
06.05 Control Mapping with the UCF Extra

The Unified Compliance Framework (UCF) Extra integrates with the UCF service to provide cross-framework control mappings. Map your operational controls once; UCF surfaces the equivalent controls across NIST, ISO, PCI, HIPAA, SOC 2, and the other authority documents UCF tracks. Useful for multi-framework compliance programs.

Requires: UCF Extra

The UCF integration, the cross-framework mapping tables, and the UCF API client all live in the UCF Extra at simplerisk/extras/ucf/. Without the Extra activated, SimpleRisk has no UCF-aware mapping; cross-framework correspondence is something you'd have to track manually.

Why this matters

Most mid-to-large compliance programs care about more than one framework. The same operational control (say, "user access reviews quarterly") satisfies NIST SP 800-53 AC-2, ISO 27001 A.5.18, PCI DSS Requirement 7, SOC 2 CC6.2, HIPAA Security Rule 164.308(a)(4)(ii), and others. Without a cross-framework mapping, the program either maintains its own spreadsheet correlating frameworks (high maintenance cost; goes stale) or claims compliance against each framework independently and accepts the duplicate audit work.

The Unified Compliance Framework (UCF) is a commercial service maintained by Network Frontiers / UCF Project that does this correlation as a business. They track thousands of authority documents (the UCF term for what most programs call "frameworks": NIST, ISO, PCI, HIPAA, SOC, regional regulations, industry standards) and produce mappings between their respective controls. The SimpleRisk UCF Extra plugs into that service: you map your operational controls to UCF's "Common Controls"; UCF then tells you which authority-document controls each Common Control satisfies.

The honest scope to know up front: UCF is a commercial service. Activating the Extra makes the integration available; using it requires a UCF Project subscription (the application talks to https://api.unifiedcompliance.com/, which requires authentication credentials from your UCF account). The cost varies by license tier; small programs typically can't justify it, and most enterprise compliance programs already have or will get a UCF subscription as part of their broader GRC tooling.

The other thing worth knowing: the value scales with framework count. A program operating against one framework gets little from UCF (the cross-framework mappings don't add anything; the program already has direct framework-to-control mappings). A program operating against five or more frameworks (typical for regulated mid-market and enterprise) gets substantial value — one operational control change propagates across every framework's view of compliance.

The third thing: UCF's mappings are opinionated. The mappings are produced by UCF's compliance research team; they reflect UCF's interpretation of which controls cross-walk to which. Auditors who use UCF themselves accept these mappings; auditors who maintain their own mappings may dispute them. Plan to have the conversation with your auditor about whose mapping authority your program defers to.

Before you start

Have these in hand:

  • Admin access to Configure → Extras → UCF Extra for activation, and to the governance UI for using the cross-framework mappings.
  • A UCF Project subscription. Contact UCF Project (https://www.unifiedcompliance.com/) for licensing. Without a subscription, the Extra activates but the mapping data isn't available.
  • The UCF API credentials that come with your subscription — typically an API key or OAuth client credentials. Store them securely; the Extra needs them configured to authenticate against UCF's API.
  • A list of your operational controls that you want to UCF-map. The mapping is per-control; programs typically start with their highest-value or most-complex controls and work outward.
  • Existing frameworks installed in SimpleRisk that UCF's mappings will cross-reference. UCF's authority documents map to controls within frameworks; the SimpleRisk-side framework needs to exist for the mapping to land somewhere.

Step-by-step

1. Activate the UCF Extra

Sidebar: Configure → Extras → UCF Extra → Activate. The activation:

  1. Sets ucf = 'true' in the settings table.
  2. Creates the database tables: ucf_ad_lists (UCF authority document lists), ucf_authority_documents (the cross-walk between UCF authority documents and SimpleRisk frameworks via simplerisk_framework_id), ucf_authority_document_controls (the cross-framework control mappings via simplerisk_control_id), ucf_audit_items.
  3. Surfaces the UCF mapping UI within the governance pages.

Activation alone doesn't pull data; you still need to configure the API credentials.

2. Configure the UCF API credentials

After activation, the Extra's settings page exposes:

  • UCF Server URL — typically https://api.unifiedcompliance.com/ (the default).
  • UCF API key / OAuth credentials — provided by your UCF subscription.

Enter the credentials and save. The Extra now authenticates against UCF for subsequent operations.

If you don't have a subscription, the connection will fail and the mapping data won't populate. There's no SimpleRisk-side workaround; UCF's data is the value the Extra delivers.

3. Sync UCF authority documents

With credentials configured, trigger a sync from UCF. The Extra pulls:

  • The list of UCF authority documents (NIST CSF, ISO 27001, PCI DSS, etc. — typically thousands of authority documents in UCF's catalog).
  • For each authority document the Extra is configured to track, the UCF Common Controls that map to it.

Programs typically don't pull every UCF authority document; the relevant ones are mapped to specific SimpleRisk frameworks. The mapping UI lets you select which UCF authority documents correspond to your installed SimpleRisk frameworks.

4. Map SimpleRisk frameworks to UCF authority documents

For each SimpleRisk framework you want UCF cross-walk for:

  1. Open the framework in the governance UI.
  2. Find the UCF mapping section (added by the Extra).
  3. Select the corresponding UCF authority document.
  4. Save.

The mapping is recorded in ucf_authority_documents with simplerisk_framework_id linking to the framework. Now UCF knows which framework SimpleRisk represents as which authority document.

5. Map controls cross-framework

With framework-level mappings in place, control-level mappings populate via UCF:

  1. For a SimpleRisk operational control, the Extra queries UCF for the Common Control(s) it maps to.
  2. UCF returns the list of authority-document controls that the Common Control satisfies (across every UCF-tracked authority document).
  3. The mapping is recorded in ucf_authority_document_controls with simplerisk_control_id linking to the SimpleRisk control.

After mapping, the SimpleRisk control's detail view shows the UCF Common Control(s) it maps to and the cross-framework controls those Common Controls satisfy.

6. Use cross-framework mappings in compliance views

Once mapping is in place, the value surfaces in:

  • Compliance dashboards — the framework-level pass/fail can include cross-framework attribution ("our user-access review process satisfies AC-2, A.5.18, Req 7, CC6.2, and 164.308(a)(4)(ii)").
  • Audit responses — when an auditor asks "where do you address ISO 27001 A.5.18?", the answer can reference your operational control plus UCF's cross-framework mapping rather than requiring per-framework duplicate work.
  • Multi-framework reports — produce a single matrix showing every operational control × every framework it satisfies.

The exact UI surfaces depend on your install's UCF Extra version; the principle is consistent.
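Steps 4 through 6 describe a three-layer cross-walk: an operational control maps to one or more UCF Common Controls, each Common Control satisfies controls in several authority documents, and only authority documents that are mapped to an installed SimpleRisk framework land anywhere. The following is an added Python model of that data flow, not the Extra's own code. The control ids, Common Control ids, sample mappings and the installed-framework set are all constructed; the authority-document references reuse the examples from this page.

```python
"""Model of the UCF cross-walk as this page describes it. Added example,
not the UCF Extra's own code; all ids and mappings below are constructed."""
from collections import defaultdict

# Constructed: SimpleRisk operational controls keyed by a made-up control id.
OPERATIONAL_CONTROLS = {
    101: "Quarterly user access reviews",
    102: "Centralized logging with 12-month retention",
}

# Constructed: operational control -> UCF Common Control ids (assumed id format).
CONTROL_TO_COMMON = {
    101: ["CC-00042"],
    102: ["CC-00118", "CC-00119"],
}

# Constructed: Common Control -> (authority document, control reference).
# The references for CC-00042 are the ones quoted on this page.
COMMON_TO_AUTHORITY = {
    "CC-00042": [
        ("NIST SP 800-53", "AC-2"),
        ("ISO 27001", "A.5.18"),
        ("PCI DSS", "Req 7"),
        ("SOC 2", "CC6.2"),
        ("HIPAA Security Rule", "164.308(a)(4)(ii)"),
    ],
    "CC-00118": [("NIST SP 800-53", "AU-2"), ("PCI DSS", "Req 10")],
    "CC-00119": [("NIST SP 800-53", "AU-11"), ("ISO 27001", "A.8.15")],
}

# Constructed: authority documents that have a step-4 mapping to an installed
# SimpleRisk framework. HIPAA is deliberately left out to show the filtering.
INSTALLED_FRAMEWORKS = {"NIST SP 800-53", "ISO 27001", "PCI DSS", "SOC 2"}


def crosswalk(control_id):
    """Step 5: {framework: sorted control refs} for one operational control,
    restricted to authority documents with a SimpleRisk-side framework."""
    result = defaultdict(set)
    for cc in CONTROL_TO_COMMON.get(control_id, []):
        for framework, ref in COMMON_TO_AUTHORITY.get(cc, []):
            if framework in INSTALLED_FRAMEWORKS:
                result[framework].add(ref)
    return {fw: sorted(refs) for fw, refs in result.items()}


def coverage_matrix():
    """Step 6: control x framework matrix; cell is a comma-joined ref list
    or an empty string where the control satisfies nothing in that framework."""
    frameworks = sorted(INSTALLED_FRAMEWORKS)
    matrix = {}
    for cid in OPERATIONAL_CONTROLS:
        cw = crosswalk(cid)
        matrix[cid] = {fw: ", ".join(cw.get(fw, [])) for fw in frameworks}
    return matrix


def where_addressed(framework, ref):
    """Reverse lookup for the audit question 'where do you address X?':
    list of (operational control id, Common Control) pairs that satisfy it."""
    hits = []
    for cid, ccs in CONTROL_TO_COMMON.items():
        for cc in ccs:
            if (framework, ref) in COMMON_TO_AUTHORITY.get(cc, []):
                hits.append((cid, cc))
    return hits


if __name__ == "__main__":
    for cid, row in coverage_matrix().items():
        print(OPERATIONAL_CONTROLS[cid])
        for fw, refs in row.items():
            print(f"  {fw:20s} {refs or '-'}")
    print("ISO 27001 A.5.18 ->", where_addressed("ISO 27001", "A.5.18"))
```

Note that `where_addressed` does not apply the installed-framework filter: an auditor may ask about an authority document you have not mapped yet, and the answer "a Common Control we already satisfy covers it" is exactly the signal that the step-4 mapping for that framework is worth adding.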

7. Plan for UCF subscription lifecycle

Like any commercial subscription:

  • Renewal — UCF subscriptions are typically annual. Track renewal dates; an expired subscription causes API authentication failures, which leave the Extra operating against stale local data.
  • Credential rotation — UCF may rotate API credentials periodically. Update the SimpleRisk-side configuration when this happens.
  • Tier changes — UCF licenses by data scope; if you add an authority document not covered by your tier, queries may fail. Coordinate with UCF on tier scoping.
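The failure mode in the renewal bullet is quiet: the cached tables keep answering queries, so nothing in the UI looks broken. The following added Python check (not the Extra's own code) reads a constructed sync history and reports the two conditions worth alerting on: the last successful sync is older than your sync policy, and the most recent syncs have failed authentication, which is what an expired subscription or rotated credential looks like from the SimpleRisk side. The log format, the 90-day default and the two-failure streak are assumptions.

```python
"""Sync-health check for the UCF subscription lifecycle. Added example,
not the Extra's own code; log format and thresholds are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sync history: one "<ISO timestamp> <outcome>" line per run.
# "auth_failed" stands for an authentication error from the UCF API.
SYNC_LOG = """\
2024-01-15T02:00:00Z ok
2024-02-15T02:00:00Z ok
2024-03-15T02:00:00Z auth_failed
2024-04-15T02:00:00Z auth_failed
"""


def _parse_ts(text):
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_sync_log(text):
    """Return a list of (timestamp, outcome) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome = line.split()
        entries.append((_parse_ts(ts), outcome))
    return entries


def sync_health(entries, now, max_age=timedelta(days=90), failure_streak=2):
    """Return a list of findings; an empty list means the cached mappings are
    fresh and the last syncs authenticated successfully."""
    findings = []
    successes = [ts for ts, outcome in entries if outcome == "ok"]
    if not successes:
        findings.append("no successful sync on record; local UCF tables are "
                        "unpopulated or unverified")
    else:
        age = now - max(successes)
        if age > max_age:
            findings.append(f"last successful sync {age.days} days ago exceeds "
                            f"the {max_age.days}-day policy; cached mappings are stale")
    # Count the run of failures at the most recent end of the history.
    streak = 0
    for _, outcome in sorted(entries, reverse=True):
        if outcome != "auth_failed":
            break
        streak += 1
    if streak >= failure_streak:
        findings.append(f"{streak} consecutive authentication failures; check "
                        "subscription renewal or rotated API credentials")
    return findings


def check_sync_log(text, now_iso):
    """Convenience wrapper: parse a log and evaluate it at a given instant."""
    return sync_health(parse_sync_log(text), _parse_ts(now_iso))


if __name__ == "__main__":
    for finding in check_sync_log(SYNC_LOG, "2024-06-01T00:00:00Z"):
        print("-", finding)
```

Run the check from whatever scheduler triggers your periodic sync and route non-empty findings to the same channel as your other GRC alerts; the point is that a missed renewal surfaces before the next audit cycle rather than during it.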

8. Plan for deactivation

Deactivating the UCF Extra:

  1. Sets ucf = 'false'.
  2. Optionally drops the UCF tables (depending on the Extra version's deactivation behavior; older versions preserved data).
  3. Removes the UCF mapping UI from governance pages.

Deactivation reverts your install to native framework management without cross-walk. Plan ahead if you've come to rely on UCF mappings; without them, the multi-framework compliance work becomes manual again.

Common pitfalls

A handful of patterns recur with UCF.

  • Activating the Extra without a UCF subscription. Activation succeeds; nothing meaningful happens because the API calls have no auth. The Extra's value is conditional on the subscription; have the subscription before activating.

  • Treating UCF mappings as authoritative without auditor agreement. UCF is a commercial vendor's interpretation; auditors may have their own mapping methodology. Have the conversation with your auditor before relying on UCF mappings in audit responses.

  • Mapping every framework to UCF. UCF mapping is most valuable for the frameworks that overlap heavily; for unique-to-program frameworks, the mapping isn't there. Map selectively.

  • Forgetting to renew the subscription. Expired subscription → API failures → stale local data. The mappings appear to work because the Extra still has the cached tables, but they're not updating. Track renewals.

  • Confusing UCF Common Controls with operational controls. UCF Common Controls are an abstraction layer; your operational controls (firewall, access policy, training program) are mapped to Common Controls. Don't try to operate against UCF Common Controls directly.

  • Letting UCF mappings drift without periodic sync. Authority documents update; UCF refreshes its mappings. Trigger periodic syncs (monthly or quarterly) to pick up changes.

  • Not coordinating with the SCF Extra. The ComplianceForge SCF Extra (see The ComplianceForge SCF Extra) is a parallel cross-framework mapping system. UCF and SCF have different mappings, different licensing, and different coverage. Most programs use one, not both; pick based on your auditor's preference and the framework set you actually need.

  • Over-relying on UCF for niche or new frameworks. UCF's coverage is broad but not infinite; very new or very specialized frameworks may not be in UCF's catalog. For those, native SimpleRisk framework management is the path.

  • Storing UCF API credentials in cleartext config files outside SimpleRisk. Keep the credentials in the SimpleRisk settings (where they're at least as protected as the database itself); don't paste them into deployment scripts or environment variables that bleed into logs.

  • Treating UCF activation as low-impact. It changes how compliance reporting and control mapping work; users and auditors who relied on the prior model will see different output. Communicate the change.
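The credential-storage pitfall above has a second half: even when the key lives in the SimpleRisk settings, anything that logs a request or an environment dump can copy it out. The following added Python helper (not the Extra's own code) masks a configured credential value and, independently, anything shaped like an authorization or API-key header, so that a log line is safe whether or not the logger knows the current key. The sample log lines, the placeholder key value and the header names are constructed; the page does not state which header UCF's API uses.

```python
"""Log redaction for UCF API credentials. Added example, not the Extra's
own code; the credential value, header names and log lines are constructed."""
import re

# Header-shaped credentials: "Authorization: Bearer <token>", "X-Api-Key: <key>",
# "UCF_API_KEY=<key>". Group 1 is the prefix to keep, group 2 the value to mask.
# The header names are assumptions; UCF's actual header is not given on the page.
HEADER_RE = re.compile(
    r"(?i)((?:authorization|x-api-key|api[_-]?key)\s*[:=]\s*(?:bearer\s+)?)(\S+)"
)

MASK = "[REDACTED]"


def redact(line, secrets=()):
    """Mask known secret values, then any header-shaped credential."""
    # 1. Exact-value masking for every configured secret, wherever it appears.
    for secret in secrets:
        if secret:
            line = line.replace(secret, MASK)
    # 2. Pattern masking catches values the logger was never told about.
    return HEADER_RE.sub(lambda m: m.group(1) + MASK, line)


def redact_all(lines, secrets=()):
    return [redact(line, secrets) for line in lines]


# Constructed: a placeholder key and the kinds of lines that leak it.
EXAMPLE_KEY = "ucf-EXAMPLE-KEY-9f3c"
SAMPLE_LINES = [
    "GET https://api.unifiedcompliance.com/ Authorization: Bearer " + EXAMPLE_KEY,
    "deploy.sh: export UCF_API_KEY=" + EXAMPLE_KEY,
    "sync ok: 1842 authority documents pulled",
    "retry with key " + EXAMPLE_KEY + " after 401",
]


if __name__ == "__main__":
    for line in redact_all(SAMPLE_LINES, secrets=[EXAMPLE_KEY]):
        print(line)
```

Apply `redact` at the logging handler, not at individual call sites, so a new log statement cannot bypass it. The exact-value pass is what protects the fourth sample line, where the key appears with no header prefix; the pattern pass is what protects you during rotation, when the logger may still hold the old value.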

Related

Reference

  • Permission required: governance (or admin) for the UCF mapping UI; check_admin for the Extra activation and API credentials configuration.
  • API endpoint(s): The Extra exposes UCF mapping data via /api/v2/governance/... endpoints; specific routes depend on the Extra version.
  • Implementing files: simplerisk/extras/ucf/index.php (enable_ucf_extra(), disable_ucf_framework($framework_id), the UCF API client and mapping logic).
  • Database tables: ucf_ad_lists (UCF authority document lists); ucf_authority_documents (UCF AD ↔ SimpleRisk framework mapping); ucf_authority_document_controls (UCF AD control ↔ SimpleRisk control mapping); ucf_audit_items (audit-related entries).
  • config_settings keys: ucf (Extra activation flag); UCF Server URL and API credentials (typically named per the Extra's settings UI).
  • External dependencies: A UCF Project subscription with API access; reachable connection to https://api.unifiedcompliance.com/ (or your UCF tenant's endpoint).