> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Additional Compliance Frameworks

> CaseBender's support for CMMC, FedRAMP, HIPAA, PCI DSS, Export Control, and EU AI Act compliance.

## CMMC Level 2

CaseBender supports Cybersecurity Maturity Model Certification (CMMC) Level 2, which requires implementation of 110 practices from NIST SP 800-171.

### Key Capabilities

* **Practice Management**: Track all 110 CMMC Level 2 practices across 14 domains
* **SPRS Scoring**: Calculate and track your Supplier Performance Risk System (SPRS) score over time
* **Assessment Tracking**: Manage self-assessments and third-party assessments (C3PAO)
* **POA\&M Management**: Track Plans of Action and Milestones for practices not yet fully implemented
* **Evidence Collection**: Automated collectors gather evidence mapped to specific practices

### Domain Coverage

| Domain                                    | Practices | Description                                             |
| ----------------------------------------- | --------- | ------------------------------------------------------- |
| **AC** Access Control                     | 22        | Account management, access enforcement, remote access   |
| **AT** Awareness & Training               | 3         | Security awareness, role-based training                 |
| **AU** Audit & Accountability             | 9         | Audit logging, audit review, audit protection           |
| **CM** Configuration Management           | 9         | Baseline configuration, change control                  |
| **IA** Identification & Authentication    | 11        | MFA, device authentication, credential management       |
| **IR** Incident Response                  | 3         | Incident handling, reporting, testing                   |
| **MA** Maintenance                        | 6         | System maintenance, maintenance tools                   |
| **MP** Media Protection                   | 4         | Media access, storage, transport                        |
| **PE** Physical Protection                | 6         | Physical access, monitoring, visitor control            |
| **PS** Personnel Security                 | 2         | Personnel screening, termination                        |
| **RA** Risk Assessment                    | 3         | Risk assessment, vulnerability scanning                 |
| **CA** Security Assessment                | 4         | Assessment, monitoring, system connections              |
| **SC** System & Communications Protection | 16        | Boundary protection, encryption, key management         |
| **SI** System & Information Integrity     | 7         | Flaw remediation, malicious code protection, monitoring |

***

## FedRAMP Moderate

CaseBender supports FedRAMP Moderate authorization, implementing controls from NIST SP 800-53 Rev 5.

### Key Capabilities

* **Control Management**: Track all 325 FedRAMP Moderate controls with implementation status
* **System Security Plan (SSP)**: Manage SSP documentation with version control and approval workflows
* **Continuous Monitoring (ConMon)**: Automated monthly reporting on control effectiveness
* **POA\&M Management**: Track remediation plans with OMB A-130 compliance
* **Authorization Periods**: Manage authorization boundaries, ATOs, and reauthorization schedules
* **Significant Change Management**: Track and assess significant changes that may affect authorization

### Control Families

CaseBender maps its capabilities to all 20 NIST SP 800-53 control families, with particular strength in:

* **AC** (Access Control): RBAC, MFA, session management, PAM
* **AU** (Audit and Accountability): Unified audit trail, integrity protection, SIEM forwarding
* **IA** (Identification and Authentication): Multi-factor, device trust, service authentication
* **IR** (Incident Response): Case management, playbooks, SLA tracking
* **SC** (System and Communications Protection): Encryption, TLS, network segmentation

***

## HIPAA

CaseBender supports HIPAA compliance for organizations that handle Protected Health Information (PHI) as part of security operations.

### Security Rule Safeguards

#### Administrative Safeguards (164.308)

| Safeguard                        | CaseBender Implementation                                        |
| -------------------------------- | ---------------------------------------------------------------- |
| Security Management Process      | Risk assessment, vulnerability management, security monitoring   |
| Assigned Security Responsibility | RBAC with defined security roles                                 |
| Workforce Security               | SCIM provisioning, access termination, insider threat monitoring |
| Information Access Management    | TLP-based access control, data classification, PAM               |
| Security Awareness & Training    | Compliance training module with HIPAA-specific programs          |
| Security Incident Procedures     | Case management, incident response workflows, SLA tracking       |
| Contingency Plan                 | Data retention, backup management, disaster recovery             |
| Evaluation                       | Compliance dashboards, control testing, gap analysis             |

#### Technical Safeguards (164.312)

| Safeguard             | CaseBender Implementation                                             |
| --------------------- | --------------------------------------------------------------------- |
| Access Control        | Unique user identification, emergency access, auto-logoff, encryption |
| Audit Controls        | Unified audit trail with PHI access logging                           |
| Integrity             | Data integrity verification, tamper-evident audit logs                |
| Authentication        | MFA, WebAuthn, SSO, account lockout                                   |
| Transmission Security | TLS 1.3, encrypted inter-service communication                        |

### Breach Notification Rule (164.404-408)

* **Individual Notification**: Generate and track notifications to affected individuals
* **HHS Notification**: Manage notification to the Department of Health and Human Services
* **Media Notification**: For breaches affecting 500+ individuals, manage media notifications
* **Breach Documentation**: Maintain breach records for 6 years as required

### Business Associate Agreements

* Track BAAs with all business associates
* Monitor BAA expiration dates and renewal requirements
* Document BAA terms and data handling obligations

***

## PCI DSS v4.0

CaseBender supports PCI DSS v4.0 for organizations that process payment card data in security investigations.

### Key Capabilities

* **Requirement Tracking**: All 12 PCI DSS requirements with 78 sub-requirements
* **Evidence Collection**: Automated collectors for access controls, encryption, logging, and network security
* **Control Testing**: Scheduled testing with evidence capture and result tracking
* **Incident Management**: PCI-specific incident tracking with notification requirements
* **Assessment Periods**: Manage QSA assessments and self-assessment questionnaires

### Requirement Coverage

| Requirement | Description                   | CaseBender Mapping                                 |
| ----------- | ----------------------------- | -------------------------------------------------- |
| **1**       | Network Security Controls     | Network segmentation, firewall configuration       |
| **2**       | Secure Configurations         | Container hardening, configuration management      |
| **3**       | Protect Stored Data           | Encryption at rest, key management, data retention |
| **4**       | Protect Data in Transit       | TLS 1.3, encrypted communications                  |
| **5**       | Malicious Software Protection | Container scanning, dependency scanning            |
| **6**       | Secure Development            | SAST, DAST, code review, vulnerability management  |
| **7**       | Restrict Access               | RBAC, least privilege, PAM                         |
| **8**       | Identify Users                | MFA, unique IDs, authentication management         |
| **9**       | Physical Access               | On-premise deployment documentation                |
| **10**      | Log and Monitor               | Unified audit trail, SIEM forwarding, integrity    |
| **11**      | Test Security                 | Penetration testing, vulnerability scanning        |
| **12**      | Organizational Policies       | Policy management, training, incident response     |

***

## Export Control

CaseBender includes export control compliance for organizations handling controlled technology data.

### Key Capabilities

* **ECCN/ITAR Classification**: Classify security data and tools under Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)
* **Denied Party Screening**: Screen entities against government restricted and denied party lists before data sharing
* **Country Controls**: Enforce embargoed and restricted country rules on data access and sharing
* **License Management**: Track export licenses with expiration dates and usage limits
* **Auto-Classification Engine**: Suggest classifications based on data content and context

### Screening Lists

CaseBender screens against:

* Consolidated Screening List (CSL)
* Entity List (BIS)
* Specially Designated Nationals (OFAC SDN)
* Denied Persons List (BIS)
* Debarred List (DDTC)

***

## EU AI Act

CaseBender supports EU AI Act compliance for organizations using AI capabilities within the platform.

### Key Capabilities

* **AI System Registration**: Register and catalog AI systems used within CaseBender (AI insights, auto-enrichment, correlation engine)
* **Risk Assessment**: Evaluate AI systems against EU AI Act risk categories (minimal, limited, high, unacceptable)
* **Incident Reporting**: Report and track AI-related incidents with root cause analysis
* **Conformity Assessment**: Manage conformity assessments for high-risk AI systems
* **Human Oversight**: Document human oversight mechanisms for AI-assisted decisions
* **Transparency**: Maintain transparency records showing how AI systems make recommendations

***

## Related Documentation

* [Compliance Overview](/en/security/compliance-overview) — Framework matrix and unified compliance
* [SOC2 Type II](/en/security/compliance-soc2) — SOC2 deep dive
* [ISO 27001:2022](/en/security/compliance-iso27001) — ISO 27001 deep dive
* [GDPR & Privacy](/en/security/compliance-gdpr) — GDPR deep dive
