Framework Converter
Framework Converter lets you start a System Security Plan (SSP) for one compliance framework using the control implementations you've already written for another. Instead of starting from a blank slate, the converter finds where controls overlap between your source and target frameworks, shows you how much coverage you'll get, and carries your existing implementation statements across — so you're reviewing and refining rather than starting over.
Navigation: Open a Security Plan → SSP Author → Security Plans tab
Overview
A typical use case: you've fully authored a NIST 800-53 Rev 5 SSP and now need a SOC 2 plan. Framework Converter maps the overlapping controls and pre-populates the SOC 2 plan with your existing language, leaving you to fill only the gaps.
The converter does not guess or generate AI content for mapped controls — it carries across your own implementation statements, scoped to what each target control actually requires.
Administrator Setup
Two steps are required before end users can access Framework Converter.
1. Enable the Feature Flag
Framework Converter is gated behind the CrossFrameworkMapping feature flag, which is off by default.
- Navigate to Admin (gear icon) → Modules and Features.
- Find
CrossFrameworkMappingand toggle it on.
Once enabled, a Security Plans tab appears in the SSP Author. When the flag is off, the tab is hidden.
2. Import Both Catalogs
The source and target frameworks must both be imported into your tenant before mapping can resolve.
For example, to convert NIST 800-53 Rev 5 → SOC 2, both the NIST 800-53 Rev 5 and SOC 2 catalogs must be present in your instance.
The control-to-control mapping data ships built into the product — there is no separate mapping file to install or maintain.
Supported Framework Pairs
This release supports direct mapping, where the source and target frameworks have a published control correspondence. The following pairs are validated:
| Source Framework | Target Framework |
|---|---|
| NIST 800-53 Rev 5 | SOC 2 |
| NIST 800-53 Rev 5 | CIS Controls v8 IG3 |
| NIST 800-53 Rev 5 | CMMC 2.0 |
| SOC 2 | NIST 800-53 Rev 5 (reverse) |
Mapping is bidirectional — a supported pair works in either direction.
Converting a Plan (End User Workflow)
-
Open the SSP Author on your target plan — the framework you want to build out.
-
Go to the Security Plans tab.
-
Select a source SSP — an existing plan whose implementation statements you want to reuse. You can select up to 20 source plans.
-
Review the overlap. The converter shows the percentage of target controls covered by each source plan. When using multiple sources, each is scored independently — one source's coverage does not inflate or hide another's.
-
Accept the mappings. Use any of the following:
- Accept — bring across a single mapping
- Accept All — accept every mapped control at once
- Accept All Above — accept all mappings above the current scroll position
Use the search bar to find and spot-check specific controls before accepting.
-
Generate. The target plan is populated with the accepted, source-derived statements.
Understanding the Results
| Result | What it means |
|---|---|
| Overlap percentage | How much of the target framework is covered by the source plan. Scored per source independently. |
| Mapped controls | Pre-populated with implementation statements derived from your source plan. |
| Unmapped controls | Fall back to RegScale's standard AI-assisted authoring — the same experience as authoring without a source. |
| 0% overlap with a message | No mapping exists between that source/target pair. Expected behavior, not an error. |
Limitations
| Limitation | Detail |
|---|---|
| Custom or forked catalogs | A catalog you've customized or forked is treated as a distinct framework and won't match the built-in mappings. Convert using the original shipped catalog. |
| Self-imported OSCAL content | Catalogs imported directly from a publisher's own OSCAL files carry different identifiers and won't match the built-in mappings. |
| ISO 27001 | ISO content is not shipped with RegScale. Mappings targeting ISO 27001 only apply if you've imported your own licensed ISO catalog. |
| Source plan count | A single conversion request supports up to 20 source SSPs. |
| Transitive mapping | Not available in this release. |
FAQ
Why did I get 0% overlap?
There is no defined mapping between that specific source and target pair, or one of the catalogs is not imported. Check that both catalogs are present in your tenant and that the pair appears in the supported pairs table.
Why is the framework I need missing?
Either the catalog is not imported in your tenant, or the pair is not supported in this release.
Why didn't my customized catalog map?
Customized, forked, or self-imported catalogs are treated as separate frameworks. Use the original shipped catalog as your source or target.
The Security Plans tab is not showing up.
The CrossFrameworkMapping feature flag is off. Ask your administrator to enable it in Admin → Modules and Features.
Updated 1 day ago