Compliance Data
We maintain machine-readable compliance frameworks in compliance/ for SOC 2 prep and ongoing security posture management. This includes CIS Benchmarks (technical configuration baselines) and SOC 2 Trust Services Criteria (audit framework).
CIS Benchmarks
compliance/cis/ contains CIS Benchmarks for every platform in our stack. These are the authoritative security configuration baselines published by the Center for Internet Security — the same benchmarks that AWS Security Hub, Fleet MDM, and most compliance platforms evaluate against.
What we have
| Benchmark | Version | Recs | Use case |
|---|---|---|---|
| Apple macOS 15.0 Sequoia | v2.0.0 | 124 | Fleet MDM policies, endpoint hardening |
| AWS Foundations | v6.0.0 | 63 | AWS account security, Security Hub alignment |
| Google Workspace Foundations | v1.3.0 | 89 | Google Workspace admin settings |
| GitHub | v2.0.0 | 120 | GitHub org/repo/branch security |
| Docker | v1.9.0 | 118 | ECS container hardening |
JSON structure
Each benchmark file contains an array of recommendations with this structure:
{
"ref": "2.1.2",
"title": "Ensure ...",
"assessment_status": "Automated|Manual",
"profiles": ["Level 1"],
"description": "...",
"rationale": "...",
"audit": "How to check compliance",
"remediation": "How to fix",
"cis_controls": [{ "control": "4.1", "title": "...", "version": "v8" }],
"mitre_mapping": [{ "technique_id": "T1078", "title": "..." }],
"artifacts": [{ "title": "...", "content": "..." }]
}Key fields:
- ref — CIS control number (e.g.
2.1.2) - profiles —
Level 1(essential, broadly applicable) orLevel 2(defense-in-depth, may reduce usability) - assessment_status —
Automated(can be checked programmatically) orManual(requires human review) - audit / remediation — step-by-step instructions
- cis_controls — maps to the CIS Controls framework (v8)
- mitre_mapping — maps to MITRE ATT&CK techniques
Managing benchmarks with cis-bench
We use cis-bench (by MITRE) to download benchmarks from CIS WorkBench. This requires a CIS WorkBench account.
Setup
# Install
uv tool install cis-bench
# Authenticate (requires being logged into workbench.cisecurity.org in Chrome)
cis-bench auth login --browser chrome
# Build the searchable catalog (~2 min, 1300+ benchmarks)
cis-bench catalog refreshSearching
# Search by name
cis-bench search "macOS Sequoia"
cis-bench search "AWS Foundations"
# Search by platform
cis-bench search "docker"Note: queries with dots (e.g. 15.0) trigger an FTS5 bug — use words only.
Downloading
# If search returns a single match
cis-bench get "AWS Foundations" --format json
# If search returns multiple matches, use the benchmark ID directly
# Find IDs via: sqlite3 ~/.cis-bench/catalog.db "SELECT benchmark_id, title, version FROM catalog_benchmarks WHERE title LIKE '%Sequoia%'"
cis-bench download 23039 --format jsonOutput lands in ./benchmarks/ — move files to compliance/cis/ after downloading.
Updating benchmarks
When CIS publishes a new version:
cis-bench catalog refresh
cis-bench search "<benchmark name>"
# Download the new version by ID
cis-bench download <new-id> --format json
# Replace the old file in compliance/cis/How we use these
Fleet MDM (macOS benchmark)
The macOS Sequoia benchmark drives our Fleet MDM policies. Each Automated recommendation maps to a Fleet query or MDM profile. See TB-569 for the enforcement plan.
AWS (Foundations benchmark)
AWS Security Hub already evaluates against CIS AWS Foundations (we have CIS 1.4.0 enabled). The JSON here is the reference for understanding what each control requires and for building AWS Config rules (TB-613) and policy-as-code checks (TB-617).
GitHub (GitHub benchmark)
The GitHub benchmark covers org settings, repo defaults, branch protection, Actions security, and webhook configuration. We manage most of this via Terraform in github/.
Google Workspace (Workspace benchmark)
Covers admin console settings, Gmail, Drive, Calendar, and Meet security. We manage users and groups via Terraform in google-workspace/ — the benchmark helps validate admin console settings that aren't yet in Terraform.
Docker (Docker benchmark)
Applies to our ECS container configurations — image security, runtime settings, and network configuration. Relevant for the Fleet ECS deployment in aws/accounts/shared-services/.
SOC 2 Trust Services Criteria
compliance/soc2/ contains the AICPA Trust Services Criteria (TSC) — the framework that SOC 2 audits evaluate against — along with framework mappings.
Source: CyberRiskGuy/aicpa-soc-tsc-json — an open-source transcription of the official AICPA documents into machine-readable JSON. Not affiliated with AICPA; refer to the official AICPA page for authoritative guidance.
Version note: The "2017 Trust Services Criteria with Revised Points of Focus — 2022" is the current standard. AICPA has not published a newer version. Every SOC 2 audit happening today evaluates against this criteria set.
What we have
| File | Contents |
|---|---|
trust-services-criteria-2022.json | All 33 SOC 2 criteria (CC1.1–CC9.2) with principles and points of focus |
trust-services-criteria-2022.schema.json | JSON schema for the above |
tsc-to-nist-800-53.json | 1,436 mappings from TSC criteria to NIST 800-53 controls |
soc2-type-ii-checklist.json | Type II compliance checklist |
TSC JSON structure
The criteria are organized by category:
| Category | Criteria | Description |
|---|---|---|
| Control Environment | CC1.1–CC1.5 | Integrity, oversight, accountability |
| Information & Communication | CC2.1–CC2.3 | Internal/external communication |
| Risk Assessment | CC3.1–CC3.4 | Risk identification and analysis |
| Monitoring Activities | CC4.1–CC4.2 | Ongoing and separate evaluations |
| Control Activities | CC5.1–CC5.3 | Policies and procedures |
| Logical & Physical Access | CC6.1–CC6.8 | Access controls, authentication, encryption |
| System Operations | CC7.1–CC7.5 | Monitoring, incident detection, response |
| Change Management | CC8.1 | Change control processes |
| Risk Mitigation | CC9.1–CC9.2 | Risk mitigation and vendor management |
Each criterion includes:
- principle — what the criterion requires
- pof (points of focus) — specific items auditors evaluate, each with an
id,title, andrequirement
NIST 800-53 mapping
tsc-to-nist-800-53.json maps each TSC criterion to corresponding NIST 800-53 controls. This is useful if we ever need FedRAMP alignment or want to cross-reference with NIST frameworks. Each entry has:
{
"trust_service_criteria": "CC1.1",
"criteria_description": "...",
"nist_reference": "PS-6a",
"nist_description": "..."
}Source: NIST TSC crosswalk — maps the 2017 Trust Services Criteria (inclusive of October 2022 updates).
How we use these
The TSC data provides the structure for SOC 2 readiness:
- Gap analysis — map our existing controls (CloudTrail, GuardDuty, SCPs, Okta, etc.) to specific CC criteria
- Evidence collection — each point of focus tells us what evidence an auditor needs
- Policy writing — criteria descriptions inform the policies in TB-595
- Linear issue tagging — SOC 2 issues reference specific CC criteria (e.g., TB-614 maps to CC7.2, CC7.3)
NIST Cybersecurity Framework 2.0
compliance/nist-csf-2.0.json contains the NIST CSF 2.0 — the most widely referenced cybersecurity framework in the US. Cyber insurers, PE due diligence questionnaires, and many compliance platforms map directly to CSF functions.
Source: Converted from the official NIST CSF 2.0 Reference Tool Excel download into JSON.
Structure
6 functions, 34 categories, 185 subcategories, with 5,460 informative references cross-mapping to NIST 800-53, ISO 27001, PCI DSS, CIS Controls, and more.
| Function | Categories | Subcategories | Description |
|---|---|---|---|
| GOVERN (GV) | 6 | 31 | Risk management strategy, oversight, supply chain |
| IDENTIFY (ID) | 7 | 39 | Asset management, risk assessment, improvement |
| PROTECT (PR) | 9 | 57 | Access control, training, data security, platform security |
| DETECT (DE) | 3 | 22 | Continuous monitoring, adverse event analysis |
| RESPOND (RS) | 6 | 24 | Incident management, analysis, reporting, mitigation |
| RECOVER (RC) | 3 | 12 | Recovery planning, communication |
Each subcategory includes:
- id — CSF identifier (e.g.
GV.OC-01) - title — what the subcategory requires
- implementation_examples — concrete examples of how to implement
- informative_references — cross-references to NIST 800-53, ISO 27001, PCI DSS, CIS Controls v8, MITRE ATT&CK, etc.
Why this matters
- Cyber insurance — most insurer questionnaires map to CSF categories; having this structured data lets us systematically answer them
- PE due diligence — PE firms increasingly use CSF-aligned questionnaires for vendor assessment
- Framework unification — the informative references connect CSF to every other framework we track (SOC 2 TSC, CIS, NIST 800-53)
HIPAA Security Rule
compliance/hipaa-controls.json contains HIPAA controls in machine-readable format, relevant for our healthcare software client.
Source: VantaInc/vanta-control-set — Vanta's open-source control set mapping HIPAA requirements to actionable controls.
Structure
72 controls across 11 principles:
| Principle | Description |
|---|---|
| Administrative safeguards | Policies, training, access management, contingency planning |
| Physical safeguards | Facility access, workstation security, device controls |
| Technical safeguards | Access controls, audit controls, integrity, transmission security |
| Organizational requirements | Business associate agreements, group health plan requirements |
| Breach notification | Notification to individuals, media, Secretary, and BA requirements |
Each control has an id, name, description, and categories (Administrative/Physical/Technical).
Why this matters
If Tractorbeam is a Business Associate (handles, stores, or transmits PHI on behalf of a healthcare client), HIPAA compliance is legally required — not optional. The controls here map the Security Rule requirements to concrete actions we can validate against our infrastructure.