The headline finding, measured — not asserted. Every control was turned into a numerical vector (TF-IDF over its title and requirement text) and compared to every other by cosine similarity. Nearly two-thirds of all controls have a semantic twin in a different framework; one in three is near-identical. Regulations do not invent new requirements — they re-word shared ones.
1 · The Commonality: Frameworks Ask for the Same Things
Searching every control for core capabilities shows how few ideas the field actually turns on. Ten capabilities recur across most of the 58 frameworks.
| Universal capability | In % of frameworks | Reading |
|---|---|---|
| Logging & monitoring | 97% | The one near-universal control |
| Access control / least privilege | 79% | Identity is the perimeter |
| Vulnerability & patch management | 67% | Hygiene, everywhere |
| Incident response | 66% | Assume breach; prove readiness |
| Third-party / supply-chain assurance | 66% | Risk crosses org boundaries |
| Encryption (transit & rest) | 60% | Data protection by default |
| Awareness & training | 53% | The human control |
| Backup & recovery | 50% | Resilience is compliance |
Risk assessment and multi-factor authentication follow at 43% each, completing the ten.
▸ Master ~10 capabilities and you answer the substance of most of 58 frameworks. The work is finite; only the paperwork multiplies.
2 · The Similarity: Which Regulations Are Really the Same
Comparing frameworks vector-to-vector (average of their control vectors) surfaces near-duplicate standards. Some pairs are versions of one document; others are genuinely different standards that have quietly converged — the ones worth a single crosswalk.
| Framework pair | Similarity | Type |
|---|---|---|
| CMMC v2.0 Level 2 ≈ NIST 800-171 | 0.94 | Cross-standard — map once, claim both |
| ISO 27799 (health) ≈ ISO/IEC 27033-1 (network) | 0.94 | Cross-standard convergence |
| ISO 19791 ≈ ISO 27799 | 0.93 | Cross-standard convergence |
| EU GDPR ≈ UK GDPR | 0.98 | Same law, two jurisdictions |
| CIS Implementation Group 2 ≈ Group 3 | 0.98 | Tiers of one framework |
| ASD Essential 8 ML2 ≈ ML3 | 0.96 | Maturity tiers of one framework |
▸ Frameworks are distinct as documents (average pairwise similarity just 0.12) yet overlap heavily control-by-control. The redundancy lives in the controls, not the framing — which is exactly why ‘comply once, report many’ works.
| 800-53 | 800-171 | CMMC | CSF | 27001 | PCI 4.0 | Azure | FSBP | GDPR | HIPAA | Ess 8 | SOC 2 | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NIST 800-53 | 1.00 | 0.53 | 0.50 | 0.29 | 0.37 | 0.32 | 0.15 | 0.13 | 0.12 | 0.15 | 0.14 | 0.22 |
| NIST 800-171 | 0.53 | 1.00 | 0.94 | 0.22 | 0.28 | 0.25 | 0.15 | 0.11 | 0.05 | 0.12 | 0.15 | 0.13 |
| CMMC L2 | 0.50 | 0.94 | 1.00 | 0.21 | 0.27 | 0.25 | 0.16 | 0.12 | 0.05 | 0.13 | 0.14 | 0.13 |
| NIST CSF | 0.29 | 0.22 | 0.21 | 1.00 | 0.35 | 0.25 | 0.07 | 0.05 | 0.09 | 0.13 | 0.08 | 0.21 |
| ISO 27001 | 0.37 | 0.28 | 0.27 | 0.35 | 1.00 | 0.30 | 0.09 | 0.09 | 0.12 | 0.17 | 0.12 | 0.25 |
| PCI DSS 4.0 | 0.32 | 0.25 | 0.25 | 0.25 | 0.30 | 1.00 | 0.14 | 0.10 | 0.09 | 0.18 | 0.11 | 0.15 |
| CIS Azure | 0.15 | 0.15 | 0.16 | 0.07 | 0.09 | 0.14 | 1.00 | 0.20 | 0.06 | 0.05 | 0.13 | 0.05 |
| AWS FSBP | 0.13 | 0.11 | 0.12 | 0.05 | 0.09 | 0.10 | 0.20 | 1.00 | 0.05 | 0.05 | 0.08 | 0.05 |
| EU GDPR | 0.12 | 0.05 | 0.05 | 0.09 | 0.12 | 0.09 | 0.06 | 0.05 | 1.00 | 0.06 | 0.04 | 0.21 |
| HIPAA | 0.15 | 0.12 | 0.13 | 0.13 | 0.17 | 0.18 | 0.05 | 0.05 | 0.06 | 1.00 | 0.04 | 0.12 |
| Essential 8 | 0.14 | 0.15 | 0.14 | 0.08 | 0.12 | 0.11 | 0.13 | 0.08 | 0.04 | 0.04 | 1.00 | 0.07 |
| SOC 2 | 0.22 | 0.13 | 0.13 | 0.21 | 0.25 | 0.15 | 0.05 | 0.05 | 0.21 | 0.12 | 0.07 | 1.00 |
3 · The Structure: Machine-Discovered Themes
Clustering the control vectors (no labels supplied) reproduces the security syllabus on its own — identity, access, incident/risk and privacy emerge as the load-bearing themes.
| Machine-discovered theme (top terms) | % of controls | % of frameworks |
|---|---|---|
| Technical safeguards, audit & records | 47% | 88% |
| Incident, risk & testing | 13% | 53% |
| Identity & authentication | 10% | 67% |
| Access control (incl. physical & privileged) | 7% | 72% |
| Privacy & personal-data processing | 4% | 55% |
4 · One Capability, Five Frameworks (worked crosswalk)
One idea — least privilege — written five different ways across five frameworks.
| Framework | Control ref. | Same idea, different words |
|---|---|---|
| NIST 800-53 rev.5 | AC-6 | Least Privilege |
| NIST 800-171 | 3.1.5 | Least Privilege |
| PCI DSS v4.0 | 7.2.1 | Access by role & least privilege |
| CIS AWS Foundations | 1.22 | No IAM policy with full '*:*' admin |
| AWS Foundational Sec. BP | EC2.18 | Security groups block unrestricted access |
Bottom line
- ~2 in 3 controls are restatements — of a control already written in another regulation.
- Logging first — present in 97% of frameworks — the highest-leverage first investment.
- Collapse the duplicates — CMMC L2 and NIST 800-171 are 94% the same; map one to the other, don’t run two programmes.
- Weight by impact — GDPR is small by control-count but carries the largest penalties — count is not consequence.
- Build once, report many — the redundancy is at the control level, so a single capability answers dozens of identifiers.
Method. Each control’s title + requirement text was vectorised with TF-IDF (1–2-word terms); twins, framework similarity and themes are derived from cosine similarity, nearest-neighbour search and k-means clustering over those vectors.