framework-mapping
Bidirectional mapping between document sections and compliance framework controls with confidence scoring. Produces per-section control mappings and per-control coverage summaries across NIST, HITRUST, ISO 27001, SOC 2, and HIPAA.
Install via CLI (Recommended)
clawhub install openclaw/skills/skills/dangsllc/framework-mapping
Framework Mapping Skill
You are a compliance analyst building a structured mapping between a policy/procedure document and the controls of a compliance framework (e.g., NIST 800-53, HITRUST CSF, HIPAA Security Rule, ISO 27001, SOC 2). Your output is a bidirectional mapping — controls → document sections AND document sections → controls. This mapping is then used to drive gap analysis.
Mapping Procedure (Step-by-Step)
Follow this procedure for each document section:
- Identify the section's primary topic — What compliance domain does this section address? (e.g., access control, risk management, incident response, physical security, training)
- Enumerate candidate controls — List every framework control whose scope overlaps with the section's topic. Be broad at this stage — it's better to consider too many than too few.
- Score relevance for each candidate — Apply the relevance criteria below to determine how directly the section addresses each candidate control.
- Prune low-relevance mappings — Drop any mappings with a relevance score below 0.3 unless the framework control has no other coverage in the document (then keep and flag as weak).
- Assign a coverage type — For each retained mapping, classify whether the section provides primary coverage, supplemental coverage, or only tangential evidence for the control.
Relevance Scoring Criteria
| Score Range | Meaning |
|---|---|
| 0.9 – 1.0 | Section directly implements or defines the control. Uses equivalent regulatory language. |
| 0.7 – 0.89 | Section substantially addresses the control with specific procedures or requirements. Minor aspects may be missing. |
| 0.5 – 0.69 | Section is meaningfully related to the control but leaves significant implementation details unaddressed. |
| 0.3 – 0.49 | Section has incidental overlap — mentions a related topic but does not satisfy the control's core requirement. |
| 0.0 – 0.29 | Section is only tangentially related. Do not include in mapping unless it is the only evidence. |
Coverage Type Definitions
- Primary: This section is the main policy or procedure that directly satisfies the control requirement. The control owner would point to this section as the definitive coverage.
- Supplemental: This section adds additional detail, implementation guidance, or context that supports the primary coverage. It alone would not satisfy the control.
- Tangential: This section mentions the control's topic in passing but does not constitute policy or procedural coverage. Flag these; they may indicate the control is partially understood but underdeveloped.
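The pruning rule in step 4 depends on a whole-document property: "no other coverage" can only be decided once every section has been scored against every candidate control, so scoring must finish before any mapping is dropped. The Python below is an added example, not code from this skill or from the Rote toolkit. It takes analyst-assigned relevance scores over constructed sample section titles and NIST 800-53-style control IDs (all constructed), applies the 0.3 threshold with the weak-evidence exception, and emits the section-to-control and control-to-section maps together with a per-control coverage summary. The default coverage type derived from the score band (best-scoring section at 0.7 or above as primary, 0.5 to 0.69 as supplemental, 0.3 to 0.49 as tangential) is an illustrative assumption; in the procedure above the coverage type is an analyst judgment that would override it.

```python
"""Bidirectional section <-> control mapping with pruning and coverage summary.

Added example for the mapping procedure; not the skill's own code.
"""
from collections import defaultdict

PRUNE_THRESHOLD = 0.3  # step 4: drop mappings scored below 0.3 ...

# Constructed sample input: (section_id, control_id, relevance_score)
# as an analyst would assign them using the relevance table.
SAMPLE_SCORES = [
    ("3.1 Access Control Policy", "AC-1", 0.95),
    ("3.2 Account Management", "AC-2", 0.80),
    ("3.2 Account Management", "AC-1", 0.55),
    ("5.4 Onboarding Checklist", "AC-2", 0.40),
    ("5.4 Onboarding Checklist", "AT-2", 0.20),  # only evidence for AT-2: kept, weak
    ("7.1 Incident Reporting", "IR-6", 0.85),
    ("7.1 Incident Reporting", "IR-4", 0.25),    # IR-4 has better coverage: dropped
    ("7.2 Incident Handling", "IR-4", 0.75),
]
# Constructed control list; PE-3 has no candidate section at all.
CONTROLS = ["AC-1", "AC-2", "AT-2", "IR-4", "IR-6", "PE-3"]


def suggest_coverage(score, is_best):
    """Default coverage type from the score band (assumption; analyst may override)."""
    if score >= 0.7 and is_best:
        return "primary"
    if score >= 0.5:
        return "supplemental"
    if score >= PRUNE_THRESHOLD:
        return "tangential"
    return "weak"


def build_mapping(scores, controls):
    """Return (control_to_sections, section_to_controls, per_control_summary)."""
    by_control = defaultdict(list)
    for section, control, score in scores:
        by_control[control].append((section, score))

    control_to_sections = {}
    section_to_controls = defaultdict(list)
    summary = {}
    for control in controls:
        # Score everything first, then prune: the exception below needs the full list.
        cands = sorted(by_control.get(control, []), key=lambda c: c[1], reverse=True)
        retained = [c for c in cands if c[1] >= PRUNE_THRESHOLD]
        weak = False
        if not retained:
            # Exception in step 4: no other coverage, so keep low-relevance
            # evidence (score above zero) and flag it as weak.
            retained = [c for c in cands if c[1] > 0]
            weak = bool(retained)
        entries = []
        for i, (section, score) in enumerate(retained):
            ctype = "weak" if weak else suggest_coverage(score, i == 0)
            entry = {"section": section, "score": score, "coverage": ctype}
            entries.append(entry)
            section_to_controls[section].append(
                {"control": control, "score": score, "coverage": ctype})
        control_to_sections[control] = entries
        status = "uncovered" if not entries else ("weak" if weak else "covered")
        summary[control] = {
            "status": status,
            "best_score": entries[0]["score"] if entries else 0.0,
            "sections": len(entries),
        }
    return control_to_sections, dict(section_to_controls), summary


if __name__ == "__main__":
    c2s, s2c, summ = build_mapping(SAMPLE_SCORES, CONTROLS)
    for control, info in summ.items():
        print(control, info)
    for section, ctrls in s2c.items():
        print(section, "->", [c["control"] for c in ctrls])
```

The summary is what drives the gap analysis this skill feeds: "uncovered" controls are outright gaps, "weak" controls are the flagged weak mappings from step 4, and a control whose best retained mapping is only supplemental or tangential is a partially covered one worth a closer look.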
Cross-Framework Mapping Rules
When mapping to multiple frameworks simultaneously:
Paste this into your clawhub.json to enable this plugin.
{
"plugins": {
"official-dangsllc-framework-mapping": {
"enabled": true,
"auto_update": true
}
}
}
Related Skills
baa-review
Clause-by-clause BAA analysis against 45 CFR 164.504(e)(2). Evaluates all 9 required HIPAA provisions with risk scoring and recommended contract language for every deficiency.
compliance-qa
Compliance-specific Q&A with regulatory interpretation guardrails, source attribution, confidence scoring, and escalation triggers when context is insufficient. Works standalone or RAG-enhanced with the Rote platform.
risk-assessment
Framework-directable information security risk assessment. Identifies threats, evaluates likelihood/impact via a 3x3 matrix, maps findings to any compliance framework, and recommends risk treatment options with prioritization guidance.
control-assessment
Evaluate individual framework controls against organizational documentation with evidence extraction, severity classification, and remediation recommendations.
compliance-posture-intake
Comprehensive HIPAA compliance posture assessment for agent and API contexts. Runs a structured intake covering all Seven Elements of an effective compliance program, chains hipaa-gap-analysis, baa-review, framework-mapping, compliance-qa, and control-assessment against provided documents, and produces a structured posture snapshot with maturity stage, enterprise blocker flags, gap prioritization, and a 30/60/90 day roadmap. Compatible with any agent context that has access to the rote-compliance-toolkit tools — via Claude Code plugin, Rote MCP server, or direct API integration.