
OSCAL-native CMMC compliance automation.
OCIC — CCV (Continuous Compliance Verification)
OCIC turns live cloud configuration into mapped, evidenced control coverage — built on an OSCAL-native foundation by a team that has audited the frameworks it automates.
Compliance doesn't break at the audit. It drifts after it.
You pass an assessment the day it's performed. Then your environment keeps moving — and each change can quietly push you out of compliance until the next audit.
A pass is a snapshot
It certifies the day it was taken — not the months of changes that follow.
Drift is invisible
No one watches 39 config types by hand, so the gap between assessed and actual widens silently.
The bill comes due
Drift accumulates for the full three years between assessments — then surfaces all at once.

A snapshot vs. continuous verification
The old way certifies a moment. OCIC verifies continuously — so compliance holds between assessments instead of decaying after them.
A snapshot in time
- Certifies only the day of assessment
- Drifts as configuration changes
- Blind between assessments
- Remediation scramble before each audit
Compliance that holds
- Verified daily against live tenant state
- Catches drift the moment it happens
- Evidence regenerated continuously
- Audit-ready every day

Between assessments, your compliance is only as current as your last audit — and your environment never stops changing.
The cost of point-in-time compliance is rising
CMMC is in the contract
Certification is flowing down from primes into active awards — a condition of doing the work, not a future concern.
Self-attestation has teeth
An SPRS score that no longer reflects your environment is a misrepresentation you signed.
Environments outpace audits
Cloud configuration shifts weekly; a cadence measured in years can't keep up. Verification has to be continuous.
OCIC ships with thousands of proprietary mappings from Microsoft cloud configuration settings to CCIs, built on its patent-pending Universal Parameter Identifier (UPI) mapping.

From connected tenant to continuous assurance
01 Connect
Connect your Microsoft tenant with read-only access via Microsoft Graph. No agents, no questionnaires.
02 Verify
OCIC reads live configuration and maps it to control requirements, attaching evidence at the control level with 3-tier assurance.
03 Detect
Configuration is re-checked continuously. When a setting drifts out of alignment, OCIC flags it with the affected controls.
04 Maintain
Closed-loop remediation and regenerated SSP, POA&M, and SPRS keep your authorization package current.

From live configuration to evidenced control coverage
Live tenant verification
Reads real configuration state from Microsoft Graph — not questionnaires — so coverage reflects what is actually deployed.
AI policy-to-control mapping
Maps your policies and cloud settings to control requirements, with evidence attached at the control level.
OSCAL-native architecture
Built on OSCAL from the ground up, so your compliance data is structured, portable, and machine-readable.
Point-in-time compliance assumes things that aren't true
"Configuration stays as it was on audit day."
It doesn't — every change after the assessment is unverified.
"A sample of evidence represents the whole."
Sampling misses the settings that drift between the ones that were checked.
"People will notice when something slips."
No team can continuously watch every control across every config type by hand.
CCV removes the assumptions — it verifies the whole environment against live state, continuously, instead of trusting that nothing changed.
Confidence you can sustain — not scramble for
Compliance stops being an annual event and becomes a property of your environment that holds between assessments.
Audit-ready every day
Walk into your next assessment already evidenced, not rebuilding the package from scratch.
Drift caught and closed in the loop
With evidence of the fix, not a finding to explain later.
One source of truth
OSCAL-native data feeds your SSP, POA&M, and SPRS score from the same verified state.
No fire drill
Because nothing was left to discover at the last minute.

Prove it against your own tenant
See how OCIC maps and evidences your controls from live configuration — in a walkthrough built around your framework scope.
One verification, the frameworks that matter
OCIC currently covers CMMC, NIST SP 800-171, and NIST SP 800-53 — the frameworks that matter most for the Defense Industrial Base and federal-facing organizations.
Real compliance. Honestly priced.
Full platform at every tier. No feature gates, no per-framework add-ons, no surprise renewals — built for the defense industrial base.
Startup
1–25 employees · 1 boundary
$7,188/yr · 1-year minimum
- Full OCIC platform
- Single tenant
- All frameworks
- Email support (24-hr SLA)
- Guided onboarding
Small Contractor
26–100 employees · 1–2 boundaries
$11,988/yr · 1-year minimum
- Full OCIC platform
- Up to 2 boundaries
- All frameworks
- Email + phone support
- Guided onboarding
Mid-Size
101–250 employees · 2–3 boundaries
$21,588/yr · 1-year minimum
- Full OCIC platform
- Up to 3 boundaries
- All frameworks
- Phone support (4-hr SLA)
- Guided onboarding
Large Contractor
251–500 employees · 3–5 boundaries
$35,988/yr · 1-year minimum
- Full OCIC platform
- Up to 5 boundaries
- All frameworks
- Dedicated support
- Guided onboarding
Prime / Agency
500+ employees · 5+ boundaries
$59,988/yr · 1-year minimum
- Full OCIC platform
- Unlimited boundaries
- All frameworks
- Dedicated support + CSM
- Custom onboarding
Prices are per organization. Unlimited users and frameworks on every tier.
Everything included. Every tier.
We don't charge extra for capabilities. You get the full platform from day one.
Live tenant verification
3-tier assurance — policy exists, is assigned/scoped, and is enforced. Verified reality, not checkbox compliance.
Cross-framework reciprocity
Thousands of config-to-CCI mappings. Prove once, satisfy NIST 800-171, CMMC, FedRAMP, and NIST CSF.
OSCAL-native output
Machine-readable authorization packages built on OSCAL from the architecture up — not a bolt-on.
AI policy-to-control mapping
Intelligent mapping with confidence scoring and human review. Transparent about what is automated and what a reviewer confirms.
Cloud config coverage engine
Per-setting coverage rows, scope tracking, and gap detection across 39 Microsoft config types.
Remediation engine
Closed-loop remediation with two-person integrity, AES-256 encryption, and evidence of the fix.
Cyber training engine
Generate compliance training as a built-in artifact tied directly to control requirements.
SSP, POA&M & SPRS
System Security Plan generation, Plan of Action tracking, and SPRS score calculation built in.
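The 3-tier assurance model (policy exists, is scoped, is enforced) and the drift detection described in the Verify and Detect steps, shown as an added example that is not OCIC's code. The policy record shape is an assumption loosely modelled on Microsoft Graph conditional access policies, the snapshots are constructed, and the control identifiers are placeholders.

```python
"""Added example: three-tier assurance check plus drift detection over two
constructed snapshots of tenant policy state. Not OCIC's implementation."""

# Placeholder mapping from a required policy to the control(s) it evidences.
CONTROL_MAP = {
    "require-mfa": ["PLACEHOLDER-CTRL-MFA"],
    "block-legacy-auth": ["PLACEHOLDER-CTRL-LEGACY-AUTH"],
}

TIER_NAMES = {0: "missing", 1: "exists", 2: "scoped", 3: "enforced"}


def assurance_tier(policy):
    """Return the highest tier a policy satisfies: 0 missing, 1 exists,
    2 assigned/scoped to users or groups, 3 enforced (state == 'enabled')."""
    if policy is None:
        return 0
    users = policy.get("conditions", {}).get("users", {})
    if not (users.get("includeUsers") or users.get("includeGroups")):
        return 1  # policy object exists but applies to nobody
    if policy.get("state") != "enabled":
        return 2  # disabled or report-only: scoped but not enforced
    return 3


def verify(snapshot):
    """Evaluate every required policy in a snapshot to its assurance tier."""
    return {name: assurance_tier(snapshot.get(name)) for name in CONTROL_MAP}


def detect_drift(baseline, current):
    """Findings for each policy whose tier dropped since the baseline,
    tagged with the affected controls so the finding is actionable."""
    findings = []
    for name, before in baseline.items():
        after = current.get(name, 0)
        if after < before:
            findings.append({"policy": name, "from": TIER_NAMES[before],
                             "to": TIER_NAMES[after],
                             "controls": CONTROL_MAP[name]})
    return findings


# Constructed snapshots: assessment day vs. a later read where MFA was
# switched to report-only and the legacy-auth block was deleted.
ALL_USERS = {"users": {"includeUsers": ["All"]}}
ASSESSED = {"require-mfa": {"state": "enabled", "conditions": ALL_USERS},
            "block-legacy-auth": {"state": "enabled", "conditions": ALL_USERS}}
LATER = {"require-mfa": {"state": "enabledForReportingButNotEnforced",
                         "conditions": ALL_USERS}}

if __name__ == "__main__":
    for finding in detect_drift(verify(ASSESSED), verify(LATER)):
        print(finding)
```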
See how OCIC stacks up
Typical 3-year cost for a 50-employee contractor pursuing CMMC Level 2.
| Approach | Year 1 | Year 2 | Year 3 | 3-year total |
|---|---|---|---|---|
| CMMC consultant | $50K–$75K | $20K–$35K | $20K–$35K | $90K–$145K |
| Vanta / Drata | $15K–$25K | $20K–$35K | $25K–$45K | $60K–$105K |
| Hyperproof / ZenGRC | $24K–$48K | $24K–$48K | $24K–$48K | $72K–$144K |
| RegScale / Xacta | $75K+ | $75K+ | $75K+ | $225K+ |
| OCIC (3-year) | $8,988 | $8,988 | $8,988 | $26,964 |
Add-ons for specific needs
The full platform is already included. These extend it for special cases.
Additional auth boundary
For environments with authorization boundaries beyond your tier allocation.
Dedicated success manager
Named point of contact, quarterly compliance reviews, and priority support escalation.
C3PAO assessment prep
Pre-assessment readiness review, evidence validation, and mock assessment walkthrough.
Multi-cloud extension
Extend configuration verification to AWS and GCP environments beyond Microsoft.
MSP Partner Program: grow with us
Volume pricing for managed service providers serving defense contractors. Multi-tenant dashboard, co-branded deliverables, channel protection, and margin built from day one. Your clients are already on the platforms we verify.
Learn about the Partner Program →
Price Lock Guarantee
Your contracted rate is locked for the duration of your commitment. No mid-contract increases, no surprise renewal pricing. Sign a 3-year agreement at a published rate and that rate holds for all 36 months. Unlike competitors who routinely raise pricing 30–60% at renewal, we believe transparent pricing builds the trust a compliance platform should be built on.
Common questions
We already passed our CMMC assessment — why do we need this?
A CMMC assessment certifies your environment on the day it was assessed. The moment configuration changes — a new policy, a new tenant, a disabled control — you can drift out of compliance, but the certificate doesn't change with you. OCIC verifies your live state continuously, so you stay compliant between assessments and walk into your next one (reassessment comes around every three years) already evidenced — no scramble.
What's included in every plan?
The full OCIC platform: live tenant verification, 3-tier assurance, cross-framework reciprocity, OSCAL output, AI mapping, Coverage Engine, Remediation Engine, Cyber Training Engine, SSP/POA&M generation, SPRS scoring, and all supported frameworks.
What counts as an authorization boundary?
A distinct security perimeter — typically a separate Azure / Entra ID tenant or a logically isolated environment handling CUI. Most organizations under 250 employees operate within 1–2 boundaries.
What happens if my company grows?
You stay on your current tier until renewal. If you've grown beyond it, upgrade to the published rate for the new tier. No mid-contract forced upgrades, ever.
Is there an implementation fee?
No. Onboarding is included: guided setup, tenant connection, framework configuration, and your first compliance scan — so you verify compliance on day one.
How does the 3-year pricing work?
Commit to 3 years and receive 25% off the monthly rate for the entire term. Pay monthly or upfront. The price is locked — no escalation for 36 months.
Do you charge per user or per framework?
Neither. Pricing is per organization based on size and complexity. Unlimited users. Unlimited frameworks. No per-seat or per-framework add-ons.
See OCIC against your own tenant
Tell us your framework scope and we'll walk you through how OCIC maps and evidences your controls.
