# Framework coverage
Covenant maps the evidence you collect on each vendor to supply-chain control families across five frameworks, so you can show an auditor which third-party controls you have covered.
## What counts as evidence
A vendor accumulates "evidence kinds" as you work:
| Evidence kind | Earned when |
|---|---|
| assessment | The vendor's questionnaire has at least one answer. |
| baa | The BAA status is signed or pending. |
| scan | The vendor has any findings (from a scan or logged manually). |
| risk_acceptance | A risk decision has been recorded. |
Each framework control declares which evidence kinds satisfy it; a control is "covered" when the vendor has at least one of those kinds.
## The frameworks
| Framework | Scope | Controls |
|---|---|---|
| NIST 800-171 / 800-53 SR | Supply Chain Risk Management | 7 |
| CMMC L2 — SR family | DIB suppliers (defense supply chain) | 3 |
| HIPAA Security Rule — Business Associates | §164.308(b) / 314 | 4 |
| SOC 2 (TSC) | CC9.2 vendor risk | 2 |
| ISO/IEC 27001:2022 Annex A | A.5.19–A.5.23 supplier relationships | 5 |
## Per-vendor coverage
On a vendor's detail page, the Framework coverage & evidence card lists each framework with its covered/total controls and a percentage, based on that vendor's evidence kinds.
## Portfolio rollup (Coverage tab)
The Coverage tab shows a portfolio-wide rollup: each framework's controls and whether any vendor's evidence covers them, with a tooltip showing via which evidence kind.
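The evidence-kind derivation, the per-vendor covered/total figure and the portfolio rollup described above, as an added example that is not Covenant's own code. The control-to-evidence-kind mapping for the five ISO 27001 controls is constructed for illustration; the page gives only control counts, not the product's real mapping table.

```python
from dataclasses import dataclass

@dataclass
class Vendor:
    name: str
    answers: int = 0           # answered questionnaire items
    baa_status: str = "none"   # "none" | "pending" | "signed"
    findings: int = 0          # findings from a scan or logged manually
    risk_decisions: int = 0    # recorded risk decisions

def evidence_kinds(v: Vendor) -> set:
    """Derive the evidence kinds a vendor has earned (see the table above)."""
    kinds = set()
    if v.answers > 0:
        kinds.add("assessment")
    if v.baa_status in ("signed", "pending"):
        kinds.add("baa")
    if v.findings > 0:
        kinds.add("scan")
    if v.risk_decisions > 0:
        kinds.add("risk_acceptance")
    return kinds

# Constructed mapping (assumption): control id -> evidence kinds that satisfy it.
ISO_27001 = {
    "A.5.19": {"assessment", "risk_acceptance"},
    "A.5.20": {"baa", "assessment"},
    "A.5.21": {"scan", "assessment"},
    "A.5.22": {"scan", "risk_acceptance"},
    "A.5.23": {"assessment"},
}

def vendor_coverage(v: Vendor, framework: dict) -> tuple:
    """(covered, total, percent) for one vendor: a control is covered when the
    vendor holds at least one of the kinds the control declares."""
    kinds = evidence_kinds(v)
    covered = sum(1 for accepted in framework.values() if kinds & accepted)
    return covered, len(framework), round(100 * covered / len(framework))

def portfolio_rollup(vendors: list, framework: dict) -> dict:
    """Control id -> (vendor name, evidence kind) that covers it across the
    portfolio, or None when no vendor's evidence covers it."""
    rollup = {}
    for ctrl, accepted in framework.items():
        rollup[ctrl] = None
        for v in vendors:
            hit = evidence_kinds(v) & accepted
            if hit:
                rollup[ctrl] = (v.name, sorted(hit)[0])
                break
    return rollup
```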
## The evidence payload
Each vendor can produce a canonical, PHI-safe evidence object:
- Preview evidence payload shows the exact JSON that would be published — structured vendor-risk facts (name, domain, tier, composite score, grade, PHI flag, BAA state, open findings, assessment %) plus control/framework references. No free-text, no PHI, no document contents.
- Publish to evidence graph sends it to the shared Dosanjh Labs graph (requires the cloud tier; consumed by Sightline and Bastion). See Cloud sign-in & Pro.