> ## Documentation Index
> Fetch the complete documentation index at: https://docs.horizonmanaged.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance Composer

> One engine for every compliance framework — enrollment, control tracking, auto-collected evidence, AI gap analysis, POA&M, and live client reviews

The Compliance Composer is NEXOS CORE's centralized compliance engine. Manage any
supported framework for any client from one place: enroll a company in a
framework, and Composer tracks that framework's controls, gathers evidence
automatically from other NEXOS CORE modules, runs AI gap analysis, tracks
remediation as a POA&M, and drives structured live review sessions with the
client.

Open it at `/composer`.

## When to use it

* Onboard a client to a compliance framework and track control status.
* Run an AI gap analysis to score readiness and auto-generate a remediation plan.
* Track open weaknesses and remediation via POA&M.
* Auto-collect technical evidence instead of manual screenshots.
* Run a facilitated review session to formally accept risks and sign off.

## Frameworks

Composer supports 15 frameworks, each with its own domains: CMMC L2, HIPAA,
PCI DSS v4.0, SOC 2 Type II, NIST CSF 2.0, NIST 800-53 Rev 5, NIST 800-171 Rev 2,
ISO 27001:2022, HITRUST CSF v11, FedRAMP Moderate, CJIS, CIS Controls v8, FFIEC,
StateRAMP, and ISO 27701.

## Evidence auto-collection

One action samples live NEXOS CORE data — users/MFA/admins (RBAC), SIEM events,
RMM device posture, vulnerability scans, and helpdesk incidents — and stores it as
evidence tagged to the framework's controls.

## AI gap analysis & POA&M

Nexie runs a gap analysis that scores controls (met / partial / gap) and
automatically opens POA&M items for gaps and partials, each with severity,
milestone, cost, and owner. It can also generate policy documents to fill gaps.
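The two sections above describe a pipeline (sample live data, store it as control-tagged evidence, score the control, open a POA&M item for anything short of "met") without showing what one pass through it looks like. The following is an added example written for this page, not Composer's own code: it takes a constructed RBAC user export, evaluates a single privileged-account MFA control, emits an evidence record and, for a gap or partial, a POA&M item. The user records, the `rbac` source name, the control tags (NIST 800-171 3.5.3 and its CMMC L2 equivalent, chosen here as an illustration of tagging, not as Composer's mapping), the milestone windows, the owner and the cost text are all assumptions.

```python
"""Added example, not NEXOS CORE code: one evidence-collection and control-
scoring pass for a privileged-account MFA check.  All data, field names,
control tags and thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample of an RBAC user export (hypothetical field names).
SAMPLE_USERS = [
    {"name": "alice", "roles": ["admin"], "mfa": True},
    {"name": "bob", "roles": ["admin"], "mfa": False},
    {"name": "svc-backup", "roles": ["admin"], "mfa": False},
    {"name": "carol", "roles": ["user"], "mfa": True},
    {"name": "dave", "roles": ["user"], "mfa": False},
]

# Illustrative control tags for this check.  Assumed for the example; a real
# mapping is the kind of coarse match the page says to review by hand.
CONTROL_TAGS = {
    "NIST 800-171 Rev 2": ["3.5.3"],   # MFA for privileged accounts
    "CMMC L2": ["IA.L2-3.5.3"],
}


@dataclass
class Evidence:
    source: str
    collected_on: str
    control_tags: dict
    summary: str
    failing_accounts: list


@dataclass
class PoamItem:
    weakness: str
    severity: str
    milestone: str
    owner: str
    cost_estimate: str
    control_tags: dict


def admin_mfa_status(users):
    """Return (status, covered, uncovered) where status is met/partial/gap."""
    admins = [u for u in users if "admin" in u.get("roles", [])]
    covered = [u["name"] for u in admins if u.get("mfa")]
    uncovered = [u["name"] for u in admins if not u.get("mfa")]
    if not admins:
        # An empty admin set usually means a broken export, not a clean
        # tenant, so score it as a gap instead of silently passing.
        return "gap", covered, uncovered
    if not uncovered:
        return "met", covered, uncovered
    if not covered:
        return "gap", covered, uncovered
    return "partial", covered, uncovered


def collect_admin_mfa_evidence(users, today: Optional[date] = None,
                               owner: str = "it-lead@example.com"):
    """Sample the export once, store it as tagged evidence, and open a
    POA&M item when the control is not fully met."""
    today = today or date(2025, 1, 15)   # fixed date keeps the example reproducible
    status, covered, uncovered = admin_mfa_status(users)
    evidence = Evidence(
        source="rbac",
        collected_on=today.isoformat(),
        control_tags=CONTROL_TAGS,
        summary=f"{len(covered)}/{len(covered) + len(uncovered)} "
                "privileged accounts have MFA",
        failing_accounts=uncovered,
    )
    poam = None
    if status != "met":
        # Gaps get a 30-day milestone, partials 90 days (assumed windows).
        days = 30 if status == "gap" else 90
        poam = PoamItem(
            weakness="Privileged accounts without MFA: "
                     + (", ".join(uncovered) or "none found (empty admin set)"),
            severity="high" if status == "gap" else "moderate",
            milestone=(today + timedelta(days=days)).isoformat(),
            owner=owner,
            cost_estimate="low (policy change + enrollment)",
            control_tags=CONTROL_TAGS,
        )
    return status, evidence, poam


if __name__ == "__main__":
    status, ev, item = collect_admin_mfa_evidence(SAMPLE_USERS)
    print(status, "|", ev.summary, "|", item.milestone if item else "no POA&M item")
```

Running it on the constructed export scores the control `partial` (one of three admins has MFA), stores the sample as evidence tagged to both frameworks, and opens a moderate-severity POA&M item naming `bob` and `svc-backup` with a 90-day milestone. The same evidence object is tagged to two frameworks here only because the tag map says so; as the page notes, Composer currently scopes evidence per framework and the automatic tagging is a starting point to review, not a curated mapping.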

## Live client reviews

Start a facilitated [live review](/review/index) session seeded from the
framework's action plan — the client walks the findings with you, accepts or
modifies each, and signs off, producing a signed binder added back as evidence.

## Good to know

* **Cross-framework evidence sharing is planned, not shipped** — evidence is
  currently scoped per framework, so the same evidence isn't yet auto-reused
  across frameworks.
* Evidence-to-control matching is a **coarse automatic match** — review it; it's a
  starting point, not a curated mapping.
* Live review currently supports frameworks that have a review "seeder" wired —
  NCSR/NIST CSF is the reference; others are being added.
* The AI features require your tenant's Claude API key.
* An older `compliance` module still exists and overlaps with Composer;
  Composer is the current engine.
