Most of your clients don't need a third-party assessor — they need to sign an annual attestation and stand behind it. Avistar scans the machine identity controls that make or break those attestations, mapped to the exact clauses in CMMC 2.0 Level 1, FedRAMP Low, NIST SP 800-171, SOC 2, and HIPAA. You deliver the evidence, under your brand.
CMMC Level 1 requires an annual affirmation by a senior official. FedRAMP Low Impact SaaS is self-attested under the new authorization pathway. SOC 2 Type 1 and most state privacy regimes rely on management assertions. In every case the person signing is on the hook for the accuracy of the underlying controls — and the machine identities behind those controls are the part nobody has inventoried.
Six of the seventeen Level 1 practices are access-control and identification controls. Avistar produces the evidence per AC.L1-3.1.1, AC.L1-3.1.2, IA.L1-3.5.1, and IA.L1-3.5.2 without touching the client's endpoints.
Continuous monitoring evidence for AC-2, AC-6, IA-2, IA-5, and CA-7 — the controls that most often fail a 3PAO gap review when the affirmation is challenged.
SPRS-ready posture for the fourteen 800-171 families where machine identity is the failure mode — access control, identification and authentication, configuration management, audit and accountability.
Continuous evidence for CC6 (logical access), HIPAA §164.312(a) and (d), and the access-control lines in NYDFS 500 — the ones that keep coming back as findings year over year.
Every service account, IAM role, API key, OAuth client, and workload identity across AWS, Azure, and on-prem Entra ID — including the ones missing from the client's CMDB. Answers AC-2 and 3.1.1 completeness questions with a list, not an estimate.
Each identity ranked by the damage it could do. Least-privilege claims under AC-6 and 3.1.5 become defensible when the report shows which identities were scoped down and which still hold standing admin.
Key and secret age, rotation history, and orphaned credentials. Direct evidence for IA-5, 3.5.10, and the credential-management lines that most attestations gloss over.
Every identity with no login in the last N days, no assigned owner, or no reachable use — the population that fails AC-2(3) and IA.L2-3.5.6 sampling.
Rescan on your cadence, not the auditor's. Every finding carries a timestamp and a control anchor, which is what CA-7 and 3.12.3 continuous monitoring actually require.
Pick the framework and the boundary. Avistar targets the environments and identities in scope for that affirmation, nothing else.
Connect with least-privilege read access. Full inventory and scored findings the same day, mapped to the exact control clauses your client is signing.
White-label report, control crosswalk, remediation queue, and a rescan cadence that keeps the affirmation defensible for the next twelve months.
Self-attestation programs vary by framework and by contract. Avistar findings are evidence artifacts that support — and do not replace — the client's own affirmation or a 3PAO's independent assessment where one is required. Control references shown are representative anchors, not an exhaustive crosswalk.
Run a free scan on one client environment. See the control evidence Avistar produces before you commit to anything.