I Built One of the Biggest Compliance Frameworks. I Got the Shape Wrong.

At a glance. Compliance crosswalks die on a schedule. A mapping isn't a deliverable, it's a subscription, and the day the team behind it stops paying attention, it starts lying. The fix isn't a better hub. It's refusing to build one. The multi-lensatic methodology treats every framework as a witness instead of a judge: harmonize once, with full provenance, then let anyone enter through any lens and read the work through all the others. Translation, not conquest. I built the hub last time. Not again. Akutagawa and Douglas Adams got it right. This blog entry tells you why.
Key takeaways
- A compliance mapping is a subscription, not a deliverable. The frameworks on both ends keep moving, so a crosswalk nobody maintains starts lying, and a stale crosswalk is worse than none because people still trust it.
- The Unified Compliance Framework got the shape wrong, not the execution. It was a hub that asked the world to map in. I wrote its patents and watched it age into the problem it was built to solve.
- "Which framework belongs at the center?" is the wrong question. There will never be a single authoritative standard, any more than there will be one human language.
- The multi-lensatic methodology treats every framework as a witness, not a judge. Harmonize once with full provenance, then let anyone enter through any lens and read the work through all the others.
- It stays out of the graveyard by absorbing other mappings as witnesses instead of competing with them, so a crosswalk can survive the team that built it.
The compliance field has a graveyard, and I can walk you through it. Mapping projects that launched with funding and a press release, then went quiet within two years and out of relevance within three. I know the walk well, because one of the headstones is mine, and it isn't a small one.
Why do compliance crosswalks keep dying?
Here's the sentence nobody says out loud the day a crosswalk ships: a mapping is not a deliverable. It's a subscription.
The frameworks on both ends keep moving. NIST revised 800-53 to Rev 5 and is moving 800-171 to Rev 3. ISO rolled 27001 to its 2022 edition. CMMC 2.0 keeps tightening, with Phase 2 enforcement landing in November 2026. Every one of those releases quietly invalidates a row in somebody's crosswalk. And the day the team behind that crosswalk stops paying attention, the mapping starts lying. A stale crosswalk is worse than no crosswalk at all, because people trust it. And that sucks.
Sources: NIST CSRC for SP 800-53 Rev 5 and SP 800-171 Rev 3; ISO for ISO/IEC 27001:2022; U.S. DoD CIO for the CMMC program timeline. Retrieved 16 June 2026.
Walk the headstones. DISA's Control Correlation Identifiers were supposed to be the connective tissue between every STIG and the NIST controls behind them. Ask anyone who works with CCIs how current they feel. George Washington University published NIST framework mappings people still cite. Ask when they were last revised. HITRUST built its whole promise on harmonized assessment, and its founder has since sold and stepped away. Between the famous ones sit dozens of mapping teams you've never heard of, each one bright at launch and gone by the third anniversary.
None of them died because the work was bad. They died because the work was a team, and teams stop. I know this firsthand.
So what did I get wrong at the Unified Compliance Framework?
I'm not pointing at other people's graves from a safe distance. I built one of the biggest.
The Unified Compliance Framework rests on more than twenty patents and a couple hundred claims, and I wrote them. We harmonized regulatory text at a scale nobody had attempted, and for a while it was the best answer going. Then I watched it age into the same problem it was built to solve. The execution was fine. The shape was wrong. We built another hub and asked the world to map into it. One more witness standing up and claiming to be the judge.
For most of those years there was a decent excuse, and I want to be fair to my younger self about it: the technology for the right shape didn't exist. There was no query layer that let a consumer ask for exactly the slice they needed in their own words. There was no retrieval layer that could hold a thousand vocabularies and fetch the right context on demand. In 2007, if you wanted unification, you built a hub and made everyone come to you, because a hub was what the tools could build.
I made the case, before I left, that it was time to change the shape. I lost that argument to the PE folks who thought they knew better. The tools that would have made the better shape possible exist now. There's no excuse anymore, which is a more uncomfortable thing to write than it looks.
Which framework belongs at the center?
That question is the disease. Pause for a second and let that sink in.
It assumes something no evidence has ever supported, that there can be a "the." There will never be "the" standard, for the same reason there will never be a universal language. Esperanto was a beautiful idea. The world kept its eleven hundred tongues anyway, because a language isn't just a vocabulary, it's a community's way of caring about things, and communities don't surrender that. Neither do standards bodies. Nor should they. A regulation, a STIG, a workforce framework, and a proficiency model each describe the same work for a different reason, and each is right in its own room.
Every framework is a witness, not a judge
In 1922, Ryūnosuke Akutagawa published a story called "In a Grove." A samurai is dead, seven witnesses testify, and the accounts contradict each other. The story never tells you which one is true. That refusal is the point. There's no privileged account, only the discipline of holding the testimony together.
That's the epistemology underneath the multi-lensatic methodology. The regulation, the control, the role, the proficiency model, and the tool catalog are witnesses. Each one is partial, biased by the purpose its author wrote it for. And each one knows something about the work the others can't see. Polanyi called it knowing more than we can tell. A twenty-year practitioner knows that "configure audit logging" in a STIG and "implement system activity monitoring" in a regulation are the same obligation, and would struggle to write the rule that proves it, because that knowledge lives below words.
Douglas Adams got the answer right in 1979, as a joke, and the field still hasn't caught up to the joke. The Hitchhiker's Guide didn't hand its galaxy a universal language. It handed out the Babel fish. Drop it in your ear and every creature keeps speaking its own tongue while you hear yours. Nobody converts. Nobody concedes. Translation, not conquest. So we read one unit of work through five lenses: regulatory mandate, technical control, workforce role, proficiency, and automation capability. And we never ask a single framework to change a word of its own language.
The part that keeps it out of the graveyard
Enough of that. A philosophy doesn't survive contact with version drift. Engineering does (Michael, our lead engineer, taught me that). So here's the engineering.
The method is two disciplines. Build-time harmonization does the slow, expensive, auditable work once: match entities across vocabularies, classify them, arbitrate the conflicts, and record the evidence for every call, then refresh as the sources move. Read-time disambiguation is the payoff. A user arrives speaking one vocabulary, with a STIG open or a job title in mind, and the system re-renders that one unit of work through every other lens. Enter through any door, see the paths to all the rooms.
Provenance is the deliverable, not the log. Every classification carries the rule or the model that produced it, its confidence, its evidence, and its revision history. A mapping that can't show its work isn't finished, it's a backlog item.
And here's the part aimed straight at the graveyard. The structure is built to absorb mappings, not compete with them. When the next ad-hoc crosswalk appears, and it will, it doesn't threaten the layer. It feeds it, ingested as one more witness, scored and sourced and held alongside the rest. When the team behind it stops contributing, and they will, their work doesn't rot in a document nobody dares trust. It's already in the record, with its dates attached, aging in plain sight instead of lying in the dark.
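To make the two disciplines concrete, here is an added example (an illustration written for this page, not code from GRCSchema, STIGViewer, or the paper): a record that absorbs mapping witnesses with their provenance, then answers a read-time query through the other lens while flagging which witnesses have fallen behind the current framework revision and which cannot show their work. Every identifier, revision value, and source name is a constructed placeholder.

```python
from dataclasses import dataclass
from datetime import date

# Current framework revisions as the consumer knows them (constructed sample values).
CURRENT_REVISIONS = {"NIST SP 800-53": "Rev 5", "NIST SP 800-171": "Rev 3"}


@dataclass(frozen=True)
class Witness:
    """One mapping claim from one source: a crosswalk, a rule, a model, or a person."""
    left: tuple        # (framework, identifier)
    right: tuple       # (framework, identifier)
    source: str        # who made the call
    confidence: float  # 0..1, as the source scored it
    evidence: str      # empty string means the witness cannot show its work
    revisions: dict    # framework -> revision the claim was made against
    asserted_on: date


class MappingRecord:
    """Witnesses are absorbed, never overwritten; staleness is computed at read time."""
    def __init__(self):
        self.witnesses = []

    def absorb(self, witness):
        self.witnesses.append(witness)

    def stale_against(self, witness, current=CURRENT_REVISIONS):
        """Frameworks whose revision has moved since this witness was recorded."""
        return sorted(fw for fw, rev in witness.revisions.items() if current.get(fw, rev) != rev)

    def read(self, framework, ident, current=CURRENT_REVISIONS):
        """Read-time disambiguation: enter through one item, see what every witness says about it."""
        hits = []
        for w in self.witnesses:
            for here, there in ((w.left, w.right), (w.right, w.left)):
                if here == (framework, ident):
                    hits.append({"target": there, "source": w.source, "confidence": w.confidence,
                                 "shows_work": bool(w.evidence), "asserted_on": w.asserted_on.isoformat(),
                                 "stale_against": self.stale_against(w, current)})
        return hits


# Constructed sample witnesses; identifiers are placeholders, not real STIG or NIST ids.
RECORD = MappingRecord()
RECORD.absorb(Witness(("Example STIG", "EX-V-1001"), ("NIST SP 800-53", "EX-AU-1"), "crosswalk-2019",
                      0.9, "", {"NIST SP 800-53": "Rev 4"}, date(2019, 3, 1)))
RECORD.absorb(Witness(("Example STIG", "EX-V-1001"), ("NIST SP 800-53", "EX-AU-1"), "rule:audit-synonyms", 0.8,
                      "STIG 'configure audit logging' ~ reg 'implement system activity monitoring'",
                      {"NIST SP 800-53": "Rev 5"}, date(2026, 6, 1)))
```

Reading the STIG item returns both witnesses side by side: the 2019 crosswalk is still in the record, but it is flagged as made against a superseded revision and as unable to show its work, which is the "aging in plain sight" the text describes.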
Not every team has stopped, and those teams matter more than the graveyard does. The Secure Controls Framework has shipped typed, scored control mappings on a quarterly cadence for years. RegGenome keeps machine-readable regulatory text flowing at a scale nobody else attempts. EC-Council has kept its certification-to-role mappings current through every revision of the DoD workforce framework. That work is exactly what the structure is built to receive, with their semantics intact and their names on their work.
What does this mean for your next crosswalk?
Two things, depending on which side of the table you're on.
If you're about to build "the" hub for your org or your product, the one everyone else will finally map into, don't. Build the translator instead. The tools exist now that didn't in 2007.
If you've been trusting a crosswalk, ask it two questions. When was it last refreshed against the current revision of both frameworks? And can it show its work? If the answer to either is a shrug, you're standing on a headstone.
The Monday move is smaller than all of this sounds. Open a STIG on STIGViewer and read it out through the role that owns it, the proficiency the work demands, and the regulation sitting above it.
Start from one role, say Computer and Information Systems Managers, and follow it straight out to the STIGs they're stuck with, the tasks they do all day, even the training they're meant to have.
Or start from a STIG and find out whether any role is linked to it.
That's read-time disambiguation, running today. The shapes are open at grcschema.org, and the full methodology, witnesses and provenance and all, is written up in the paper.
I built the hub last time. This time I'm building the translator. I'm not doing it wrong again.
Frequently asked questions
What is the multi-lensatic methodology? A way of mapping compliance work so one unit of work can be read through five lenses (regulatory mandate, technical control, workforce role, proficiency, and automation capability) without forcing any framework to change its own language.
Why do compliance crosswalks go stale? Because the frameworks they connect keep being revised. When the team maintaining a crosswalk stops, the mapping silently falls out of date and starts misleading the people who trust it.
Is this just another compliance hub? No. A hub asks every other framework to map into it. The multi-lensatic methodology refuses to crown a center and translates between frameworks at read time, with provenance on every match.
What are the five lenses? Regulatory mandate (what you must do), technical control (what gets configured and graded), workforce role (whose job it is), proficiency (how hard it is), and automation capability (whether software can do it).
Where can I see it working? On STIGViewer. Open a STIG and read it through the roles, proficiency, and regulations behind it, or start from a role and follow it out to the STIGs and tasks it owns.
Where is the full methodology written up? In the published paper at doi.org/10.13140/RG.2.2.10143.11681, and the open schema shapes resolve at grcschema.org.
Last updated: 16 June 2026.
Dorian Cougias is co-founder of MoxyWolf and the original architect of the Unified Compliance Framework. The multi-lensatic methodology is in active use at GRCSchema.org and across STIGViewer.
Also published on LinkedIn: I Built One of the Biggest Compliance Frameworks. I Got the Shape Wrong.