Compliance Labs independently evaluates cybersecurity software against IT, OT and AI regulations and frameworks. Our evaluation process is built on the NIST IR (Internal Report) series and the NIST OLIR mapping methodology. Assessments follow the procedures defined in NIST SP (Special Publication).
25+ years of compliance practice
1000+ software solutions evaluated

Detailed methodology available on request.

Compliance Labs reviews proprietary vendor documentation and maps each software capability to specific regulatory articles and framework controls, assessing whether controls are suitably designed to address the targeted requirements following the examine method defined in NIST SP. Every mapping is documented with a relationship type, a source authority, and a written rationale. Delivered as a CAE report covering control coverage, gap analysis, configuration dependencies, and a shareable compliance badge.

The EEE extends the CAE with direct testing in a controlled environment. Compliance Labs installs, configures, and operates the software to verify that controls function as designed, applying the examine, interview, and test methods defined in NIST SP. Where a control does not operate as documented, the gap is recorded with expected behavior, observed behavior, and regulatory impact. Delivered as an EEE report covering test results per control, structured evidence pack, complete audit trail, and a verified effectiveness badge.

Custom Testing extends the CAE and EEE methodology to software requiring evaluation in a specific environment: pre-release versions, internally developed applications, integration services, and off-the-shelf solutions in custom configurations. Compliance Labs applies the same NIST SP assessment procedures (examine, interview, and test) with scope and testing depth adapted to the target environment and its operational constraints. Delivered as a custom evaluation report covering scope-specific test results, gap analysis, and regulatory impact assessment.
OUR EVALUATION PROCESS
Every Compliance Labs evaluation follows a structured mapping process built on the NIST IR series and the NIST OLIR methodology. Every relationship between a software capability and a regulatory control is documented, traceable, and reproducible.
Step 1
The evaluation starts with the regulation or framework the software must address. It determines the scope of every mapping that follows. Nothing is evaluated outside its scope.
Step 2
Compliance Labs maps software capabilities against three shared control frameworks: NIST CSF 2.0, NIST SP (Special Publication), and ISO/IEC 27001. These frameworks provide the structured control language that connects software capabilities to regulatory requirements.
Step 3
Each mapping uses one of the set-theory relationship types from the NIST OLIR methodology to describe how the software capability relates to the regulatory control. Five relationship types are used: subset of (the capability covers part of the control), intersects with (the capability and the control share common elements), superset of (the capability exceeds the control), equal to (the capability fully corresponds to the control), and not related to (no meaningful connection). This eliminates ambiguity.
Step 4
Cybersecurity software does not address regulatory requirements on its own. It delivers technical capabilities that can be verified directly, and it contributes to organizational practices that people operate. Our evaluation measures the two separately, so a compliance officer can see exactly where the software ends and organizational work begins.
Step 5
Every mapping includes a written rationale explaining why this capability addresses this control, and what the limitations are. The rationale gives auditors, compliance officers, and security architects the context they need to make decisions.
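How the five steps fit together, as an added example that is not Compliance Labs code: a mapping record carries the OLIR relationship type, source authority and rationale (Steps 3 and 5), out-of-scope controls are ignored (Step 1), and technical coverage is computed separately from organizational contributions (Step 4). The capability names are hypothetical and the NIST CSF 2.0 subcategory IDs are used only as sample control identifiers.

```python
from dataclasses import dataclass
# The five OLIR relationship types from Step 3, grouped by how much of the control they cover.
FULL = {"equal to", "superset of"}
PARTIAL = {"subset of", "intersects with"}
NONE = {"not related to"}

@dataclass(frozen=True)
class Mapping:
    control: str        # framework control ID the capability is mapped to
    capability: str     # software capability (hypothetical names in SAMPLE)
    relationship: str   # one of FULL | PARTIAL | NONE
    source: str         # source authority (Step 5: recorded for every mapping)
    rationale: str      # written rationale; an empty one is rejected
    organizational: bool = False  # practice operated by people, not the software (Step 4)

    def __post_init__(self):
        if self.relationship not in FULL | PARTIAL | NONE:
            raise ValueError(f"unknown relationship type: {self.relationship!r}")
        if not self.rationale.strip():
            raise ValueError(f"{self.control} -> {self.capability}: rationale missing")

def coverage(mappings, scope):
    """Return {control: {"technical": "full"|"partial"|"gap", "organizational": [...]}}.
    Controls outside `scope` are ignored (Step 1); only technical mappings raise the
    coverage level, organizational contributions are listed separately (Step 4)."""
    report = {c: {"technical": "gap", "organizational": []} for c in scope}
    for m in mappings:
        if m.control not in report or m.relationship in NONE:
            continue
        entry = report[m.control]
        if m.organizational:
            entry["organizational"].append(m.capability)
        elif m.relationship in FULL or entry["technical"] == "gap":
            entry["technical"] = "full" if m.relationship in FULL else "partial"
    return report

def gaps(report):
    """Controls with no technical coverage at all: the input to the gap analysis."""
    return sorted(c for c, e in report.items() if e["technical"] == "gap")

# Constructed sample: NIST CSF 2.0 subcategory IDs, hypothetical capabilities.
SCOPE = ["PR.AA-01", "PR.AA-05", "DE.CM-01"]
SAMPLE = [
    Mapping("PR.AA-01", "MFA enforcement", "subset of", "vendor admin guide", "Users only; no service credentials."),
    Mapping("PR.AA-05", "RBAC policy engine", "equal to", "EEE test run", "Permissions defined, enforced, reviewable."),
    Mapping("PR.AA-05", "access review workflow", "intersects with", "vendor admin guide", "Staff must run the review.", organizational=True),
    Mapping("DE.CM-01", "log export", "not related to", "vendor admin guide", "Host logs only; no network monitoring."),
    Mapping("ID.AM-01", "asset inventory", "equal to", "vendor admin guide", "Outside this evaluation's scope."),
]
```

Running `coverage(SAMPLE, SCOPE)` marks PR.AA-01 partial, PR.AA-05 full with one organizational dependency, and DE.CM-01 as a gap, while the out-of-scope ID.AM-01 mapping never enters the report.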
Regulatory mapping shows what controls exist. Threat mapping shows what they prevent.
Compliance Labs maps every evaluated software product against MITRE ATT&CK to connect regulatory coverage to real-world attack techniques. You see not only which controls a product addresses, but which threats it detects or prevents.
Enterprise IT attack tactics
Industrial control systems
Mobile attack vectors
AI-specific threats
When Compliance Labs evaluates a software product's access control capabilities against DORA Art. 9, the MITRE mapping shows which credential theft, privilege escalation, and lateral movement techniques those controls would detect or prevent. The compliance map tells you the software addresses the regulation. The threat map tells you what that means against real adversary behavior.
Regulations, standards and frameworks across IT, OT and AI security covered by Compliance Labs evaluations.
The expertise and principles behind every compliance map and report.

Every evaluation follows the same methodology regardless of the vendor.

Every mapping includes its source, relationship type, and rationale.

25+ years of compliance and cybersecurity experience, structured into a methodology.