
Framework Scoping - Supporting Segregated Accounts


Written by Brady Price

Secureframe enables our clients to link their frameworks to their segregated environments by allowing users to tag assets to these frameworks. For customers that process customer data (SOC2), credit card data (PCI), or personal health data (HIPAA) there can be particular assets and personnel handling this data. Supporting the tagging of assets to frameworks enables these customers to scope down their audits to only the relevant resources and thereby reduces time to audit. In order to better evaluate the health of the company in the context of these frameworks, Secureframe also calculates framework specific statuses (shown below).

Personnel Groups Framework Scoping

For personnel, it is often the case that only a subset of the personnel interact with segregated environments and protected data. Secureframe allows you to scope these personnel to the related trainings and policies that inform them of their specific compliance obligations under these frameworks. Secureframe makes it easy to ensure that only the relevant personnel see these policies and trainings by creating default groups to support each framework. To see how this works for personnel handling PHI data, please see this article here. For more information on setting up custom personnel groups, see here.

Asset Inventory Framework Scoping

For all tests related to the asset inventory, you will now see framework scope tags on the resources within the evidence page on the test slideout.

You will also see these framework scopes in the asset inventory itself.

In both parts of the app, you will have the option of editing framework scope for these assets. Editing framework scope impacts how this asset is tested across ALL TESTS, not just the test that you were making these edits in.

Upload Test Scoping

Upload test evidence can also be scoped to a particular framework through the new upload modal. By default, upload evidence will be scoped to all active frameworks unless otherwise specified in the modal.

Test and Control Sub-status

Given assets can now be scoped to specific frameworks, Secureframe will be calculating a sub-status for each framework a test is mapped to. This allows users to better understand how they are tracking with the lens of a particular framework. A sub-status differs from the overall rollup status in that it only considers assets that are tagged to that framework.

In the example above, this test is passing for PCI-SAQ-D because all assets scoped to that particular framework are passing (even though other assets are failing). The overall rollup status is still failing because assets scoped to other frameworks are still failing.

With tests having sub-statuses for each framework that test is mapped to, controls linked to those tests will also have these sub-statuses as well as a rollup status. These statuses function very similarly to the test rollups: a control's framework sub-status only considers the framework sub-statuses of the tests mapped to it, and its rollup status considers the overall status of those mapped tests.

Context-Specific Framework Statuses

Customers that want a more filtered view of these statuses in the context of a particular framework can do so by locating these tests and controls within the context of a framework. After clicking on a framework card on the frameworks page, the top level control status that you will see is the framework specific sub-status (rather than the overall one if viewed on the controls page).

For tests mapped to that control shown in the testing tab, these will also be filtered to the framework sub-status relevant for the framework being actively viewed.

In the example above, because the user is viewing this test in the context of the control IN PCI, the PCI sub-status is the one shown at the top level. The same logic applies to the testing tab of the framework as well:

The examples shown above are for cloud resources and cloud tests, but the same logic applies to all assets in the asset inventory and their respective tests, including devices, tickets and repositories.

Upload Tests and Evidence Scoping

In addition to asset inventory resources, you will also have the ability to scope upload evidence to specific frameworks. The example below shows the workflow a user might follow when uploading a network diagram that shows only customer data and customer PHI data relevant to SOC2 and HIPAA.

Test Exports with Framework Scopeable Evidence

Export evidence will now have additional columns to account for framework scoping. For all tests, when evidence/assets are scoped to a particular framework, only the relevant evidence will be exported from the framework > testing tabs and the framework test evidence exports.

Frequently Asked Questions

My tests keep switching from passing to failing, and it seems to be related to the evidence uploaded and the framework scope/sub-statuses?

  • In many cases, this happens when there is no framework scope added while uploading the evidence.

  • Next to the evidence in question, use the 3 dot menu to the right of the evidence > Mark in-scope for frameworks. This should now associate that evidence to a framework in scope and pass the test.
