New features
Compliance Composer
One engine for every compliance framework — enroll a client, track controls, and let NEXOS CORE do the heavy lifting. Composer supports 15 frameworks (CMMC L2, HIPAA, PCI DSS v4.0, SOC 2 Type II, NIST CSF 2.0, NIST 800-53 Rev 5, NIST 800-171 Rev 2, ISO 27001:2022, HITRUST CSF v11, FedRAMP Moderate, CJIS, CIS Controls v8, FFIEC, StateRAMP, ISO 27701), auto-collects evidence from RBAC, SIEM, RMM, vulnerability scans, and helpdesk, and runs Nexie gap analysis that scores each control met / partial / gap and auto-opens POA&M items with severity, milestone, cost, and owner. Nexie can also draft policy documents to close gaps. See Compliance Composer.
CMMC Level 2 workspace
A per-client workspace for CMMC Level 2 / NIST SP 800-171 across all 110 requirements and 14 control families. Track control status, auto-collect evidence, manage a POA&M, map the CUI boundary (inside / on the boundary / outside), and generate a System Security Plan plus a branded policy binder for an assessor. One-Click Connect wires a client’s devices into the compliance picture in a single guided flow — kicking off RMM and SIEM setup, scan scheduling, CUI population, and evidence collection. See CMMC.
NCSR intake
Ingest a client’s completed CIS NCSR Offline Survey workbook and the state-issued Enhanced Cybersecurity Recommendations PDF, score their NIST CSF 2.0 maturity by function, and let Nexie turn each improvement area into 1–3 concrete, module-mapped actions with estimated hours. Actions land as tracked POA&M items, and the plan can be walked through with the client in a signed live review that writes decisions back onto the records. See NCSR intake.
Risk acceptance registry
The single, authoritative record of every risk your organization has formally decided to accept rather than remediate. Any compliance or security module — NCSR action plans, CMMC POA&Ms, Composer, vulnerability scans, helpdesk exceptions — routes its accept decisions into one shared register. Each entry carries a written justification, residual-risk note, compensating controls, a client countersignature (in-person iPad or client portal e-sign, with signer identity, IP, and consent captured), and a review/expiry date. Lifecycle actions — Renew, Revoke, Resolve — write to an append-only audit trail, and a branded, printable Risk Acceptance binder is available for audit. See Risk acceptance registry.
Live Review Engine
Host-driven, participant-attested review sessions in real time. A staff host drives a queued list of items from the console; one or more participants follow on their own device (typically an iPad reached via a QR code) and record decisions (acknowledge / modified / decline), notes, and a drawn signature per item. Multi-reviewer sessions can scope queues to different SMEs, each with their own signature block, and the host sees a live matrix of per-reviewer progress. Every transition writes to a tamper-evident audit trail; the completed session prints to a signed binder, and completion hooks write decisions back to the source records. See Live Review Engine.
Known limitations
- Composer — cross-framework evidence sharing is planned, not shipped; evidence is currently scoped per framework. Evidence-to-control matching is a coarse automatic match — treat it as a starting point, not a curated mapping. Live review is fully wired for NCSR / NIST CSF today; other framework seeders are being added. AI features require your tenant’s Claude API key.
- CMMC — the SSP is templated with your live numbers filled in, not AI-written. A control counts as “met” when it has current evidence — that’s presumptive evidence for an assessor, not independent proof. Some One-Click Connect steps queue work for other modules rather than running it themselves.
- NCSR intake — PDF parsing is tuned to the current (2025) state template; a substantially reformatted future template may need review. After a review, status reflects the client’s decisions, but the maturity score itself isn’t recomputed yet — it shows the surveyed state.
- Risk register — there’s no automatic “expired” state; the register surfaces due-soon items and reviewing them is a deliberate action.
- Live Review Engine — compliance reviews are the fully wired use today (HR, training, onboarding, post-mortems, and vendor attestations exist as session types but aren’t built out with domain content yet). The binder is printed to PDF from the browser, not a pre-rendered file. Participant links expire 24 hours after issue and immediately when the host ends the session.
