
Frequently asked questions.

Everything about PolicyCortex — compliance frameworks, deployment options, security model, pricing. Jump to a category or scroll the lot.

01 · CMMC Compliance

What is the November 6 deadline?

DFARS 252.204-7021 enforcement begins November 6, 2026. All defense contractors handling Controlled Unclassified Information (CUI) must hold a CMMC Level 2 certification or risk losing their DoD contracts.

How much does CMMC compliance cost with PolicyCortex?

The 30-day CMMC pilot is $15,000 flat. This includes baseline assessment, automated gap closure, SSP, POA&M, and a C3PAO-ready evidence package. Traditional consultants charge $70K-$300K and take 6-18 months.

What clearances does the PolicyCortex team hold?

Founder Leonard Esere holds a DoD Secret clearance and a DOE Q clearance (equivalent to DoD Top Secret). He currently consults at a DOE national laboratory.

02 · General

What is PolicyCortex?

PolicyCortex is an autonomous cloud governance platform that replaces disconnected compliance, security, cost, and AI governance tools with a single system. It continuously monitors your cloud infrastructure, detects misconfigurations and policy violations, and remediates issues automatically - all while collecting compliance evidence in real time.

Who is PolicyCortex built for?

PolicyCortex is designed for defense contractors preparing for CMMC assessments, national laboratories and federal agencies managing complex multi-cloud environments, and any organization that needs continuous compliance monitoring across AWS, Azure, and GCP.

How is PolicyCortex different from a traditional GRC tool?

Traditional GRC tools manage policies and risk registers but don't connect to your cloud infrastructure. PolicyCortex reads your actual cloud configuration via API, continuously monitors compliance posture, and can automatically remediate issues - closing the gap between documented policies and actual infrastructure state.

What cloud providers does PolicyCortex support?

PolicyCortex supports AWS, Microsoft Azure, and Google Cloud Platform. It provides unified governance across all three providers from a single dashboard, with provider-specific policy engines that understand each platform's native services.

03 · Compliance & Frameworks

What compliance frameworks does PolicyCortex support?

PolicyCortex supports CMMC (Levels 1-3), NIST 800-171, NIST 800-53, FedRAMP, CIS Benchmarks, DFARS 252.204-7012, MITRE ATT&CK, and MITRE ATLAS. Controls are mapped across frameworks so you don't duplicate effort when meeting multiple requirements simultaneously.

How does PolicyCortex help with CMMC preparation?

PolicyCortex continuously monitors your cloud environment against all 110 NIST 800-171 practices (CMMC Level 2). It automatically collects evidence for each control, generates System Security Plans (SSPs) and POA&Ms, and alerts you when your compliance posture drifts. This transforms CMMC preparation from a months-long manual process into continuous readiness.

Does PolicyCortex replace my C3PAO assessment?

No. You still need a Certified Third-Party Assessor Organization (C3PAO) for your formal CMMC assessment. PolicyCortex helps you prepare by maintaining continuous compliance and assembling the evidence your assessor will need, significantly streamlining the assessment process.

Can PolicyCortex map controls across multiple frameworks?

Yes. PolicyCortex maintains a cross-framework control mapping so that a single security implementation can satisfy requirements across CMMC, NIST, FedRAMP, CIS, and other frameworks simultaneously. This eliminates duplicate evidence collection and provides a unified compliance dashboard.

How does evidence collection work?

PolicyCortex continuously monitors your cloud configuration and automatically collects evidence as it detects compliant (or non-compliant) states. Each evidence artifact is timestamped, versioned, and mapped to the relevant control. When assessment time comes, your evidence is already assembled and current.

04 · Technical & Deployment

How is PolicyCortex deployed?

PolicyCortex offers multiple deployment models: SaaS (multi-tenant), single-tenant cloud, GovCloud (AWS GCC/GCC-High, Azure Government), and on-premises for air-gapped environments. Every deployment model runs the same platform with the same capabilities.

Does PolicyCortex require agents on my servers?

No. PolicyCortex operates agentlessly via cloud provider APIs (AWS, Azure, GCP). It reads your configuration, resource state, and event data through standard cloud APIs using read-only access where possible. Remediation actions use scoped write permissions that you control.

How does autonomous remediation work?

When PolicyCortex detects a policy violation or misconfiguration, it analyzes the root cause and determines the appropriate remediation action. Depending on your configuration, it can execute the fix automatically or present it for human approval. Every action includes a rollback ID so changes can be reversed if needed.

Can I start with manual approvals before enabling full automation?

Yes. Most organizations start in gated mode where every remediation action requires human approval. As confidence builds, you can gradually enable autonomous remediation for specific action types and resource categories while keeping human approval for higher-risk changes.
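The answers above on agentless access with scoped write permissions, remediation with a rollback ID, gated mode, and timestamped, versioned evidence describe one workflow. The following is an added illustration of that workflow and is not PolicyCortex code: a small engine that refuses any action it has not been granted a write permission for, queues everything else for human approval unless the action type has been explicitly marked autonomous (high-risk action types stay gated regardless), records a rollback entry before it changes anything, and emits a versioned evidence artifact per control. The permission names, action types, control identifiers and the simulated resource state are constructed for the example.

```python
"""Approval-gated remediation with rollback records and evidence artifacts.

Added illustration, not PolicyCortex code. Permission names, action types,
control identifiers and resource state below are constructed assumptions.
"""
from __future__ import annotations

import hashlib
import json
import uuid
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical mapping from an action type to the single write permission the
# platform needs for it. The platform may only act where that permission was granted.
ACTION_PERMISSION = {
    "block_public_access": "s3:PutBucketPublicAccessBlock",
    "enable_encryption": "s3:PutEncryptionConfiguration",
    "delete_resource": "s3:DeleteBucket",
}

# Action types that always wait for a human, even when autonomous mode is on.
HIGH_RISK_ACTIONS = {"delete_resource"}


@dataclass(frozen=True)
class Finding:
    resource: str   # resource identifier (constructed sample values in demo())
    control: str    # control the finding maps to
    action: str     # remediation action type
    desired: dict   # configuration that would make the resource compliant


@dataclass
class RemediationEngine:
    cloud: dict                                   # simulated resource state by resource id
    granted: set                                  # write permissions actually granted
    autonomous: set = field(default_factory=set)  # action types allowed without approval
    rollbacks: dict = field(default_factory=dict)
    evidence: list = field(default_factory=list)
    _versions: dict = field(default_factory=dict)

    def handle(self, f: Finding, approved: bool = False) -> dict:
        """Decide whether a finding is fixed now, queued for approval, or blocked."""
        perm = ACTION_PERMISSION.get(f.action)
        if perm is None or perm not in self.granted:
            # Least privilege: no granted scope, no action, whatever the approval state.
            return {"status": "blocked", "reason": f"missing permission {perm}"}
        needs_human = f.action in HIGH_RISK_ACTIONS or f.action not in self.autonomous
        if needs_human and not approved:
            return {"status": "pending_approval", "action": f.action, "resource": f.resource}
        return self._apply(f)

    def _apply(self, f: Finding) -> dict:
        before = dict(self.cloud[f.resource])        # snapshot taken before any change
        rollback_id = str(uuid.uuid4())
        self.rollbacks[rollback_id] = (f.resource, before)
        self.cloud[f.resource].update(f.desired)
        self._record_evidence(f, rollback_id)
        return {"status": "applied", "rollback_id": rollback_id}

    def _record_evidence(self, f: Finding, rollback_id: str) -> None:
        """Append a timestamped, versioned artifact mapped to the control."""
        key = (f.resource, f.control)
        self._versions[key] = self._versions.get(key, 0) + 1
        after = json.dumps(self.cloud[f.resource], sort_keys=True).encode()
        self.evidence.append({
            "control": f.control,
            "resource": f.resource,
            "version": self._versions[key],
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "state_sha256": hashlib.sha256(after).hexdigest(),
            "rollback_id": rollback_id,
        })

    def rollback(self, rollback_id: str) -> bool:
        """Restore the pre-change snapshot; False if the ID is unknown or already used."""
        entry = self.rollbacks.pop(rollback_id, None)
        if entry is None:
            return False
        resource, before = entry
        self.cloud[resource] = before
        return True


def demo() -> dict:
    """Run one autonomous, one gated and one blocked remediation; return the outcomes."""
    cloud = {"bucket/cui-exports": {"public_access_block": False, "encryption": None}}
    engine = RemediationEngine(
        cloud=cloud,
        granted={"s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration"},
        autonomous={"block_public_access"},
    )
    pub = Finding("bucket/cui-exports", "NIST 800-171 3.13.1", "block_public_access",
                  {"public_access_block": True})
    enc = Finding("bucket/cui-exports", "NIST 800-171 3.13.16", "enable_encryption",
                  {"encryption": "AES256"})
    dele = Finding("bucket/cui-exports", "NIST 800-171 3.4.2", "delete_resource", {})
    r1 = engine.handle(pub)                  # autonomous action -> applied
    r2 = engine.handle(enc)                  # gated action -> pending_approval
    r3 = engine.handle(enc, approved=True)   # approved -> applied, rollback ID issued
    r4 = engine.handle(dele, approved=True)  # delete scope never granted -> blocked
    rolled = engine.rollback(r3["rollback_id"])
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "rolled": rolled,
            "state": dict(cloud["bucket/cui-exports"]), "evidence": list(engine.evidence)}
```

The permission check comes first on purpose: a human approval cannot widen what the platform is allowed to touch, so the set of granted write scopes is the hard boundary and the approval gate only narrows what happens inside it. The rollback entry is written before the change is applied, so a failed write never leaves an action without a way back.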

What data does PolicyCortex access?

PolicyCortex accesses cloud configuration data, metadata, and event logs through cloud provider APIs. It does not access the content of your files, databases, or application data. For CUI environments, the platform can be deployed within your own boundary so that metadata never leaves your environment.

Can PolicyCortex work in air-gapped environments?

Yes. PolicyCortex supports on-premises deployment for organizations that operate disconnected or air-gapped environments. The platform runs entirely within your infrastructure with no external connectivity required for core functionality.

05 · Security & Trust

How does PolicyCortex handle my data?

PolicyCortex processes cloud configuration metadata - not your application data or CUI. Data is encrypted in transit and at rest. For the most sensitive environments, single-tenant and on-premises deployments ensure your data never leaves your boundary.

Is PolicyCortex pursuing FedRAMP authorization?

PolicyCortex is designed with FedRAMP-aligned security controls. Contact us for current authorization status and available deployment options for federal customers.

Who can see what in PolicyCortex?

PolicyCortex implements role-based access control with scoped visibility. CISOs see organization-wide posture. Cloud architects see infrastructure details. ISSOs see evidence and control status. Each role sees only what it needs - without exposing sensitive information across team boundaries.

06 · Pricing & Getting Started

How is PolicyCortex priced?

Pricing depends on your deployment model, cloud footprint size, and the modules you need. We offer flexible models that scale with your infrastructure. Contact us for a tailored quote based on your specific requirements.

Is there a free trial?

We offer guided evaluations where you can see PolicyCortex operating against your actual cloud environment. Contact us to schedule a technical evaluation.

How quickly can I get started?

SaaS deployments can be connected to your cloud accounts within hours. Initial compliance posture assessment is typically available within the first day. Full policy configuration and remediation setup varies by environment complexity but typically takes days, not weeks.

Still have questions?

Talk to the team directly.

A cleared consultant responds within one business day. Or skip the queue and book a 30-minute scoping call with the founder.

©2026 POLICYCORTEX, INC.