One Security Posture. Twenty Frameworks. Zero Duplicated Effort.
Multi-Framework Compliance Overhead
Organizations managing multiple compliance frameworks duplicate 60-80% of their work. The same security control is assessed separately for CMMC, again for FedRAMP, again for SOC 2, again for ISO 27001. Different teams collect overlapping evidence into different repositories using different formats. The duplication is not inherent to the frameworks. It is an artifact of treating each framework as an independent compliance program instead of recognizing that most of them derive from, or are mapped to, the same source: NIST 800-53.
Multi-Framework Overhead
Most compliance work is duplicated. The frameworks already overlap.
CMMC Level 2 derives from NIST 800-171, which is tailored from the NIST 800-53 Moderate baseline. FedRAMP baselines are control selections from the same NIST 800-53 catalog. SOC 2 Trust Service Criteria map to NIST 800-53 through published cross-walks. ISO 27001 Annex A controls have NIST-maintained mappings. These relationships are structural, deterministic, and published. Work done for one framework largely satisfies the corresponding controls in every other framework that traces back to the same lineage; what remains are the parameter differences each framework adds. The duplication exists in your processes, not in the frameworks themselves.
Consider an organization that must comply with CMMC Level 2, FedRAMP Moderate, SOC 2 Type II, and ISO 27001. Each framework requires access control. CMMC practice AC.L2-3.1.1 requires limiting system access to authorized users. FedRAMP Moderate requires NIST 800-53 control AC-2 (Account Management) with FedRAMP-specific parameters. SOC 2 criterion CC6.1 requires logical and physical access controls. ISO 27001 control A.8.2 requires privileged access rights management. These are not four different security requirements. They are four different expressions of the same underlying requirement: manage who has access to what. The organization implements one set of access controls. It operates one identity provider. It enforces one set of privilege policies. But it assesses that implementation four times, collects evidence four times, writes narratives four times, and presents the results to four different assessors in four different formats.
The duplication extends beyond individual controls. Each framework requires a system description, an authorization boundary definition, a risk assessment, an incident response plan, a change management process, a vulnerability management program, and an evidence collection methodology. These organizational controls are largely identical across frameworks. The incident response plan that satisfies CMMC practice IR.L2-3.6.1 also satisfies NIST 800-53 control IR-8 (Incident Response Plan), FedRAMP's IR-8 requirement, SOC 2 criterion CC7.4, and ISO 27001 control A.5.24. But because each framework assessment is treated as an independent project, the incident response plan is reviewed, updated, and formatted separately for each. The same document is repackaged four times. The same control owner answers the same questions from four different assessors. The same evidence is collected into four different repositories.
The scale of duplication is measurable. CMMC Level 2 contains 110 practices. FedRAMP Moderate contains 325 controls (the Rev 4 baseline count; the Rev 5 baseline is slightly smaller). SOC 2 contains 33 Common Criteria, CC1.1 through CC9.2 (though each maps to dozens of underlying control points). ISO 27001:2022 contains 93 Annex A controls. The total across all four frameworks appears to be over 560 distinct requirements. But when you trace each requirement back through the NIST 800-53 derivation chain, the number of unique underlying security capabilities is far smaller. Estimates based on published cross-walk analysis place the overlap between these four frameworks at 60-80%, depending on how parameter differences are counted. An organization that treats each framework independently performs 560 assessments. An organization that recognizes the structural overlap performs closer to 200 assessments plus framework-specific parameter adjustments. The difference is hundreds of hours of engineering time, compliance analyst effort, and assessor cost that produces no additional security value.
Multi-framework duplication is not just an efficiency problem. It creates inconsistency. When the same control is assessed independently for different frameworks, the assessments often produce different results. The CMMC team rates access control as "implemented" because the policy exists and IAM roles are configured. The FedRAMP team rates the same access control as "partially implemented" because the automated account review mechanism required by the FedRAMP-specific parameter for AC-2 is not operational. The SOC 2 auditor evaluates the same access control over a twelve-month operating period and identifies three months where access reviews were not completed on schedule. The ISO 27001 assessor evaluates the same capability and notes that privileged access is not reviewed at the frequency specified in the organization's own policy. Same control. Same infrastructure. Four different assessments. Four different conclusions. None of them wrong. All of them incomplete.
Siloed assessment teams compound the inconsistency. In many organizations, CMMC compliance is managed by the security team, SOC 2 is managed by the compliance or legal team, FedRAMP is managed by a dedicated authorization team, and ISO 27001 is managed by the quality or operations team. Each team maintains its own evidence repository, its own assessment schedule, its own relationship with its assessor, and its own understanding of what "implemented" means for the controls they manage. When the security team remediates a gap discovered during CMMC preparation, the remediation is not automatically reflected in the SOC 2 evidence repository. When the FedRAMP team updates a control narrative to address an assessor finding, the CMMC narrative for the same control is not updated. Drift between framework assessments accumulates silently. The organization maintains four separate, increasingly divergent descriptions of the same security posture.
The financial cost of duplication is substantial but often invisible because it is distributed across multiple budgets. Assessment fees are the most visible: each framework assessment carries its own engagement cost. But assessment fees represent a fraction of the total. The larger cost is internal: engineering hours spent collecting duplicate evidence, compliance analyst hours spent writing duplicate narratives, management hours spent in duplicate governance reviews, and opportunity cost of security engineers maintaining compliance artifacts instead of improving security posture. An organization spending 2,000 hours per year on CMMC compliance, 1,500 hours on FedRAMP, 1,000 hours on SOC 2, and 800 hours on ISO 27001 invests 5,300 hours annually in compliance work. If 65% of that work is duplicated across frameworks, 3,445 hours per year produce no unique security value. This does not include assessment fees, tooling costs, or the opportunity cost of security improvements deferred because the team was busy re-collecting evidence.
The duplication problem has a structural answer because the frameworks themselves are structurally related. NIST Special Publication 800-53 revision 5 defines a catalog of over 1,000 security and privacy controls and control enhancements organized into 20 control families. This catalog is the root of the compliance framework tree for United States federal and defense requirements. Every other major US compliance framework either selects controls from this catalog directly, derives requirements from it through a published mapping, or maps to it through an intermediary. The derivation chain works in layers. At the root sits NIST 800-53, the comprehensive control catalog. FedRAMP selects specific controls from this catalog and sets FedRAMP-specific parameter values. One layer up, NIST 800-171 tailors its 110 security requirements from the 800-53 Moderate baseline. CMMC Level 2 adopts those same 110 requirements. At each layer, the derivation is documented, traceable, and maintained by the issuing authority.
Organizations that do not understand the derivation chain treat each framework as an independent body of requirements. They miss the structural relationships that connect CMMC practices to NIST 800-171 requirements to NIST 800-53 controls to FedRAMP baselines. They miss the bridging mechanisms that connect international frameworks like ISO 27001 through the NIST Cybersecurity Framework. They miss the published cross-walks that map SOC 2 Trust Service Criteria to NIST controls. Without this understanding, every framework appears to be a standalone compliance program requiring standalone effort. The derivation chain is not approximate. It is published, deterministic, and maintained by the framework authorities themselves. NIST publishes the mappings between 800-53 and 800-171. NIST publishes the control baselines that FedRAMP selects from. The AICPA publishes the mapping between SOC 2 Trust Service Criteria and NIST frameworks. These are not interpretive alignments created by consultants. They are structural relationships published by the organizations that created the frameworks.
Rampart implements a cross-reference engine that resolves the full derivation chain through fidelity-ranked mapping strategies. AUTHORITATIVE mappings are published by the framework authority itself: CMMC to NIST 800-171, NIST 800-171 to NIST 800-53, FedRAMP baselines as 800-53 selections. PUBLISHED mappings come from recognized standards bodies: the AICPA's SOC 2 to NIST cross-walk, NIST's CSF 2.0 to 800-53 mappings, ISO and NIST joint mappings. DERIVED mappings trace through the 800-53 derivation chain when two frameworks both derive from 800-53 but have no direct mapping between them. AI_SUGGESTED mappings handle frameworks without published cross-walks, flagged for human confirmation before participating in scoring. Every mapping records its full resolution path: the source control, every intermediate mapping, the fidelity rank, and the destination control. Sentinel produces evidence events continuously, and Rampart distributes each event across the full derivation chain, updating freshness scores for every control in every framework that the evidence supports. A single evidence event can refresh coverage across dozens of controls spanning multiple frameworks simultaneously.
NIST 800-53 control AC-2 (Account Management) requires organizations to define and manage system accounts, including establishing conditions for group and role membership, specifying authorized users, and requiring approvals for account creation. This single control appears across frameworks under different names with different parameters. In CMMC Level 2, it manifests as practice AC.L2-3.1.1 through the NIST 800-171 derivation (requirement 3.1.1: "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices"). In FedRAMP Moderate, AC-2 appears directly as a required control with FedRAMP-specific parameter values: accounts must be reviewed at least annually, privileged accounts must be reviewed at least every 90 days, and automated mechanisms must disable inactive accounts after 90 days. In SOC 2, the same underlying capability maps to CC6.1 under the Common Criteria category. In ISO 27001:2022, it maps to control A.8.2 (Privileged Access Rights).
The security implementation for AC-2 is singular. The organization operates one identity provider. It configures one set of role-based access policies. It runs one access review process. It collects one set of access logs. The technical reality is one implementation. But in a siloed compliance program, this single implementation generates five separate assessment activities: one for CMMC, one for FedRAMP, one for SOC 2, one for ISO 27001, and one for the underlying NIST 800-53 authorization if the organization maintains an ATO. Five assessors ask five sets of questions about the same access controls and receive five separately compiled evidence packages. The parameter differences between frameworks are real but narrowly scoped. FedRAMP requires 90-day privileged account reviews. CMMC does not specify a frequency but requires "periodic" review. SOC 2 requires demonstration of operating effectiveness over the audit period. ISO 27001 requires adherence to the organization's own stated policy frequency. These are not different controls. They are different parameter values applied to the same control.
Rampart resolves the full chain for AC-2 in a single traversal. Starting from a DISA STIG check result, the mapping path traces: V-257844 (the STIG Vuln ID for the account management check) to CCI-000015 (the Control Correlation Identifier linking STIG checks to NIST controls) to AC-2 (the NIST 800-53 control) to CMMC AC.L2-3.1.1 (through the 800-171 derivation) to SOC 2 CC6.1 (through the AICPA cross-walk) to ISO 27001 A.8.2 (through the CSF bridge). One assessment. One evidence stream. Five frameworks satisfied. Per-control scoring operates independently for each framework because the parameter thresholds differ: FedRAMP's 90-day privileged review requirement produces a different evidence_freshness threshold than CMMC's annual interpretation. Sentinel collects the access review evidence once and Rampart evaluates it against each framework's specific parameter, scoring each independently while consuming the same underlying proof. The organization implements to the strictest parameter across all frameworks. It proves once. It scores everywhere.
The first framework an organization tackles requires full effort: every control must be assessed, every defense must be implemented or documented, every evidence artifact must be collected, and every narrative must be written from scratch. If that first framework is CMMC Level 2, the organization assesses 110 practices, implements the required security controls, collects evidence for each, and writes narratives describing how each practice is satisfied. This represents 100% of the effort for the first framework. The second framework leverages the first. If the organization next pursues FedRAMP Moderate, it encounters 325 controls. But roughly 110 of those controls overlap with work already completed for CMMC through the NIST 800-53 derivation chain. The incremental effort for FedRAMP is the roughly 215 controls that do not overlap with CMMC, plus parameter adjustments for controls that overlap but require stricter FedRAMP-specific values. Treat the 110-for-110 figure as a first-order estimate: a single 800-171 requirement often maps to several 800-53 controls and enhancements, so the real overlap has to be read off the published mapping table rather than assumed to be one-to-one.
Without automation, evidence cannot compound. The access review completed for CMMC sits in the CMMC evidence repository. The FedRAMP team does not know it exists or where to find it. Even if they find it, they cannot determine whether it satisfies FedRAMP's stricter parameter requirements without manual analysis. The compounding effect is theoretically available in every multi-framework program. In practice, it is realized only when a system can trace evidence through the derivation chain automatically, evaluate it against each framework's parameters independently, and surface the results in a unified view. Without that system, each framework team operates independently, collecting overlapping evidence into separate repositories, unaware that the work has already been done. The theoretical 60-80% overlap produces zero actual efficiency because no mechanism connects the evidence streams across frameworks.
Sentinel collects evidence once from the connected infrastructure. When an access review completes, the evidence event enters the event-sourced stream with a SHA-256 integrity hash and a W3C Trace Context trace ID (the OpenTelemetry trace identifier). Rampart receives the event, traces it through the full derivation chain, and projects it across every active framework assessment. The access review evidence updates freshness scores for CMMC AC.L2-3.1.1, FedRAMP AC-2, SOC 2 CC6.1, ISO 27001 A.8.2, and every other control in every other framework that maps to AC-2 through the derivation chain. Framework readiness is materialized in real time: as evidence events accumulate, readiness percentages across all active frameworks update simultaneously. The per-control score (defense_effectiveness x evidence_coverage x evidence_freshness, producing confidence 0.0-1.0) is computed independently per framework because parameter thresholds differ, but the underlying evidence is shared. One collection. Every framework advanced. The compounding effect is not theoretical. It is the default behavior of the evidence architecture.
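The derivation-chain traversal described in the AC-2 walkthrough (STIG check to CCI to AC-2, fanning out to each framework) and the per-framework freshness scoring described above, as an added Python example written for this page. It is illustration code, not Rampart or Sentinel code. The control identifiers are the ones quoted in the text; the mapping edges and the fidelity assigned to each edge, the CSF bridge node (`CSF:PR.AA`), the `NewFramework:AC-1` control used to show an unconfirmed AI_SUGGESTED hop, the review windows other than FedRAMP's 90 days and the annual CMMC reading, the freshness decay rule, and the evidence event are all assumptions.

```python
# Added example: a minimal derivation-chain resolver with per-framework
# freshness scoring, written for this page; it is not Rampart or Sentinel
# code. Control identifiers come from the article; the mapping edges, fidelity
# assignments, review windows, decay rule and the evidence event are constructed.
from collections import deque
from datetime import date

# Fidelity ranks in the order the article lists them; lower is more trusted.
FIDELITY_RANK = {"AUTHORITATIVE": 0, "PUBLISHED": 1, "DERIVED": 2, "AI_SUGGESTED": 3}

# Directed mapping edges (source, destination, fidelity). Constructed; the CSF
# bridge node and "NewFramework" are assumptions used to show a PUBLISHED hop
# and an unconfirmed AI_SUGGESTED hop respectively.
EDGES = [
    ("STIG:V-257844", "CCI-000015", "AUTHORITATIVE"),
    ("CCI-000015", "NIST-800-53:AC-2", "AUTHORITATIVE"),
    ("NIST-800-53:AC-2", "FedRAMP-Moderate:AC-2", "AUTHORITATIVE"),
    ("NIST-800-53:AC-2", "NIST-800-171:3.1.1", "AUTHORITATIVE"),
    ("NIST-800-171:3.1.1", "CMMC-L2:AC.L2-3.1.1", "AUTHORITATIVE"),
    ("NIST-800-53:AC-2", "SOC2:CC6.1", "PUBLISHED"),
    ("NIST-800-53:AC-2", "CSF:PR.AA", "PUBLISHED"),
    ("CSF:PR.AA", "ISO27001:A.8.2", "PUBLISHED"),
    ("NIST-800-53:AC-2", "NewFramework:AC-1", "AI_SUGGESTED"),
]

# Review-frequency parameter per framework control, in days. The 90-day and
# annual values are the ones the article quotes; the rest are assumed.
REVIEW_WINDOW_DAYS = {
    "FedRAMP-Moderate:AC-2": 90,
    "CMMC-L2:AC.L2-3.1.1": 365,
    "SOC2:CC6.1": 365,
    "ISO27001:A.8.2": 180,
    "NewFramework:AC-1": 180,
}


def resolve(source, edges=EDGES):
    """Return {destination: {"path", "fidelity", "scorable"}} for every node
    reachable from `source`. A path's fidelity is its worst edge; if several
    paths reach one destination the best fidelity wins, then the shortest."""
    graph = {}
    for src, dst, fidelity in edges:
        graph.setdefault(src, []).append((dst, fidelity))

    best = {}
    queue = deque([(source, [source], "AUTHORITATIVE")])
    while queue:
        node, path, worst = queue.popleft()
        for dst, fidelity in graph.get(node, []):
            if dst in path:  # mapping sets can contain cycles; never loop
                continue
            new_worst = max(worst, fidelity, key=FIDELITY_RANK.__getitem__)
            new_path = path + [dst]
            key = (FIDELITY_RANK[new_worst], len(new_path))
            current = best.get(dst)
            if current is None or key < (FIDELITY_RANK[current["fidelity"]], len(current["path"])):
                best[dst] = {
                    "path": new_path,
                    "fidelity": new_worst,
                    # AI_SUGGESTED mappings wait for human confirmation before scoring
                    "scorable": new_worst != "AI_SUGGESTED",
                }
                queue.append((dst, new_path, new_worst))
    return best


def evidence_freshness(age_days, window_days):
    """Assumed decay rule: 1.0 inside the framework's review window, then a
    linear fall to 0.0 once the evidence is twice the window old."""
    if age_days <= window_days:
        return 1.0
    return max(0.0, 1.0 - (age_days - window_days) / window_days)


def score_event(event, today, edges=EDGES, windows=REVIEW_WINDOW_DAYS):
    """Project one evidence event down every mapping path and score each
    framework control independently: effectiveness x coverage x freshness.
    Controls reached only through an unconfirmed mapping score None."""
    age_days = (today - event["observed"]).days
    scores = {}
    for control, hit in resolve(event["source"], edges).items():
        if control not in windows:  # intermediate node (CCI, 800-53, CSF)
            continue
        if not hit["scorable"]:
            scores[control] = None
            continue
        freshness = evidence_freshness(age_days, windows[control])
        scores[control] = round(
            event["defense_effectiveness"] * event["evidence_coverage"] * freshness, 3
        )
    return scores


# Constructed evidence event: one access review observed on 2025-01-10,
# scored as of 2025-05-10 (120 days later).
SAMPLE_EVENT = {
    "source": "STIG:V-257844",
    "observed": date(2025, 1, 10),
    "defense_effectiveness": 0.9,
    "evidence_coverage": 1.0,
}
AS_OF = date(2025, 5, 10)

if __name__ == "__main__":
    for control, hit in resolve(SAMPLE_EVENT["source"]).items():
        print(f"{control:24} {hit['fidelity']:13} via {' -> '.join(hit['path'])}")
    print(score_event(SAMPLE_EVENT, AS_OF))
```

Run it and the same 120-day-old access review scores 0.6 against FedRAMP's 90-day window but 0.9 against the annual CMMC and SOC 2 windows: one event, one traversal, independent per-framework scores, with the AI_SUGGESTED destination held at None until a human confirms the mapping. Each hit also carries the full resolution path, which is what an assessor needs to see to accept a STIG check result as evidence for a SOC 2 criterion.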
Frameworks do not exist in isolation. They are modified by overlays: additional requirements that adjust, extend, or constrain the base framework for a specific context. DISA SRGs add implementation guidance and verification checks to NIST 800-53 controls for specific technology categories. DISA STIGs further refine SRG requirements for specific products and versions. CIS Benchmarks overlay platform-specific hardening requirements onto the same control families. FedRAMP adds parameters and additional requirements to the 800-53 baseline. DoD Impact Levels (IL2 through IL6) add progressively stricter data handling and isolation requirements. Each overlay modifies the base framework in a specific, documented way. The base control remains the same. The overlay changes how it must be implemented, what evidence is required, or what parameter thresholds apply in a particular context.
Manual overlay stacking creates conflicts. When an organization applies a DISA STIG overlay, a CIS Benchmark overlay, and a FedRAMP parameter overlay to the same base NIST 800-53 control, the three overlays may specify different values for the same parameter. The STIG may require password minimum length of 15 characters. The CIS Benchmark may require 14. FedRAMP may require 12. Without a deterministic precedence model, the organization must manually identify every parameter conflict across every overlay for every control in every framework. For an organization with four frameworks, three overlay types, and 200 unique controls, the combinatorial analysis is prohibitive. Organizations either resolve conflicts on an ad hoc basis (introducing inconsistency) or apply the strictest parameter globally (which may violate the specific requirements of a less strict overlay that mandates a particular value rather than a minimum).
Rampart implements a composition engine that processes overlays through four operations: ADD introduces a new requirement not present in the base framework, MODIFY changes a parameter value or implementation requirement for an existing control, REMOVE exempts a control from the assessment scope (used for tailoring baselines), and PARAMETER sets a specific value for a control parameter such as review frequency or password length. Each operation carries a precedence rank derived from the overlay's authority level. DISA STIG requirements with AUTHORITATIVE fidelity outrank CIS Benchmark recommendations with PUBLISHED fidelity when they conflict on the same parameter. Conflicts are resolved deterministically: the highest-precedence overlay wins, and the resolution is recorded with full provenance showing which overlays competed and which prevailed. Sentinel evaluates the composed control definition (base framework plus all applicable overlays) when assessing each resource, ensuring that the assessment reflects the full overlay stack rather than just the base requirement. The composition is reproducible: given the same base framework and overlay set, the engine produces the same composed requirements every time.
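The four composition operations and the precedence-based conflict resolution described above, as an added Python example written for this page (not Rampart's code). The base controls, the overlay contents and the parameter values are constructed, using the STIG 15 / CIS 14 / FedRAMP 12 character minimums quoted earlier. The `tiebreak` field is an assumption the page does not make: the article ranks overlays by fidelity, but the STIG and FedRAMP overlays in this example are both AUTHORITATIVE, so something explicit has to separate them for the result to stay deterministic.

```python
# Added example: an overlay composition engine with deterministic precedence,
# written for this page; it is not Rampart or Sentinel code. The base
# controls, overlays, parameter values and the explicit tiebreak field are
# constructed for illustration.
from copy import deepcopy
from dataclasses import dataclass

# Precedence follows the article's fidelity ranks; lower wins a conflict.
FIDELITY_RANK = {"AUTHORITATIVE": 0, "PUBLISHED": 1, "DERIVED": 2, "AI_SUGGESTED": 3}


@dataclass(frozen=True)
class Op:
    kind: str             # ADD | MODIFY | REMOVE | PARAMETER
    control: str
    value: object = None  # ADD/MODIFY: requirement text; PARAMETER: (name, value)


@dataclass(frozen=True)
class Overlay:
    name: str
    fidelity: str
    tiebreak: int  # assumed: explicit rank for overlays that share a fidelity
    ops: tuple


def _slot(op):
    """What an operation competes for: a control's scope, its requirement
    text, or one named parameter."""
    if op.kind in ("ADD", "REMOVE"):
        return (op.control, "scope")
    if op.kind == "MODIFY":
        return (op.control, "requirement")
    return (op.control, "param:" + op.value[0])


def compose(base, overlays):
    """Return (composed_controls, provenance). Every slot is decided by
    (fidelity rank, tiebreak, overlay name), lowest first, so the result does
    not depend on the order the overlays are supplied in."""
    candidates = {}
    for overlay in overlays:
        for op in overlay.ops:
            candidates.setdefault(_slot(op), []).append(
                (FIDELITY_RANK[overlay.fidelity], overlay.tiebreak, overlay.name, op)
            )

    composed = deepcopy(base)
    provenance = {}
    # Scope decisions (ADD/REMOVE) are applied before parameters and text, so a
    # PARAMETER on an added control lands and one on a removed control is dropped.
    for slot, cands in sorted(candidates.items(), key=lambda kv: (kv[0][1] != "scope", kv[0])):
        cands.sort(key=lambda c: c[:3])
        _, _, winner, op = cands[0]
        provenance[slot] = {
            "winner": winner,
            "operation": op.kind,
            "value": op.value,
            "overruled": [(c[2], c[3].kind, c[3].value) for c in cands[1:]],
        }
        control = slot[0]
        if op.kind == "REMOVE":
            composed.pop(control, None)
        elif op.kind == "ADD":
            composed.setdefault(control, {"requirement": op.value, "params": {}})
        elif op.kind == "MODIFY" and control in composed:
            composed[control]["requirement"] = op.value
        elif op.kind == "PARAMETER" and control in composed:
            name, value = op.value
            composed[control]["params"][name] = value
    return composed, provenance


# Constructed base: a tailored 800-53 selection with the organisation's defaults.
BASE = {
    "IA-5(1)": {"requirement": "Password-based authentication", "params": {"min_length": 8}},
    "AC-2": {"requirement": "Account management", "params": {"review_days": 365}},
    "PE-3": {"requirement": "Physical access control", "params": {}},
}

# Constructed overlays. STIG and FedRAMP are both AUTHORITATIVE, so the assumed
# tiebreak field is what separates their competing min_length values.
OVERLAYS = [
    Overlay("CIS Benchmark", "PUBLISHED", 0, (
        Op("PARAMETER", "IA-5(1)", ("min_length", 14)),
    )),
    Overlay("FedRAMP Moderate", "AUTHORITATIVE", 1, (
        Op("PARAMETER", "IA-5(1)", ("min_length", 12)),
        Op("PARAMETER", "AC-2", ("review_days", 90)),
    )),
    Overlay("DISA STIG", "AUTHORITATIVE", 0, (
        Op("PARAMETER", "IA-5(1)", ("min_length", 15)),
        Op("ADD", "AC-2/STIG-CHECK", "Verify account management via STIG check"),
        Op("PARAMETER", "AC-2/STIG-CHECK", ("vuln_id", "V-257844")),
    )),
    Overlay("Cloud tailoring", "DERIVED", 0, (  # assumed rank for org-authored tailoring
        Op("REMOVE", "PE-3"),
        Op("PARAMETER", "PE-3", ("badge_review_days", 30)),  # dropped: control is out of scope
    )),
]

if __name__ == "__main__":
    controls, why = compose(BASE, OVERLAYS)
    for ctrl, spec in controls.items():
        print(ctrl, spec["params"])
    print(why[("IA-5(1)", "param:min_length")])
```

The provenance record for `("IA-5(1)", "param:min_length")` names DISA STIG as the winner and lists FedRAMP Moderate and CIS Benchmark as overruled, which is the audit trail an assessor asks for when the composed value differs from their own overlay. Note that the engine records the winner's exact value rather than the maximum across overlays, which is what keeps an overlay that mandates a specific value (not a minimum) from being silently overridden.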
Adding a new compliance framework to an existing program should be an incremental operation. The organization already has a security posture. It already collects evidence. It already maintains control narratives and assessment records. A new framework introduces its own control structure, its own parameter requirements, and its own assessment methodology. But if the new framework derives from the same NIST 800-53 root as the existing frameworks, the majority of its controls map to controls already assessed. The incremental effort consists of three categories: controls that are genuinely new (not present in any existing framework), controls that overlap but require stricter parameters (requiring implementation adjustments), and controls that overlap completely (requiring no additional work beyond activating the mapping).
Without a derivation engine, each new framework adds full effort. The compliance team must manually analyze every control in the new framework, determine which existing controls it maps to, identify parameter differences, assess gap coverage, and build a remediation plan. This analysis takes weeks for a framework with 100 or more controls. The team must then collect evidence for the new framework's assessment, even though most of the required evidence already exists in the repositories maintained for other frameworks. They must write narratives formatted for the new assessor, even though the underlying implementations are the same ones described in existing narratives. Each new framework adds nearly linear cost because the manual process cannot leverage the structural overlap that the derivation chain provides. Organizations defer new frameworks not because the security work is prohibitive, but because the compliance overhead of adding another independent assessment program is prohibitive.
Rampart pre-computes readiness across all frameworks in its catalog, including frameworks the organization has not yet activated. When a new framework is activated, it arrives pre-populated: every control that maps through the derivation chain to work already completed is marked with its current posture score. The organization immediately sees which controls are already satisfied, which require parameter tightening, and which represent genuinely new requirements. Artificer generates a gap analysis showing precisely what incremental work remains, ranked by the pre-computed action queue: (score_impact x urgency) / estimated_effort. The gap analysis is specific: not "you need to improve access control" but "AC-2 parameter adjustment required: current review frequency is annual, new framework requires quarterly, affecting 3 controls across 2 overlays." The organization knows the exact scope before committing resources. The tenth framework costs a fraction of the first because the underlying security posture, evidence stream, and control implementations were built correctly from the start: rooted in the comprehensive NIST 800-53 catalog that every subsequent framework draws from.
The economics of multi-framework compliance invert when duplication is eliminated. An organization that spends 2,000 hours achieving its first framework certification has built the security posture, evidence infrastructure, and control narratives that support every subsequent framework in the derivation chain. The second framework requires incremental effort for its unique controls and parameter adjustments. The third framework adds less. The fourth framework adds less still. The effort curve flattens because the underlying security posture is framework-agnostic: it was built from the comprehensive NIST 800-53 catalog, and every framework that derives from that catalog inherits the work already completed. The organization does not pursue four compliance programs. It maintains one security posture and expresses it through four framework lenses. The distinction is fundamental. Four programs multiply cost. One posture divides it.
The assessment experience transforms in parallel. Instead of preparing separate evidence packages for separate assessors on separate timelines, the organization maintains a single evidence stream that is continuously current. When the CMMC assessor arrives, the evidence for all 110 practices is current because evidence has been produced continuously. When the SOC 2 auditor requests evidence of operating effectiveness over twelve months, the evidence stream contains twelve months of continuous records. When the FedRAMP assessor checks parameter compliance, the scoring dimensions already account for FedRAMP-specific thresholds. No scramble. No re-collection. No re-narrating. Every compliance event in the system carries a SHA-256 integrity hash and a W3C Trace Context trace ID (the OpenTelemetry trace identifier), so any assessor can verify evidence authenticity independently. The evidence was not assembled for their assessment. It was produced by the environment as a continuous byproduct of operations.
Citadel provides the unified view: one dashboard showing the organization's security posture expressed through every active framework simultaneously. Per-control scores (defense_effectiveness x evidence_coverage x evidence_freshness, producing confidence 0.0-1.0) are computed independently per framework but rendered in a single view. The pre-computed action queue ranks remediation tasks by cross-framework impact: closing a gap in AC-2 improves posture across CMMC, FedRAMP, SOC 2, ISO 27001, and every other framework that maps to the same root control. Rampart resolves the derivation chain, composes overlays, and scores every control against every framework from a single evidence stream. PostureFunction(system, framework, timestamp) computes the exact compliance state at any point, for any framework, from the event-sourced record. The duplication is gone. The silos are gone. The inconsistency is gone. One security posture, forged from actual defenses, proven through immutable evidence, expressed through every framework the organization needs. The fourth framework at a fraction of the first. The tenth at less.
Something is being forged.
The full platform is under active development. Reach out to learn more or get early access.