/composer.
When to use it
- Onboard a client to a compliance framework and track control status.
- Run an AI gap analysis to score readiness and auto-generate a remediation plan.
- Track open weaknesses and remediation via POA&M.
- Auto-collect technical evidence instead of manual screenshots.
- Run a facilitated review session to formally accept risks and sign off.
Frameworks
Composer supports 15 frameworks, each with its own domains: CMMC L2, HIPAA, PCI DSS v4.0, SOC 2 Type II, NIST CSF 2.0, NIST 800-53 Rev 5, NIST 800-171 Rev 2, ISO 27001:2022, HITRUST CSF v11, FedRAMP Moderate, CJIS, CIS Controls v8, FFIEC, StateRAMP, and ISO 27701.
Evidence auto-collection
One action samples live NEXOS CORE data — users/MFA/admins (RBAC), SIEM events, RMM device posture, vulnerability scans, and helpdesk incidents — and stores it as evidence tagged to the framework’s controls.
AI gap analysis & POA&M
Nexie runs a gap analysis that scores controls (met / partial / gap) and automatically opens POA&M items for gaps and partials, each with severity, milestone, cost, and owner. It can also generate policy documents to fill gaps.
Live client reviews
Start a facilitated live review session seeded from the framework’s action plan — the client walks the findings with you, accepts or modifies each, and signs off, producing a signed binder added back as evidence.
Good to know
- Cross-framework evidence sharing is planned, not shipped — evidence is currently scoped per framework, so the same evidence isn’t yet auto-reused across frameworks.
- Evidence-to-control matching is a coarse automatic match — review it; it’s a starting point, not a curated mapping.
- Live review currently supports frameworks that have a review “seeder” wired — NCSR/NIST CSF is the reference; others are being added.
- The AI features require your tenant’s Claude API key.
- (An older compliance module exists and overlaps — Composer is the current engine.)
