Compliance Frameworks

LanternOps supports 6 major compliance frameworks with 618 total controls that automatically map to your service offerings through AI-powered semantic matching.

CIS Controls v8.1

149 controls organized into 18 Implementation Groups

Best For:

  • General cybersecurity baseline
  • Organizations of any size
  • Cyber insurance requirements
  • Security maturity improvement

Coverage Areas:

  • Asset Management
  • Data Protection
  • Access Control
  • Network Security
  • Incident Response
  • Vulnerability Management

Example Controls:

  • CIS 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
  • CIS 5.1: Establish and Maintain an Inventory of Accounts
  • CIS 10.1: Deploy and Maintain Anti-Malware Software

NIST CSF 2.0

103 controls across 6 core functions

Best For:

  • Enterprise organizations
  • Risk-based approach to cybersecurity
  • Federal contractors
  • Mature security programs

Coverage Areas:

  • Govern (GV) - Organizational cybersecurity governance
  • Identify (ID) - Asset and risk management
  • Protect (PR) - Safeguards and security controls
  • Detect (DE) - Continuous monitoring
  • Respond (RS) - Incident response
  • Recover (RC) - Business continuity

Example Controls:

  • NIST ID.AM-1: Physical devices and systems are inventoried
  • NIST PR.AC-1: Identities and credentials are issued, managed, verified
  • NIST DE.CM-1: Networks are monitored to detect potential cybersecurity events

CMMC Level 2

110 controls for Department of Defense contractors

Best For:

  • DoD contractors handling CUI (Controlled Unclassified Information)
  • Defense Industrial Base (DIB) companies
  • Organizations pursuing government contracts
  • DFARS 7012 compliance

Coverage Areas:

  • Access Control (AC)
  • Awareness and Training (AT)
  • Audit and Accountability (AU)
  • Configuration Management (CM)
  • Identification and Authentication (IA)
  • Incident Response (IR)
  • Maintenance (MA)
  • Media Protection (MP)
  • Personnel Security (PS)
  • Physical Protection (PE)
  • Risk Assessment (RA)
  • Security Assessment (CA)
  • System and Communications Protection (SC)
  • System and Information Integrity (SI)

Example Controls:

  • CMMC AC.2.007: Employ the principle of least privilege
  • CMMC IA.2.081: Enforce a minimum password complexity
  • CMMC SC.2.179: Use encrypted sessions for managing network devices

Special Note: CMMC requires third-party assessment for certification. LanternOps provides continuous evidence collection to stay audit-ready.

HIPAA Security Rule

63 controls for healthcare data protection

Best For:

  • Healthcare providers
  • Health plans
  • Healthcare clearinghouses
  • Business associates handling PHI (Protected Health Information)

Coverage Areas:

  • Administrative Safeguards (20 controls)

    • Security management process
    • Workforce security
    • Information access management
    • Security awareness and training
    • Security incident procedures
  • Physical Safeguards (13 controls)

    • Facility access controls
    • Workstation use and security
    • Device and media controls
  • Technical Safeguards (30 controls)

    • Access control
    • Audit controls
    • Integrity controls
    • Transmission security

Example Controls:

  • HIPAA 164.308(a)(1)(ii)(B): Risk Management
  • HIPAA 164.312(a)(1): Access Control
  • HIPAA 164.312(e)(1): Transmission Security

SOC 2 Type II

52 controls based on Trust Services Criteria

Best For:

  • SaaS companies
  • Cloud service providers
  • Technology vendors
  • Companies storing customer data

Coverage Areas:

  • Security (Common Criteria) - Always required

    • Access controls
    • System operations
    • Change management
    • Risk mitigation
  • Availability - System uptime and performance

  • Processing Integrity - Complete, valid, accurate processing

  • Confidentiality - Protection of confidential information

  • Privacy - Collection, use, retention of personal information

Example Controls:

  • CC6.1: Logical and physical access controls restrict unauthorized access
  • CC7.2: System monitoring includes detection of security incidents
  • A1.1: Availability commitments are met based on defined SLAs

Special Note: SOC 2 Type II requires 3-12 months of evidence. LanternOps collects evidence continuously so you’re always audit-ready.

PCI DSS v4.0

141 controls for payment card security

Best For:

  • Merchants accepting credit cards
  • Payment processors
  • Service providers storing card data
  • E-commerce platforms

Coverage Areas:

  • Build and Maintain a Secure Network (Requirements 1-2)
  • Protect Account Data (Requirements 3-4)
  • Maintain a Vulnerability Management Program (Requirements 5-6)
  • Implement Strong Access Control Measures (Requirements 7-8)
  • Regularly Monitor and Test Networks (Requirements 9-11)
  • Maintain an Information Security Policy (Requirement 12)

Example Controls:

  • PCI DSS 1.2.1: Configuration standards for firewall rules
  • PCI DSS 8.3.1: Multi-factor authentication for all access
  • PCI DSS 10.2.1: Audit logs capture all access to cardholder data

Choose which frameworks apply to your customers:

Settings → Compliance Frameworks → Enable/Disable

You can enable multiple frameworks simultaneously. Most MSPs enable:

  • CIS Controls (baseline for all customers)
  • Industry-specific frameworks (HIPAA for healthcare, PCI DSS for retail, etc.)

Once enabled, LanternOps’ RAG (Retrieval-Augmented Generation) system automatically maps your services to framework controls through semantic understanding.

No manual configuration required.

How It Works:

Your Service: "Complete Asset Management"
AI/RAG analyzes service description and features
Automatically maps to:
✅ CIS 1.1 - Asset Inventory
✅ CIS 1.2 - Software Inventory
✅ NIST ID.AM-1 - Physical device inventory
✅ NIST ID.AM-2 - Software platform inventory
✅ CMMC AC.1.001 - Authorized access control
✅ HIPAA 164.310(d)(1) - Device and media controls

Example Mapping:

Your Service → Automatically Maps To

  • EDR Protection (Huntress) → CIS 10.1-10.7, NIST PR.PT-1, CMMC SC.2.170, PCI DSS 5.1
  • Advanced Email Security → CIS 9.1-9.7, NIST PR.AC-7, HIPAA 164.312(e), SOC 2 CC6.1
  • Backup & DR → CIS 11.1-11.5, NIST PR.IP-4, CMMC CP.2.009, HIPAA 164.308(a)(7)
  • Patch Management → CIS 7.1-7.7, NIST PR.IP-12, CMMC SI.2.216, PCI DSS 6.3

Integrations provide automatic proof of compliance:

Asset Management Example:

Control: CIS 1.1 - Enterprise Asset Inventory
Evidence Sources:
✅ NinjaOne: 147 endpoints discovered
✅ Last Sync: 2 hours ago
✅ Coverage: 100% of network mapped
✅ Update Frequency: Every 15 minutes
Status: SATISFIED
Confidence: 95%

EDR Protection Example:

Control: CIS 10.1 - Deploy Anti-Malware Software
Evidence Sources:
✅ Huntress: 147 agents deployed
✅ Threats Blocked: 23 this month
✅ Agent Health: 100% reporting
✅ Real-time Protection: Active
Status: SATISFIED
Confidence: 98%
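The two evidence examples above show a SATISFIED status with a confidence figure derived from integration data. The check below is an added illustration of how such a status can be derived defensively, so that evidence from a stale or incomplete integration cannot mark a control satisfied; it is not LanternOps code. The integration names come from the page; the `EvidenceSource` fields, the 24-hour freshness limit, the 95% coverage threshold and the PARTIAL/STALE/GAP status names are assumptions made for the example.

```python
from dataclasses import dataclass, field

MAX_SYNC_AGE_HOURS = 24.0   # assumed freshness SLA for an evidence source
MIN_COVERAGE = 0.95         # assumed fraction of in-scope endpoints a source must see


@dataclass
class EvidenceSource:
    integration: str   # e.g. "NinjaOne" or "Huntress" (names taken from the page)
    age_hours: float   # hours since the integration last synced
    covered: int       # endpoints this source actually reports on
    expected: int      # endpoints in scope for the control


@dataclass
class ControlStatus:
    control: str
    status: str              # SATISFIED, PARTIAL, STALE or GAP (assumed names)
    confidence: int          # 0-100
    findings: list = field(default_factory=list)


def assess_control(control, sources):
    """Derive a control's evidence status the way an auditor would read it:
    evidence only counts if it is fresh and covers (almost) everything in scope."""
    if not sources:
        return ControlStatus(control, "GAP", 0, ["no evidence source attached"])
    findings = []
    coverage = 1.0
    stale = False
    for s in sources:
        ratio = s.covered / s.expected if s.expected else 0.0
        coverage = min(coverage, ratio)
        if ratio < MIN_COVERAGE:
            findings.append(f"{s.integration}: {s.covered}/{s.expected} endpoints covered")
        if s.age_hours > MAX_SYNC_AGE_HOURS:
            stale = True
            findings.append(f"{s.integration}: last sync {s.age_hours:.0f}h ago")
    confidence = int(100 * coverage)
    if stale:
        # Stale evidence says nothing about the control today; cap confidence so a
        # dashboard cannot show "Audit-Ready" on data the integration stopped sending.
        return ControlStatus(control, "STALE", min(confidence, 50), findings)
    if coverage < MIN_COVERAGE:
        return ControlStatus(control, "PARTIAL", confidence, findings)
    return ControlStatus(control, "SATISFIED", confidence, findings)


if __name__ == "__main__":
    # Constructed sample input modelled on the CIS 1.1 and CIS 10.1 examples above.
    samples = {
        "CIS 1.1": [EvidenceSource("NinjaOne", age_hours=2, covered=147, expected=147)],
        "CIS 10.1": [EvidenceSource("Huntress", age_hours=2, covered=130, expected=147)],
        "CIS 10.2": [EvidenceSource("Huntress", age_hours=72, covered=147, expected=147)],
        "CIS 10.3": [],
    }
    for control, sources in samples.items():
        result = assess_control(control, sources)
        print(f"{result.control}: {result.status} (confidence {result.confidence}%)")
        for line in result.findings:
            print(f"  ⚠️ {line}")
```

The important design choice is that freshness and coverage are applied per source and the worst source wins: one integration that has not synced since last week downgrades the whole control, which is what an assessor would do when asked to rely on it.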

LanternOps automatically identifies controls NOT satisfied by current services:

Gap Report Example:

Framework: CIS Controls v8.1
Status: 42/149 controls satisfied (28%)
⚠️ Critical Gaps:
CIS 10.1-10.7: Malware Defenses
→ Missing Service: EDR Protection
→ Impact: Vulnerable to ransomware, advanced threats
→ Recommendation: Add Huntress EDR ($735/month)
CIS 6.1-6.8: Access Control Management
→ Missing Service: Advanced MFA
→ Impact: Password-based authentication only
→ Recommendation: Add Microsoft Entra MFA ($200/month)

Many controls overlap across frameworks. LanternOps automatically handles crosswalk mappings.

Example: Asset Management Service

One service satisfies multiple frameworks simultaneously:

Service: "Complete Asset Management"
Satisfies:
✅ CIS 1.1 - Asset Inventory
✅ NIST ID.AM-1 - Physical devices inventoried
✅ CMMC AC.1.001 - Authorized system access
✅ HIPAA 164.310(d)(1) - Device inventory and controls
✅ SOC 2 CC6.1 - Logical access controls
✅ PCI DSS 2.2.1 - Configuration standards
Result: ONE service → 6 framework requirements satisfied

This means:

  • Less duplicate work
  • Efficient compliance coverage
  • Clear value demonstration

You can pursue multiple frameworks for a single customer:

Example: Healthcare SaaS Company

Customer: Acme Health Software (SaaS platform for medical practices)
Enabled Frameworks:
✅ HIPAA (required - handles PHI)
✅ SOC 2 Type II (required - customer due diligence)
✅ CIS Controls (baseline security)
Overall Status:
HIPAA: 49/63 controls (78%)
SOC 2: 42/52 controls (81%)
CIS: 87/149 controls (58%)
Total Services Required: 12
Currently Subscribed: 9
Gap Opportunities: 3 services ($1,200/month MRR)
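The gap report, the crosswalk example and the multi-framework status above all rest on the same computation: take the union of controls covered by a customer's subscribed services, count it per enabled framework, and rank the services not yet subscribed by how many outstanding controls each would close. The Python below is an added worked example of that computation, not LanternOps code. It uses an explicit mapping table (built from the mappings printed on this page) in place of the RAG-generated mappings the page describes, and the per-framework totals stated on the page; the function names and the dict layout are assumptions.

```python
# Framework prefixes used to attribute a control id to its framework.
FRAMEWORKS = ["CIS", "NIST", "CMMC", "HIPAA", "SOC 2", "PCI DSS"]

# Total control counts per framework, as stated on this page.
TOTALS = {"CIS": 149, "NIST": 103, "CMMC": 110, "HIPAA": 63, "SOC 2": 52, "PCI DSS": 141}

# Constructed crosswalk: service -> controls it satisfies. Entries are taken from
# the mappings shown on this page; the shape is an assumption (the page says the
# real mappings are produced by RAG rather than maintained by hand).
CROSSWALK = {
    "Complete Asset Management": [
        "CIS 1.1", "NIST ID.AM-1", "CMMC AC.1.001",
        "HIPAA 164.310(d)(1)", "SOC 2 CC6.1", "PCI DSS 2.2.1",
    ],
    "EDR Protection": ["CIS 10.1", "NIST PR.PT-1", "CMMC SC.2.170", "PCI DSS 5.1"],
    "Advanced MFA": ["CIS 6.3", "HIPAA 164.312(d)"],
    "Backup & DR": ["CIS 11.1", "NIST PR.IP-4", "CMMC CP.2.009", "HIPAA 164.308(a)(7)"],
}


def framework_of(control_id):
    """Map 'SOC 2 CC6.1' -> 'SOC 2', 'CIS 1.1' -> 'CIS', and so on."""
    for fw in FRAMEWORKS:
        if control_id.startswith(fw + " "):
            return fw
    raise ValueError(f"unknown framework for control {control_id!r}")


def satisfied_controls(subscribed):
    """Union of controls covered by the services a customer subscribes to."""
    covered = set()
    for service in subscribed:
        covered.update(CROSSWALK[service])
    return covered


def framework_status(subscribed, enabled):
    """Per-framework (satisfied, total, percent) for the enabled frameworks."""
    covered = satisfied_controls(subscribed)
    status = {}
    for fw in enabled:
        n = sum(1 for c in covered if framework_of(c) == fw)
        status[fw] = (n, TOTALS[fw], round(100 * n / TOTALS[fw]))
    return status


def gap_opportunities(subscribed, enabled):
    """Rank unsubscribed services by the number of not-yet-satisfied controls
    they would close across every enabled framework (the crosswalk effect)."""
    covered = satisfied_controls(subscribed)
    ranked = {}
    for service, controls in CROSSWALK.items():
        if service in subscribed:
            continue
        new = sorted(c for c in controls if framework_of(c) in enabled and c not in covered)
        if new:
            ranked[service] = new
    return sorted(ranked.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    # Constructed customer modelled on the healthcare SaaS example above.
    subscribed = ["EDR Protection"]
    enabled = ["HIPAA", "SOC 2", "CIS"]
    for fw, (n, total, pct) in framework_status(subscribed, enabled).items():
        print(f"{fw}: {n}/{total} controls ({pct}%)")
    print("⚠️ Gap Opportunities:")
    for service, closes in gap_opportunities(subscribed, enabled):
        print(f"→ Add {service}: closes {len(closes)} controls ({', '.join(closes)})")
```

Because the ranking counts controls across all enabled frameworks at once, a service such as asset management that appears in every framework's crosswalk naturally rises to the top, which is the "one service, six requirements" effect the page describes.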

Real-time visibility into framework compliance:

┌─────────────────────────────────────────────┐
│ Compliance Frameworks                       │
├─────────────────────────────────────────────┤
│ CIS Controls v8.1    [====    ] 42/149      │
│ NIST CSF 2.0         [======  ] 38/103      │
│ CMMC Level 2         [===     ] 28/110      │
│ HIPAA Security Rule  [========]  49/63      │
│ SOC 2 Type II        [========]  42/52      │
│ PCI DSS v4.0         [==      ] 22/141      │
└─────────────────────────────────────────────┘

Click any framework to see:

  • Satisfied Controls - Services implementing each control
  • Partial Controls - Need additional features/configuration
  • Gap Controls - Missing services required
  • Evidence Status - Data collection health

Customers see their compliance status in real-time:

Your Compliance Status
HIPAA Security Rule: 78% Compliant
✅ 49 of 63 controls satisfied through your services
Administrative Safeguards: 18/20 controls
Physical Safeguards: 10/13 controls
Technical Safeguards: 21/30 controls
Evidence Last Updated: 2 hours ago
Status: Audit-Ready

Generate comprehensive audit documentation in 5 minutes:

What’s Included:

  1. Executive Summary

    • Overall compliance percentage
    • Controls satisfied vs. gaps
    • Risk assessment
  2. Control-by-Control Assessment

    • Implementation status
    • Evidence from integrations
    • Service mappings
    • Validation results
  3. Evidence Appendix

    • Integration reports
    • Configuration screenshots
    • Policy documents
    • Audit logs
  4. Gap Analysis

    • Controls not satisfied
    • Remediation recommendations
    • Service options to close gaps

Output Format: Professional PDF ready for auditors

Time Saved: 40+ hours of manual work

Customer Profile: Regional medical practice (75 employees)

Frameworks:

  • HIPAA Security Rule (regulatory requirement)
  • CIS Controls (cyber insurance requirement)

Services Required:

  • Asset Management → HIPAA 164.310(d), CIS 1.1
  • Advanced Email Security → HIPAA 164.312(e), CIS 9.1
  • EDR Protection → HIPAA 164.312(b), CIS 10.1
  • Backup & DR → HIPAA 164.308(a)(7), CIS 11.1
  • MFA → HIPAA 164.312(d), CIS 6.3

Result: 63/63 HIPAA controls, 72/149 CIS controls satisfied

Customer Profile: Defense contractor (200 employees)

Framework:

  • CMMC Level 2 (required for DoD contracts handling CUI)

Services Required:

  • 14 services to achieve all 110 controls
  • Third-party assessment scheduled
  • Continuous evidence collection ongoing

Result: CMMC Level 2 certified, $5M DoD contract secured

Customer Profile: Payment processor (150 employees)

Frameworks:

  • SOC 2 Type II (customer requirement)
  • PCI DSS v4.0 (regulatory requirement)

Services Required:

  • 18 services for complete coverage
  • Quarterly PCI scans
  • Annual SOC 2 audit

Result: SOC 2 clean opinion, PCI Level 1 compliant

Customer Profile: Law firm (50 employees)

Framework:

  • CIS Controls (cyber insurance requirement)

Services Required:

  • 8 core services (IG1 implementation group)
  • Focus on foundational controls

Result: Cyber insurance premium reduced 30%

LanternOps maintains current versions of all frameworks:

Update Process:

  1. Framework organization releases new version
  2. LanternOps team reviews changes
  3. New controls added to database
  4. Service mappings updated automatically (via RAG)
  5. Customers notified of changes
  6. No disruption to existing compliance status

Recent Updates:

  • NIST CSF 2.0 (February 2024) - Added “Govern” function
  • PCI DSS v4.0 (March 2024) - 64 new requirements
  • CIS Controls v8.1 (May 2023) - Reorganized implementation groups

Next Steps:

  1. Set Up Service Catalog - Define your MSP services
  2. Configure Integrations - Connect evidence sources
  3. Generate Audit Package - Create your first report
  4. View Revenue Opportunities - Find compliance gaps