
tm-compliance

verified

Map threats and controls to compliance frameworks like OWASP Top 10, SOC2, PCI-DSS, HIPAA, GDPR. Generates compliance reports with coverage percentages and gaps. Use when checking compliance status, mapping to security frameworks, or generating audit documentation.


Marketplace: threat-modeling-toolkit
Plugin: threat-modeling-toolkit
Repository: josemlopez/threat-modeling-toolkit
Path: skills/tm-compliance/SKILL.md
Last Verified: January 22, 2026

Install (Claude Code):

```
npx add-skill https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-compliance/SKILL.md -a claude-code --skill tm-compliance
```

Installation path (Claude): `.claude/skills/tm-compliance/`

Instructions

# Compliance Mapping

## Purpose

Map your threat model to compliance frameworks to:

- Calculate compliance coverage percentages
- Identify compliance gaps
- Generate audit-ready documentation
- Track requirements across multiple frameworks

## Usage

```
/tm-compliance [--framework <name>] [--policy <path>] [--gaps-only]
```

**Arguments**:
- `--framework`: Framework(s) to map: owasp, soc2, pci-dss, hipaa, gdpr, custom
- `--policy`: Path to custom policy document
- `--gaps-only`: Only show gaps/non-compliance

## Supported Frameworks

### OWASP Top 10 2021
| ID | Name |
|----|------|
| A01 | Broken Access Control |
| A02 | Cryptographic Failures |
| A03 | Injection |
| A04 | Insecure Design |
| A05 | Security Misconfiguration |
| A06 | Vulnerable and Outdated Components |
| A07 | Identification and Authentication Failures |
| A08 | Software and Data Integrity Failures |
| A09 | Security Logging and Monitoring Failures |
| A10 | Server-Side Request Forgery (SSRF) |

### SOC2 Trust Services Criteria
| Criterion | Description |
|-----------|-------------|
| CC6.1 | Logical access security over protected information assets |
| CC6.2 | Registration and authorization of new users before access is granted |
| CC6.3 | Access modification and removal based on role and least privilege |
| CC6.6 | Protection against threats from outside the system boundary |
| CC6.7 | Restriction and protection of data in transmission, movement, and removal |
| CC6.8 | Prevention and detection of unauthorized or malicious software |
| CC7.1 | Detection of configuration changes and newly discovered vulnerabilities |
| CC7.2 | Monitoring of system components for anomalies indicating security events |

### PCI-DSS v4.0
| Requirement | Description |
|-------------|-------------|
| 1 | Install and maintain network security controls |
| 2 | Apply secure configurations |
| 3 | Protect stored account data |
| 4 | Protect cardholder data during transmission |
| 5 | Protect from malicious software |
| 6 | Develop and maintain secure systems |
| 7 | Restrict access by business need |
| 8 | Identify users and authenticate access |
| 9 | Restrict physical access |
| 10 | Log and monitor access |
| 11 | Test security regularly |
| 12 | Support information security with policies |
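The coverage percentages and gap lists described under Purpose and Usage are computed from the mapping between each threat's mitigations and the requirement IDs in the tables above. The following is an added illustration, not the toolkit's own code; the threat-model data model (`maps_to`, `status`), the sample threats, and the function names are assumptions. It makes a distinction a practitioner needs in an audit report: a requirement is only counted as covered when an *implemented* mitigation maps to it, a requirement mapped only to planned mitigations is reported as partial, and a mapping that references a requirement ID the framework does not have is rejected rather than silently inflating the percentage.

```python
"""Compliance coverage calculator (added example, not the toolkit's code).

Maps a threat model's mitigations onto framework requirement IDs and reports
coverage percentages and gaps. Data model and sample threats are assumptions.
"""
from collections import defaultdict

# Requirement catalogues; IDs match the OWASP, SOC2 and PCI-DSS tables above.
FRAMEWORKS = {
    "owasp": ["A01", "A02", "A03", "A04", "A05", "A06", "A07", "A08", "A09", "A10"],
    "soc2": ["CC6.1", "CC6.2", "CC6.3", "CC6.6", "CC6.7", "CC6.8", "CC7.1", "CC7.2"],
    "pci-dss": [str(n) for n in range(1, 13)],
}

# Constructed threat model. Each mitigation records whether it is actually
# implemented and which framework requirements it satisfies (assumed schema).
THREAT_MODEL = [
    {"id": "T-001", "title": "SQL injection in search endpoint", "mitigations": [
        {"id": "M-001", "control": "Parameterised queries", "status": "implemented",
         "maps_to": {"owasp": ["A03"], "pci-dss": ["6"]}}]},
    {"id": "T-002", "title": "Session token sent over plaintext HTTP", "mitigations": [
        {"id": "M-002", "control": "TLS 1.2+ and HSTS", "status": "implemented",
         "maps_to": {"owasp": ["A02"], "soc2": ["CC6.7"], "pci-dss": ["4"]}}]},
    {"id": "T-003", "title": "Horizontal privilege escalation via IDOR", "mitigations": [
        {"id": "M-003", "control": "Object-level authorization checks", "status": "planned",
         "maps_to": {"owasp": ["A01"], "soc2": ["CC6.3"], "pci-dss": ["7"]}}]},
    {"id": "T-004", "title": "Failed logins not logged", "mitigations": [
        {"id": "M-004", "control": "Centralised auth event logging", "status": "implemented",
         "maps_to": {"owasp": ["A09"], "soc2": ["CC7.2"], "pci-dss": ["10"]}}]},
]


def compute_coverage(threat_model, frameworks, only=None):
    """Return {framework: {"covered", "partial", "gaps", "percent"}}.

    covered: at least one implemented mitigation maps to the requirement.
    partial: only planned/unimplemented mitigations map to it (intent, not compliance).
    gaps:    nothing in the threat model maps to it.
    Only covered requirements count toward the percentage.
    """
    selected = frameworks if only is None else {k: frameworks[k] for k in only}
    implemented, mapped = defaultdict(set), defaultdict(set)
    for threat in threat_model:
        for mit in threat["mitigations"]:
            for fw, reqs in mit["maps_to"].items():
                # Reject mappings to IDs the catalogue does not define (e.g. "A11"),
                # otherwise a typo would count as coverage nobody can audit.
                unknown = set(reqs) - set(frameworks.get(fw, []))
                if unknown:
                    raise ValueError(f"{mit['id']} maps to unknown {fw} requirement(s): {sorted(unknown)}")
                mapped[fw].update(reqs)
                if mit["status"] == "implemented":
                    implemented[fw].update(reqs)
    report = {}
    for fw, reqs in selected.items():
        covered = [r for r in reqs if r in implemented[fw]]
        partial = [r for r in reqs if r in mapped[fw] and r not in implemented[fw]]
        gaps = [r for r in reqs if r not in mapped[fw]]
        report[fw] = {"covered": covered, "partial": partial, "gaps": gaps,
                      "percent": round(100.0 * len(covered) / len(reqs), 1)}
    return report


def render(report, gaps_only=False):
    """Text report; gaps_only mirrors the --gaps-only flag and hides covered items."""
    lines = []
    for fw, r in report.items():
        total = len(r["covered"]) + len(r["partial"]) + len(r["gaps"])
        lines.append(f"{fw}: {r['percent']}% ({len(r['covered'])}/{total} requirements covered)")
        if not gaps_only and r["covered"]:
            lines.append("  covered: " + ", ".join(r["covered"]))
        if r["partial"]:
            lines.append("  partial (mapped, not implemented): " + ", ".join(r["partial"]))
        if r["gaps"]:
            lines.append("  gaps: " + ", ".join(r["gaps"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(compute_coverage(THREAT_MODEL, FRAMEWORKS, only=["owasp", "soc2"])))
```

On the sample model this yields 30% for OWASP (A02, A03, A09 covered; A01 partial because the IDOR fix is only planned) and 25% for SOC2 and PCI-DSS. When producing audit documentation, keep the partial list visible even in gaps-only mode: an auditor treats a planned control as a gap with a remediation date, not as coverage.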

## Mapping Process

### For Each Framework Requirement
