Frameworks are the control libraries your assessments map onto. OnlyHIPAA ships 17 built-in libraries and you can add your own.
Built-in frameworks: HIPAA, SOC 2 (incl. SOC 2 Privacy), ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 42001, NIST Cybersecurity Framework, NIST Privacy Framework, NIST AI RMF, NIST SP 800-53, HITRUST CSF, HHS 405(d) HICP, CIS Controls v8, PCI DSS v4.0, FedRAMP, CMMC 2.0, and consumer-privacy law (GDPR / CCPA / US state). Every one of the question bank's controls maps to several of these at once, so a single HIPAA assessment reports against your whole standards portfolio.
Custom frameworks are a Professional plan feature. The built-in libraries are available to view on every plan.
Built-in frameworks come pre-populated with their controls and are read-only — you can scope them into an assessment but not edit them. Custom frameworks are yours to build: create one with a name, description, source, and version, then add controls to it (each control has a reference such as AC-1, a title, an optional category, and a flag indicating whether the control is required). Mark a framework active to make it available for scoping; deactivate one you're not using so it no longer appears as a scoping option.
Frameworks don't do anything on their own — you put them to work by scoping them into an assessment. The core HIPAA questions are always present; adding a framework maps your answers onto that framework's controls too, so one assessment can report against several standards. (See Assessments for scoping, and Cross-Framework Coverage for the AI that suggests where one answer satisfies controls in other frameworks.)
Managing frameworks (create, edit, add/remove controls, activate) is org-admin only. Everyone can see the built-in libraries. A custom framework belongs to your organization and can be deleted by an admin.