
Compliance

Salient maps your exercise results, twin intelligence, and connector data to five compliance frameworks, producing confidence-weighted scores and evidence-backed reports.

Supported Frameworks

| Framework | Controls | Focus |
|---|---|---|
| NIST CSF 2.0 | 23 categories | Cybersecurity maturity across Identify, Protect, Detect, Respond, Recover |
| CIS Controls v8 | 18 controls | Implementation-level security priorities |
| CMMC 2.0 | 14 domains | Defense contractor cybersecurity maturity |
| HIPAA | 8 safeguard areas | Healthcare data protection |
| SOC 2 Type II | 7 trust service criteria | Service organization controls |

Total: 70 mapped controls across all five frameworks.

How Scoring Works

Compliance scores are not self-assessed checkboxes. They are derived from actual evidence:

Evidence Sources

  1. Exercise scores — how the team performed on questions mapped to each control
  2. Twin facts — tools, processes, and capabilities the twin has verified
  3. Connector data — real telemetry from connectors such as Okta and Entra ID confirming control implementation
  4. Artifact content — policies, plans, and configurations uploaded to the platform

Confidence Weighting

Not all evidence is equal. Scores are weighted by confidence:

| Confidence | Weight | Source |
|---|---|---|
| Verified | 1.0x | Connector data, uploaded evidence |
| Observed | 0.8x | Seen in multiple exercises |
| Declared | 0.6x | Stated once in exercises or profile |
| Uncertain | 0.3x | Single mention, unconfirmed |

Contradiction Penalties

When the twin detects contradictions (e.g., "IR plan is current" but last update was 18 months ago), the affected controls receive a score penalty. Contradictions signal that declared posture does not match reality.

Source Diversity Bonus

Controls supported by multiple independent sources receive a small bonus. MFA coverage confirmed by both Okta connector data and exercise responses is more reliable than either alone.
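The three scoring rules above (confidence weighting, contradiction penalties, and the source diversity bonus) are easiest to reason about as one small function. The following is an added example, not Salient's own scoring engine: the confidence weights are taken from the table on this page, but the penalty magnitude (0.25 per contradiction), the bonus magnitude (0.05), the 12-month freshness threshold for the IR-plan contradiction, the unweighted framework rollup, and all sample evidence values are assumptions constructed for illustration.

```python
"""Confidence-weighted control scoring with contradiction penalties and a
source-diversity bonus. Added example, not Salient's own code: the weights
come from the page's table; penalty and bonus magnitudes are assumptions."""
from dataclasses import dataclass

# Weights as listed in the Confidence Weighting table.
CONFIDENCE_WEIGHTS = {
    "verified": 1.0,   # connector data, uploaded evidence
    "observed": 0.8,   # seen in multiple exercises
    "declared": 0.6,   # stated once in exercises or profile
    "uncertain": 0.3,  # single mention, unconfirmed
}

# Assumed magnitudes; the page says only that a penalty and a small bonus apply.
CONTRADICTION_PENALTY = 0.25  # subtracted per detected contradiction
DIVERSITY_BONUS = 0.05        # added when >= 2 independent sources support a control


@dataclass(frozen=True)
class Evidence:
    source: str       # independent source, e.g. "okta_connector", "exercise"
    confidence: str   # key into CONFIDENCE_WEIGHTS
    value: float      # 0.0..1.0: how fully this item shows the control is met


def ir_plan_contradiction(declared_current: bool, months_since_update: int,
                          max_age_months: int = 12) -> int:
    """Return 1 for the page's example contradiction (plan declared current
    but stale), else 0. The 12-month freshness threshold is an assumption."""
    return int(declared_current and months_since_update > max_age_months)


def score_control(evidence: list[Evidence], contradictions: int = 0) -> tuple[float, dict]:
    """Score one control in [0, 1].

    base    = confidence-weighted mean of evidence values
    bonus   = DIVERSITY_BONUS if at least two distinct sources support it
    penalty = CONTRADICTION_PENALTY per detected contradiction
    """
    if not evidence:  # no evidence at all: nothing to score
        return 0.0, {"base": 0.0, "bonus": 0.0, "penalty": 0.0, "sources": 0}
    weights = [CONFIDENCE_WEIGHTS[e.confidence] for e in evidence]
    base = sum(w * e.value for w, e in zip(weights, evidence)) / sum(weights)
    sources = {e.source for e in evidence}
    bonus = DIVERSITY_BONUS if len(sources) >= 2 else 0.0
    penalty = CONTRADICTION_PENALTY * contradictions
    score = max(0.0, min(1.0, base + bonus - penalty))  # clamp to [0, 1]
    return round(score, 3), {"base": round(base, 3), "bonus": bonus,
                             "penalty": penalty, "sources": len(sources)}


def framework_score(control_scores: dict[str, float]) -> float:
    """Unweighted mean over a framework's mapped controls (assumed rollup)."""
    return sum(control_scores.values()) / len(control_scores)


# Constructed sample evidence for two controls (values are illustrative).
MFA_EVIDENCE = [
    Evidence("okta_connector", "verified", 0.92),  # e.g. 92% of users enrolled
    Evidence("exercise", "observed", 0.80),        # team answered MFA questions well
]
IR_PLAN_EVIDENCE = [
    Evidence("artifact", "declared", 1.0),  # uploaded plan states it is current
]
# The page's own example: "IR plan is current" but last update was 18 months ago.
IR_PLAN_CONTRADICTIONS = ir_plan_contradiction(declared_current=True,
                                               months_since_update=18)

if __name__ == "__main__":
    mfa, mfa_detail = score_control(MFA_EVIDENCE)
    ir, ir_detail = score_control(IR_PLAN_EVIDENCE, IR_PLAN_CONTRADICTIONS)
    print("MFA:", mfa, mfa_detail)          # two sources agree: bonus applied
    print("IR plan:", ir, ir_detail)        # declared only, contradicted: penalised
    print("framework:", framework_score({"mfa": mfa, "ir_plan": ir}))
```

Two properties worth noticing in the output: the MFA control lands above its weighted base because the Okta connector and the exercise responses are independent and agree, while the IR-plan control, backed by a single declared artifact, drops from 1.0 to 0.75 once the staleness contradiction is counted. A control with no evidence scores 0.0 rather than raising, so a framework report never silently omits an unmapped control.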

Viewing Compliance Scores

posture_assessment()    # Includes compliance scores
posture_report()        # Board-ready report with compliance section
GET /api/compliance/frameworks/
GET /api/compliance/frameworks/{framework_id}/scores/
GET /api/compliance/report/{framework_id}/

Compliance as a byproduct

You do not need to do separate compliance work. Running exercises, connecting tools, and building the twin automatically generates compliance evidence. The compliance engine reads the same data the rest of the platform uses.
