The Compliance Composer is NEXOS CORE’s centralized compliance engine. Manage any supported framework for any client from one place: enroll a company in a framework, and Composer tracks that framework’s controls, gathers evidence automatically from other NEXOS CORE modules, runs AI gap analysis, tracks remediation as a POA&M, and drives structured live review sessions with the client. Open it at /composer.

When to use it

  • Onboard a client to a compliance framework and track control status.
  • Run an AI gap analysis to score readiness and auto-generate a remediation plan.
  • Track open weaknesses and remediation via POA&M.
  • Auto-collect technical evidence instead of manual screenshots.
  • Run a facilitated review session to formally accept risks and sign off.

Frameworks

Composer supports 15 frameworks, each with its own domains: CMMC L2, HIPAA, PCI DSS v4.0, SOC 2 Type II, NIST CSF 2.0, NIST 800-53 Rev 5, NIST 800-171 Rev 2, ISO 27001:2022, HITRUST CSF v11, FedRAMP Moderate, CJIS, CIS Controls v8, FFIEC, StateRAMP, and ISO 27701.

Evidence auto-collection

One action samples live NEXOS CORE data — users/MFA/admins (RBAC), SIEM events, RMM device posture, vulnerability scans, and helpdesk incidents — and stores it as evidence tagged to the framework’s controls.

AI gap analysis & POA&M

Nexie runs a gap analysis that scores controls (met / partial / gap) and automatically opens POA&M items for gaps and partials, each with severity, milestone, cost, and owner. It can also generate policy documents to fill gaps.

Live client reviews

Start a facilitated live review session seeded from the framework’s action plan — the client walks the findings with you, accepts or modifies each, and signs off, producing a signed binder added back as evidence.

Good to know

  • Cross-framework evidence sharing is planned, not shipped — evidence is currently scoped per framework, so the same evidence isn’t yet auto-reused across frameworks.
  • Evidence-to-control matching is a coarse automatic match — review it; it’s a starting point, not a curated mapping.
  • Live review currently supports frameworks that have a review “seeder” wired — NCSR/NIST CSF is the reference; others are being added.
  • The AI features require your tenant’s Claude API key.
  • An older compliance module still exists and overlaps with Composer in function; Composer is the current engine and should be used going forward.