Compliance Posture
The DoD cyber landscape keeps growing — RMF, STIGs, CORA, Zero Trust, CMMC, FedRAMP 20x, SBOM requirements, cyber survivability. Each requires its own evidence, its own assessors, its own tooling. Spagyric produces a single OSCAL-native evidence model that satisfies all of them.
Eight integrated cyber services — orchestrated by Sigil, recorded by Assay
STIG & CIS hardening: Automated baseline compliance for every VM and container
Vulnerability management: CVE scanning, SBOM generation, and dependency analysis
Continuous monitoring: Runtime security, behavioral analysis, and anomaly detection
Supply chain security: Image provenance, signature verification, and trusted registries
Audit & evidence: Tamper-evident logging with OSCAL-native compliance artifacts
Certificate lifecycle: Automated PKI, rotation, and revocation across all services
Network segmentation: Micro-segmentation, firewall management, and zero-trust enforcement
Incident response: Automated finding-to-ticket workflows with verified remediation
For each DoD cyber requirement, here's what it demands and how Spagyric addresses it — not as a compliance overlay, but as a natural consequence of how the platform operates.
RMF / cATO
Risk Management Framework & Continuous Authorization
What it requires
NIST SP 800-37 governs how DoD systems achieve and maintain authorization to operate. Traditional ATOs take 18-24 months and cost millions. cATO enables continuous authorization but still requires manual evidence collection.
How Spagyric addresses it
Every operational action in Spagyric generates OSCAL-formatted evidence automatically. There is no separate compliance collection phase — the system of record (Assay) captures findings, remediation, and closure in real time. The ATO package assembles itself.
STIG / CIS Benchmarks
Security Technical Implementation Guides & CIS Benchmarks
What it requires
DISA STIGs and CIS Benchmarks define configuration hardening baselines for operating systems, applications, and network devices. Compliance requires regular scanning, remediation, and evidence of both.
How Spagyric addresses it
VMs are hardened at build time from STIG-compliant templates. Continuous scanning detects configuration drift. Findings create tickets automatically. Remediation agents apply fixes and record evidence of closure.
CORA
Command Cyber Operational Readiness Assessment
What it requires
DISA replaced CCRI with CORA in 2024, shifting from periodic inspection-based compliance to continuous operational readiness. Assessors need real-time data on system posture, not point-in-time snapshots.
How Spagyric addresses it
Spagyric maintains continuous readiness posture with real-time scanning, OSCAL-native records, and always-current evidence. When assessors arrive, the data is already there — not assembled after the fact.
Zero Trust (ZTA)
DoD Zero Trust Strategy — Target: FY2027
What it requires
The DoD Zero Trust Strategy requires all systems to implement zero trust architecture by FY2027. This includes identity-aware access, micro-segmentation, continuous verification, and least-privilege enforcement across all layers.
How Spagyric addresses it
Spagyric is zero trust from the ground up. Every API call flows through a policy-gated gateway with identity attribution. The default-deny policy engine (Vigil) requires explicit authorization for every action. Network segmentation, PKI-based service identity, and encrypted communications are baseline — not add-ons.
CMMC 2.0
Cybersecurity Maturity Model Certification
What it requires
CMMC 2.0 requires 220,000-300,000 Defense Industrial Base contractors to demonstrate cybersecurity maturity across 14 control families derived from NIST 800-171. Level 2 requires third-party assessment. Fewer than 2% are currently compliant. Phase 2 enforcement (third-party assessment in new contracts) began in Q3 2025.
How Spagyric addresses it
Spagyric's OSCAL-native evidence model maps directly to NIST 800-171 control families. Continuous monitoring provides ongoing evidence of control implementation. DIB organizations running on Spagyric inherit the platform's security posture rather than building their own.
FedRAMP 20x
FedRAMP Modernization — OSCAL Mandate, September 2026
What it requires
RFC-0024 (January 2026) requires OSCAL-formatted authorization packages for all FedRAMP authorizations. As of 2025, zero OSCAL packages had been submitted to FedRAMP. 585+ marketplace products need OSCAL-capable tooling by September 2026. Only Paramify and RegScale are in the FedRAMP 20x pilot — the rest of the market is scrambling.
How Spagyric addresses it
Spagyric is OSCAL-native from the ground up — not a bolt-on converter. Every finding, evidence artifact, and authorization record is stored in OSCAL format natively. The compliance system of record (Assay) speaks OSCAL as its first language.
EO 14028 / SBOM
Executive Order 14028 — Software Supply Chain Security
What it requires
EO 14028 requires a software bill of materials (SBOM) for all software sold to the federal government. Agencies must verify software provenance, track dependencies, and respond to supply chain vulnerabilities.
How Spagyric addresses it
Spagyric generates SBOMs for every container image and application deployed through the platform. Image provenance is tracked from build through deployment. When a CVE affects a dependency, every affected deployment is identified automatically.
Cyber Survivability (CSE)
Cyber Survivability Endorsement — Operate Through Attack
What it requires
The Cyber Survivability Endorsement process requires systems to demonstrate four attributes: prevent/mitigate cyber events, detect cyber events in real time, operate in degraded mode during events, and restore capabilities after events.
How Spagyric addresses it
Spagyric's architecture directly maps to all four CSE attributes. Hardened compute and zero-trust networking prevent events. Continuous monitoring and anomaly detection identify them. The HA 5-node core cluster with no single point of failure operates through degradation. AI agents auto-remediate and restore — the platform heals itself.
NIST 800-53 / 800-171
Security and Privacy Controls for Information Systems
What it requires
NIST 800-53 defines the control catalog for federal systems (including DoD via RMF). NIST 800-171 defines a subset for protecting CUI in non-federal systems. Together they represent hundreds of individual controls across 20 control families.
How Spagyric addresses it
Spagyric doesn't just document controls — it implements them operationally. Access control, audit logging, incident response, configuration management, system integrity, and identification/authentication are built into the platform. OSCAL-native records map evidence directly to control families.
SCRM
Supply Chain Risk Management
What it requires
Section 889, FOCI requirements, and DoDI 5200.44 require supply chain risk management for all DoD systems. Organizations must verify the provenance and integrity of all hardware and software components.
How Spagyric addresses it
Every software component deployed through Spagyric has a verified chain of custody — from source code through build, scan, sign, and deploy. Container images are built from trusted base images in hardened registries. Signature verification prevents tampered artifacts from reaching production.
Cyber Survivability
Prevent: Hardened compute, zero-trust networking, default-deny policy engine
Detect: Continuous monitoring, anomaly detection, real-time scanning
React: 5-node HA cluster, no SPOF, graceful degradation by design
Restore: AI agents auto-remediate, self-healing infrastructure, immutable baselines
Most platforms focus on prevention and call it security. The Cyber Survivability Endorsement process requires systems to demonstrate they can operate through a cyber event and restore afterward. Spagyric's agentic architecture — continuous monitoring, automatic remediation, HA infrastructure with no single point of failure — is designed for exactly this.
Every framework above requires evidence. Today, organizations maintain separate evidence stores for each — spreadsheets for STIGs, PDFs for ATOs, portals for CMMC, reports for FedRAMP. Spagyric produces one OSCAL-native evidence stream that satisfies all of them.
1 evidence model. 10 requirements covered. 0 manual evidence collection.
If you're spending more time collecting evidence than operating your systems, we should talk.