Getting Started with Compliance Frameworks
Compliance frameworks can feel overwhelming at first — but the starting point is simpler than most people expect. This guide explains what a compliance framework is, how Regentra organizes them, and the first steps to take when setting up your compliance program on the platform.
What a compliance framework is
A compliance framework is a structured set of security and operational requirements designed to protect specific types of data or reduce risk in a specific industry context. Think of it as a checklist of security practices — written by a regulatory body or standards organization — that your organization is either legally required to follow or has chosen to adopt to meet client or partner expectations.
Each framework is organized into control areas, sometimes called domains, that represent a category of security practice: access control, incident response, data protection, risk management, and so on. Within each domain, there are specific controls — individual security measures that need to be implemented — and within each control, there are requirements that describe what implementation looks like in practice.
Regentra organizes all of this for you. When you adopt a framework, the platform loads the full control structure, maps the requirements, and gives you a clear view of what needs to be implemented, what evidence demonstrates that implementation, and where your current gaps are.
Frameworks supported in Regentra
Regentra currently supports ten compliance frameworks, covering the regulatory requirements most commonly encountered by MSPs, MSSPs, and the businesses they serve.
- HIPAA — the Health Insurance Portability and Accountability Act. Required for any organization that handles protected health information.
- HIPAA 2026 — the updated Security Rule proposed in the HHS notice of proposed rulemaking published in January 2025 (labelled here by its expected effective year), which would eliminate the "addressable" specification category and add prescriptive technical requirements. Adopt it to prepare; the existing Security Rule remains the enforceable baseline until the final rule takes effect.
- SOC 2 — an AICPA attestation (a report, not a certification) against the Trust Services Criteria. Security is always in scope; availability, confidentiality, processing integrity, and privacy are included as the organization selects them. Enterprise clients and partners commonly request it as proof of controls.
- NIST CSF 2.0 — the National Institute of Standards and Technology Cybersecurity Framework, widely used as a foundational security baseline and referenced in federal contracts.
- ISO 27001:2022 — the internationally recognized standard for information security management systems, relevant for organizations pursuing global enterprise contracts.
- CMMC 2.0 Level 1 — the Cybersecurity Maturity Model Certification at its foundational level, required for DoD contracts that involve Federal Contract Information (FCI); its practices come from the basic safeguarding requirements in FAR 52.204-21.
- CMMC 2.0 Level 2 — the advanced CMMC level, required for contracts involving controlled unclassified information and aligned with NIST SP 800-171.
- PCI DSS 4.0.1 — Payment Card Industry Data Security Standard, required for any organization that processes, stores, or transmits payment card data.
- GDPR — the General Data Protection Regulation, applicable to organizations established in the European Union and to organizations anywhere that offer goods or services to, or monitor the behaviour of, people in the EU.
- FTC Safeguards — the Federal Trade Commission's Safeguards Rule, applicable to non-bank financial institutions including auto dealers, mortgage brokers, and financial advisors.
New frameworks are added to the platform on an ongoing basis. If a framework relevant to your clients is not yet listed, it may be in development. Check the platform roadmap or contact support for the current addition schedule.
For MSPs: Each client tenant in Regentra maintains its own independent framework selection. A healthcare client can be on HIPAA and NIST CSF while a financial services client runs FTC Safeguards — managed from the same MSP dashboard without any overlap between client environments.
How to decide which framework to start with
The right starting framework is the one that addresses your most immediate regulatory or contractual obligation — not the one that sounds most comprehensive or that you have heard mentioned most often.
Use the following questions to identify your starting point:
- Does your organization create, receive, maintain, or transmit protected health information as a covered entity or as a business associate? If yes, HIPAA is non-negotiable and should be your first adoption.
- Do you process payment card data? PCI DSS applies regardless of your organization's size or industry.
- Do you hold or pursue DoD contracts involving controlled unclassified information? CMMC is required and should be adopted before contract pursuit begins.
- Do enterprise clients or partners require a security attestation before signing contracts? SOC 2 is the most commonly requested framework in B2B technology and services markets.
- Do you process personal data of EU residents? GDPR applies to your organization regardless of where you are based.
- Are you a non-bank financial institution? FTC Safeguards applies, and its amended rule, in force since June 2023, carries specific technical requirements such as multi-factor authentication, encryption of customer information in transit and at rest, and a written incident response plan.
If more than one framework applies — which is common — start with the one that carries the highest enforcement risk or the most immediate business consequence if unaddressed, and add additional frameworks as your compliance program matures. Regentra's cross-framework control mapping means that work done for the first framework contributes directly to subsequent ones, so adoption order affects the sequence of effort, not the ultimate coverage.
Adopting a framework in Regentra
Adopting a framework in Regentra takes a few clicks. From the compliance dashboard, navigate to the framework library, select the framework you want to adopt, and confirm the adoption for the current tenant. The platform will immediately load the full control structure for that framework, populate the requirement list, and generate your initial gap assessment based on any evidence that has already been collected from connected integrations.
If you are an MSP adopting a framework on behalf of a client, make sure you are working within the correct client tenant before adopting. Framework adoption is scoped to the tenant it is applied in — adopting a framework in your own MSP tenant does not apply it to any client tenants.
Once a framework is adopted, it appears in the framework selector in the compliance navigation. You can switch between adopted frameworks at any time, and the compliance dashboard updates to reflect the selected framework's control status, score, and gap view. Controls that are shared across multiple frameworks — and their associated evidence — are automatically reflected in every framework they are mapped to, so you will not need to re-enter implementation data for controls you have already documented under a different framework.
Understanding controls, domains, and requirements
Once a framework is adopted, the compliance view organizes the work into three layers that are worth understanding before you begin.
Domains
Domains are the top-level categories that a framework uses to organize its requirements. In NIST CSF 2.0 they are the six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. In HIPAA, they map to the Administrative, Physical, and Technical Safeguard categories. Because each framework has its own domain structure, the same underlying control can sit under a different domain in each framework it is mapped to. Domains give you a high-level view of which areas of your security program are strong and which need the most attention.
Controls
Controls sit within domains and represent individual security practices that need to be implemented. Each control has a status — Not Started, In Progress, or Implemented — that reflects how far along the implementation is. Controls are the primary unit of work in your compliance program: implementing a control, collecting evidence for it, and assigning an owner are the core activities that move your compliance score forward.
Requirements
Requirements are the specific, granular obligations that sit within each control. A single control may have multiple requirements — specific configuration standards, documentation obligations, or procedural steps — each of which needs to be satisfied for the control to be considered fully implemented. When a control is mapped across multiple frameworks, its requirements include the specific language from each framework that the control addresses, so you can see exactly which framework obligation each implementation step satisfies.
Helpful starting point: Rather than trying to address every control at once, use the domain view to identify the two or three domains with the lowest implementation percentage and start there. Concentrated progress in a few domains builds momentum and moves your overall score more visibly than scattered partial progress across all domains simultaneously.
What your compliance score means
Your compliance score is a percentage that reflects how many of your adopted framework's controls have been implemented and evidenced relative to the total number of controls in the framework. A control counts toward the score only when its status is Implemented and evidence is attached; a control that is In Progress, or Implemented but not yet evidenced, counts as a gap. A score of 74% means that 74% of the controls in your current framework have been implemented and supported by evidence, and 26% remain as gaps.
The score updates in real time as controls are implemented, evidence is collected, and new integrations pull automated evidence from connected systems. It is not a point-in-time snapshot — it reflects the current state of your compliance program on the day you are looking at it.
A few things the score does not mean: it is not a pass or fail threshold, and it is not the same as audit readiness. Different auditors and different frameworks have different standards for what constitutes sufficient implementation, and a high score is not a guarantee of a clean audit finding. In particular, the score reflects evidence that exists today, whereas a SOC 2 Type II or a CMMC assessment examines whether controls operated throughout a review period, so a control that was only recently implemented can still draw a finding. What the score does give you is a consistent, comparable measure of progress over time: a rising score means the program is improving; a falling score means controls or evidence have lapsed and need attention.
For MSPs, each client tenant has its own independent compliance score per framework. The MSP dashboard shows scores across all clients simultaneously, making it straightforward to identify which clients need the most immediate attention and to report progress to clients at review meetings.
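The scoring rule and cross-framework mapping described above are easy to misread, so here is a small model of them in Python. This is an added illustration, not Regentra's code or data model: the control identifiers (MFA, LOGGING, IR-PLAN, BACKUP, VENDOR), the per-framework requirement references, the owners, and the idea that evidence carries an expiry date are all assumptions made for the example. It shows that a control counts only when it is Implemented and backed by current evidence, that work documented once flows into every framework the control maps to, and that a score can fall when evidence lapses.

```python
"""Toy model of cross-framework control mapping and a compliance score.

Hypothetical illustration only; not Regentra's data model or scoring logic.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

NOT_STARTED, IN_PROGRESS, IMPLEMENTED = "Not Started", "In Progress", "Implemented"


@dataclass
class Control:
    control_id: str
    status: str = NOT_STARTED
    owner: Optional[str] = None
    evidence_valid_until: Optional[date] = None  # None: no evidence attached

    def satisfied(self, today: date) -> bool:
        """Counts toward the score only if Implemented AND evidence is current."""
        return (self.status == IMPLEMENTED
                and self.evidence_valid_until is not None
                and self.evidence_valid_until >= today)


# framework -> {control_id: (domain in that framework, requirement reference)}
# Illustrative mapping: one shared control appears under each framework's own domain.
FRAMEWORK_MAP = {
    "NIST CSF 2.0": {
        "MFA":     ("Protect", "PR.AA-03"),
        "LOGGING": ("Detect",  "DE.CM-01"),
        "IR-PLAN": ("Respond", "RS.MA-01"),
        "BACKUP":  ("Protect", "PR.DS-11"),
    },
    "SOC 2": {
        "MFA":     ("CC6 Logical Access",    "CC6.1"),
        "LOGGING": ("CC7 System Operations", "CC7.2"),
        "IR-PLAN": ("CC7 System Operations", "CC7.4"),
        "VENDOR":  ("CC9 Risk Mitigation",   "CC9.2"),
    },
}

# Constructed sample tenant state: work was done under NIST CSF first.
CONTROLS = {
    "MFA":     Control("MFA", IMPLEMENTED, "alice", date(2026, 1, 15)),
    "LOGGING": Control("LOGGING", IMPLEMENTED, "bob", date(2025, 11, 1)),
    "IR-PLAN": Control("IR-PLAN", IN_PROGRESS, "carol"),
    "BACKUP":  Control("BACKUP", IMPLEMENTED),   # implemented but never evidenced
    "VENDOR":  Control("VENDOR"),                # untouched and unowned
}
AS_OF = date(2025, 10, 1)              # day SOC 2 is adopted
TWO_MONTHS_LATER = date(2025, 12, 1)   # LOGGING evidence has expired by now


def compliance_score(framework: str, controls: dict, today: date) -> float:
    """Percentage of the framework's controls that are Implemented and evidenced."""
    mapped = FRAMEWORK_MAP[framework]
    hits = sum(controls[cid].satisfied(today) for cid in mapped)
    return round(100 * hits / len(mapped), 1)


def domain_scores(framework: str, controls: dict, today: date) -> dict:
    """Same rule, broken down by the framework's own domains (the domain view)."""
    totals, hits = {}, {}
    for cid, (domain, _ref) in FRAMEWORK_MAP[framework].items():
        totals[domain] = totals.get(domain, 0) + 1
        hits[domain] = hits.get(domain, 0) + controls[cid].satisfied(today)
    return {d: round(100 * hits[d] / totals[d], 1) for d in totals}


def gap_report(framework: str, controls: dict, today: date) -> list:
    """Every unsatisfied control with its framework reference, owner and reason."""
    rows = []
    for cid, (_domain, ref) in FRAMEWORK_MAP[framework].items():
        c = controls[cid]
        if c.satisfied(today):
            continue
        if c.status != IMPLEMENTED:
            reason = c.status
        elif c.evidence_valid_until is None:
            reason = "no evidence"
        else:
            reason = f"evidence expired {c.evidence_valid_until.isoformat()}"
        rows.append((cid, ref, c.owner or "UNASSIGNED", reason))
    return rows


if __name__ == "__main__":
    for fw in FRAMEWORK_MAP:
        print(fw, "score on adoption:", compliance_score(fw, CONTROLS, AS_OF),
              "| two months later:", compliance_score(fw, CONTROLS, TWO_MONTHS_LATER))
    print("NIST CSF 2.0 by domain:", domain_scores("NIST CSF 2.0", CONTROLS, AS_OF))
    for row in gap_report("SOC 2", CONTROLS, TWO_MONTHS_LATER):
        print("gap:", row)
```

On the adoption date SOC 2 starts at 50% without any new work, because MFA and LOGGING were implemented and evidenced under NIST CSF and map straight across; two months later both frameworks drop to 25% because the LOGGING evidence has expired, which is exactly the "falling score means evidence has lapsed" case. The gap report also surfaces the unowned VENDOR control, which is the kind of item that tends to stall.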
Where to go next
Once you have adopted your first framework and reviewed the initial gap assessment, the natural next steps are:
- Connect your Microsoft 365 tenant if your organization or client runs Microsoft 365. The integration automatically collects evidence for 30+ controls (MFA status, conditional access policies, admin role assignments, device compliance, and more) and applies it immediately to your compliance score. This is the fastest way to close a meaningful portion of your initial gap without manual work. Because that evidence is read from the live tenant, a control it satisfies can lapse again if the configuration changes, so treat it as continuous monitoring rather than a one-time import.
- Assign control owners. Each control should have a named owner responsible for its implementation and ongoing currency. Controls without owners tend to stall. Assigning ownership at the start of the program is more effective than assigning it after implementation delays accumulate.
- Activate policy templates for your adopted framework. Regentra includes over 60 policy templates covering every major compliance area. Activating relevant templates and routing them through the review and approval workflow closes documentation gaps quickly and produces the audit-ready policies that most compliance programs lack at the outset.
- Review the AI Compliance Advisor's recommendations. After your initial setup, the AI Compliance Advisor analyzes your current posture and generates a prioritized remediation plan — identifying the highest-risk gaps and the most efficient path to improving your score. Use this as your working implementation roadmap rather than building one manually.
Compliance does not need to start with a complete program. It starts with a framework adopted, a gap understood, and the highest-priority controls assigned to someone responsible for implementing them. Regentra is built to make that starting point as clear and actionable as possible — from the first framework adoption to the first compliance score to the first evidence collected automatically from your existing environment.