimization, Accuracy, Storage limitation, Security
Rights: Access, Rectification, Erasure, Portability, Objection
Best for: Any organization with EU customers or employees

Kyūdō outcomes

  • Records of processing activities (RoPA)
  • Data subject request tracking
  • DPA and transfer impact assessments

Additional Frameworks

And many more supported

Kyūdō's SCF foundation enables support for dozens of additional frameworks. Contact us if you don't see your requirements listed.

NIST 800-171 / 800-53
FedRAMP
HITRUST CSF
CIS Controls
StateRAMP
CCPA / CPRA
CSA STAR
ISO 27017 / 27018

Efficiency

Implement once, satisfy many

Kyūdō's Compliance Graph understands how controls map across frameworks. Implement a control once, and see it automatically satisfy requirements in SOC 2, ISO 27001, and CMMC simultaneously.
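The crosswalk idea behind "implement once, satisfy many", as an added illustration that is not Kyūdō's or SCF's own code: a unified control maps to the requirements it satisfies in several frameworks, so a set of implemented controls can be resolved into per-framework coverage, remaining gaps, and the control overlap between two frameworks. All control and requirement IDs below are constructed placeholders, not real SCF, SOC 2, ISO 27001 or CMMC identifiers.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed crosswalk for illustration: one unified control -> the requirement
# IDs it satisfies in each framework. The IDs are placeholders, not real SCF,
# SOC 2, ISO 27001 or CMMC identifiers, and the mapping is not SCF's or Kyūdō's.
CROSSWALK = {
    "UC-01": {"SOC 2": {"S-1"}, "ISO 27001": {"I-1"}, "CMMC": {"C-1"}},
    "UC-02": {"SOC 2": {"S-2"}, "ISO 27001": {"I-2"}},
    "UC-03": {"SOC 2": {"S-3", "S-4"}, "CMMC": {"C-2"}},
    "UC-04": {"ISO 27001": {"I-3"}, "CMMC": {"C-3"}},
    "UC-05": {"CMMC": {"C-4"}},
}


def requirement_universe(crosswalk):
    """Every requirement each framework imposes, as far as the crosswalk knows."""
    universe = defaultdict(set)
    for mapping in crosswalk.values():
        for framework, reqs in mapping.items():
            universe[framework] |= reqs
    return dict(universe)


def coverage(implemented, crosswalk):
    """Per framework: requirements the implemented controls satisfy, remaining gaps,
    and the satisfied ratio. Unknown control IDs are rejected rather than ignored,
    so a typo cannot silently shrink the evidence base."""
    universe = requirement_universe(crosswalk)
    satisfied = defaultdict(set)
    for control in implemented:
        if control not in crosswalk:
            raise KeyError(f"unknown unified control {control!r}")
        for framework, reqs in crosswalk[control].items():
            satisfied[framework] |= reqs
    return {
        fw: {"satisfied": satisfied[fw], "gaps": reqs - satisfied[fw],
             "ratio": Fraction(len(satisfied[fw]), len(reqs))}
        for fw, reqs in universe.items()
    }


def overlap(crosswalk, framework_a, framework_b):
    """Share of unified controls needed for framework_a that also count toward
    framework_b: the 'control overlap' that makes implement-once pay off."""
    needed_a = {c for c, m in crosswalk.items() if framework_a in m}
    shared = {c for c in needed_a if framework_b in crosswalk[c]}
    return Fraction(len(shared), len(needed_a)) if needed_a else Fraction(0)
```

With UC-01 and UC-03 implemented, SOC 2 is 3/4 satisfied with S-2 outstanding, while the same two controls already cover half of CMMC; the gap sets are what a remediation plan would be built from.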

  • 100+ frameworks mapped
  • 1,000+ SCF controls
  • 60% typical control overlap

Ready to simplify multi-framework compliance?

See how Kyūdō's unified control framework can accelerate your certification journey.