Appendix B: Compliance Framework Mapping (6 frameworks)

Cross-framework control mapping showing how security domains align across CIS, NIST 800-53, PCI-DSS, HIPAA, and SOC 2 compliance requirements.

B.1 — Framework Coverage Summary

The following compliance frameworks were evaluated during this assessment across all four cloud providers.

Framework | Version / Scope | Category
CIS Benchmarks | AWS v3.0; Azure v2.1; Kubernetes v1.8 | Primary Baseline
NIST 800-53 | Revision 5; Security & Privacy Controls Catalog | Federal Standard
PCI DSS | Version 4.0; Payment Card Industry Standard | Industry Mandate
HIPAA | Security Rule; Technical & Administrative Safeguards | Regulatory
SOC 2 Type II | Trust Services Criteria (TSC); 5 Domains | Audit Standard
GDPR | EU General Data Protection Regulation | Privacy Regulation

B.2 — Cross-Framework Control Mapping (7 security domains)

The table below maps security domains assessed in this report to their corresponding control families and requirement IDs across each compliance framework. This mapping enables organizations to understand how remediating a single finding can satisfy requirements across multiple frameworks simultaneously.

Security Domain | CIS Benchmark | NIST 800-53 R5 | PCI DSS v4.0 | HIPAA | SOC 2 TSC
Identity & Access Management (MFA, RBAC, root keys, least privilege) | 1.1–1.22; 2.1.1–2.1.4 | AC-2, AC-3, AC-6, IA-2, IA-5, IA-8 | 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.4, 8.5 | §164.312(a); §164.312(d); §164.308(a)(3); §164.308(a)(4) | CC6.1, CC6.2, CC6.3
Data Protection (encryption at rest/transit, key management) | 2.1–2.4; 3.1–3.8 | SC-8, SC-12, SC-13, SC-28, MP-5 | 3.4, 3.5, 3.6, 3.7, 4.1, 4.2 | §164.312(a)(2)(iv); §164.312(e)(1); §164.312(e)(2)(ii) | CC6.1, CC6.7, C1.1
Network Security (VPC, security groups, network policies) | 4.1–4.5; 5.1–5.4 | SC-7, SC-8, AC-4, CA-3, SC-22 | 1.2, 1.3, 1.4, 1.5, 2.2.1 | §164.312(e)(1); §164.308(a)(4) | CC6.1, CC6.6, CC6.7
Logging & Monitoring (CloudTrail, flow logs, audit logs, SIEM) | 3.1–3.14; 4.1–4.16 | AU-2, AU-3, AU-6, AU-8, AU-12, SI-4 | 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7 | §164.312(b); §164.308(a)(1)(ii)(D); §164.308(a)(5)(ii)(C) | CC7.1, CC7.2, CC7.3
Incident Response (alerting, response plans, forensic readiness) | 4.15–4.16 | IR-1, IR-2, IR-4, IR-5, IR-6, IR-8 | 12.10; 12.10.1–12.10.7 | §164.308(a)(6); §164.308(a)(6)(ii) | CC7.3, CC7.4, CC7.5
Configuration Management (hardening, baseline configs, IaC, drift) | 2.1–2.3; 5.1–5.6 | CM-2, CM-6, CM-7, CM-8, SA-22 | 2.1, 2.2, 6.3, 6.4 | §164.310(a)(2)(iv); §164.312(a)(2)(i) | CC6.1, CC8.1
Vulnerability Management (scanning, patching, dependency management) | 5.3–5.4 | RA-5, SI-2, SI-5, SA-11 | 6.1, 6.2, 6.3, 11.3 | §164.308(a)(1)(ii)(A); §164.308(a)(8) | CC7.1, CC3.2

B.3 — Compliance Gap Analysis: Gaps Identified

The following summary shows the pass/fail percentage for each compliance framework based on the findings in this assessment. Gaps represent checks that failed, indicating non-compliance with the corresponding framework requirements. The pass rate is Passed divided by Total Requirements, so checks still awaiting manual review count against the rate until they are closed out. Note that a single remediation action can resolve gaps across multiple frameworks simultaneously.

Compliance Framework | Scope | Total Requirements | Passed | Failed | Manual Review | Pass Rate
CIS AWS Foundations v3.0 | Amazon Web Services | 67 | 41 | 22 | 4 | 61.2%
CIS Azure Foundations v2.1 | Microsoft Azure | 82 | 29 | 47 | 6 | 35.4%
CIS Kubernetes v1.8 | AKS Cluster | 124 | 109 | 12 | 3 | 87.9%
NIST 800-53 Rev 5 | Federal Security Standard | 256 | 178 | 64 | 14 | 69.5%
PCI DSS v4.0 | Payment Card Industry | 64 | 38 | 21 | 5 | 59.4%
HIPAA Security Rule | Healthcare Compliance | 45 | 28 | 14 | 3 | 62.2%
SOC 2 Type II | Trust Services Criteria | 38 | 27 | 9 | 2 | 71.1%
GDPR | EU Data Protection | 28 | 19 | 6 | 3 | 67.9%

Lowest Compliance: CIS Azure v2.1, 35.4% pass rate; 47 failed requirements across storage, networking, and Defender configurations.
Highest Compliance: CIS K8s v1.8, 87.9% pass rate; strong baseline hardening with only 12 failed requirements, primarily RBAC related.
Remediation Efficiency: Top 20 Findings; remediating the top 20 high-impact findings resolves gaps across an estimated 73% of all failed framework requirements.
Cross-Framework Efficiency: Because security controls map across multiple frameworks, many individual remediations satisfy requirements in 3–5 frameworks simultaneously. For example, enabling MFA on the root account (a single action) satisfies CIS 1.5, NIST IA-2, PCI-DSS 8.3, HIPAA §164.312(d), and SOC 2 CC6.1. The remediation roadmap in Section 10 prioritizes actions with the highest cross-framework impact.
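The mapping in B.2 and the efficiency claim in B.3 together describe a small optimisation problem: each finding closes a set of requirement IDs spread across several frameworks, and the remediation roadmap should prefer findings that close the most still-open requirements. The Python below is an added example, not tooling from this assessment. It models findings as sets of (framework, control) pairs, reproduces the B.3 pass-rate formula, ranks remediations with a greedy set-cover pass, and projects per-framework pass rates after a plan. Finding F-01 uses the exact root-MFA mapping quoted above; F-02 through F-05 and the failed-requirement set are constructed for illustration from IDs in the B.2 rows; the baseline totals are the B.3 figures. It assumes, as a simplification, that one closed requirement ID corresponds to one failed check in the B.3 counts.

```python
"""Cross-framework remediation prioritisation (added example, not part of the report)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    framework: str   # e.g. "CIS AWS v3.0"
    control: str     # e.g. "1.5"


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    satisfies: frozenset  # requirements that move to "pass" once this finding is remediated


def req(framework: str, *controls: str) -> list:
    """Build Requirement objects for several control IDs of one framework."""
    return [Requirement(framework, c) for c in controls]


# Constructed sample findings. F-01 is the report's own root-MFA mapping;
# F-02..F-05 are illustrative picks from the B.2 mapping rows.
FINDINGS = [
    Finding("F-01", "Root account has no MFA", frozenset(
        req("CIS AWS v3.0", "1.5") + req("NIST 800-53 R5", "IA-2") + req("PCI DSS v4.0", "8.3")
        + req("HIPAA", "§164.312(d)") + req("SOC 2", "CC6.1"))),
    Finding("F-02", "CloudTrail not enabled in all regions", frozenset(
        req("CIS AWS v3.0", "3.1") + req("NIST 800-53 R5", "AU-2", "AU-12") + req("PCI DSS v4.0", "10.2")
        + req("HIPAA", "§164.312(b)") + req("SOC 2", "CC7.2"))),
    Finding("F-03", "S3 bucket without default encryption", frozenset(
        req("CIS AWS v3.0", "2.1.1") + req("NIST 800-53 R5", "SC-28") + req("PCI DSS v4.0", "3.5")
        + req("HIPAA", "§164.312(a)(2)(iv)") + req("SOC 2", "CC6.1"))),
    Finding("F-04", "Security group allows 0.0.0.0/0 to port 22", frozenset(
        req("CIS AWS v3.0", "5.2") + req("NIST 800-53 R5", "SC-7") + req("PCI DSS v4.0", "1.3")
        + req("SOC 2", "CC6.6"))),
    Finding("F-05", "Unused IAM access key", frozenset(
        req("CIS AWS v3.0", "1.12") + req("NIST 800-53 R5", "AC-2") + req("PCI DSS v4.0", "8.2")
        + req("SOC 2", "CC6.2"))),
]

# Constructed set of failed requirements: everything the sample findings cover,
# plus one incident-response gap that no listed finding remediates.
FAILED = frozenset().union(*(f.satisfies for f in FINDINGS)) | {Requirement("NIST 800-53 R5", "IR-4")}

# (total requirements, passed) per framework, taken from the B.3 table.
BASELINE = {
    "CIS AWS v3.0": (67, 41), "NIST 800-53 R5": (256, 178), "PCI DSS v4.0": (64, 38),
    "HIPAA": (45, 28), "SOC 2": (38, 27),
}


def pass_rate(total: int, passed: int) -> float:
    """Pass rate as B.3 computes it: passed / total (manual-review items stay in the denominator)."""
    return round(100.0 * passed / total, 1)


def frameworks_touched(finding: Finding) -> int:
    """Number of distinct frameworks a single remediation satisfies."""
    return len({r.framework for r in finding.satisfies})


def greedy_plan(findings, failed, k):
    """Choose up to k findings, each time the one that closes the most still-open
    failed requirements (greedy set cover). Returns the plan and what stays open."""
    open_reqs = set(failed)
    plan, pool = [], list(findings)
    while pool and open_reqs and len(plan) < k:
        best = max(pool, key=lambda f: len(f.satisfies & open_reqs))
        gain = best.satisfies & open_reqs
        if not gain:
            break
        plan.append((best.finding_id, len(gain)))
        open_reqs -= gain
        pool.remove(best)
    return plan, frozenset(open_reqs)


def coverage(plan, failed) -> float:
    """Share of all failed requirements closed by the plan, in percent."""
    return round(100.0 * sum(n for _, n in plan) / len(failed), 1)


def projected_pass_rates(baseline, failed, still_open) -> dict:
    """Per-framework pass rate after the plan, assuming one closed requirement ID
    equals one failed check in the baseline counts (simplifying assumption)."""
    closed_by_fw = {}
    for r in failed - still_open:
        closed_by_fw[r.framework] = closed_by_fw.get(r.framework, 0) + 1
    return {fw: pass_rate(total, passed + closed_by_fw.get(fw, 0))
            for fw, (total, passed) in baseline.items()}


if __name__ == "__main__":
    plan, still_open = greedy_plan(FINDINGS, FAILED, k=3)
    for fid, n in plan:
        print(f"{fid}: closes {n} requirements")
    print(f"coverage: {coverage(plan, FAILED)}% of failed requirements")
    for fw, rate in projected_pass_rates(BASELINE, FAILED, still_open).items():
        print(f"{fw}: {pass_rate(*BASELINE[fw])}% -> {rate}%")
```

With the constructed data the greedy pass picks the CloudTrail finding first (6 open requirements), then root MFA (5), then S3 encryption (4, because SOC 2 CC6.1 was already closed by root MFA); three actions close 15 of 24 failed requirements, and the leftover NIST IR-4 gap shows why a roadmap also needs findings outside the scanner's top list.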