Custom Frameworks and Overlays. Your Controls. Forged with Full Rigor.

Enterprise Custom Compliance Structures

Import your own control catalogs and define organizational overlays with ADD, MODIFY, REMOVE, and PARAMETER operations. Compose them with standard frameworks into unified assessment views. AI-suggested mappings to NIST 800-53 with human confirmation required before activation. Enterprise tier.

Your organization's controls deserve the same rigor as published frameworks.

Published frameworks cover broad categories of security requirements. They do not cover every internal policy, contractual obligation, or industry-specific control that your organization enforces. Custom frameworks and organizational overlays in Redoubt Forge bring those requirements into the same compliance engine that handles CMMC, FedRAMP, NIST 800-53, SOC 2, and every other published framework. Same scoring. Same evidence collection. Same reporting. Enterprise tier only.

01
What Are Custom Frameworks and Organizational Overlays
User-Defined Compliance Structures for Requirements No Published Framework Covers.

Every organization operates under requirements that extend beyond published compliance frameworks. Internal security policies developed over years of operational experience. Contractual obligations from prime contractors, partners, or customers that impose specific technical controls not found in any standard catalog. Industry-specific mandates from regulators or governing bodies that address risks unique to a sector or operating environment. These requirements exist in policy documents, contract appendices, board directives, and institutional knowledge. They carry real consequences when violated: failed audits, breached contracts, regulatory penalties, lost certifications. Yet most compliance platforms ignore them entirely or relegate them to a notes field attached to someone else's framework. Redoubt Forge treats these requirements as first-class compliance structures. Custom frameworks and organizational overlays are an Enterprise tier capability, available to organizations at the $2,499/month subscription level. This is not a feature bolt-on. It is a structural extension of the platform's compliance engine, designed for organizations whose compliance obligations extend beyond what any single published framework can address.

The use cases are concrete and widespread. A financial institution maintains internal controls stricter than SOC 2 requirements: transaction monitoring thresholds, data retention periods, access review frequencies, and segregation of duties policies that exceed any published standard because the institution's risk profile demands them. A defense contractor operates under contract-specific security requirements that go beyond CMMC Level 2: additional encryption standards for specific data categories, enhanced personnel security measures for particular programs, or physical security controls for classified-adjacent work that the standard CMMC practices do not address. A healthcare organization enforces internal standards that predate HIPAA and cover operational security areas that HIPAA's Security Rule does not reach. A multinational enterprise maintains a global security baseline that must be enforced across all subsidiaries regardless of which local frameworks apply in each jurisdiction. These are not edge cases. They represent the operational reality of mature security programs.

The platform treats custom frameworks and organizational overlays with the same rigor as published frameworks. Every custom control receives the same three-dimensional scoring used for CMMC practices, FedRAMP controls, and SOC 2 criteria: defense effectiveness, evidence coverage, and evidence freshness. Sentinel collects evidence against custom requirements using the same continuous collection infrastructure that monitors published framework controls. Rampart scores custom controls alongside published controls in a unified assessment view. Custom controls appear in Citadel dashboards, contribute to posture calculations, generate findings when they degrade, and produce POA&M items when they fail. There is no second-class treatment. There is no separate workflow. Your organization's internal requirements receive the same scoring, the same evidence chains, the same immutable audit trail, and the same assessor access through Alliance as every published framework in the catalog.

02
Custom Frameworks
Import Your Own Control Catalog. Define Families, Controls, Evidence Requirements, and Assessment Criteria.

A custom framework is a complete, independent control catalog defined by your organization. Building one requires defining control families that group related requirements into logical categories: access controls in one family, encryption standards in another, monitoring requirements in a third. Within each family, individual controls specify what the organization requires, what evidence categories prove implementation, whether assessment is automated or manual or hybrid, and how heavily the control weighs in overall compliance scoring. The import process supports structured formats (JSON, CSV, OSCAL) for organizations that maintain their controls in existing systems, and guided manual entry for teams building a catalog from policy documents, contract appendices, or institutional knowledge. Each control definition includes an identifier following your organization's naming convention, a description of the requirement, the evidence types that demonstrate compliance, and the assessment methodology. Control families provide the organizational structure that makes a large catalog navigable: group all encryption requirements together so assessors can evaluate cryptographic posture in one view, group all personnel security controls together so HR and security teams can collaborate efficiently. The resulting framework behaves identically to any published framework in the platform.

The core challenge of custom frameworks is connecting them to the broader compliance ecosystem. A custom control requiring "all database connections must use TLS 1.2 or higher" clearly relates to NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SC-23 (Session Authenticity), but establishing that relationship manually across hundreds of custom controls is weeks of expert labor. A control requiring "privileged access must be reviewed quarterly by the security team" maps to AC-2 (Account Management) and AC-6 (Least Privilege), but only if someone with deep knowledge of both the custom catalog and NIST 800-53 makes the connection. Without these mappings, custom controls become orphaned: they exist in the compliance program but do not benefit from evidence already collected for published frameworks, do not contribute to cross-framework posture calculations, and do not compound the value of work done elsewhere. Maintaining evidence coverage for unmapped custom controls requires entirely separate collection workflows, duplicating effort that mapped controls would share automatically. Most organizations that attempt custom framework management in spreadsheets or GRC tools discover that the mapping maintenance burden grows faster than the catalog itself, and unmapped controls gradually become second-class citizens that receive less attention and less rigorous evidence than their published counterparts.

Once mappings are confirmed, evidence collected for published frameworks automatically flows to custom controls where relationships exist. An organization that has already collected evidence for CMMC Level 2 practice SC.L2-3.13.8 (which traces to NIST 800-53 SC-8) finds that evidence automatically mapped to their custom TLS control through the confirmed NIST 800-53 relationship. Work done for FedRAMP Moderate feeds custom framework assessments. Work done for SOC 2 feeds custom framework assessments. The cross-reference engine resolves every confirmed mapping bidirectionally: evidence collected for custom controls also flows back to published frameworks where the same NIST 800-53 lineage applies. This means custom framework work is not isolated effort. It compounds across the entire compliance portfolio. Sentinel collects evidence against custom requirements using the same infrastructure: configuration snapshots, scan results, policy approvals, access reviews, and every other evidence type that the platform supports. The custom framework does not operate in a silo. It participates in the same convergence loop that drives continuous compliance for every other framework in your catalog.
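The propagation rule described above (evidence flows only across confirmed NIST 800-53 mappings, and in both directions) as an added illustration; this is not Redoubt Forge code. It assumes each control carries a list of mappings with a status of `suggested` (AI-proposed) or `confirmed` (human-approved), and that evidence is keyed by control id; the control and evidence ids in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Mapping:
    nist_id: str   # NIST 800-53 control id, e.g. "SC-8"
    status: str    # "suggested" (AI-proposed) or "confirmed" (human-approved)


@dataclass
class Control:
    control_id: str   # framework-local identifier
    framework: str
    mappings: list = field(default_factory=list)


def confirmed_index(controls):
    """NIST 800-53 id -> set of control ids whose mapping to it is confirmed."""
    index = defaultdict(set)
    for ctrl in controls:
        for m in ctrl.mappings:
            if m.status == "confirmed":
                index[m.nist_id].add(ctrl.control_id)
    return index


def propagate(controls, evidence):
    """Share evidence across controls linked by a confirmed NIST 800-53 id.

    evidence: {control_id: [evidence_id, ...]} as directly collected.
    Returns {control_id: set(evidence_id)} after bidirectional propagation.
    Suggested-but-unconfirmed mappings carry nothing.
    """
    index = confirmed_index(controls)
    effective = {c.control_id: set(evidence.get(c.control_id, ())) for c in controls}
    for ctrl in controls:
        own = set(evidence.get(ctrl.control_id, ()))
        for m in ctrl.mappings:
            if m.status != "confirmed":
                continue  # not yet activated by a human: no flow in either direction
            for peer in index[m.nist_id]:
                effective[peer] |= own
    return effective


# Constructed sample catalog: the CMMC practice and the custom TLS control share a
# confirmed SC-8 lineage; the custom session control has only an unconfirmed suggestion.
CONTROLS = [
    Control("SC.L2-3.13.8", "CMMC Level 2", [Mapping("SC-8", "confirmed")]),
    Control("ORG-ENC-001", "Custom", [Mapping("SC-8", "confirmed"), Mapping("SC-23", "suggested")]),
    Control("ORG-SESS-002", "Custom", [Mapping("SC-23", "suggested")]),
    Control("FR-SC-23", "FedRAMP Moderate", [Mapping("SC-23", "confirmed")]),
]
EVIDENCE = {  # constructed evidence ids
    "SC.L2-3.13.8": ["ev-tls-scan-01"],
    "ORG-ENC-001": ["ev-db-tls-policy"],
    "FR-SC-23": ["ev-session-config"],
}


def demo():
    return propagate(CONTROLS, EVIDENCE)
```

Running `demo()` shows the CMMC scan evidence reaching the custom TLS control and the custom policy evidence flowing back to the CMMC practice, while the suggested SC-23 mapping moves nothing.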

03
Organizational Overlays
Modify Existing Frameworks with ADD, MODIFY, REMOVE, and PARAMETER Operations.

An organizational overlay modifies an existing framework rather than replacing it. Where a custom framework defines an entirely new control catalog, an overlay takes a published framework as its base and applies targeted changes. The platform supports four overlay operations. ADD introduces a new control that the base framework does not include. MODIFY changes the implementation description, evidence requirements, or assessment criteria of an existing control. REMOVE eliminates a control from the assessment scope because it does not apply to the organization's environment or operating model. PARAMETER adjusts a specific parameter value within an existing control without changing its fundamental requirement. These four operations cover the full range of organizational modifications that mature security programs require. They are the same operations defined in NIST SP 800-53B for federal overlay development, applied here to any framework in the catalog. Overlays preserve the base framework's structure while documenting precisely how and why your organization deviates from it.

Concrete examples illustrate each operation. Your organization requires 20-character minimum passwords instead of the 12-character minimum specified in your base framework's password policy control. This is a PARAMETER operation applied to IA-5 (Authenticator Management): the control remains in scope, the requirement remains enforced, but the specific threshold changes to reflect your organization's stricter standard. Your organization does not use removable media in any operational environment. This is a REMOVE operation applied to MP-7 (Media Use): the control is removed from active assessment because the underlying capability does not exist in your environment, and evidence collection for that control ceases. Your industry requires additional logging for financial transactions that no published framework addresses with sufficient specificity. This is an ADD operation: a new control is introduced into the assessment with its own evidence requirements, scoring weight, and assessment criteria. Your organization's incident response timeline requires notification within 2 hours instead of the 72-hour window specified in the base framework. This is a MODIFY operation applied to IR-6 (Incident Reporting): the control's implementation description and evidence requirements change to reflect the accelerated timeline.

Each overlay operation requires Manager approval before it is applied to active assessments. The approval workflow captures who requested the change, the justification for the modification, who approved it, and when the approval was granted. This is not optional. An unapproved overlay operation has no effect on active assessments, even if it has been defined in the overlay configuration. The approval requirement ensures that organizational modifications to published frameworks are deliberate, documented, and authorized. It prevents ad hoc scope reductions (removing controls to improve scores without security justification) and undocumented parameter changes (relaxing thresholds without management awareness). Every approved overlay operation is recorded as an immutable event in the platform's audit trail with full provenance: the original control state, the modification applied, the approval chain, and the effective date. Assessors reviewing your compliance posture through Alliance can see every overlay operation, its justification, and its approval history. The overlay is not a hidden modification. It is a transparent, auditable organizational decision.

04
The Overlay Composition Engine
Stack Overlays on Framework Baselines into a Single Unified Assessment View.

Real-world compliance assessments rarely involve a single framework in isolation. An organization pursuing FedRAMP Moderate authorization also applies DISA STIGs to its operating systems, CIS Benchmarks to its container infrastructure, organizational overlays that reflect internal policies, and contract-specific overlays from its authorizing official. Each layer modifies the assessment scope: adding controls, adjusting parameters, removing inapplicable requirements, tightening thresholds. Overlay composition is the process of stacking these layers into a single unified assessment view with deterministic precedence and explicit conflict resolution. Instead of managing five separate assessments with overlapping controls and conflicting parameters, the organization works from one composed view that reflects the combined effect of every applicable overlay. Each control in the composed view shows its effective state: the base framework requirement, every overlay that modifies it, the resulting effective requirement after all overlays are applied, and the evidence needed to satisfy the composed control. The composition must be deterministic: given the same base framework and overlay stack, the result must always be identical. Precedence determines which layer wins when two overlays modify the same control parameter. Conflict resolution rules must be explicit and visible so that assessors can trace any effective requirement back to the overlay that imposed it.

The composition engine applies overlays in a defined order of precedence. The framework baseline provides the foundation: the complete control catalog with its default parameters, evidence requirements, and assessment criteria. Published overlays apply next: DISA SRGs and STIGs, CIS Benchmarks, privacy overlays, and sector-specific overlays that refine the baseline for specific technology platforms or regulatory contexts. Organizational overlays apply on top of published overlays: your institution's internal policies, your security team's parameter adjustments, your risk-based control additions. Contract-specific overlays apply last: requirements imposed by a specific contract, authorizing official, or customer that take precedence over all other layers. When overlays conflict, the higher-precedence layer wins. If your organizational overlay sets a 20-character password minimum and a contract-specific overlay sets a 24-character minimum, the contract-specific overlay's PARAMETER operation takes precedence. Conflict resolution rules are explicit, documented, and visible in the composed view. Every control displays its full overlay lineage so you can trace any effective requirement back to the overlay that imposed it.
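A minimal composition engine covering the four overlay operations, the approval gate, and the precedence order described above, as an added illustration; this is not Redoubt Forge code. It assumes a baseline catalog of controls as dicts with a `params` map, overlays with a layer name (baseline, published, organizational, contract) and an approval flag, and it records each control's overlay lineage; the sample baseline and overlay stack are constructed from the page's own examples (IA-5 password length, MP-7 removal, IR-6 notification window, a transaction-logging ADD).

```python
from copy import deepcopy
from dataclasses import dataclass, field
# Precedence, lowest to highest; a later layer overrides an earlier one.
LAYER_RANK = {"baseline": 0, "published": 1, "organizational": 2, "contract": 3}

@dataclass
class Op:
    kind: str          # "ADD" | "MODIFY" | "REMOVE" | "PARAMETER"
    control_id: str
    payload: dict = field(default_factory=dict)

@dataclass
class Overlay:
    name: str
    layer: str         # key of LAYER_RANK
    approved: bool     # Manager approval; unapproved overlays have no effect
    ops: list

def compose(baseline, overlays):
    """Apply overlays to a baseline catalog in (layer rank, name) order so the
    composed view is identical regardless of how the overlay list was ordered."""
    effective = {cid: dict(deepcopy(c), lineage=["baseline"]) for cid, c in baseline.items()}
    for ov in sorted(overlays, key=lambda o: (LAYER_RANK[o.layer], o.name)):
        if not ov.approved:
            continue  # defined but not approved: skipped entirely
        for op in ov.ops:
            ctrl = effective.get(op.control_id)
            if op.kind == "ADD":
                if ctrl is not None:
                    raise ValueError(f"{ov.name}: {op.control_id} already in scope")
                effective[op.control_id] = dict(deepcopy(op.payload), lineage=[ov.name])
                continue
            if ctrl is None:
                raise ValueError(f"{ov.name}: {op.control_id} not in scope")
            if op.kind == "REMOVE":
                ctrl.update(removed=True, justification=op.payload.get("justification", ""))
            elif op.kind == "MODIFY":
                ctrl.update(op.payload)          # description, evidence requirements, criteria
            elif op.kind == "PARAMETER":
                ctrl.setdefault("params", {}).update(op.payload)   # higher layer wins
            else:
                raise ValueError(f"unknown operation {op.kind}")
            ctrl["lineage"].append(ov.name)      # full overlay lineage per control
    return effective

BASELINE = {
    "IA-5": {"title": "Authenticator Management", "params": {"min_password_length": 12}},
    "MP-7": {"title": "Media Use", "params": {}},
    "IR-6": {"title": "Incident Reporting", "params": {"report_within_hours": 72}},
}
OVERLAYS = [  # contract layer listed first on purpose: input order must not matter
    Overlay("contract-ao", "contract", True, [Op("PARAMETER", "IA-5", {"min_password_length": 24})]),
    Overlay("org-policy", "organizational", True, [
        Op("PARAMETER", "IA-5", {"min_password_length": 20}),
        Op("REMOVE", "MP-7", {"justification": "no removable media in any environment"}),
        Op("MODIFY", "IR-6", {"description": "notify within 2 hours"}),
        Op("ADD", "ORG-LOG-1", {"title": "Financial transaction logging", "params": {}}),
    ]),
    Overlay("org-draft", "organizational", False, [Op("PARAMETER", "IR-6", {"report_within_hours": 1})]),
]

def demo():
    return compose(BASELINE, OVERLAYS)
```

In the composed view IA-5 ends at 24 characters with lineage baseline, org-policy, contract-ao; the unapproved draft leaves IR-6's 72-hour parameter untouched.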

Overlay changes propagate to active assessments through a controlled release process. When an organizational overlay is modified (a new PARAMETER value, an additional ADD operation, a revised REMOVE justification), the change does not take effect immediately on in-progress assessments. The platform creates a new overlay version, routes it through the Manager approval workflow, and applies it to active assessments only after approval. Rampart maintains version history for every overlay: what changed between versions, who approved each version, when each version was activated, and which assessments were affected. Rolling back to a previous overlay version is supported for organizations that need to revert a change that produced unintended assessment consequences. The audit trail for overlay composition is complete and immutable: every version of every overlay, every approval decision, every composition result, and every propagation to active assessments. Assessors reviewing your compliance posture see the full composition stack, the effective requirements, and the complete change history. Nothing is hidden. Nothing is approximate. The composed assessment view is a precise, auditable, version-controlled representation of your organization's complete compliance obligations.

05
Evidence and Assessment
Same Scoring. Same Evidence Chains. Same Reporting Infrastructure. No Second-Class Controls.

Evidence integration for custom frameworks requires that user-defined controls participate in the same collection, scoring, and reporting infrastructure used by published frameworks. Configuration snapshots collected for CMMC practices must also serve custom controls that share the same underlying evidence requirements. Scan results generated for FedRAMP controls must flow to organizational overlay requirements where the evidence types overlap. Immutable event streams that record compliance state changes for SOC 2 criteria must extend to internal security standards without requiring separate collection workflows. This means custom controls need access to the same drift detection pipelines, the same evidence freshness monitoring, and the same notification chains that published frameworks use. When a configuration change affects a custom control, the re-evaluation process must fire with the same urgency and the same scoring methodology applied to any NIST 800-53 or CMMC control. When evidence for a custom requirement approaches its freshness threshold, expiration monitoring must trigger re-collection or escalation identically to how it handles published framework evidence. Without this parity, custom frameworks become documentation exercises rather than living compliance structures.

The persistent challenge is that custom controls receive second-class treatment in most compliance programs. Published framework controls have well-defined evidence types, established scoring methodologies, and vendor-supported collection mechanisms. Custom controls often lack all three. A custom control requiring "financial transaction logging must capture sender, recipient, amount, and timestamp for every transaction exceeding $10,000" has clear evidence requirements, but no published framework defines the collection method, the scoring rubric, or the freshness threshold. Teams default to manual evidence uploads: someone exports transaction logs quarterly, stores them in a shared drive, and marks the control as satisfied until the next review cycle. The scoring is binary (done or not done) rather than graduated across defense effectiveness, evidence coverage, and evidence freshness. Evidence gaps accumulate because no automated process monitors whether the logging is actually operational between reviews. When the custom control's evidence goes stale, no expiration mechanism flags it for re-collection. The result is a compliance program where published framework controls are continuously monitored with fresh, multi-dimensional scoring, while custom controls languish with quarterly manual attestations and no infrastructure-level verification. The inconsistency undermines the entire custom framework effort.

Custom controls appear in Citadel alongside published framework controls without visual or functional distinction. The dashboard aggregates compliance posture across all active frameworks, including custom ones. A custom control scored NOT MET appears in the action queue with the same priority ranking methodology: posture impact, cross-framework benefit, dependency chains, and remediation effort estimates. Findings generated from custom control failures appear in the same findings view as CMMC or FedRAMP findings. POA&M items for custom control gaps follow the same tracking workflow: assigned owner, target remediation date, linked evidence, escalation triggers. Alliance provides assessor access to custom framework assessments using the same time-bound, read-only access model used for published frameworks. An internal auditor, external assessor, or contract compliance reviewer can navigate your custom framework controls, review evidence chains, examine scoring methodology, and download artifacts. Every action they take is logged. The custom framework assessment is a complete, navigable, evidence-backed compliance package with the same provenance guarantees as any published framework assessment in the platform.

Something is being forged.

The full platform is under active development. Reach out to learn more or get early access.