Every Framework Is a View. Your Security Posture Is the Source.

Rampart Compliance Engine

Per-control scoring across CMMC Level 2, NIST 800-53 rev5, FedRAMP, SOC 2, ISO 27001, and 20+ frameworks simultaneously. Compliance proofs forged from observed state, not assembled from templates.

Security posture is the mission. Compliance is the proof.

Rampart is the compliance workspace at the center of Redoubt Forge. Every framework you need to satisfy is a view of your defense posture through a mapping lens. You do not maintain separate evidence sets for separate frameworks. You maintain security posture. Rampart projects it into any framework an assessor requires.

01
Per-Control Scoring
Three Dimensions. One Confidence Score.

Every control in your assessment carries a computed confidence score derived from three independent dimensions: defense effectiveness, evidence coverage, and evidence freshness. Defense effectiveness measures whether the control is actually working in your environment. Evidence coverage measures what proves it: configuration snapshots, scan results, policy documents, attestation records. Evidence freshness measures how current that proof is. These three signals combine into a confidence score that updates continuously as the platform ingests new events from your connected infrastructure.

This is not binary pass/fail. It is a spectrum. A control can be fully implemented with strong defenses but carry a declining confidence score because its evidence is aging. Another control might have fresh evidence but insufficient coverage across all environments where it applies. Rampart surfaces exactly where you are strong, where evidence is thinning, and where gaps exist. The underlying compliance state is event-sourced: every status change, every evidence attachment, every re-verification is recorded as an immutable event. The confidence score you see is a derived projection from that event stream, recomputed after every relevant change across every active framework simultaneously.

02
Multi-Framework
Assess Once. Prove Everywhere.

Most frameworks share common ancestry. CMMC Level 2 derives its 110 practices from NIST 800-171 rev2, which itself derives from the Moderate baseline of NIST 800-53 rev5. FedRAMP baselines are overlays on NIST 800-53. SOC 2 trust service criteria map to NIST 800-53 control families. These derivation chains mean that satisfying one control often satisfies requirements in three or four frameworks at once. Rampart's cross-reference engine resolves these relationships through five strategies: native control mapping, NIST 800-53 derivation chain tracing, NIST CSF 2.0 bridging, published cross-walks from authoritative sources, and AI-suggested mappings that require human confirmation before activation.

While you pursue one framework, Rampart computes your readiness for every other framework in the catalog continuously in the background. Policies, procedures, architecture narratives, authorization boundaries, and custom organizational overlays are all processed, mapped, and woven into the same projection model alongside your technical evidence. One click activates a new assessment pre-populated from existing defenses. No duplicate work. No starting from scratch.

03
Control Inheritance
New Systems Start 70% Assessed.

Security posture is layered, and Rampart's inheritance model reflects that structure. Controls propagate through three tiers: organizational, infrastructure, and system-specific. Your Access Control (AC) family policies, your incident response plans, your personnel security procedures: these apply to every system you operate. Your AWS landing zone configuration, your network segmentation, your centralized logging: these apply to every environment provisioned within that infrastructure. System-specific controls are unique to a particular system's architecture, data handling, and operational context.

When you register a new system in Rampart, it inherits applicable controls from both the organizational and infrastructure layers automatically. In practice, new systems start up to 70% assessed before you evaluate a single system-specific control. The remaining 30% covers what makes that system unique. This inheritance is not a one-time copy. If your organization updates an AC family policy, that change propagates to every system that inherits it.

04
Narratives
Generated from Observed State. Not Templates.

Rampart generates control narratives from observed infrastructure state, not from boilerplate templates. Artificer drafts each narrative from live evidence data: what defenses satisfy the control, what evidence proves those defenses are operational, and what gaps remain. For an AC-2 (Account Management) narrative, Artificer examines your connected identity provider configuration, your role-based access policies, your account provisioning workflows, and your most recent access review evidence. The resulting narrative references specific infrastructure components, specific policy documents, and specific evidence artifacts with timestamps.

Every narrative Artificer drafts is a proposal. The platform previews the full text, highlights the evidence sources it drew from, and flags any controls where evidence is insufficient or aging. Your team reviews, edits where necessary, confirms accuracy, and attests. No narrative is finalized without human confirmation. The platform handles the mechanical 90%. Humans handle the 10% that requires judgment.

05
Live Assessments
Evidence Replays to Any Timestamp.

Assessments in Rampart never lock into a static document. Your team works in the live view. When your C3PAO or auditor needs to review, they access a point-in-time snapshot derived from the same event-sourced data. Because compliance state is stored as an immutable event stream, the platform can project posture to any timestamp. Fixes made during the assessment period are credited immediately through real-time event projection.

Every control carries a complete chain of provenance: what defense satisfies it, what evidence supports that defense, who verified it, and when it was last re-verified. This chain traces back to the original compliance events in the event store, each carrying a user ID, session ID, OpenTelemetry trace ID, and a SHA-256 integrity hash for tamper detection. The assessor can replay the evidence chain to any point in time. The audit trail is not a separate artifact. The events are the audit trail.
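A minimal sketch of the pattern described above, added here as an illustration and not taken from Rampart's code: an append-only event log, a per-event SHA-256 integrity hash, and a posture projection to any timestamp. Chaining each hash to the previous event, the field names and the sample events are assumptions made for this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value that the first event links to

def event_hash(body, prev_hash):
    """SHA-256 over the previous hash plus the canonical JSON of the event body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(log, **body):
    """Append an event, linking it to the hash of the event before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev": prev, "hash": event_hash(body, prev)})

def first_tampered(log):
    """Index of the first event whose hash or link does not verify, else None."""
    prev = GENESIS
    for i, ev in enumerate(log):
        body = {k: v for k, v in ev.items() if k not in ("prev", "hash")}
        if ev["prev"] != prev or ev["hash"] != event_hash(body, prev):
            return i
        prev = ev["hash"]
    return None

def project(log, as_of):
    """Fold events with ts <= as_of into {control: status}; reject a broken log."""
    if first_tampered(log) is not None:
        raise ValueError("event log failed integrity verification")
    state = {}
    for ev in log:  # append order is time order in this sample
        if ev["ts"] <= as_of:
            state[ev["control"]] = ev["status"]
    return state

def sample_log():
    """Constructed events; IDs and timestamps are made up for the example."""
    log = []
    for ts, control, status in [
        ("2024-03-01T09:00:00Z", "AC-2", "gap"),
        ("2024-03-05T14:30:00Z", "IR-3", "gap"),
        ("2024-03-12T10:15:00Z", "AC-2", "satisfied"),
        ("2024-03-20T16:45:00Z", "IR-3", "satisfied"),
    ]:
        append(log, ts=ts, control=control, status=status,
               user="u-17", session="s-01", trace="4bf92f35")
    return log
```

Because each hash covers the previous one, editing a stored event invalidates it and everything after it, so a projection over an altered log is refused rather than silently reported.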

06
Overlay Engine
Composable Layers. Zero Engine Changes.

Each framework in Rampart is a module that declares its evidence requirements per control. The collection engine resolves those declarations against your discovered infrastructure and computes whether sufficient evidence exists. Add a new framework module: automatic gap analysis. Connect new infrastructure: automatic evidence collection. New frameworks require zero engine changes. The overlay engine treats frameworks, baselines, DISA SRGs, DISA STIGs, CIS Benchmarks, and organizational overlays as composable layers that stack on top of each other.

Overlays modify or extend a base framework without duplicating it. A FedRAMP High overlay adds controls on top of NIST 800-53 rev5 High. A DISA STIG overlay maps specific configuration checks to the controls they satisfy. An organizational overlay adds your company-specific policies. Rampart composes these layers into a single unified assessment view. The platform exports machine-readable compliance packages in OSCAL format for interoperability with government assessment systems.

07
Evidence Sufficiency
The Platform's Operation Is Compliance Documentation.

The platform computes evidence sufficiency automatically for every control across every active framework. Each framework module declares what constitutes sufficient evidence: the types of artifacts required, the minimum freshness threshold, and the coverage scope. When evidence state changes, hash comparison detects the transition instantly. A scan result that ages past its freshness threshold triggers Sentinel to re-collect before a gap appears in your posture.

Different frameworks impose different freshness requirements: a CMMC Level 2 practice might accept quarterly vulnerability scans, while a FedRAMP High control requires continuous monitoring with daily evidence refresh. Sentinel monitors these expiration windows and initiates re-collection before evidence goes stale. Declared desired states are the policies. Controller actions are the evidence. The gap between desired and actual is the assessment. The reconciliation history is the audit trail. The platform's operation is compliance documentation.
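To make the sufficiency model concrete, the sketch below is an added example, not Rampart's implementation: it evaluates one evidence set against two framework declarations with different freshness windows and flags evidence for refresh before it expires. The declaration schema, status names, thresholds and sample evidence are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed declarations: what each framework module accepts as sufficient.
REQUIREMENTS = {
    ("CMMC Level 2", "RA.L2-3.11.2"): {
        "artifact": "vuln_scan", "max_age": timedelta(days=90),
        "scope": {"prod", "staging"}},
    ("FedRAMP High", "RA-5"): {
        "artifact": "vuln_scan", "max_age": timedelta(days=1),
        "scope": {"prod", "staging"}},
}

def evaluate(req, evidence, now, lead=timedelta(0)):
    """Return (status, environments) for one declared requirement.

    lead is how far ahead of expiry a refresh should be scheduled.
    """
    newest = {}  # environment -> newest collection time of a matching artifact
    for ev in evidence:
        if ev["artifact"] == req["artifact"] and ev["env"] in req["scope"]:
            if ev["env"] not in newest or ev["collected"] > newest[ev["env"]]:
                newest[ev["env"]] = ev["collected"]
    missing = sorted(req["scope"] - set(newest))
    stale = sorted(e for e, t in newest.items() if now - t > req["max_age"])
    due = sorted(e for e, t in newest.items()
                 if e not in stale and now - t > req["max_age"] - lead)
    if missing:
        return "insufficient_coverage", missing
    if stale:
        return "stale", stale
    if due:
        return "refresh_due", due
    return "sufficient", []

def assess(evidence, now, lead=timedelta(0)):
    """Evaluate every declared requirement against the same evidence set."""
    return {key: evaluate(req, evidence, now, lead)
            for key, req in REQUIREMENTS.items()}

# Constructed sample: one evidence set, read through both declarations.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)
EVIDENCE = [
    {"artifact": "vuln_scan", "env": "prod", "collected": NOW - timedelta(hours=12)},
    {"artifact": "vuln_scan", "env": "staging", "collected": NOW - timedelta(days=2)},
]
```

With this sample, the two-day-old staging scan is sufficient under the 90-day window and stale under the daily one, which is the divergence the paragraph describes.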

08
Document Management
Upload Your Policies. The Platform Maps, Generates, and Packages Everything Else.

Organizations upload their existing documents: incident response plans, access control policies, configuration management procedures, system security plans, continuity of operations plans, personnel security policies. The RAG pipeline ingests every uploaded file, extracts content, and maps it to the controls it satisfies across every active framework. Your IRP (Incident Response Plan) maps to IR-1 through IR-8 in NIST 800-53, to IR.L2-3.6.1 and IR.L2-3.6.2 in CMMC Level 2, to A.5.24 through A.5.28 in ISO 27001, and to CC7.3 through CC7.5 in SOC 2. One document. Multiple frameworks. The platform resolves the mappings automatically and surfaces gaps: "Your IRP covers incident detection and reporting but does not address incident response testing (IR-3). Three frameworks require it."

From those uploaded policies and your live infrastructure evidence, Artificer generates per-control-family narratives and per-framework compliance packages. An Access Control (AC) family package for CMMC Level 2 includes: the control narrative for each AC practice, the linked evidence artifacts (IAM policies, access review logs, MFA configuration screenshots from Sentinel), your uploaded access control policy document, and the mapping chain showing how each practice is satisfied. For FedRAMP, the same underlying data produces an SSP (System Security Plan) section with control implementation descriptions in OSCAL format. For SOC 2, it produces trust service criteria narratives with evidence cross-references. Document versioning tracks every iteration with full diff history. Weekly health checks validate that every control has a current narrative, every narrative references current evidence, and every uploaded policy is still within its review cycle. When your assessor arrives, the package is assembled from your running systems and your organizational policies woven together. Not from templates.

Something is being forged.

The full platform is under active development. Reach out to learn more or get early access.