🚧 Early alpha — building the foundation. See the roadmap →

For GRC teams

Every GRC practitioner knows this pain: you have evidence (policies, procedures, audit findings, screenshots, technical configs) scattered across wikis, SharePoint, OneNote, and email. You have frameworks (NIST, CIS, MITRE, CRI, FFIEC) in massive spreadsheets. And you need to prove to auditors that specific evidence satisfies specific controls.

This is evidence mapping — the core work of compliance — and the tools are broken. Understanding who owns what in the ontology ecosystem helps explain why.

Two worlds that don’t talk to each other

| Framework world (structured) | Evidence world (unstructured) |
| --- | --- |
| NIST 800-53: 1000+ controls in a spreadsheet | Your MFA policy lives in SharePoint |
| CIS v8: 153 safeguards in an Excel tab | Your firewall configs are in a wiki |
| CRI Profile: Diagnostic statements across 8 sheets | Your audit findings are in email threads |
| ATT&CK: 200+ techniques in a matrix | Your detection rules are in SIEM configs |

The gap between these worlds is where compliance teams spend most of their time — manually searching, cross-referencing, and documenting connections in yet another spreadsheet.

  • No bidirectional linking — you can write “AC-2 → MFA Policy” in a cell, but the MFA Policy document doesn’t know it’s been mapped. Update the evidence and the mapping is instantly stale. This is the referential integrity gap that file-based systems face.
  • No metadata about the mapping itself — Is this evidence sufficient? Who reviewed it? When was it last validated? What type of evidence is it? Spreadsheets can’t answer these. Crosswalker solves this with typed links and edge metadata.
  • No cross-framework traceability — when an auditor asks “show me the CRI diagnostic statement, the CSF subcategory it maps to, the 800-53 control, AND the evidence” — that’s a manual detective hunt across 4+ spreadsheets. Framework crosswalks make this one click.
  • No query capability — you can’t ask a spreadsheet “which controls have zero evidence?” without formulas that break when rows shift. Obsidian Bases and Dataview solve this natively.
  • Sync is impossible — frameworks update, evidence moves, people leave. The mapping sheet becomes a graveyard of stale references. This is the ontology evolution problem — and it’s never fully solved, only managed.

Financial institutions using CRI Profile must simultaneously demonstrate compliance with NIST CSF, FFIEC CAT, CISA CPG, and sometimes NYDFS and SEC requirements. Each regulator uses different terminology for overlapping requirements. Without systematic crosswalking, teams map the same evidence to the same concept in 5 different spreadsheets.

This isn’t just inefficiency — it’s a compliance risk. Inconsistent mappings across frameworks signal to auditors that the organization doesn’t truly understand its control environment.

Crosswalker eliminates the gap between frameworks and evidence by putting everything in one place — your Obsidian vault — where frameworks, evidence, policies, and notes are all interlinked and queryable.

Your Vault
├── Frameworks/
│   ├── NIST-800-53/
│   │   ├── Access Control/
│   │   │   ├── AC-1.md          ← full control text, metadata, crosswalk links
│   │   │   └── AC-2.md          ← linked to CIS 5.2, CIS 6.3, PR.AC-07
│   │   └── ...
│   ├── CIS-Controls-v8/
│   └── MITRE-ATT&CK/
├── Evidence/
│   ├── MFA-Policy.md            ← links directly to AC-2, CIS 6.3, PR.AC-07
│   ├── Firewall-Audit-Q1.md     ← links to SC-7, CIS 4.4, DE.CM-01
│   └── Pen-Test-Report.md       ← links to CA-8, ATT&CK techniques
└── Reports/
    └── Compliance-Dashboard.md   ← live queries across everything

Every framework control is a note you can open, read, and link to. No more hunting through spreadsheet rows.

This is the breakthrough. When you link evidence to a control, you can attach metadata about the relationship itself:

# In your MFA-Policy.md evidence note:
nist_800_53.implements:: [[AC-2]] {"sufficient": true, "reviewer": "Alice", "last_validated": "2026-03-15"}
nist_800_53.implements:: [[IA-5]] {"sufficient": "partial", "gap": "missing hardware token coverage"}
cis_v8.satisfies:: [[CIS-6.3]]

Now you can query: “Show me all controls where evidence is partial and needs remediation.” That’s one query, not a spreadsheet treasure hunt.

Crosswalk between frameworks automatically

Import NIST 800-53 and CIS Controls, and Crosswalker generates the WikiLinks between corresponding controls. The crosswalk lives in your vault as navigable, queryable connections — not a separate mapping spreadsheet.

When an auditor asks “trace from CRI diagnostic statement through CSF to 800-53 to your evidence” — you follow the links. Each hop is one click.

Use Obsidian Bases for compliance dashboards:

  • “Which controls have no evidence?” — filter by backlink count = 0
  • “Show all controls where evidence is insufficient” — filter by metadata
  • “What evidence was last validated more than 90 days ago?” — date filter
  • “How many controls in each family have evidence?” — group by folder

Use Dataview for relationship traversal:

  • “Trace the full crosswalk chain: CRI → CSF → 800-53 → evidence”
  • “Find all ATT&CK techniques our detection rules cover”
  • “Aggregate evidence sufficiency scores by control family”
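The following added example is not Crosswalker's code: it parses the typed-link lines shown earlier out of evidence notes and answers three of the dashboard questions above outside Obsidian, for instance in a CI job over the git-versioned vault. The function names, the constructed sample notes, and the rules that an unparseable link never counts as evidence and an undated link counts as stale are assumptions made here.

```python
import json
import re
from datetime import date

# Typed-link line as shown on this page: framework.relation:: [[Control]] {optional JSON}
LINK_RE = re.compile(r"^[\w-]+\.\w+::\s*\[\[(?P<control>[^\]|#]+)[^\]]*\]\]\s*(?P<meta>\{.*\})?\s*$")

# Constructed sample vault; the second note's JSON metadata is deliberately truncated.
SAMPLE_NOTES = {
    "MFA-Policy": (
        'nist_800_53.implements:: [[AC-2]] {"sufficient": true, "last_validated": "2026-03-15"}\n'
        'nist_800_53.implements:: [[IA-5]] {"sufficient": "partial", "gap": "missing hardware token coverage"}\n'
        'cis_v8.satisfies:: [[CIS-6.3]]\n'),
    "Firewall-Audit-Q1": 'nist_800_53.implements:: [[SC-7]] {"sufficient": true, "last_validated": "2025-11-01"\n',
}
SAMPLE_CONTROLS = ["AC-2", "IA-5", "SC-7", "CA-8", "CIS-6.3"]

def parse_links(note, text):
    """Return (links, malformed) for one evidence note's text."""
    links, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINK_RE.match(line.strip())
        if not m:
            if "::" in line and "[[" in line:
                malformed.append((note, lineno))  # link-like but unparseable
            continue
        try:
            meta = json.loads(m["meta"] or "{}")
            when = date.fromisoformat(meta["last_validated"]) if "last_validated" in meta else None
        except (ValueError, TypeError):
            malformed.append((note, lineno))  # never count bad metadata as evidence
            continue
        links.append({"note": note, "control": m["control"].strip(), "meta": meta, "validated": when})
    return links, malformed

def audit(controls, notes, today, max_age_days=90):
    """Answer the dashboard questions for {note name: text} and a list of control IDs."""
    links, malformed, stale = [], [], []
    for name, text in notes.items():
        found, bad = parse_links(name, text)
        links, malformed = links + found, malformed + bad
    for link in links:
        # Assumption: a link with no validation date counts as stale (fail closed).
        if link["validated"] is None or (today - link["validated"]).days > max_age_days:
            stale.append((link["note"], link["control"]))
    return {"no_evidence": sorted(set(controls) - {link["control"] for link in links}),
            "partial": sorted((link["control"], link["meta"].get("gap", ""))
                              for link in links if link["meta"].get("sufficient") == "partial"),
            "stale": sorted(stale), "malformed": malformed}
```

With the sample data, SC-7 is reported under both `malformed` and `no_evidence`: a mapping whose metadata cannot be read is surfaced for repair instead of silently satisfying the control.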

Every control, every mapping, every piece of evidence metadata is a plain markdown file in a folder on your disk. No vendor database. No API dependency. Version control with git. Move between tools freely. Your compliance knowledge base is yours.

When NIST publishes CSF 3.0, re-import alongside 2.0. Your evidence links to 2.0 controls stay intact. Migrate at your own pace using the version-tagged folder approach. No more “framework update breaks everything” emergencies.

Crosswalker imports any structured data from CSV or XLSX. Pre-built support for:

| Framework | What you get | Crosswalks to |
| --- | --- | --- |
| NIST SP 800-53 Rev 5 | 1000+ controls + enhancements as notes | CSF, ATT&CK |
| NIST CSF 2.0 | 106 subcategories in function/category folders | 800-53, CIS, CRI |
| CIS Controls v8 | 153 safeguards with IG1/IG2/IG3 metadata | CSF |
| MITRE ATT&CK | 200+ techniques with tactic mapping | D3FEND, 800-53 |
| MITRE D3FEND | 200+ defensive countermeasures | ATT&CK, 800-53 |
| MITRE ENGAGE | Engagement goals, approaches, activities | ATT&CK |
| CRI Profile v2.0 | Diagnostic statements with subject tags | CSF, FFIEC |

Not on the list? If it’s in a CSV or XLSX, Crosswalker can import it. See framework data sources for technical details.

  1. Install Crosswalker
  2. Import your first framework
  3. Start creating evidence notes and linking them to controls
  4. Build compliance dashboards with Bases or Dataview
  5. When audit time comes, your evidence trail is already built