Controls are the building blocks of your compliance program. Each control represents a specific security or operational requirement that your organization must implement to satisfy one or more framework requirements.

What Controls Are

A control in Regentra is an organizational requirement that maps to specific clauses, sections, or criteria within compliance frameworks. For example:
  • “Enforce Multi-Factor Authentication” might map to HIPAA § 164.312(d), SOC 2 CC6.1, and NIST CSF PR.AC-7
  • “Maintain an Incident Response Plan” might map to HIPAA § 164.308(a)(6), SOC 2 CC7.3, and ISO 27001 A.16.1.1
Controls are seeded when you adopt a framework and are linked across frameworks through the Common Control Framework (CCF).

Control Statuses

Every control has a status that reflects its current implementation state:
Status       | Meaning
Not Started  | No work has been done on this control yet
In Progress  | Implementation is underway but not complete
Implemented  | The control is fully in place and operational
Needs Review | The control was previously implemented but requires review, because evidence is expiring, a policy changed, or a scheduled review cycle is due
N/A          | The control does not apply to this organization's environment
The HHS SRA Tool's "Flag for later" state is not a control status. It is exposed separately on the assessment workflow (see Risk Assessment → Control assessments), where assessment statuses include FLAGGED_FOR_REVIEW; that is distinct from the implementation status on the control itself.
Controls default to Not Started when a framework is adopted. Updating statuses is how you track progress toward full compliance.

The Control Detail Page

Click on any control to open its detail page. This is where you do the actual implementation work.

How to Satisfy

Each control includes a How to Satisfy section with practical guidance on what is required. This section explains:
  • What the framework requirement actually asks for
  • Common implementation approaches
  • What evidence auditors expect to see

Policy Documentation

Link relevant policies to the control. If you have a “Password Management Policy” that supports an access control requirement, attach it here so auditors can trace the connection.

Implementation Notes

Free-form text field where you document how your organization specifically implements this control. Be detailed — this is what you will reference during audits.

Evidence

Attach evidence that proves the control is implemented. Evidence can be:
  • Files — screenshots, configuration exports, signed documents
  • Links — URLs to dashboards, monitoring tools, or external systems
  • Automated signals — evidence pulled automatically from connected integrations

Assignment

Assign the control to a specific team member who is responsible for implementation and ongoing maintenance.

Framework Mappings

The right sidebar of the control detail page shows Framework Mappings — a list of every framework requirement this control satisfies. If a control maps to three different frameworks, you will see all three listed with their specific clause or section references. This visibility is key for understanding how a single implementation effort contributes to multiple compliance programs.

Cross-framework citations (NIST CSF, HPH CPG, HICP)

Below the Framework Mappings, each control card shows an Also referenced as panel sourced from the HHS/ONC SRA Tool v3.6.1. For every HIPAA §ref the control covers, the panel lists:
  • NIST CSF category and subcategory IDs (e.g., ID.RA, PR.AC-7, DE.CM-7). Note that IDs of the form PR.AC-7 are NIST CSF 1.1 identifiers; CSF 2.0 renumbered them (access control moved to PR.AA, and subcategories use two-digit numbers such as DE.CM-01), so confirm which CSF version the workbook cites before presenting a mapping to an auditor as the 2.0 equivalent
  • HPH CPG numeric references (the HHS Healthcare and Public Health Sector Cybersecurity Performance Goals)
  • HICP Technical Volume references (Health Industry Cybersecurity Practices)
These cross-references put every external framework that probes the same HIPAA §ref in one place, which is useful when preparing for a cross-framework audit or when an auditor asks "show me the NIST CSF equivalent."

SRA Tool question reference

For each control whose hipaaRef matches a question in the HHS/ONC SRA Tool v3.6.1 workbook, the control card shows a collapsible HHS SRA Tool questions for §164.xxx panel listing every SRA question that probes that §ref. Each question renders:
  • The question text and its SRA-S{section}-Q{n} code
  • HHS’s Required / Addressable flag (when present)
  • The full multi-choice answer set with HHS’s per-answer markers (✓ compliant per HHS, ! risk indicated, · skip)
This is a read-only reference: Regentra does not currently track which answers operators select. Operators running the SRA Tool workbook in parallel use this panel to see "for this control, here are the HHS questions to answer" alongside Regentra's control checklist and evidence. See Risk Assessment → Alignment with the HHS/ONC SRA Tool for the broader picture.

Gap Analysis

The gap analysis view shows you where your compliance program stands and where the gaps are.
1. Open gap analysis
   Navigate to the Compliance Dashboard or select Gap Analysis from the sidebar. Choose a framework or view all frameworks.
2. Review gaps by status
   Controls are grouped by status. Focus on Not Started and In Progress controls to understand your remaining work.
3. Prioritize remediation
   Sort by risk level or framework criticality. High-risk controls and those that map to multiple frameworks should typically be addressed first.
4. Assign and track
   Assign each gap to a team member with a target completion date. Track progress from the dashboard.
Use the gap analysis before client meetings or audit prep sessions. It gives you a clear picture of what has been done, what remains, and where to focus effort for the biggest compliance impact.
Setting a control to N/A removes it from your compliance score calculation. Only mark a control as N/A when the requirement genuinely does not apply to the organization's environment, and record the reason in the control's Implementation Notes: auditors will ask for the justification, and a HIPAA "addressable" specification still requires a documented rationale when it is not implemented.
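The following Python sketch is an added example, not Regentra code, that models the gap-analysis behaviour described above: controls carry a status and framework mappings, N/A controls drop out of the score, Implemented controls with expired evidence fall back to Needs Review, and remaining gaps are ordered for remediation. The score formula (implemented divided by applicable controls), the per-control risk field and the evidence-expiry rule are assumptions chosen for illustration; the sample controls and dates are constructed.

```python
"""Toy gap-analysis model for a control set like the one described on this page.

Added example, not Regentra code. Assumed for illustration:
  - score = Implemented controls / (all controls - N/A controls)
  - an Implemented control whose evidence has expired is treated as Needs Review
  - remediation order = highest risk first, then most framework mappings, then name
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

RISK_RANK = {"high": 0, "medium": 1, "low": 2}   # lower sorts first


@dataclass
class Evidence:
    label: str
    expires: Optional[date] = None   # None means the evidence does not expire


@dataclass
class Control:
    name: str
    status: str                      # Not Started / In Progress / Implemented / Needs Review / N/A
    risk: str                        # high / medium / low (assumed field, not on the page)
    mappings: dict = field(default_factory=dict)     # framework -> clause or criterion
    evidence: list = field(default_factory=list)     # list[Evidence]


def effective_status(c: Control, today: date) -> str:
    """Implemented controls with any expired evidence are reported as Needs Review."""
    if c.status == "Implemented" and any(
        e.expires is not None and e.expires < today for e in c.evidence
    ):
        return "Needs Review"
    return c.status


def group_by_status(controls, today: date) -> dict:
    """Step 2 of the gap analysis: control names grouped by their effective status."""
    groups = defaultdict(list)
    for c in controls:
        groups[effective_status(c, today)].append(c.name)
    return dict(groups)


def compliance_score(controls, today: date) -> float:
    """Fraction of applicable (non-N/A) controls that are effectively Implemented."""
    applicable = [c for c in controls if c.status != "N/A"]
    if not applicable:
        return 0.0
    done = sum(1 for c in applicable if effective_status(c, today) == "Implemented")
    return done / len(applicable)


def remediation_queue(controls, today: date) -> list:
    """Step 3: every gap (not Implemented, not N/A), highest risk and most mappings first."""
    gaps = [c for c in controls if effective_status(c, today) not in ("Implemented", "N/A")]
    gaps.sort(key=lambda c: (RISK_RANK[c.risk], -len(c.mappings), c.name))
    return [c.name for c in gaps]


# Constructed sample data. The first two controls reuse the page's own examples;
# the rest are made up to exercise each status.
TODAY = date(2025, 6, 1)
SAMPLE = [
    Control("Enforce Multi-Factor Authentication", "Implemented", "high",
            {"HIPAA": "164.312(d)", "SOC 2": "CC6.1", "NIST CSF": "PR.AC-7"},
            [Evidence("IdP MFA policy export", date(2025, 1, 15))]),   # expired evidence
    Control("Maintain an Incident Response Plan", "In Progress", "high",
            {"HIPAA": "164.308(a)(6)", "SOC 2": "CC7.3", "ISO 27001": "A.16.1.1"}),
    Control("Encrypt Backups at Rest", "Not Started", "medium",
            {"HIPAA": "164.312(a)(2)(iv)"}),
    Control("Screen Workforce Members", "Implemented", "low",
            {"HIPAA": "164.308(a)(3)(ii)(B)"}, [Evidence("HR screening records")]),
    Control("Physical Safeguards for Data Center", "N/A", "high",
            {"HIPAA": "164.310(a)(1)"}),
]

if __name__ == "__main__":
    print(group_by_status(SAMPLE, TODAY))
    print(f"score: {compliance_score(SAMPLE, TODAY):.0%}")
    print(remediation_queue(SAMPLE, TODAY))
```

On the sample data the MFA control is reported as Needs Review because its only evidence expired before TODAY, the score is 25% (one of four applicable controls implemented; the N/A control is excluded), and the remediation queue lists the two high-risk, three-framework controls before the single-framework backup control.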