The canonical federal information system controls catalogue — the source for FedRAMP, FISMA, and most US sovereign baselines.
All federal information systems and any organisation choosing the catalogue as its security baseline.
Used as the underlying control catalogue for Safeguard's own FedRAMP authorisation.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
1,189 controls across 20 control families — selected and tailored to system impact level.
Mandatory Risk Management Framework (NIST SP 800-37) lifecycle: Categorise → Select → Implement → Assess → Authorise → Monitor.
Documented control inheritance from cloud providers and shared services.
Continuous monitoring with automated evidence wherever feasible (per OMB M-22-09).
Specific overlays for privacy (Appendix J), supply chain (800-161), and AI (800-218A draft).
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Pre-mapped to Rev 5 baselines (Low / Moderate / High) with control inheritance documented per cloud provider.
OSCAL-formatted control implementation statements exportable for any inherited control.
Automated evidence harvest for ~70% of technical controls; manual attestation pipeline for the rest.
Drift detection raises any deviation from the documented baseline as a policy-gate finding.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Full OSCAL package (catalog + profile + component + assessment).
Per-control implementation statement with linked evidence artifacts.
Continuous monitoring dashboard exportable monthly.
Control inheritance matrix per shared service.
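The "signed and timestamped, verifiable without trusting Safeguard" property above is the one an assessor should actually exercise. The following is an added example, not Safeguard's own code or artifact format: it assumes a hypothetical evidence envelope (control id, collection timestamp, SHA-256 of the raw evidence) signed with Ed25519 from the Go standard library, and shows what the collector signs and what an auditor can verify offline with only the collector's public key. Any change to the evidence bytes, the timestamp, or the control id after collection fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// EvidenceArtifact is a hypothetical envelope for one piece of control
// evidence. Field names and layout are assumptions made for this example;
// they are not a Safeguard or OSCAL schema.
type EvidenceArtifact struct {
	ControlID   string `json:"control_id"`     // e.g. "AC-2"
	CollectedAt string `json:"collected_at"`   // RFC 3339, UTC
	PayloadHash string `json:"payload_sha256"` // hex SHA-256 of the raw evidence bytes
}

// SignedArtifact binds the envelope to an Ed25519 signature over its
// canonical JSON encoding.
type SignedArtifact struct {
	Artifact  EvidenceArtifact `json:"artifact"`
	Signature string           `json:"signature"` // hex-encoded
}

// canonical returns the bytes that are signed. encoding/json emits struct
// fields in declaration order with no whitespace, which is stable for a
// fixed struct type and so serves as the canonical form here.
func canonical(a EvidenceArtifact) ([]byte, error) {
	return json.Marshal(a)
}

// SignArtifact hashes the raw evidence, stamps it with the collection time,
// and signs the envelope with the collector's private key.
func SignArtifact(priv ed25519.PrivateKey, controlID string, payload []byte, at time.Time) (SignedArtifact, error) {
	sum := sha256.Sum256(payload)
	art := EvidenceArtifact{
		ControlID:   controlID,
		CollectedAt: at.UTC().Format(time.RFC3339),
		PayloadHash: hex.EncodeToString(sum[:]),
	}
	msg, err := canonical(art)
	if err != nil {
		return SignedArtifact{}, err
	}
	sig := ed25519.Sign(priv, msg)
	return SignedArtifact{Artifact: art, Signature: hex.EncodeToString(sig)}, nil
}

// VerifyArtifact is what an auditor runs with only the collector's public key:
// it checks that the raw evidence matches the hash in the envelope and that
// the envelope (hash, timestamp and control id) carries a valid signature.
func VerifyArtifact(pub ed25519.PublicKey, s SignedArtifact, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != s.Artifact.PayloadHash {
		return errors.New("evidence payload does not match signed hash")
	}
	msg, err := canonical(s.Artifact)
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify: envelope or timestamp altered")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample evidence: a config export for AC-2 (account management).
	payload := []byte(`{"control":"AC-2","inactive_account_days":30}`)
	signed, err := SignArtifact(priv, "AC-2", payload, time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine artifact:", VerifyArtifact(pub, signed, payload))
	// Altering the evidence or the timestamp after collection is detected.
	fmt.Println("altered payload:", VerifyArtifact(pub, signed, []byte(`{"inactive_account_days":90}`)))
	signed.Artifact.CollectedAt = "2024-06-01T12:00:00Z"
	fmt.Println("altered timestamp:", VerifyArtifact(pub, signed, payload))
}
```

The auditor-side check depends only on the public key and the standard library, which is the point: the party that collected the evidence cannot later revise it, and the collection time is inside the signed envelope rather than in mutable metadata beside it. A production pipeline would additionally anchor the timestamp to an independent time-stamping authority or a transparency log, which this example does not do.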
These frameworks share substantial control overlap with NIST 800-53. Customers running one assessment typically satisfy the others with the same evidence base.
North America: Federal cloud authorisation for systems handling High-impact CUI and mission data.
North America: Cyber maturity certification for any contractor handling CUI in the US Defense Industrial Base.
North America: Supply Chain Risk Management practices for federal systems — the foundation for SBOM and software provenance requirements.
North America: The Secure Software Development Framework that backs EO 14028, the CISA attestation form, and most modern software supply-chain mandates.
North America: Federal Information Security Modernization Act — the legislative basis for the NIST RMF lifecycle in the US federal government.
Cross-jurisdictional: The NIST Cybersecurity Framework version 2.0 — six functions (Govern, Identify, Protect, Detect, Respond, Recover) with broad global adoption.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.