Continuous Control Monitoring

JupiterOne's Continuous Control Monitoring (CCM) provides enterprise teams with automated, graph-powered validation of security control effectiveness across your entire technology ecosystem.

Designed for organizations with existing governance frameworks and dedicated compliance programs, CCM helps Platform Engineering, DevOps, and Security Architecture teams continuously validate that controls defined in your governance systems are working as intended in your actual infrastructure.

Overview

Continuous Control Monitoring enables your team to:

• Automate control validation using JupiterOne's graph-powered query engine to continuously test control effectiveness
• Monitor control status in real-time across all your integrated cloud platforms, security tools, and IT infrastructure
• Map controls to multiple frameworks including CIS benchmarks for AWS, Azure, GCP, and other standards
• Detect configuration drift automatically as your infrastructure changes
• Visualize control health through dashboards showing compliance status and control test results
• Bridge the gap between governance requirements and actual infrastructure reality

The CCM Overview Dashboard provides an at-a-glance view of your control monitoring status, showing:

• Total Controls: Complete count of all controls being monitored
• Compliant Controls: Number of controls with all tests passing
• Non-Compliant Controls: Number of controls with one or more tests failing
• Compliance trends over time: Historical view of how control compliance changes
• Failing controls by account: Breakdown of which cloud accounts or integrations have the most issues

JupiterOne's Unified Control Framework:

JupiterOne uses CIS Controls v8.0 as the unified control list for all out-of-the-box content. All mappings between different security standards (SOC 2, CIS standards, NIST etc.) and JupiterOne-managed controls follow the CIS v8.0 mapping framework. This provides a consistent, industry-standard foundation for cross-framework control reuse and ensures that a single control implementation can satisfy requirements across multiple compliance standards.

How CCM Works

CCM's core capability is continuous, automated validation of control effectiveness using JupiterOne's query engine.

Automated Control Testing

How Control Tests Work:

1. Each control has one or more test definitions
2. Each test contains a J1QL query that runs against your asset graph
3. Tests execute automatically on a regular schedule
4. Control status updates based on whether all tests pass

Example Control Test:

A control for "Centralize Account Management" might have two tests:

• Test 1 (Negative): Query for users WITHOUT SSO authentication (expects zero results)
• Test 2 (Positive): Query for users WITH verified SSO (expects results to exist)

The control is marked "Non-Compliant" if Test 1 returns any results (indicating local accounts exist), and Test 2 will return all compliant assets.

Example Test Patterns:

• Negative tests: Look for resources that violate the control (expect zero results)

  FIND aws_s3_bucket WITH encrypted = false

• Positive tests: Verify required resources or configurations exist (expect results)

  FIND aws_cloudtrail WITH enabled = true

Key Features

Control Inventory and Management

CCM provides centralized monitoring of all your security and IT controls. The Controls list page displays:

• Complete control inventory: Searchable and filterable list of all controls being monitored
• Real-time status: Current compliance state (Compliant/Non-Compliant/Not Configured) for each control
• Last evaluated timestamp: When each control was last tested
• Filtering options: Filter by status, resource group, or framework to focus on specific areas

Each control can be clicked to view detailed information including:

• Control tests: J1QL queries that validate whether the control is working
• Test results: Actual data showing what passed or failed
• Framework mappings: Which framework requirements this control satisfies

Viewing Control Test Results

When you click on a control, you can expand each test to see the J1QL query and actual results:

The control detail page shows:

• Control status: Overall status badge (Compliant/Non-Compliant)
• Test list: All tests defined for this control with individual pass/fail status
• J1QL queries: Click to expand any test to see the exact query being run
• Query results: Table view of actual assets that passed or failed the test
• Result count: Total number of resources affected (e.g., "1-41 of 41" accounts)

This detailed view enables you to:

• Investigate failures: See exactly which resources are violating the control
• Validate test logic: Review the J1QL query to ensure it's testing the right thing
• Collect evidence: Export query results for audit or remediation purposes
• Understand impact: Identify which accounts or resources need attention

Viewing Control Framework Mappings

Click the Requirements tab on any control detail page to see which framework requirements this control satisfies:

The Requirements tab shows:

• Framework name: Each framework the control maps to (e.g., "SOC 2 Trust Services Criteria", "CIS AWS Foundations Benchmark")
• Framework description: Brief overview of what the framework covers
• Specific requirement: The exact requirement within that framework (e.g., "CC6.1 | Logical and Physical Access Security")
• Edit Requirements button: Add or remove framework mappings for this control
• Remove buttons: Quickly unmap this control from a specific requirement

This view is useful for:

• Understanding control coverage: See which compliance requirements this control helps satisfy
• Managing mappings: Add this control to additional framework requirements or remove outdated mappings
• Cross-framework visibility: Identify controls that satisfy multiple standards simultaneously
• Audit preparation: Document which technical controls support each compliance requirement

Framework Management

Track control coverage across multiple security and compliance frameworks simultaneously:

The Frameworks page shows:

• All available frameworks: JupiterOne provides out-of-the-box CIS benchmarks for AWS, Azure, and GCP, with additional frameworks coming soon based on customer demand
• Total controls per framework: How many controls are defined for each framework
• Compliance percentage: What percentage of controls are currently passing
• Framework descriptions: Overview of what each framework covers

note

If you need SOC 2 or other specific frameworks, contact your Customer Success Manager to request them. JupiterOne will prioritize framework additions based on customer demand and configure controls relevant to your specific integrations.

Clicking into any framework provides detailed information about:

• Framework requirements and their hierarchical structure
• Which controls map to each requirement
• Control test status for that specific framework
• Gaps where requirements lack control coverage

Framework Details

Click on any framework from the Frameworks page to view comprehensive details:

The framework detail page shows:

• Framework overview: Description and purpose of the framework
• Compliance metrics: Total controls, passing controls, and overall compliance percentage
• Requirements list: All requirements within the framework, organized hierarchically
• Control mappings: For each requirement, see which controls provide coverage
• Control status: Current pass/fail status for each mapped control
• Gap analysis: Quickly identify requirements that lack control coverage

Framework Coverage Matrix

The Framework Coverage page provides a comprehensive matrix view showing which controls map to which frameworks:

This matrix view displays:

• Controls in rows: All controls in your control library
• Frameworks in columns: Each framework with its abbreviated name
• Checkmarks: Visual indicators showing which frameworks each control is mapped to
• Add requirements buttons: Quick action to map a control to a framework it's not currently associated with
• Status column: Current compliance status for each control
• Filter options: Search and filter controls by status, resource group, or framework

Key benefits of the Coverage Matrix:

• Cross-framework visibility: Instantly see which controls satisfy multiple standards simultaneously
• Gap identification: Quickly spot controls that aren't mapped to certain frameworks
• Control reuse optimization: Identify opportunities to map existing controls to additional frameworks
• Coverage planning: Understand which frameworks have comprehensive control coverage vs. gaps

Use cases:

1. Expanding framework coverage: When adding a new framework, use this view to identify existing controls that could map to its requirements
2. Control consolidation: Find controls that serve similar purposes across frameworks and consolidate where appropriate
3. Framework comparison: Compare control coverage across different standards to understand overlap
4. Audit preparation: Generate a comprehensive view of which controls satisfy which compliance requirements

Working with Frameworks

Understanding Control-to-Requirement Mapping

Controls in CCM can map to requirements across multiple frameworks. This allows you to:

• Reuse a single control definition across multiple compliance standards
• See which frameworks a control helps satisfy
• Understand the breadth of coverage provided by your control library
• Identify opportunities to consolidate duplicate controls

Creating and Managing Controls

Creating a New Control

To create a new control in CCM:

1. Navigate to Controls from the main navigation
2. Click New Control in the upper right
3. Define the control:
   • Name: A clear, descriptive name for the control
   • Description: What the control validates and why it matters
   • Resource Group: Restrict who has access to view/edit control
4. Map the control to framework requirements
5. Create control tests (J1QL queries) that validate the control

Creating Control Tests

Control tests are the core of CCM's automated validation. Each test:

1. Contains a J1QL query that runs against your JupiterOne asset graph
2. Defines expected outcomes are the results returned compliant assets (GOOD) or non-compliant (BAD)
3. Runs automatically on a regular schedule
4. Updates the control status based on whether expectations are met

Managing Existing Controls

From the Controls list, you can:

• Search and filter controls by status, framework, or resource group
• View control details by clicking on any control
• Edit control tests to refine validation logic
• Update framework mappings to map controls to additional requirements
• Review test results to understand why a control is failing

Getting Started

Step 1: Import a new framework

1. Navigate to Frameworks under the Controls tab in the nav bar
2. Select New Framework in the top right
3. Choose an out of the box framework under Use Common Framework or navigate to Paste Framewok JSON to import a custom framework
4. Select Continue to import

Step 2: Understand Your Control Library

1. From the Controls page, review the list of existing controls
2. Click on a control to see:
   • What it validates (control description)
   • How it validates (J1QL queries in control tests)
   • What frameworks it maps to (Requirements tab)
   • Current test results

Step 3: Create Your First Control

1. Click New Control from the Controls page
2. Define the control based on a requirement from your governance framework
3. Click New Control Test to add validation logic
4. Write a J1QL query that tests whether the control is working
5. Save and let the test run automatically

Step 4: Map Controls to Framework Requirements

1. From a control detail page, click the Requirements tab
2. Click Edit Requirements to add framework mappings
3. Select the framework and specific requirement(s) this control satisfies
4. Save your mappings

Step 5: Monitor and Refine

1. Return to the Overview Dashboard regularly to track control health
2. Investigate non-compliant controls to understand root causes
3. Refine control test queries based on false positives or misses
4. Expand your control library to cover additional requirements

Best Practices

To maximize the value of Continuous Control Monitoring:

Start with Your Governance Framework

• Begin with controls that are already defined in your IRM or governance system
• Map those controls to framework requirements in CCM
• Use CCM to automate the evidence collection and validation for those controls

Design Effective Control Tests

• Write specific queries: Focus on precise validation criteria rather than broad checks
• Use negative tests: Often easier to detect violations (what shouldn't exist) than prove compliance
• Combine multiple tests: Use both positive and negative tests for comprehensive coverage
• Test your queries first: Run J1QL queries manually in the Query Builder before adding them as control tests
• Handle exceptions: Consider using tags or properties to exclude known exceptions from test results

Organize Controls Strategically

• Group by technology domain: Separate controls for AWS, Azure, GCP, SaaS applications
• Map to multiple frameworks: Reuse controls across frameworks where applicable
• Use consistent naming: Follow a naming convention for easier management (e.g., "5.6 (AWS) | Control Name")
• Document control intent: Write clear descriptions explaining what the control validates and why

Integrate with Your Workflow

• Connect to your IRM: Use JupiterOne's API to feed control status back to ServiceNow, Archer, or other governance platforms
• Set up alerts: Configure alerts for critical control failures that need immediate attention
• Schedule reviews: Regularly review control test results with your security and platform teams
• Track trends: Monitor control compliance over time to identify systemic issues

Scale Gradually

1. Start with 10-20 critical controls for your most important framework
2. Validate that tests are accurate and provide meaningful results
3. Expand coverage to additional frameworks and control areas
4. Refine test logic based on false positives or missed violations