Compliance Framework Coverage
SPNT's governance module maps substrate findings, control health records, and telemetry events to compliance obligations across 35 frameworks and 3,144 individual obligations as of v6.3.
This page summarises the major frameworks. The full per-framework obligation mapping is available to pilot and contracted customers through the platform.
Frameworks covered
General security management
- SOC 2 (Trust Services Criteria) — Type II reports supported through continuous evidence accumulation.
- ISO/IEC 27001:2022 — Annex A controls mapped to substrate findings and telemetry evidence.
Payment and financial services
- PCI DSS v4.0 — Continuous evidence for all PCI requirement areas applicable to in-scope assets.
- DORA (Digital Operational Resilience Act) — ICT risk management, incident management, digital operational resilience testing, and ICT third-party risk obligations mapped to substrate.
Privacy and data protection
- GDPR — Particular emphasis on Articles 25 (data protection by design) and 32 (security of processing), with related requirements mapped to substrate findings on personal-data-handling assets.
EU operational security
- NIS2 Directive — Article 21 measures across network and information system security, incident handling, business continuity, supply chain security, and access control.
US federal and defence
- CMMC 2.0 — Cybersecurity Maturity Model Certification practices and processes.
- NIST Cybersecurity Framework 2.0 — Functions mapped to substrate evidence.
- NIST SP 800-53 Rev. 5 — Security and privacy controls for federal information systems.
- NIST SP 800-171 Rev. 3 — Controlled Unclassified Information protection requirements.
Healthcare
- HIPAA Security Rule — Administrative, physical, and technical safeguards for ePHI.
Plus 24 additional frameworks
These cover regional regulations, sector-specific requirements, and baseline security standards. The full list is provided during pilot scoping.
Versioning
Obligations are versioned to specific framework releases. When a framework publishes a new version — a PCI DSS minor update, a new NIST 800-53 revision — the obligation dataset is updated to the new version. Existing finding-to-obligation links migrate automatically where the obligation identifier is stable. Obligations that are added, removed, or significantly changed are flagged for review.
How obligation status updates
Every time a substrate entity changes — a finding is written, a control health record updates, a telemetry event is classified, a verification verdict arrives — the applicability engine re-evaluates the obligations that entity affects. Compliance status is a live function of current substrate state.
Audit and evidence packets
Evidence packets are generated from the substrate on demand. For a given obligation, the packet contains the obligation reference, every linked finding with current status, the evidence chains for each finding, the relevant control health records, telemetry events that validate or invalidate the linked controls, verification records where available, and the remediation history over the audit period.
Packets are structured for auditor review — organised by obligation with citations to source records.
See framework coverage for your requirements
During a technical review, we'll map your specific compliance requirements to SPNT's framework coverage and demonstrate evidence packet generation.