For MSPs & MSSPs · Compliance scanning

Get your clients to defensible self-attestation.

Most of your clients don't need a third-party assessor — they need to sign an annual attestation and stand behind it. Avistar scans the machine identity controls that make or break those attestations, mapped to the exact clauses in CMMC 2.0 Level 1, FedRAMP Low, NIST SP 800-171, SOC 2, and HIPAA. You deliver the evidence, under your brand.

Why self-attestation is now your problem

A signature is a claim. A claim needs evidence.

CMMC Level 1 requires an annual affirmation by a senior official. FedRAMP Low Impact SaaS is self-attested under the new authorization pathway. SOC 2 Type 1 and most state privacy regimes rely on management assertions. In every case the person signing is on the hook for the accuracy of the underlying controls — and the machine identities behind those controls are the part nobody has inventoried.

Framework coverage

The frameworks your clients actually attest to.

CMMC L1

17 practices, annual affirmation

Six of the seventeen Level 1 practices are access-control and identification controls. Avistar produces the evidence per AC.L1-3.1.1, AC.L1-3.1.2, IA.L1-3.5.1, and IA.L1-3.5.2 without touching the client's endpoints.

FedRAMP Low

Self-attested SaaS pathway

Continuous monitoring evidence for AC-2, AC-6, IA-2, IA-5, and CA-7 — the controls that most often fail a 3PAO gap review when the affirmation is challenged.

NIST 800-171

DFARS 7012 supplier flow-down

SPRS-ready posture for the fourteen 800-171 families where machine identity is the failure mode — access control, identification and authentication, configuration management, audit and accountability.

SOC 2 · HIPAA

Management assertions with proof

Continuous evidence for CC6 (logical access), HIPAA §164.312(a) and (d), and the access-control lines in NYDFS 500 — the ones that keep coming back as findings year over year.

What Avistar scans

The controls a self-attestation actually rests on.

Complete machine identity inventory

Every service account, IAM role, API key, OAuth client, and workload identity across AWS, Azure, and on-prem Entra ID — including the ones missing from the client's CMDB. Answers AC-2 and 3.1.1 completeness questions with a list, not an estimate.

Privilege and blast-radius scoring

Each identity ranked by the damage it could do. Least-privilege claims under AC-6 and 3.1.5 become defensible when the report shows which identities were scoped down and which still hold standing admin.

Credential age and rotation status

Key and secret age, rotation history, and orphaned credentials. Direct evidence for IA-5, 3.5.10, and the credential-management lines that most attestations gloss over.

Stale, unowned, and inactive identities

Every identity with no login in the last N days, no assigned owner, or no reachable use — the population that fails AC-2(3) and IA.L2-3.5.6 sampling.

Continuous, timestamped evidence

Rescan on your cadence, not the auditor's. Every finding carries a timestamp and a control anchor, which is what CA-7 and 3.12.3 continuous monitoring actually require.

How you deliver it

A repeatable engagement, under your brand.

STEP 1

Scope to the attestation

Pick the framework and the boundary. Avistar targets the environments and identities in scope for that affirmation, nothing else.

STEP 2

Scan read-only, no agents

Connect with least-privilege read access. Full inventory and scored findings the same day, mapped to the exact control clauses your client is signing.

STEP 3

Deliver the evidence pack

White-label report, control crosswalk, remediation queue, and a rescan cadence that keeps the affirmation defensible for the next twelve months.

Self-attestation programs vary by framework and by contract. Avistar findings are evidence artifacts that support — and do not replace — the client's own affirmation or a 3PAO's independent assessment where one is required. Control references shown are representative anchors, not an exhaustive crosswalk.

Turn the next attestation into a scoped engagement.

Run a free scan on one client environment. See the control evidence Avistar produces before you commit to anything.

Read-only access · No agents · No credit card