Resources

Governance, Risk, and Compliance engineering tools and visualizations for security control mapping and analysis.

Flagship Tool
NIST Control & AWS Config Rule Interrelationship Map
Explore the connections between NIST 800-53 security controls, AWS Config rules, AWS services, and MITRE ATT&CK techniques through an interactive, multi-view visualization.
Covers NIST 800-53, AWS Config Rules and MITRE ATT&CK; 6 visualization modes; Excel & JSON export.

How to Use the Control Map

The Control Map is an interactive visualization that shows relationships between NIST 800-53 security controls, AWS Config rules, AWS services, and MITRE ATT&CK techniques.

Step 1

Select a View

Choose from six visualization layouts: Force Graph, Cluster, Tree, Radial, Matrix, or Sankey. Each offers a different perspective on control relationships.

Step 2

Search & Filter

Use the search bar to find specific controls, rules, services, or ATT&CK techniques. Apply filters to narrow the view to specific node types or categories.

Step 3

Explore Connections

Click any node to highlight its direct connections. Hover for details. Drag nodes to rearrange the layout and zoom to focus on areas of interest.

Step 4

Export Data

Export the current view as JSON for programmatic use, or as an Excel spreadsheet for reporting and offline analysis.

Example Scenario

See how the Control Map streamlines compliance research for system Authorization to Operate (ATO) packages.

ATO Compliance

Identifying NIST Controls for an AWS Service

A system owner is building an application on AWS and needs to determine which NIST 800-53 controls apply to the services in their architecture. Instead of manually cross-referencing spreadsheets, they use the Control Map:

  1. Filter by service — open the Filters panel and select an AWS service (e.g. "S3" or "Lambda") to isolate it and its connections on the graph.
  2. Click the service node — the visualization highlights every connected NIST control and AWS Config rule, filtering out unrelated noise.
  3. Review applicable controls — the connected NIST 800-53 controls show exactly which security requirements apply, along with the Config rules that can validate compliance.
  4. Export for your ATO package — export the filtered results as Excel to include directly in your System Security Plan or compliance documentation.

This provides a streamlined path from "which services am I using?" to "which controls do I need to address?" — reducing weeks of manual mapping to minutes of interactive exploration.

Visualization Modes

The Control Map offers six different ways to explore the same underlying data. Each mode is suited to different analytical tasks.

Force Graph

A physics-based simulation where nodes repel each other and edges act as springs. It naturally clusters related nodes together, revealing groupings that emerge from the data itself.

Best for: Discovering clusters and overall structure

Cluster

Groups nodes by type into distinct clusters arranged in a circular layout. Each node type occupies its own region, making it easy to see the distribution and density of connections between categories.

Best for: Comparing relationships between node types

Tree

Arranges nodes in a hierarchical top-down layout. Parent nodes branch into child nodes, showing the chain of relationships from high-level controls down to specific configurations.

Best for: Understanding hierarchical dependencies

Radial

A circular tree layout where the root sits at the center and branches radiate outward. It uses space efficiently for large hierarchies and makes branch sizes easy to compare.

Best for: Viewing large datasets in a compact layout

Matrix

A grid-based adjacency matrix where rows and columns represent nodes. Cells are filled where connections exist, providing a systematic view of every relationship without visual clutter from crossing edges.

Best for: Identifying coverage gaps and dense interconnections
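The same two questions the scenario above and the Matrix view answer interactively (which controls and validating Config rules attach to a service, and which controls have no Config rule at all) can be asked of a JSON export programmatically. The script below is an added example, not code from the Control Map project; the nodes/edges JSON layout and the control-to-rule-to-service mappings in it are constructed assumptions, since the page does not document the real export schema.

```python
# Added example (not part of the Control Map tool). Works over a constructed
# JSON export in an assumed nodes/edges shape: each node has an id and a type
# (service, control, rule, technique), each edge links two node ids.
import json
from collections import defaultdict

# Constructed sample data; the specific mappings are illustrative only.
SAMPLE_EXPORT = json.dumps({
    "nodes": [
        {"id": "S3", "type": "service"},
        {"id": "Lambda", "type": "service"},
        {"id": "AC-3", "type": "control"},   # Access Enforcement
        {"id": "SC-28", "type": "control"},  # Protection of Information at Rest
        {"id": "AU-2", "type": "control"},   # Event Logging
        {"id": "s3-bucket-public-read-prohibited", "type": "rule"},
        {"id": "s3-bucket-server-side-encryption-enabled", "type": "rule"},
        {"id": "T1530", "type": "technique"},  # Data from Cloud Storage
    ],
    "edges": [
        ["S3", "AC-3"], ["S3", "SC-28"], ["S3", "AU-2"], ["Lambda", "AU-2"],
        ["AC-3", "s3-bucket-public-read-prohibited"],
        ["SC-28", "s3-bucket-server-side-encryption-enabled"],
        ["AC-3", "T1530"],
    ],
})

def load_map(text):
    """Parse the export into a type lookup and an undirected adjacency set."""
    data = json.loads(text)
    types = {n["id"]: n["type"] for n in data["nodes"]}
    adj = defaultdict(set)
    for a, b in data["edges"]:
        adj[a].add(b)
        adj[b].add(a)
    return types, adj

def controls_for_service(types, adj, service):
    """Scenario steps 2-3: controls linked to a service, each with the Config
    rules that can validate it (an empty list means no automated check)."""
    result = {}
    for ctrl in sorted(n for n in adj[service] if types[n] == "control"):
        result[ctrl] = sorted(r for r in adj[ctrl] if types[r] == "rule")
    return result

def coverage_gaps(types, adj):
    """What the Matrix view surfaces: controls with no Config rule attached."""
    return sorted(c for c, t in types.items() if t == "control"
                  and not any(types[n] == "rule" for n in adj[c]))

if __name__ == "__main__":
    types, adj = load_map(SAMPLE_EXPORT)
    print("S3 controls:", controls_for_service(types, adj, "S3"))
    print("Controls lacking a Config rule:", coverage_gaps(types, adj))
```

In the constructed sample, AU-2 is linked to both services but to no Config rule, so it is the one control that would need a manual or alternative validation method in the ATO package.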

Sankey

A flow diagram where the width of each band is proportional to the number of connections it carries. It traces the flow from NIST controls through Config rules to AWS services, showing where compliance effort concentrates.

Best for: Tracing flow and seeing where connections concentrate