Predictive Mapping and Control Crosswalk Addresses Control Stacking and Audit Fatigue

Rick Tracy
Rick Tracy
August 19, 2021 • 6 min read

In the past, I have frequently discussed the benefit of controls inheritance to address the burden of compliance and reduce audit fatigue. Controls inheritance is one of several automated features in Xacta® and is used to address audit fatigue by allowing users to inherit data from control providers – both on-premises and in the cloud.  It is a massive time saver in that it reduces the number of system controls users are responsible for addressing. 

Xacta offers another automated feature to address audit fatigue called Predictive Mapping™ that works hand in hand with our newly released controls crosswalk feature.  Both of these features can significantly reduce the time and effort required to validate and map results between similar controls from different standards and frameworks.

As new security compliance standards continue to emerge, the burden on auditors and compliance teams to address these standards becomes an increasingly daunting task.  This is especially so in highly regulated industries. To compound the issue, COVID has forced many organizations to downsize at the same time that cyber risk and compliance requirements are increasing.  In short, organizations are being forced to do more with less. 

Most security frameworks have similar (if not identical) controls and policies that are often described in different ways.  That is, the overlap between different security control frameworks is significant.  This results in what’s known in the industry as “control stacking.” As new security compliance controls are added, each new control has to be addressed individually, resulting in a significant amount of redundant work. Absent some automated way of relating these stacked controls to each other, the compliance burden continues to grow.

For example, every security control framework has controls that govern password strength.  When an organization has to comply with five different security standards, why should they have to document, validate, and provide artifacts and evidence five separate times for a control that addresses the same security concern?  The goal should be to maximize each control validation procedure to address as many like-controls as possible. It is possible to crosswalk controls manually, but this also takes an inordinate amount of time. The only answer to this dilemma is automation.

This is where Xacta’s Predictive Mapping and new controls crosswalk feature comes into play. With these features, Xacta automates the crosswalk and multi-validation process as much as possible, and as new security content is introduced, the mapping library grows.

How it works

In the newest release of, we have introduced a customizable control mapping library that includes pre-mapped controls between the top regulations and frameworks used in the industry (such as NIST SP 800-53, CNSS 1253, NIST CSF, FedRAMP, ISO 27002). Additional mappings can be added by administrators, and the default mappings list will continue to grow with future releases as customer need arises – including the mapping of other international standards. collects data via a variety of native and third-party security sensors, scanners, and agents that automate the security control validation process.  These security sensors relate findings to security reference models such as Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumerations (CWEs).  These reference models are also associated with well-known security control frameworks like NIST 800-53.  These associations allow Xacta to build and maintain a network of mappings that can be used to predict controls affected by test failures even if there is no direct association. 

For example, in the diagram below, the imported scanner test that is associated with a single CVE will be applied to the Predictive Mapping Engine to determine if a control association can be found.

In the example given, the CVE associated with the scanner test (in the import file) has been found to directly map to a CWE in the Xacta mapping repository.  The CWE has also been found to directly map to a control (AC-1b from NIST 800-53).  Once the Predictive Mapping engine finds a control mapping, the predictive process stops, the “test to control” mapping is established, and the result of that test is applied to the mapped control. If the test failed, the control is marked as not met, while if it passes, the control is met.

Predictive Mapping also helps provide the user with a confidence level based on the number of paths it takes for the engine to find a mapped control.  The user has the ability to adjust the confidence level threshold to best suit their organizations policies.

In the previous example, the engine traversed two paths to find the mapped control. Each path traversed results in a 10% loss in confidence, therefore resulting in an 80% Confidence Factor (CF) for the mapping of the test to the control.

The more direct the mapping is, the higher the confidence level.  This allows the user to focus on mappings with higher confidence levels to ensure the mappings are accurate and/or relevant.

Once a test result is automatically mapped to a control via Predictive Mapping, the crosswalk library does the rest of the work. Similar controls that are also mapped to the predictively mapped control will receive the same validation result – met or not met.

In summary

Predictive and control mapping are unique forms of automation designed to address the issue of ever-increasing regulatory burden resulting in audit fatigue, which is made even worse by the cyber skills shortage.

Organizations are being forced to do more with less.  The automation that comes with these new control and Predictive Mapping features leverage rudimentary smart systems technology to make organizations more efficient.  This automation also helps relieve the burden of audit fatigue and frees up staff to focus on more high-value tasks.

If you are interested in learning more about the value of Xacta’s Predictive Mapping and controls crosswalk technology, I encourage you to watch the on-demand webinar, Simplifying the Security Audit for Highly Regulated Industries, hosted by my colleagues Hugh Barrett, Vice President of Technical Solutions, and Amit Patel, Senior Business Analyst for Telos Corporation.

Rick Tracy
Rick Tracy
Former Senior VP and Chief Security Officer
Rick Tracy is the former senior vice president and chief security officer at Telos Corporation.
Read full bio

Subscribe to Our Newsletter

Although we may use your information for targeted marketing and advertising, as described in the Privacy Policy, we will never sell your information to any third party.