PLATFORM // GOVERNANCE & COMPLIANCE

Continuous compliance. Not quarterly panic.

Compliance is a normalization problem. Eleven frameworks ask the same 60% of questions in different vocabulary. PolicyCortex builds one intermediate representation, projects it to every framework you care about, and emits hashed evidence as a byproduct of fixing the drift.

[Screenshot: PolicyCortex Governance — overall technical score, critical findings, policies with violations, and live AU (Audit & Accountability) control family panel. Application view · /governance · AU control family]
THESIS

Three claims that make continuous compliance possible.

  1. CLAIM #1 · ONE INTERMEDIATE REPRESENTATION

     Map once. Project to every framework.

     Every finding is normalized into a framework-agnostic IR (resource × condition × control intent × ATT&CK technique × owner). The IR projects out to CMMC L2, NIST 800-171, NIST 800-53, CIS, FedRAMP, ISO 27001 in parallel. One scan, eleven frameworks — without writing eleven rule sets.

     scan → IR → {framework_1, …, framework_N}

  2. CLAIM #2 · DRIFT-TO-EVIDENCE LOOP

     Closed gaps emit hashed evidence.

     Every remediation action ships a content-hashed artifact. The artifact becomes a paragraph of the System Security Plan by construction. SSP narrative is not authored — it accrues. Audit prep stops being a workflow.

     fix(target) → evidence(hash, ctrl, ts) → SSP[ctrl]++

  3. CLAIM #3 · THE 5-SECOND CLOCK

     Drift gets a TTL, not a backlog.

     Compliance drift is detected inside 5s of the change in CSP audit logs. Backlog is failure: a finding older than the median MTTR is an organizational risk signal, not a ticket. We design for the clock.

     MTTD < 5s · MTTR ~30s (gated)
ANATOMY · ONE FINDING

What a normalized finding actually looks like.

One drift event. Five framework citations. ATT&CK technique mapping. Hashed evidence. Rollback ID. This is what closes a control and writes a paragraph of the SSP — in one record.

The IR is internal; assessors get OSCAL 1.1.2 JSON, an auditor-grade ZIP, or a generated Word SSP. Pick the format. The substrate doesn't change.

evidence-record · ev-7c4a90.json · ● SIGNED
{
  "id":        "ev-7c4a90",
  "resource":  "storage/cui-archive-prod-east",
  "condition": "public-access:enabled",
  "owner":     "platform-team",
  "severity":  "CRITICAL",
  "scoped_to": ["CUI", "fedramp-mod"],
  "controls": {
    "cmmc_l2":      ["AC.L2-3.1.2", "AC.L2-3.1.3"],
    "nist_800_171": ["3.1.2", "3.1.3"],
    "nist_800_53":  ["AC-3", "AC-3(7)"],
    "iso_27001":    ["A.5.15"],
    "fedramp":      ["AC-3 (M)", "AC-3(7) (M)"]
  },
  "att&ck":     ["T1078", "T1530"],
  "hash":       "sha256:4b3a…ce19",
  "closed_at":  "2026-05-15T14:22:11.224Z",
  "rollback":   "rb-9f3a"
}
PROJECTS TO

CMMC L2 · CMMC L3 · NIST 800-171 r2 · NIST 800-171 r3 · NIST 800-53 r5 · CIS Benchmarks v8 · FedRAMP MOD · FedRAMP HIGH · ISO 27001:2022 · MITRE ATT&CK · MITRE ATLAS · DFARS 252.204-7012 · ITAR · HIPAA · HITRUST CSF v11 · SOC 2 (TSC) · PCI DSS 4.0 · GLBA · GDPR · NYDFS 500 · DOE 205.1D · OSCAL 1.1.2

● ALL FROM ONE IR · NEW FRAMEWORK = MAPPING, NOT REBUILD
FAQ // GOVERNANCE

Why one engine instead of separate framework modules?

Compliance frameworks share 60–80% of their requirements once normalized. Maintaining separate engines per framework is duplicated work that produces inconsistent results. The IR model means a single drift event satisfies (or violates) every framework it touches in one pass.

What happens when frameworks update?

Framework updates are a rule-mapping change against the IR, not a rebuild. NIST 800-171 r3 was a ~2-week mapping update, not a six-month roadmap item. Custom overlays (federal R&D programs, FedRAMP Rev 5 tailoring) inherit the same model.

Can the SSP actually accrue from evidence, or is that marketing?

Yes, by construction. Every closed finding ships a hashed evidence record with control linkage. The SSP narrative for each control is the ordered concatenation of evidence records for that control. You can regenerate the SSP at any timestamp and get the version that was true then.
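The three pieces described on this page (Claim #1's normalize-then-project IR, Claim #2's fix → evidence(hash, ctrl, ts) loop, and this answer's "ordered concatenation of evidence records, regenerable at any timestamp") fit in one short program. The Python below is an added illustration written for this page, not PolicyCortex code: the raw-event shape, the mapping tables, the function names and the sample timestamps are assumptions, and only the control ids and resource name are taken from the evidence record shown above.

```python
import hashlib
import json
from datetime import datetime

# Constructed mapping tables (assumption, not the product's own data). The IR keys each
# finding by a provider-neutral "control intent"; each intent maps once to per-framework
# control ids, which is what makes a new framework a mapping job rather than a rebuild.
INTENT_CONTROLS = {
    "restrict-public-access": {
        "cmmc_l2":      ["AC.L2-3.1.2", "AC.L2-3.1.3"],
        "nist_800_171": ["3.1.2", "3.1.3"],
        "nist_800_53":  ["AC-3", "AC-3(7)"],
        "iso_27001":    ["A.5.15"],
        "fedramp":      ["AC-3 (M)", "AC-3(7) (M)"],
    },
}
# Raw condition string -> (control intent, severity, ATT&CK technique ids). Constructed.
CONDITION_INTENT = {
    "public-access:enabled": ("restrict-public-access", "CRITICAL", ["T1078", "T1530"]),
}


def normalize(raw_event):
    """Map a provider audit-log event (constructed shape) to the framework-agnostic IR."""
    condition = f"{raw_event['setting']}:{raw_event['value']}"
    if condition not in CONDITION_INTENT:
        return None  # not a governed condition, so no finding is raised
    intent, severity, techniques = CONDITION_INTENT[condition]
    return {
        "resource": raw_event["resource"], "condition": condition, "intent": intent,
        "attck": techniques, "owner": raw_event["owner"], "severity": severity,
    }


def project(ir, frameworks):
    """Project one IR finding onto the requested frameworks; unmapped ones get []."""
    table = INTENT_CONTROLS.get(ir["intent"], {})
    return {fw: table.get(fw, []) for fw in frameworks}


def canonical(obj):
    """Canonical JSON (sorted keys, no whitespace) so equal content hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_evidence(ir, frameworks, closed_at, rollback_id):
    """Emit a content-hashed evidence record for a closed finding."""
    body = {
        "resource": ir["resource"], "condition": ir["condition"], "owner": ir["owner"],
        "severity": ir["severity"], "controls": project(ir, frameworks),
        "attck": ir["attck"], "closed_at": closed_at, "rollback": rollback_id,
    }
    return {**body, "hash": "sha256:" + hashlib.sha256(canonical(body)).hexdigest()}


def verify_evidence(record):
    """Recompute the hash over every field except the hash itself; False if tampered."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return record["hash"] == "sha256:" + hashlib.sha256(canonical(body)).hexdigest()


def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def ssp_at(evidence_log, framework, control, as_of):
    """SSP narrative for one control as it stood at `as_of`: the ordered concatenation of
    verified evidence records citing that control and closed no later than `as_of`."""
    selected = [r for r in evidence_log
                if control in r["controls"].get(framework, [])
                and verify_evidence(r) and _ts(r["closed_at"]) <= _ts(as_of)]
    selected.sort(key=lambda r: _ts(r["closed_at"]))
    return [f"{r['closed_at']}: {r['condition']} on {r['resource']} remediated "
            f"(evidence {r['hash'][:19]}, rollback {r['rollback']})" for r in selected]


if __name__ == "__main__":
    # Constructed sample: the same drift closed twice, a day apart.
    raw = {"provider": "azure", "resource": "storage/cui-archive-prod-east",
           "setting": "public-access", "value": "enabled", "owner": "platform-team"}
    ir = normalize(raw)
    log = [make_evidence(ir, ["nist_800_53", "cmmc_l2"], "2026-05-15T14:22:11.224Z", "rb-0001"),
           make_evidence(ir, ["nist_800_53"], "2026-05-16T09:00:00.000Z", "rb-0002")]
    print(json.dumps(project(ir, ["nist_800_53", "iso_27001", "cis"]), indent=2))
    for line in ssp_at(log, "nist_800_53", "AC-3", "2026-05-16T09:00:00Z"):
        print(line)
```

The point-in-time regeneration works only because each record carries its own closed_at and hash: the narrative at an earlier timestamp is just a shorter prefix of the same log, and any record whose content no longer matches its hash is dropped rather than narrated.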

Does PolicyCortex work multi-cloud?

Yes. AWS, Azure, GCP monitored from one IR. Cross-cloud findings (e.g., "PII accessible from a VPC peered to a cloud account without DLP") are first-class — the IR doesn't know about cloud provider boundaries until projection.

PILOT // 30-DAY

See your own posture. In every framework.

30 days, $15K flat. Connect a cloud, baseline against every framework simultaneously, walk away with C3PAO-ready evidence.

SYS: ONLINE · FOCUS: CMMC L2 / L3 · BUILD: 0aed52 · CMMC DEADLINE: T-d
©2026 POLICYCORTEX, INC.