Controls library · 7 frameworks · 14 control domains
Every product we sell is mapped to NIST 800-53, ISO 27001, SOC 2, NIS2, CMMC, and CIS Controls v8. Use this library to justify hardware purchases against your audit requirements or build a compliant stack from scratch.
Supported frameworks
Browse controls by framework, or scroll down to see the full cross-framework mapping.
NIST SP 800-53 Rev 5
Security and privacy controls for federal information systems. Baseline for FedRAMP, DoD, and regulated US industries. The most granular US control catalog.
Federal agencies, defense contractors, FedRAMP ISVs
View 14 controlsNIST Cybersecurity Framework 2.0
Voluntary risk management framework widely adopted by US enterprises. Updated in 2024 to add a Govern function and expand supply chain guidance.
All US organizations, increasingly global
View 14 controlsISO/IEC 27001:2022
International standard for information security management systems. Globally recognized certification. 2022 revision reorganized Annex A controls around four themes.
Global enterprises, EU market, APAC, financial services
View 14 controlsSOC 2 (AICPA Trust Services Criteria)
AICPA audit standard for service organizations. Enterprise buyers increasingly require SOC 2 Type II. Five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy.
SaaS providers, cloud services, B2B service organizations
View 14 controlsEU NIS2 Directive (2022/2555)
EU mandatory cybersecurity directive for essential and important entities. Effective October 2024. Covers endpoint security, supply chain, incident response, and management accountability.
EU-operating organizations in energy, transport, health, finance, digital infrastructure
View 14 controlsCybersecurity Maturity Model Certification 2.0
DoD certification required for all prime and sub-contractors handling CUI. Level 2 maps to NIST 800-171. Hardware controls are a key differentiator in assessments.
US defense industrial base, DoD prime and sub-contractors
View 14 controlsCIS Critical Security Controls v8
Prioritized set of cybersecurity best practices. Three implementation groups mapped to organization size. Widely used as a practical baseline independent of regulatory requirement.
All organizations, security teams, SMBs
View 14 controlsCross-framework control mapping
One security concern, mapped across every framework we support.
Each row is a security domain our hardware addresses. Columns show the equivalent control ID in each framework. Use this to satisfy multiple audit requirements with a single hardware purchase.
| Control domain | NIST 800-53 | NIST CSF 2.0 | ISO 27001 | SOC 2 | NIS2 | CMMC 2.0 | CIS Controls v8 | Products |
|---|---|---|---|---|---|---|---|---|
| Multi-factor authentication — hardware-bound Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly … | IA-2(6) | PR.AA-03 | A.8.5 | CC6.1 | Art.21(2)(i) | IA.L2-3.5.3 | CIS-6.3 | NK 3C NFCNK 3A NFCNK HSM 2 +5 |
| Cryptographic key management Hardware-bound key generation and storage. Private keys generated and stored inside a cert… | SC-12 | PR.DS-02 | A.8.24 | CC6.1 | Art.21(2)(h) | SC.L2-3.13.10 | CIS-3.11 | NK 3C NFCNK 3A NFCNK HSM 2 +9 |
| Mobile device access control Hardened mobile OS with per-app sensor controls, verified boot, and no background telemetr… | AC-19 | PR.AC-3 | A.8.1 | CC6.8 | Art.21(2)(e) | AC.L2-3.1.18 | CIS-4.4 | NP 10 ProNP 10 Pro XLNP 5a +5 |
| Endpoint software and firmware integrity Measured boot chain verified on every power-on. Any firmware modification — supply chain i… | SI-7 | DE.CM-09 | A.8.8 | CC7.1 | Art.21(2)(e) | SI.L2-3.14.6 | CIS-2.3 | NPad V54 (14")NPad V56 (16")NPC Pro 2 +7 |
| Workstation security isolation VM-level compartmentalization means a compromise of one domain (e.g. browser) cannot reach… | SC-3 | PR.AC-5 | A.8.22 | CC6.6 | Art.21(2)(e) | SC.L2-3.13.3 | CIS-12.2 | NPad V54 (14")NPad V56 (16")NPC Pro 2 +4 |
| Network boundary protection and monitoring Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspecte… | SC-7 | PR.AC-5 | A.8.22 | CC6.7 | Art.21(2)(e) | SC.L2-3.13.1 | CIS-12.3 | NWall V1410 |
| Data protection at rest Hardware-encrypted storage and self-hosted file servers replace cloud storage with hardwar… | SC-28 | PR.DS-01 | A.8.24 | CC6.1 | Art.21(2)(h) | SC.L2-3.13.16 | CIS-3.11 | NPad V54 (14")NPad V56 (16")NextBox NAS +9 |
| Supply chain risk — hardware and firmware Open-source firmware is publicly auditable and reproducibly built. EU jurisdiction hardwar… | SR-3 | GV.SC-06 | A.5.19 | CC9.2 | Art.21(2)(d) | CM.L2-3.4.1 | CIS-15.1 | NPad V54 (14")NPad V56 (16")NK 3C NFC +21 |
| Hardware attack-surface reduction Intel Management Engine disabled at the firmware level across every open-firmware machine … | SC-42 | PR.PS-01 | A.8.9 | CC6.8 | Art.21(2)(e) | CM.L2-3.4.6 | CIS-4.8 | NPad V54 (14")NPad V56 (16")NPad T480 +7 |
| Physical access and asset protection Rated safes and vaults protect physical assets, documents, and hardware backups with UL-ce… | PE-3 | PR.AC-2 | A.7.1 | CC6.4 | Art.21(2)(i) | PE.L1-3.10.1 | CIS-11.5 | Safe / vaultST V54ST V56 |
| Records, media and backup fire protection UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace expo… | MP-4 | PR.IR-02 | A.7.5 | A1.2 | Art.21(2)(c) | MP.L2-3.8.1 | CIS-11.3 | Safe / vault |
| Resilient and alternate communications Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no c… | CP-11 | RC.CO-04 | A.5.30 | A1.3 | Art.21(2)(j) | IR.L2-3.6.1 | CIS-17 | Mesh radios |
| Emanations security and signal isolation MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio… | PE-19 | PR.IR-01 | A.8.12 | CC6.7 | Art.21(2)(i) | PE.L2-3.10.6 | CIS-3 | Faraday bags |
| Transmission confidentiality and integrity Verified boot ensures the TLS stack is unmodified before communication. VPN gateway encryp… | SC-8 | PR.DS-02 | A.8.26 | CC6.7 | Art.21(2)(h) | SC.L2-3.13.8 | CIS-3.10 | NP 10 ProNP 10 Pro XLNP 5a +6 |
Control domain details
What each domain covers and which products satisfy it.
Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.
Products that satisfy this control:
Hardware-bound key generation and storage. Private keys generated and stored inside a certified secure element (EAL 6+) and are non-exportable by design — for login credentials (Nitrokey) and crypto-asset custody (Ledger) alike.
Products that satisfy this control:
Hardened mobile OS with per-app sensor controls, verified boot, and no background telemetry. Satisfies mobile device management and bring-your-own-device security requirements.
Products that satisfy this control:
Measured boot chain verified on every power-on. Any firmware modification — supply chain implant, evil-maid attack, or malicious update — fails attestation before the OS loads.
Products that satisfy this control:
VM-level compartmentalization means a compromise of one domain (e.g. browser) cannot reach another (e.g. keys, vault). No other consumer laptop provides this by default.
Products that satisfy this control:
Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.
Products that satisfy this control:
Hardware-encrypted storage and self-hosted file servers replace cloud storage with hardware you control. Encryption keys never leave your environment.
Products that satisfy this control:
Open-source firmware is publicly auditable and reproducibly built. EU jurisdiction hardware is not subject to US National Security Letters. Directly addresses hardware supply chain risk in CMMC and NIS2.
Products that satisfy this control:
Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.
Products that satisfy this control:
Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.
Products that satisfy this control:
UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).
Products that satisfy this control:
Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.
Products that satisfy this control:
MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.
Products that satisfy this control:
Verified boot ensures the TLS stack is unmodified before communication. VPN gateway encrypts all remote access traffic. Hardware-backed keys prevent interception even if endpoints are observed.
Products that satisfy this control: