SVC—Compliance Management
Turn security findings intoaudit-ready compliance.
The ongoing GRC layer your MSSP delivers on top of security assessments. Findings from each assessment are automatically mapped to framework controls. Your team tracks evidence, closes gaps, and walks into audits with a documented posture — not a spreadsheet.
01—How It Works
Five steps. Continuous.
01
Assessment runs
Your MSSP runs a security assessment against your endpoint. Findings are collected and scored automatically.
02
Controls mapped
Each finding is mapped to one or more framework control IDs. Failed controls are flagged automatically — no manual cross-referencing.
03
Policies acknowledged
Employees receive a secure email link to review and sign off on security policies. Each acknowledgment is timestamped and automatically closes the associated compliance controls.
04
Gaps tracked
Controls without automated coverage are marked pending evidence. Your team uploads documentation or configuration exports to close them.
05
Reports generated
A framework-specific gap report shows % controls met, failed control table, evidence checklist, and remediation roadmap.
02—Client Portal
Your team sees
their own posture.
Your MSSP provisions a login for your organization's compliance contact. That person views framework dashboards, sees passing/failing controls, and uploads evidence for manual controls — without touching the MSSP operator console.
- Read-only compliance dashboard per framework
- Evidence upload for manual and hybrid controls
- Control-by-control gap view with maturity level badges
- Policy library — view and download security policies
- Separate login — no access to MSSP operator tools
// example dashboard // controls tracked across frameworks
03—Policy Management
Policies acknowledged.
Controls closed.
Your MSSP maintains a library of security policies. Employees receive a secure one-time link by email to review and acknowledge each policy. Every acknowledgment is timestamped, IP-logged, and automatically marks the associated compliance controls as passing.
- 11 policy categories covering the most-audited control domains
- Employees acknowledge via a secure email link — no account required
- Acknowledgment auto-passes mapped controls across all active frameworks
- Overdue tracking — flag employees who haven't signed within 7 days
- Timestamped, IP-logged audit trail for every acknowledgment
Acceptable Use Policy
j.smith@acme.com
May 14
Password Policy
m.jones@acme.com
May 14
Incident Response Plan
t.williams@acme.com
May 7
Password Policy
r.davis@acme.com
Apr 30
04—Audit Engagements
Hand your auditor a
prepared workspace.
When a third-party auditor engages for SOC 2, HIPAA, PCI DSS, CMMC, ISO 27001, or a cyber insurance application review, create an engagement and grant them scoped, time-limited read access. They see your controls, evidence, and policies — never your MSSP workspace. Every action is logged with a timestamp, and access expires automatically when the engagement closes.
- Magic-link access to /auditor/{engagement-id} — no auditor account creation, no IT ticket
- Scoped to one org, one framework, one date range — auditor cannot see other clients
- Auditor flags controls needing additional evidence — surfaces as a request in your MSSP queue
- Every auditor view, comment, and evidence request is timestamped in an audit trail
- Engagement close produces a sealed PDF with final control status, evidence index, and full action log
- Time-limited access — magic link expires automatically on the engagement end date
// recent activity
Sample engagement view // every action logged and exportable
05—Supported Frameworks
9 frameworks. All live.
Assessment findings map automatically to controls in each. Manual evidence closes the gaps the agent can't reach.
CIS Controls v8
IG1 & IG2
Automated mapping from assessment findings to CIS control IDs. IG1 (Essential) controls form the baseline every organization should clear first.
NIST CSF 2.0
All 6 functions
Govern, Identify, Protect, Detect, Respond, and Recover subcategories mapped to assessment findings.
HIPAA
Security Rule
Required and Addressable implementation specifications. Technical safeguards map to automated findings.
PCI DSS
v4.0
Core and Targeted requirements. Automated findings cover endpoint and network controls.
CMMC 2.0
Level 1 & 2
17 Level 1 practices and 110 Level 2 practices. DoD supply-chain requirement for contractors handling CUI.
SOC 2 Type II
CC + Availability / Confidentiality
Common Criteria (CC1–CC9) map to automated findings across access control, monitoring, and change management.
Cyber Insurance Readiness
Knockout & Enhanced
Underwriting requirements from Coalition, Chubb, Beazley, Travelers, and At-Bay — mapped to automated findings and manual evidence.
FTC Safeguards Rule
16 CFR Part 314 (2023)
GLBA safeguards for auto dealerships, tax preparers, insurance agents, mortgage brokers, and other financial institutions.
ISO 27001:2022
Annex A — 93 controls
International standard for information security management. Theme 8 technical controls map to automated findings.
Delivered through your MSSP.
A monthly subscription your MSSP sells as part of their managed services. Your team accesses the client portal directly. No MSSP partner? Contact us — we can connect you with one, or discuss a direct engagement.
