Unified GRC data infrastructure

Stop stitching. Start assessing.

The first API to deliver pre-resolved traceability across NIST 800-53, 800-171, CMMC, FedRAMP, CCIs, and STIGs — normalized, versioned, and query-ready.

Explore features See how it works

STIG ruleV-257777RHEL 9 vendor release

→

CCICCI-000366Essential capabilities

→

NIST 800-53CM-7Least Functionality

→

800-171§ 3.4.6Least functionality

→

CMMC L2CM.L2-3.4.6Practice satisfied

The problem

Compliance data fragmented over decades.

NIST, DISA, CMMC AB, and FedRAMP each evolved independently — incompatible formats, separate portals, different cadences. Nobody planned the mess. But every GRC team is still stuck solving the same stitching problem from scratch.

Seven silos, zero joins

NIST publishes OSCAL catalogs. DISA distributes XCCDF ZIP bundles. CMMC AB posts PDFs. FedRAMP maintains GitHub repos. None of them speak to each other, and none of them are query-ready.

The Rev 4 hangover

DISA's CCI list still references NIST 800-53 Rev 4. If you're working against Rev 5 — and you should be — every STIG-to-control trace needs a translation layer that doesn't officially exist yet.

Bookmarks are good. API access is better.

Thousands of practitioners have bookmarked StigViewer URLs for fast STIG reference — and we're not going anywhere. Those links stay live. But GRC platforms and compliance pipelines need to consume this data programmatically, at scale, without a browser in the loop.

No common format for findings

Scanner output from Tenable, OpenSCAP, and STIG Viewer all look different. There's no shared schema for findings, no standard way to import them into a GRC tool, and no agreed structure for carrying a finding through to a POA&M.

Mandates aren't machine-readable

A STIG rule, a CCI, a control statement — these are compliance mandates expressed as prose. They can be read by humans and audited by hand, but they can't be queried, asserted, or automated against. This is the foundational gap our Claimify system solves.

Every team rebuilds this

GRC platform teams, system integrators, and compliance tool vendors have all built their own internal versions of this normalization layer. It's undifferentiated infrastructure — and it's costing the industry millions of hours a year.

How it works

One query. The full chain.

StigViewer pre-resolves the entire traceability path from a scanner finding to a compliance posture. What your team currently assembles in hours is a single API call.

GET /v1/findings/V-257777/traceability

STIG

V-257777 · SV-257777r925315_rule

RHEL 9 must be a vendor-supported release

STIG ID RHEL-09-211010 · RHEL 9 STIG V1R1 · Severity: medium (Cat II)

Cat II

CCI

CCI-000366 · CCI-001230

Atomic policy requirements — 2 CCIs resolved

CCI-000366: org configures system to provide only essential capabilities · CCI-001230: system uses supported and vendor-provided software

resolved

NIST 800-53 Rev 5 · CM-7

Least Functionality

Rev 4 → Rev 5 translation applied · Family: Configuration Management · Impact levels: Low, Moderate, High

translated

171

NIST 800-171 Rev 2 · § 3.4.6

Employ the principle of least functionality

Relationship type: equivalent · SSP status: partial · 1 open POA&M item linked

partial

FedR

FedRAMP Moderate · CM-7 · CM-7(1)

Required at Moderate — base + enhancement (1)

Profile: FedRAMP-MODERATE-baseline-resolved-profile · ODP value: "functions, ports, protocols, and services not required" · Status: not assessed

not assessed

CMMC

CMMC Level 2 · CM.L2-3.4.6

Practice: Employ the principle of least functionality

Maps directly from 800-171 § 3.4.6 · C3PAO assessment required · SPRS contribution: −5 if not implemented

gap risk

Data coverage

Every source. One schema.

We ingest, normalize, version, and cross-reference all major GRC data sources — so you don't have to maintain seven different parsers and reconciliation scripts.

All sources are versioned independently. Breaking changes emit change events with affected control and rule IDs.

Authority

NIST SP 800-53 Rev 5

Full control catalog including all enhancements, ODPs, and related control links. OSCAL-native ingestion.

~1,000+ controlsOSCAL JSON

Authority

NIST SP 800-171 Rev 2

All 110 practices with resolved 800-53 mappings, relationship types, and enhancement disambiguation.

110 practicesmapping types

Baseline

FedRAMP Low / Mod / High

Pre-resolved profiles with ODP substitutions applied and all FedRAMP-specific prop extensions normalized.

3 baselinesOSCAL profiles

Baseline

CMMC 2.0 Levels 1–3

All 110 Level 2 practices with SPRS scoring weights and C3PAO assessment objective mappings.

110 + 24 practicesSPRS scores

Mapping

DISA CCI List

All ~2,400 Control Correlation Identifiers with Rev 4→Rev 5 translation applied automatically.

~2,400 CCIsRev4→Rev5

Implementation

DISA STIGs

250+ product STIGs with fully parsed rules, stable vuln_id tracking, and CCI-to-control resolution pre-computed.

250+ STIGsweekly sync

Implementation

SRGs

Technology-class Security Requirements Guides — General OS, Web Server, Database, Application Server, and more.

30+ SRGsXCCDF parsed

Policy

DoD 8500 / 8510

Legacy DIACAP controls and RMF policy references, mapped to current 800-53 Rev 5 equivalents.

legacy mappedRMF aligned

API reference

Built for how assessors actually work.

Every endpoint reflects a real workflow — finding triage, control gap analysis, POA&M generation, and cross-framework rollup. JSON responses, OpenAPI spec included.

GET

/v1/findings/{vuln_id}/traceability

Full chain: STIG rule → CCI(s) → 800-53 control(s) → 800-171 practice(s) → FedRAMP/CMMC status in one response

flagship

GET

/v1/controls/{framework}/{control_id}/mappings

All cross-framework mappings for a control — relationship type (equivalent, subset, maps-to-enhancement), source framework, and mapping rationale

mapping

GET

/v1/stigs/{benchmark_id}/diff/{v1}/{v2}

Rule-level diff between two STIG versions — new, removed, changed rules with affected vuln_ids and CCI impact

versioning

GET

/v1/baselines/{baseline_id}/controls

Resolved baseline — pre-computed profile resolution with ODP substitutions applied, FedRAMP namespace props normalized

resolved

GET

/v1/cci/{cci_id}/controls?rev=5

CCI to 800-53 control resolution with automatic Rev 4→Rev 5 translation — the bridge DISA hasn't built yet

translated

GET

/v1/resolve/{any_id}

Universal ID resolver — pass a vuln_id, rule_id, stig_id, CCI ID, or any control ID in any format and receive the normalized record

utility

Capability	Building it yourself	StigViewer API
STIG ingest + parse	✕ 3–6 weeks, double-decode trap, re-parse on every release	✓ Pre-parsed, weekly sync, stable vuln_id tracking
CCI → 800-53 Rev 5 resolution	✕ Manual spreadsheet, not machine-readable, breaks on Rev 5	✓ Rev 4→Rev 5 translation applied, queryable by CCI ID
800-171 ↔ 800-53 mapping types	✕ Flat "maps to" — loses enhancement vs base control nuance	✓ Typed relationships: equivalent, subset, maps-to-enhancement
FedRAMP profile resolution	✕ Requires OSCAL resolver, ODP substitution, namespace handling	✓ Pre-resolved, cached, all three baselines available
STIG version change detection	✕ Manual diff, orphaned finding IDs on every update	✓ Diff endpoint, change events, stable vuln_id across versions
Full traceability chain query	✕ 4+ data sources, hand-assembled, hours per finding	✓ Single API call, finding to compliance posture

Coming Q3 2026

The compliance vocabulary everyone's been missing.

Every framework uses its own terminology. The Lexicon is a master dictionary of 3,100+ authoritative terms — tagged, cross-referenced, and embedded directly into source documents so a single query surfaces every relevant passage across your entire compliance library.

Select a term from the Lexicon

3,100+ terms drawn from NIST, DISA, and other authoritative sources — each with a canonical definition, source alignment, and cross-references to related concepts.

Retrieve every tagged passage

Source PDFs are processed and every passage containing a Lexicon match is tagged at ingest. Your query doesn't search text — it retrieves pre-tagged atomic passages across all documents simultaneously.

Export in the format your toolchain needs

Results and definitions export as JSON, CSV, or via API — so the Lexicon feeds directly into your GRC platform, documentation system, or assessment workflow without copy-paste.

multi-factor authentication4 sources · 11 passages

NIST 800-53 Rev 5IA-2(1)

"Implement multi-factor authentication for access to privileged accounts."

NIST 800-171 Rev 2§ 3.5.3

"Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."

CMMC 2.0IA.L2-3.5.3

"Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts."

FedRAMP ModerateIA-2(1)(2)(3)

"Implement multi-factor authentication for network access to privileged and non-privileged accounts, and for local access to privileged accounts."

+ 7 more passages across DISA STIGs and SRGs

Export asJSONCSVAPI

3,100+

Authoritative terms

Drawn from NIST, DISA, and primary compliance sources — not a crowd-sourced glossary

∞

Cross-referenced concepts

Each term links to related terms, parent concepts, and narrower definitions across frameworks

Export formats

JSON, CSV, and API — definitions and tagged passages go directly into your toolchain

1st

In the industry

No tool has tagged compliance source documents to a master term dictionary at this level before

Coming Q4 2026 · Research complete

Every finding mapped to the humans behind it.

Grounded in the Department of Labor's O*NET workforce science and Bloom's Taxonomy, this feature answers three questions: who owns it, how cognitively demanding is it, and can a tool do it?

V-257958Cat IIRHEL-09-232260

RHEL 9 must restrict access to the kernel message buffer.

Bloom's cognitive level

Remember

Understand

Apply

Analyze

Evaluate

Create

Verify a kernel parameter value and apply a config setting. Remember + Apply — this finding is a strong automation candidate.

Automation candidacy

88%Strong candidate

Deterministic check, single parameter, no contextual judgment required.

O*NET role ownership

15-1212.00

Information Security Analyst

Primary owner · Proficiency level 3

15-1244.00

Network & Computer Systems Admin

Contributing role · Systems configuration

Required competencies (O*NET)

Systems analysisCritical thinkingLinux administrationSecurity compliance

Who should own this finding?

O*NET occupational data maps each finding to the roles, skills, and proficiency levels needed to resolve it — giving managers a defensible, workforce-science-grounded basis for assignment, not just tribal knowledge.

How hard is it, really?

Bloom's Taxonomy scores each finding by cognitive demand. A verify-and-set task scores differently from a compensating-control assessment. Teams can finally prioritize remediation queues by actual human effort, not just severity category.

What can we automate?

Low cognitive demand + deterministic checks = strong automation candidates. High judgment requirements = human in the loop. The automation candidacy score gives engineering teams a principled framework for where to invest in tooling.

Built on DoL workforce science

Not a vendor's opinion. O*NET is the Department of Labor's authoritative occupational taxonomy, covering 1,000+ occupations with validated competency data — the same foundation used across federal workforce planning.

Get started

Join the teams building on clean compliance data.

We're onboarding a limited cohort of GRC platform teams and compliance engineers. API credentials, full documentation, and direct access to our data team.

Learn more Contact us