Compliance Roadmap Guide
Plan a structured, multi-phase path from your current compliance posture to your target state. Compliance Roadmaps help security teams prioritize remediation, track progress over time, and present a credible remediation plan to auditors and executive stakeholders.
What Is a Compliance Roadmap?
A Compliance Roadmap is a time-bound remediation plan that organizes failing and unreviewed compliance controls into a sequence of phases. Each phase has a defined duration, a set of controls to address, and optional MSP billing information for quoting remediation engagements.
Roadmaps are designed to answer the question auditors and executives consistently ask: "You have failing controls — what's your plan to fix them, and by when?" A roadmap gives you a defensible, documented answer backed by real scan data.
Key uses for roadmaps include:
- Internal remediation planning: Prioritize your security team's work over the next 6–18 months, starting with the highest-risk failures.
- Audit preparation: Provide auditors with written evidence of a structured remediation plan, including phase timelines.
- Board reporting: Translate technical compliance gaps into a business timeline with estimated completion dates.
- MSP engagements: Quote a remediation project to a client with estimated hours, billing rates, and total project cost per phase.
- Framework transitions: Plan the adoption of a new framework (e.g., moving from CIS Level 1 to Level 2) in manageable stages.
Navigating to Roadmaps
Access the Roadmap feature from the sidebar under Compliance > Roadmap. The Roadmap list page shows all roadmaps for the current organization, sorted by creation date. Each card displays the roadmap name, target framework, start date, number of phases, and overall completion percentage.
Creating and editing roadmaps requires at least the OrgAdmin role. Auditors and Viewers can read roadmaps but cannot create or modify them. MSP billing columns are only visible to users with ServiceProvider role or in organizations with the MSP Portal enabled.
Creating a Roadmap
Click New Roadmap on the Roadmap list page. The creation dialog collects:
| Field | Description |
|---|---|
| Name | A descriptive title for this roadmap (e.g., "CIS M365 Remediation 2026" or "CISA SCuBA Adoption") |
| Description | Optional narrative context — useful for audit packages |
| Target Framework | The primary compliance framework this roadmap addresses (CIS, SCuBA, DISA STIG, etc.) |
| Start Date | When Phase 1 begins. All subsequent phase dates are computed from this anchor. |
| Include Discovery Phase | Check this to add a Phase 0 (Discovery) before remediation begins. Recommended for organizations that have unreviewed Manual controls. |
After filling in the fields, click Create. TATER creates the roadmap with a default phase structure and opens it in the editing view. If you checked "Include Discovery Phase," Phase 0 appears first with all Manual Review controls pre-populated.
Generating a Roadmap from a Scan
The fastest way to populate a roadmap is to generate it automatically from your most recent scan results. On the Roadmap list page or inside an existing (empty) roadmap, click Generate from Scan.
TATER analyzes the latest scan and distributes controls across phases using the following logic:
| Phase | Controls Assigned |
|---|---|
| Phase 0 (Discovery) | All Manual Review / Unknown controls — if discovery phase is enabled |
| Phase 1 | Failing controls with Critical or High risk score |
| Phase 2 | Failing controls with Medium risk score |
| Phase 3 | Failing controls with Low risk score plus configuration improvements |
| Phase 4 | Documentation, evidence collection, and policy updates |
| Phase 5 | Ongoing maintenance — runs concurrently with phases 2–4, not sequentially |
Generated roadmaps are a starting point — you should review the control assignments and move items between phases to reflect your organization's specific priorities and resource constraints.
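The table above describes the assignment rule; the following added example (not TATER's own code) implements it over a constructed set of scan results so you can see which phase each control lands in. The severity cut points for the 0–10 risk score and the handling of Manual controls when no discovery phase exists are assumptions, since the guide names the bands but not their thresholds.

```python
"""Distribute the latest scan's controls across roadmap phases.

Added example that follows the phase-assignment table in this guide; it is
not TATER's own code. Severity thresholds and the handling of Manual
controls when discovery is disabled are assumptions.
"""
from dataclasses import dataclass, field


def severity(risk_score: float) -> str:
    """Map the 0-10 risk score to a severity band (assumed cut points)."""
    if risk_score >= 9.0:
        return "Critical"
    if risk_score >= 7.0:
        return "High"
    if risk_score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Control:
    control_id: str
    title: str
    status: str  # Pass, Fail, Manual, Unknown, or Skip from the latest scan
    risk_score: float


@dataclass
class Phase:
    number: int
    name: str
    is_discovery: bool = False
    controls: list = field(default_factory=list)


def generate_roadmap(controls, include_discovery=True):
    """Return (phases, unassigned). Phases 4 and 5 are created empty because
    documentation and maintenance work is not derived from scan findings."""
    phases = {
        1: Phase(1, "Critical and High Priority"),
        2: Phase(2, "Medium Priority"),
        3: Phase(3, "Low Priority and Configuration Improvements"),
        4: Phase(4, "Documentation and Evidence Collection"),
        5: Phase(5, "Ongoing Maintenance"),
    }
    if include_discovery:
        phases[0] = Phase(0, "Discovery", is_discovery=True)
    unassigned = []
    for ctl in controls:
        if ctl.status in ("Manual", "Unknown"):
            if include_discovery:
                phases[0].controls.append(ctl)
            else:
                # Assumption: with no Phase 0 these are returned for the
                # user to place by hand rather than silently dropped.
                unassigned.append(ctl)
        elif ctl.status == "Fail":
            band = severity(ctl.risk_score)
            if band in ("Critical", "High"):
                target = 1
            elif band == "Medium":
                target = 2
            else:
                target = 3
            phases[target].controls.append(ctl)
        # Pass and Skip controls need no remediation and are not placed.
    return [phases[n] for n in sorted(phases)], unassigned


def phase_counts(phases):
    """Control count per phase number, as shown in each phase card header."""
    return {p.number: len(p.controls) for p in phases}


# Constructed sample scan results (not real TATER output).
SAMPLE_CONTROLS = [
    Control("EX-001", "Require MFA for all administrators", "Fail", 9.5),
    Control("EX-002", "DMARC policy set to reject", "Fail", 7.2),
    Control("EX-003", "Unified audit log enabled", "Fail", 5.0),
    Control("EX-004", "Limit anonymous sharing links", "Fail", 2.5),
    Control("EX-005", "Acceptable use policy reviewed annually", "Manual", 0.0),
    Control("EX-006", "Legacy authentication blocked", "Pass", 8.0),
    Control("EX-007", "Incident response plan exercised", "Unknown", 0.0),
]

if __name__ == "__main__":
    phases, unassigned = generate_roadmap(SAMPLE_CONTROLS)
    for phase in phases:
        ids = ", ".join(c.control_id for c in phase.controls) or "(none)"
        print(f"Phase {phase.number} {phase.name}: {ids}")
```

Passing controls are deliberately not placed anywhere: a roadmap is a remediation plan, and a fully compliant scan produces an empty one, which is the "empty by design" case noted under Troubleshooting.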
Phase Structure
A typical TATER roadmap uses the following phase model. Each phase is a card in the roadmap editing view.
Phase 0: Discovery
The Discovery Phase is optional and must be enabled at roadmap creation time. It is designed for organizations that have significant numbers of Manual Review controls — controls that require a human to evaluate whether they pass or fail before any remediation can begin.
When Phase 0 is enabled:
- All Manual Review and unscanned controls are placed in Phase 0 first.
- Phase 0 shows a Controls to Review count in the phase card header. This is the full count of manual controls, not the 200-control cap applied to the list view.
- Phases 1 through 4 display a disclaimer note indicating that Phase 0 discovery must be completed before remediation phases begin.
- Phase 0 is marked with an `isDiscovery: true` flag and appears before Phase 1 in both the editing view and exported roadmap reports.
Manual Review controls are compliance checks that cannot be evaluated programmatically — they require a human to review policy documents, interview stakeholders, or inspect configurations that have no automated data source. Until these are reviewed and marked Pass or Fail, they cannot be incorporated into a remediation plan. Phase 0 creates accountability for completing that review before remediation work begins.
Phase 1: Critical and High Priority
Phase 1 addresses the most urgent failing controls — those with Critical or High risk scores. These typically include controls around multi-factor authentication, privileged access, email authentication (DMARC/DKIM/SPF), and data protection. The goal of Phase 1 is to eliminate the highest-impact exposure as quickly as possible, typically within 30–60 days of the roadmap start date.
Phase 2: Medium Priority
Phase 2 addresses Medium-risk failing controls. These often include configuration hardening steps, audit logging, and policy enforcement settings that carry meaningful but not immediate risk. Phase 2 typically runs 60–90 days after Phase 1 completion.
Phase 3: Low Priority and Configuration Improvements
Phase 3 covers Low-risk failing controls and optional configuration improvements — settings that are not strictly failing but represent best-practice hardening. These tend to be lower-urgency changes such as fine-tuning sharing settings, additional audit log retention, or minor policy adjustments.
Phase 4: Documentation and Evidence Collection
Phase 4 is dedicated to completing policy documentation, gathering audit evidence, writing control narratives, and ensuring that all manual controls have documented justification. This phase often overlaps with the final weeks of Phase 3 and typically concludes before the target audit date.
Phase 5: Ongoing Maintenance
Phase 5 represents the steady-state maintenance program — scheduled scans, regular review of overrides, renewal of expiring risk acceptances, and ongoing monitoring. Unlike Phases 1–4, Phase 5 is concurrent with earlier phases (it begins at the same time as Phase 2) and continues indefinitely after all other phases complete.
Cascading Phase Durations
Each phase card has a Duration (months) input field. When you change the duration of any phase, TATER automatically recalculates the start dates of all subsequent phases in a cascade. The computed date ranges are shown as read-only text beneath each phase card (e.g., "Apr 2026 – Jun 2026").
This ensures that roadmap dates stay internally consistent at all times — you never have to manually update start dates when a phase runs longer than planned.
- Set the roadmap start date: The start date in the roadmap header anchors Phase 1 (or Phase 0 if discovery is enabled). All phase dates cascade from this anchor.
- Set a duration for each phase: Enter the number of months in each phase card. The default is 1 month per phase. Adjust based on your team's capacity and the number of controls in each phase.
- Review the computed dates: Each phase card displays the computed start and end dates as read-only text. These update instantly when any duration changes.
- Save the roadmap: Click Save Roadmap to persist all phase durations and date calculations. The roadmap report uses these dates when printed or exported.
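The cascade is easy to state but worth seeing end to end, including the concurrent Phase 5 and the year rollover. The added example below (not TATER's own code) computes every phase's date range from the start-date anchor and the per-phase durations, then shows what happens when Phase 1 slips by a month. It assumes phases are tracked at month granularity and that the displayed end month is the phase's last included month, so a 3-month phase starting in April reads "Apr 2026 – Jun 2026".

```python
"""Cascade roadmap phase dates from the start-date anchor.

Added example, not TATER's own code. It assumes phases are tracked at
month granularity and that a phase's displayed end month is its last
included month (a 3-month phase starting Apr 2026 reads "Apr 2026 – Jun 2026").
"""
from datetime import date

# Constructed anchor used by the demonstration below.
ROADMAP_START = date(2026, 4, 1)


def add_months(d: date, months: int) -> date:
    """First day of the month `months` after d's month (handles year rollover)."""
    total = d.year * 12 + (d.month - 1) + months
    year, month_idx = divmod(total, 12)
    return date(year, month_idx + 1, 1)


def compute_phase_dates(start_date, durations, include_discovery=False):
    """Return {phase_number: (start, end)}; end is None for open-ended Phase 5.

    durations maps phase number -> months; phases missing from it get the
    default of 1 month. A blank start date raises, which is the failure the
    Troubleshooting section describes.
    """
    if start_date is None:
        raise ValueError("roadmap start date is not set; phase dates cannot be computed")
    sequential = ([0] if include_discovery else []) + [1, 2, 3, 4]
    cursor = date(start_date.year, start_date.month, 1)
    spans = {}
    for number in sequential:
        months = durations.get(number, 1)
        if months < 1:
            raise ValueError(f"phase {number}: duration must be at least 1 month")
        spans[number] = (cursor, add_months(cursor, months - 1))
        cursor = add_months(cursor, months)  # next phase starts after this one ends
    # Phase 5 runs concurrently with Phase 2 and continues indefinitely.
    spans[5] = (spans[2][0], None)
    return spans


def date_label(span):
    """Render a span the way the phase card shows it, e.g. 'Apr 2026 – Jun 2026'."""
    start, end = span
    if end is None:
        return f"{start.strftime('%b %Y')} – ongoing"
    return f"{start.strftime('%b %Y')} – {end.strftime('%b %Y')}"


if __name__ == "__main__":
    # Constructed durations: Phase 1 takes 2 months, Phase 2 takes 3 months.
    plan = {1: 2, 2: 3, 3: 1, 4: 1}
    before = compute_phase_dates(ROADMAP_START, plan)
    plan[1] = 3  # Phase 1 slips by a month; everything downstream cascades
    after = compute_phase_dates(ROADMAP_START, plan)
    for n in sorted(before):
        print(f"Phase {n}: {date_label(before[n])}  ->  {date_label(after[n])}")
```

Because Phase 5's start is taken from Phase 2's computed start rather than entered separately, a slip in Phase 1 moves the maintenance start date too, which matches the guide's statement that Phase 5 begins at the same time as Phase 2.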
Adding and Moving Controls
Controls are listed within each phase card. Each control entry shows:
- Control ID and title — e.g., `M365_Defender-001` with full title
- Current status — Pass, Fail, Manual, or Skip from the latest scan
- Risk score — 0–10 badge colored by severity
- MITRE ATT&CK techniques — relevant technique tags based on control keywords
- Framework mappings — which frameworks this control satisfies (CIS, SCuBA, NIST, etc.)
To move a control from one phase to another:
- Locate the control in its current phase card.
- Click the Move button (or use the phase selector dropdown) next to the control.
- Select the destination phase.
- The control moves immediately and the control counts on both phase cards update.
To add a control to a phase that was not auto-populated by the generator:
- Click Add Controls at the bottom of the target phase card.
- Search or browse the control catalog. Filters by framework, application, and status are available.
- Select one or more controls and click Add to Phase.
When reviewing auto-generated phase assignments, look for controls in Phase 1 that require vendor action, product licensing, or multi-department coordination — these may be better suited for a later phase even if they carry a high risk score.
Editing Phase Details
Click the phase card header to expand the editing panel for that phase. You can:
- Rename the phase — click the phase title and type a new name. Custom names like "Identity Hardening" or "Email Security Sprint" can be more meaningful than generic numbered phases.
- Edit the description — add a narrative explaining the goals and scope of this phase. This text appears in the printed roadmap report.
- Adjust duration — use the Duration (months) field. All downstream phases cascade automatically.
- Mark phase complete — once all controls in a phase are resolved, mark the phase complete. The phase card receives a completion indicator and the roadmap's overall percentage updates.
MSP Billing Columns
If your organization has the MSP Portal enabled (set by a SuperAdmin in the Organization detail panel), or if your user has the ServiceProvider role, additional billing columns appear in each phase's control list:
| Column | Description |
|---|---|
| Est. Hours | Estimated hours to remediate this control for the client. Editable per-control. |
| Billing Rate | Hourly billing rate in USD. Defaults to the organization-level rate if set. |
| Control Cost | Computed as Est. Hours × Billing Rate. Read-only. |
Phase cards display a Phase Total row at the bottom summarizing estimated hours and total cost for all controls in the phase. The roadmap header card shows a Project Total spanning all phases.
These figures are used to generate a client-facing engagement quote as part of the Roadmap Report. The quote includes a per-phase breakdown of scope, timeline, and estimated cost.
Billing columns are only shown to users with ServiceProvider role or in MSP-enabled organizations. Client users (OrgAdmin, Auditor, Viewer) in a managed organization do not see estimated hours or billing figures even if they view the same roadmap.
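The visibility rule above is an authorization decision, and the safe place to enforce it is wherever the roadmap is serialized for a viewer, not in the UI alone. The following added example (not TATER's own code) computes Control Cost, Phase Total and Project Total exactly as the table describes, and strips every billing field from the response unless the viewer holds the ServiceProvider role or the organization has the MSP Portal enabled. The dict field names, the `org_rate` default and the sample hours and rates are assumptions constructed for the example.

```python
"""Role-gated MSP billing figures for a roadmap view.

Added example, not TATER's own code. It applies the visibility rule from this
guide (billing columns only for the ServiceProvider role or MSP-enabled
organizations) on the server side, so client users never receive the figures
even when viewing the same roadmap. Field names are assumptions.
"""

BILLING_FIELDS = ("est_hours", "billing_rate", "control_cost")


def can_see_billing(viewer_role: str, org_msp_enabled: bool) -> bool:
    """The guide's rule: ServiceProvider role, or an MSP-enabled organization."""
    return viewer_role == "ServiceProvider" or org_msp_enabled


def control_cost(est_hours: float, billing_rate: float) -> float:
    """Control Cost = Est. Hours x Billing Rate, in USD."""
    return round(est_hours * billing_rate, 2)


def build_phase_view(phase, viewer_role, org_msp_enabled, org_rate=None):
    """Serialize one phase for the viewer, omitting billing data unless permitted."""
    show_billing = can_see_billing(viewer_role, org_msp_enabled)
    rows, hours_total, cost_total = [], 0.0, 0.0
    for ctl in phase["controls"]:
        hours = float(ctl.get("est_hours", 0.0))
        rate = ctl.get("billing_rate", org_rate)  # per-control rate, else org default
        cost = control_cost(hours, rate) if rate is not None else 0.0
        hours_total += hours
        cost_total += cost
        row = {"control_id": ctl["control_id"], "status": ctl["status"]}
        if show_billing:
            row.update(est_hours=hours, billing_rate=rate, control_cost=cost)
        rows.append(row)
    view = {"phase": phase["number"], "controls": rows}
    if show_billing:
        view["phase_total"] = {"hours": hours_total, "cost": round(cost_total, 2)}
    return view


def build_roadmap_view(phases, viewer_role, org_msp_enabled, org_rate=None):
    """Whole-roadmap view; Project Total spans all phases, gated the same way."""
    views = [build_phase_view(p, viewer_role, org_msp_enabled, org_rate) for p in phases]
    result = {"phases": views}
    if can_see_billing(viewer_role, org_msp_enabled):
        result["project_total"] = {
            "hours": sum(v["phase_total"]["hours"] for v in views),
            "cost": round(sum(v["phase_total"]["cost"] for v in views), 2),
        }
    return result


def leaks_billing(view) -> bool:
    """True if any row or total in the view carries billing data; useful as a test."""
    for phase in view["phases"]:
        if "phase_total" in phase:
            return True
        for row in phase["controls"]:
            if any(f in row for f in BILLING_FIELDS):
                return True
    return "project_total" in view


# Constructed sample phases; hours and rates are illustrative only.
SAMPLE_PHASES = [
    {"number": 1, "controls": [
        {"control_id": "EX-001", "status": "Fail", "est_hours": 4, "billing_rate": 150.0},
        {"control_id": "EX-002", "status": "Fail", "est_hours": 2.5},  # falls back to org rate
    ]},
    {"number": 2, "controls": [
        {"control_id": "EX-003", "status": "Fail", "est_hours": 8},
    ]},
]

if __name__ == "__main__":
    for role, msp in (("ServiceProvider", False), ("OrgAdmin", False), ("Viewer", True)):
        view = build_roadmap_view(SAMPLE_PHASES, role, msp, org_rate=175.0)
        print(role, "msp_enabled" if msp else "client_org", "->", view.get("project_total", "no billing data"))
```

The `leaks_billing` helper is the kind of check worth keeping in a test suite: it asserts on the serialized output rather than on the UI, so a future template change cannot quietly expose hours and rates to OrgAdmin, Auditor or Viewer users in a managed organization.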
Using Multiple Roadmaps
An organization can have multiple active roadmaps simultaneously. Common patterns include:
- One roadmap per framework: A CIS M365 roadmap and a separate CISA SCuBA adoption roadmap, each with its own phases and timeline.
- One roadmap per audit cycle: A 2026 roadmap and a 2027 roadmap, letting you archive completed work while planning the next cycle.
- One roadmap per audit engagement: MSPs can create a separate roadmap for each client project or engagement scope.
- One roadmap per product area: Separate roadmaps for M365 cloud controls versus endpoint security controls if different teams own those areas.
All roadmaps for an organization are listed on the Roadmap index page. Archived or completed roadmaps can be collapsed to keep the view clean.
Roadmap Calendar Integration
Roadmap phase milestones automatically appear in the GRC Calendar (accessible from the GRC navigation group). Each phase start date and end date is published as a calendar event with the phase name and roadmap name. This gives a unified view of all active phases across multiple roadmaps alongside audit dates, training deadlines, and regulatory change windows.
Printing the Roadmap Report
Click Print Report from the roadmap header actions menu to generate a printable roadmap document. The report includes:
- Cover section with organization name, roadmap name, target framework, and generation date
- Executive summary — total controls, phase count, start and projected completion date
- Per-phase table listing all controls with status, risk score, and (for MSP users) hours and cost
- Phase narratives (if descriptions were entered for each phase)
- Estimated completion timeline bar chart
The report renders as a printable HTML page. Use your browser's Print dialog (Ctrl+P / Cmd+P) to save it as a PDF for sharing with auditors or executives.
Tips for Using Roadmaps with Clients (MSPs)
When quoting a remediation engagement, generate a roadmap, review the Phase 1 controls, enter your estimated hours, and use the printed Phase 1 cost summary as your Statement of Work. The roadmap provides audit-trail documentation that your scope is grounded in real scan data.
- Enable the Discovery Phase for new clients who have never had a compliance audit. Phase 0 makes the "unknown surface area" visible and creates a deliverable for the first month of an engagement (reviewing manual controls).
- Use Phase 5 for your ongoing retainer: Document the monthly recurring tasks (re-scanning, override review, report generation) in Phase 5. The hours entered here represent your monthly management fee.
- Create one roadmap per client: Even if you manage the same organization under multiple frameworks, a single roadmap with clear phase descriptions is easier to present to a client than multiple overlapping plans.
- Share the Roadmap Report with clients quarterly: As controls are resolved and phases complete, the report reflects real progress against the original plan. This is compelling evidence of value delivered.
- Coordinate with the GRC Calendar: Schedule Phase milestones around the client's existing audit calendar so remediation work is complete before evidence collection deadlines.
Troubleshooting
- Phase dates are not computing: Verify that the roadmap start date is set correctly in the roadmap header. All phase date calculations cascade from that anchor; if the start date is blank or invalid, dates will not compute correctly.
- Billing columns are not visible: Billing columns only appear for users with the ServiceProvider role or in organizations where the MSP Portal has been enabled by a SuperAdmin. Contact your SuperAdmin to check the Organization detail panel for the MSP Portal toggle.
- Generate from Scan produced an empty roadmap: Ensure at least one scan has been imported for the current organization. Navigate to the Scans page and confirm scan results are present. If no failing controls exist (full compliance), the generated roadmap will be empty by design.