PolicyCortex Implementation Guide

Deploying AeoliTech's CMMC Acceleration Engine in Your Environment

Author: Leonard Esere, Senior Cybersecurity Engineer, AeoliTech

Date: April 2026

Classification: Public

Abstract

Defense Industrial Base (DIB) contractors pursuing CMMC Level 2 certification face a consistent challenge: the technical infrastructure required to implement, monitor, and evidence all 110 NIST SP 800-171 Rev. 2 controls is substantial. Building it in-house — authoring policy definitions, building CI/CD pipelines, configuring SIEM analytics rules, structuring evidence vaults, and maintaining all of it as platforms evolve — requires 12–18 months and a dedicated security engineering team that most mid-tier contractors do not have.

PolicyCortex is AeoliTech's CMMC acceleration engine: an AI-driven policy-as-code platform that deploys into your existing Azure, AWS, or GCP environment, automatically maps all 110 controls to enforced policies and continuous monitors, and populates a structured evidence vault in real time. It does not replace your cloud infrastructure — it extends it with a compliance intelligence layer. This implementation guide covers PolicyCortex's architecture, Azure-native and multi-cloud connectors, deployment steps (subscription scope, service principal setup, identity boundaries), initial baseline scan, tuning, and evidence export. It explains integration with existing SIEM and SOC workflows, the service tiers from readiness to full Evidence Vault operation, and demonstrates how PolicyCortex delivers a 60–80% reduction in time-to-assessment-ready compared to in-house builds.

Table of Contents

1. PolicyCortex Overview

2. Architecture: Connectors and Data Flows

3. Pre-Deployment Requirements

4. Deployment Step 1: Subscription Scope and Service Principal

5. Deployment Step 2: Identity Boundaries and Least Privilege

6. Deployment Step 3: Initial Baseline Scan

7. Deployment Step 4: Tuning and Customization

8. Deployment Step 5: Evidence Export Configuration

9. SIEM and SOC Integration

10. How PolicyCortex Maps 110 Controls Automatically

11. Service Tiers: Readiness to Evidence Vault

12. Build vs. Buy: The In-House Comparison

13. Conclusion

14. About the Author

15. References

1. PolicyCortex Overview

PolicyCortex is AeoliTech's purpose-built CMMC compliance automation platform. It is not a GRC tool that generates documentation — it is an enforcement and evidence engine that operates at the infrastructure layer, using native cloud provider APIs to both enforce security controls and collect proof that they are operating correctly.

Core design principles:

1. Native-first: PolicyCortex uses Azure Policy, AWS Config, and GCP Security Command Center as its enforcement substrate. It does not introduce a proprietary agent or replace your cloud controls — it orchestrates them.

2. AI-assisted mapping: PolicyCortex's control mapping engine uses AI-assisted analysis to translate NIST 800-171 control language into platform-specific policy definitions, accounting for nuance (e.g., the difference between 3.1.1 and 3.1.5 in terms of what Azure Policy definitions are most relevant) and keeping mappings current as cloud platforms evolve.

3. Evidence-first design: Every PolicyCortex function — baseline scan, ongoing monitoring, drift alert, remediation — produces structured evidence artifacts as a primary output, not as an afterthought. Evidence is the product; compliance enforcement is the mechanism.

4. Zero CUI egress: PolicyCortex operates entirely within your cloud tenant. Compliance data, evidence artifacts, and configuration assessments never leave your environment. The service principal that PolicyCortex uses has read and remediation rights within your subscriptions — not the ability to export data externally.

What PolicyCortex is not:

• A replacement for your CISO or compliance team
• A guarantee of CMMC certification (no tool can do this)
• A GRC documentation platform (it generates evidence, not policy binders)
• A managed security service provider (MSSP) — it augments your existing security operations

2. Architecture: Connectors and Data Flows

PolicyCortex's architecture consists of five layers: cloud connectors, a compliance intelligence engine, an evidence vault, a notification and orchestration layer, and a user-facing dashboard.

`

┌──────────────────────────────────────────────────────────────────────┐

│ POLICYCORTEX ARCHITECTURE │

├──────────────────────────────────────────────────────────────────────┤

│ CLOUD CONNECTORS │

│ ┌──────────────────┐ ┌──────────────────┐ ┌──────────────────────┐ │

│ │ Azure │ │ AWS │ │ GCP │ │

│ │ ● Azure Policy │ │ ● AWS Config │ │ ● Security Command │ │

│ │ ● Sentinel │ │ ● Security Hub │ │ Center │ │

│ │ ● Defender │ │ ● CloudTrail │ │ ● Cloud Asset Inv. │ │

│ │ ● Graph API │ │ ● Audit Manager │ │ ● Policy Controller │ │

│ │ ● ARM API │ │ ● IAM Access │ │ ● VPC Service Ctrl │ │

│ └────────┬─────────┘ └────────┬─────────┘ └──────────┬───────────┘ │

│ └────────────────────┼──────────────────────┘ │

├───────────────────────────────┬┴─────────────────────────────────────┤

│ COMPLIANCE INTELLIGENCE │ │

│ ● Control-to-policy mapping │ 110 NIST 800-171 R2 controls │

│ ● AI-assisted gap analysis │ → Platform-specific policies │

│ ● Drift detection engine │ → Evidence type classification │

│ ● Remediation recommendation │ → Remediation runbook selection │

├───────────────────────────────┴──────────────────────────────────────┤

│ EVIDENCE VAULT │

│ ● Azure Blob Storage (WORM) / SharePoint │

│ ● Artifacts indexed by control ID + timestamp + SHA-256 │

│ ● C3PAO export package generator │

├──────────────────────────────────────────────────────────────────────┤

│ NOTIFICATIONS & ORCHESTRATION │

│ ● Logic Apps / Power Automate workflows │

│ ● Microsoft Teams / email alerting │

│ ● ServiceNow / Jira integration (optional) │

│ ● Azure Policy remediation task triggers │

├──────────────────────────────────────────────────────────────────────┤

│ DASHBOARD │

│ ● Power BI / Sentinel workbooks │

│ ● Role-based views: CEO / CISO / PM / Engineer │

│ ● POA&M tracker integration │

└──────────────────────────────────────────────────────────────────────┘

`

Azure-Native Connectors

PolicyCortex's Azure connector integrates with:

| Azure Service | Integration Method | Data Collected |

|---|---|---|

| Azure Policy | REST API / az policy CLI | Compliance state per policy definition, resource, and initiative |

| Microsoft Sentinel | Log Analytics Query API (KQL) | Security incidents, analytics rule alerts, hunting query results |

| Defender for Cloud | REST API + continuous export | Regulatory compliance assessments, Secure Score, security alerts |

| Microsoft Graph API | OAuth 2.0 client credentials | MFA status, Conditional Access policies, directory audit logs, user/role data |

| Azure Resource Manager | ARM API | Resource inventory, configuration state, diagnostic settings |

| Azure Monitor | Log Analytics REST API | Activity logs, diagnostic logs, metric data |

AWS Connector

| AWS Service | Integration Method | Data Collected |

|---|---|---|

| AWS Config | describe-conformance-pack-compliance | Per-rule compliance status |

| AWS Security Hub | get-findings API | Security findings mapped to NIST 800-171 |

| AWS CloudTrail | S3 log ingestion | API activity, authentication events |

| AWS Audit Manager | Assessment evidence API | Evidence per control set |

| AWS IAM Access Analyzer | Findings API | Overly permissive policies, public access |

GCP Security Command Center Connector

| GCP Service | Integration Method | Data Collected |

|---|---|---|

| Security Command Center | findings.list API | Security findings, misconfigurations |

| Policy Controller | REST API | Policy constraint violations |

| Cloud Asset Inventory | Batch export | Resource inventory, IAM policies |

| VPC Service Controls | Policy audit | Data exfiltration protection status |

3. Pre-Deployment Requirements

Before deploying PolicyCortex, the following prerequisites must be in place:

Azure requirements:

• [ ] An Azure subscription designated as the PolicyCortex management subscription (can be the same as the CUI workload subscription or a dedicated management subscription)
• [ ] A Log Analytics workspace in the same region as CUI workloads
• [ ] Microsoft Defender for Cloud enabled (at minimum, Defender CSPM plan)
• [ ] Microsoft Sentinel workspace connected to the same Log Analytics workspace
• [ ] The NIST SP 800-171 Rev. 2 initiative assigned to CUI-boundary subscriptions (PolicyCortex will configure this if not present)
• [ ] Entra ID P2 licensing (required for Conditional Access and MFA enforcement features)

AWS requirements (if applicable):

• [ ] AWS Config enabled in all in-scope regions
• [ ] AWS Security Hub enabled with NIST 800-171 standard activated
• [ ] AWS Audit Manager configured with organizational access
• [ ] An IAM role with SecurityAudit and ReadOnlyAccess managed policies for PolicyCortex service account

Network requirements:

• [ ] PolicyCortex management VMs (if used) must reach Azure management endpoints (management.azure.com, graph.microsoft.com)
• [ ] No firewall blocks on Azure Service Bus (PolicyCortex orchestration uses Service Bus internally)
• [ ] If using private endpoints exclusively, private DNS zones must be configured for PolicyCortex management service

Personnel requirements:

• [ ] A designated PolicyCortex Administrator (typically the CISO or delegated IT Security Manager)
• [ ] Control owners identified for each of the 14 NIST 800-171 control families
• [ ] CISO or designated senior official identified for annual affirmation submissions

4. Deployment Step 1: Subscription Scope and Service Principal

PolicyCortex deploys into your environment using a dedicated service principal with the minimum permissions required to read compliance state and trigger remediation. It does not require Owner or Global Administrator rights.

Step 1.1: Create the PolicyCortex Service Principal

`bash

az ad app create \

--display-name "PolicyCortex-CMMC" \

--required-resource-accesses @policycortex-api-permissions.json

az ad sp create --id $(az ad app show --id "PolicyCortex-CMMC" --query appId -o tsv)

SP_ID=$(az ad sp show --display-name "PolicyCortex-CMMC" --query id -o tsv)

CLIENT_ID=$(az ad app show --display-name "PolicyCortex-CMMC" --query appId -o tsv)

`

Step 1.2: Assign Subscription Scope

PolicyCortex operates at management group scope for enterprise deployments, or individual subscription scope for smaller organizations. Management group scope is preferred because it ensures new subscriptions added to the group are automatically in scope.

`bash

MGMT_GROUP_ID=""

az role assignment create \

--assignee $SP_ID \

--role "Security Reader" \

--scope "/providers/Microsoft.Management/managementGroups/$MGMT_GROUP_ID"

az role assignment create \

--assignee $SP_ID \

--role "Log Analytics Reader" \

--scope "/providers/Microsoft.Management/managementGroups/$MGMT_GROUP_ID"

SUB_ID=""

az role assignment create \

--assignee $SP_ID \

--role "Security Reader" \

--scope "/subscriptions/$SUB_ID"

`

Step 1.3: Configure Policy Initiative Assignment

If the NIST 800-171 Rev. 2 initiative is not already assigned, PolicyCortex will create the assignment:

`bash

az policy assignment create \

--name "policycortex-nist-800-171" \

--display-name "PolicyCortex: NIST SP 800-171 Rev 2" \

--policy-set-definition "/providers/Microsoft.Authorization/policySetDefinitions/03055927-78bd-4236-86c0-f36125a10dc9" \

--scope "/subscriptions/$SUB_ID" \

--mi-system-assigned \

--location eastus \

--params @nist-800-171-params.json

`

5. Deployment Step 2: Identity Boundaries and Least Privilege

PolicyCortex's service principal follows the principle of least privilege, with separate permission sets for read-only compliance collection and remediation execution. These are defined as separate identities to enable approval workflows for remediation actions.

Identity architecture:

| Identity | Role | Scope | Purpose |

|---|---|---|---|

| PolicyCortex-Reader | Security Reader, Log Analytics Reader, Policy Insights Reader | Management Group | Compliance state collection, evidence gathering |

| PolicyCortex-Remediator | Resource Policy Contributor, Managed Identity Contributor | Subscription | Executing remediation tasks for auto-remediable policies |

| PolicyCortex-GraphReader | Directory.Read.All, Policy.Read.All, AuditLog.Read.All | Tenant | Graph API evidence collection (MFA, CA policies, audit logs) |

| PolicyCortex-VaultWriter | Storage Blob Data Contributor | Evidence vault storage account | Writing evidence artifacts to the vault |

Graph API permissions required:

`json

{

"requiredResourceAccess": [

{

"resourceAppId": "00000003-0000-0000-c000-000000000000",

"resourceAccess": [

{"id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61", "type": "Role"},

{"id": "246dd0d5-5bd0-4def-940b-0421030a5b68", "type": "Role"},

{"id": "b0afded3-3588-46d8-8b3d-9842eff778da", "type": "Role"}

]

}

]

}

`

The PolicyCortex-GraphReader application requires admin consent from a Global Administrator — this is a one-time action during deployment and does not grant any write permissions to directory objects.

Remediation approval workflow:

For actions that could disrupt service (e.g., removing a public IP from a production resource), PolicyCortex enforces a human-in-the-loop approval workflow before remediation executes:

1. Drift detected → Incident created → Severity classified

2. For Critical or High: Remediation recommendation sent to Control Owner via Teams with approve/reject buttons

3. Control Owner approves → Remediation task executes → Evidence of approval + execution logged

4. For Medium or Low: Auto-remediation proceeds without approval; notification sent post-execution

6. Deployment Step 3: Initial Baseline Scan

The initial baseline scan is the most information-dense phase of deployment. PolicyCortex evaluates all in-scope resources against all 110 NIST 800-171 Rev. 2 controls and produces a baseline report in 2–8 hours depending on environment size.

What the baseline scan does:

1. Resource discovery: Enumerate all resources in scope (VMs, storage accounts, databases, network resources, identity configurations) across all connected subscriptions and cloud accounts

2. Policy evaluation: Trigger a full compliance evaluation against the NIST 800-171 Rev. 2 initiative (Azure) and NIST 800-171 conformance pack (AWS), forcing an immediate policy evaluation rather than waiting for the next 8-hour evaluation cycle

3. Gap identification: Identify all non-compliant resources and classify gaps by control ID, severity, and remediability (auto-remediable vs. requires human action)

4. Control objective mapping: Map each gap to specific NIST 800-171A assessment objectives, not just top-level requirements

5. Evidence collection: Collect initial baseline evidence for all controls that have available automated sources, populating the first evidence vault artifacts

Baseline scan output — sample report structure:

| Section | Content |

|---|---|

| Executive Summary | Total control coverage, gap count, risk score |

| Control Family Summary | Compliance % per family (3.1.x through 3.14.x) |

| Gap Detail | Per-gap: control ID, resource, gap description, severity, remediation path |

| Evidence Inventory | Per-control: evidence artifacts collected, coverage percentage |

| POA&M Seed | Auto-generated POA&M entries for all identified gaps |

| Priority Remediation List | Top 10 highest-impact remediations ranked by CMMC score impact |

Baseline scan execution (CLI example):

`bash

policycortex baseline scan \

--subscription-id $SUB_ID \

--framework nist-800-171-r2 \

--output-format json \

--output-path ./baseline-scan-$(date +%Y%m%d).json \

--collect-evidence true \

--generate-poam true

`

Typical baseline scan results for a 200-resource Azure environment:

| Metric | Typical Range | Notes |

|---|---|---|

| Scan duration | 2–6 hours | Scales with resource count |

| Controls with evidence collected | 85–95% | Physical/procedural controls require manual collection |

| Initial compliance percentage | 55–75% | Before any remediation; lower for greenfield deployments |

| Auto-remediable gaps | 40–60% | Depending on existing policy deployment |

| POA&M items generated | 15–40 | For a typical 200-resource environment |

7. Deployment Step 4: Tuning and Customization

Not every policy definition in the NIST 800-171 initiative applies to every organization identically. PolicyCortex's tuning phase adapts the policy library to your specific environment.

Tuning activities:

Exemption management: Resources with documented compensating controls or technical constraints that prevent policy compliance should be exempted via Azure Policy exemptions — not ignored. PolicyCortex tracks exemptions, requiring a documented rationale, a CISO approval record, and an expiration date (maximum 12 months before re-review).

`bash

az policy exemption create \

--name "legacy-db-encryption-exemption" \

--policy-assignment "policycortex-nist-800-171" \

--scope "/subscriptions/$SUB_ID/resourceGroups/legacy-rg/providers/Microsoft.Sql/servers/legacy-db" \

--exemption-category Waiver \

--description "Legacy SQL Server 2016 cannot support TDE in this configuration; compensating control: network isolation and access logging" \

--expires-on "2027-04-01"

`

Threshold calibration: Analytics rule alert thresholds should be calibrated to your organization's baseline. An organization that has never had 100% MFA enrollment should not set their MFA alert threshold at 100% from day one — start at the baseline (e.g., 85%) and ratchet up by 2-3% per month.

Control owner assignment: Each of the 14 NIST 800-171 control families should have a named owner who receives drift alerts and is responsible for POA&M items in that family:

| Control Family | Typical Owner | Escalation Path |

|---|---|---|

| Access Control (3.1) | IT Security Manager | CISO |

| Audit & Accountability (3.3) | SOC Lead / IT Manager | CISO |

| Configuration Management (3.4) | Cloud Engineering Lead | CISO |

| ID & Authentication (3.5) | Identity Team Lead | CISO |

| Incident Response (3.6) | SOC Lead | CISO / Legal |

| System & Info Integrity (3.14) | Platform Engineering Lead | CISO |

Notification routing: Configure control-owner-specific routing in the Logic App playbook so that alerts for 3.1.x go to the Access Control owner, alerts for 3.3.x go to the SOC lead, and so on.

8. Deployment Step 5: Evidence Export Configuration

PolicyCortex's evidence vault must be configured for the organization's preferred storage architecture and export format before continuous collection begins.

Storage configuration:

`bash

az storage account create \

--name "cmmcevidencevault$(date +%s)" \

--resource-group "cmmc-compliance-rg" \

--location eastus \

--sku Standard_LRS \

--kind StorageV2 \

--enable-hierarchical-namespace true \

--allow-blob-public-access false \

--min-tls-version TLS1_2

az storage container immutability-policy create \

--account-name $VAULT_ACCOUNT \

--container-name evidence \

--period 2557 # 7 years (DFARS retention requirement)

`

Collection schedule configuration:

`yaml

schedules:

azure_policy_compliance:

frequency: daily

time: "02:00 UTC"

controls: all

output_format: json

graph_api_identity:

frequency: weekly

day: monday

time: "03:00 UTC"

endpoints:

• identity/conditionalAccess/policies
• reports/credentialUserRegistrationDetails
• policies/authenticationMethodsPolicy

controls: ["3.1.1", "3.5.3", "3.5.4"]

sentinel_workbooks:

frequency: weekly

day: friday

time: "23:00 UTC"

export_format: pdf

controls: all

aws_config:

frequency: daily

time: "02:30 UTC"

conformance_pack: NIST-800-171-Pack

c3pao_package:

frequency: monthly

day: 1

time: "06:00 UTC"

format: zip

include_narratives: true

destination: s3://cmmc-evidence-vault/monthly-packages/

`

C3PAO evidence package export:

PolicyCortex generates assessment-ready evidence packages on demand:

`bash

policycortex evidence export \

--package-name "CMMC-L2-Evidence-$(date +%Y%m)" \

--controls all \

--date-range "2025-10-01:2026-04-30" \

--include-narratives true \

--include-manifest true \

--format zip \

--output-path ./evidence-packages/

`

The generated package contains:

• /manifest.json — Complete index of all artifacts with control mappings and hashes
• /[control-id]/ — Folder per control with all evidence artifacts
• /narratives/ — Human-readable summaries per control family
• /poam/ — Current POA&M with evidence references
• /README.md — Assessor guide explaining package structure

9. SIEM and SOC Integration

Most organizations already have a SIEM deployment when they engage PolicyCortex. The platform integrates with existing security operations rather than replacing them.

Microsoft Sentinel integration (native):

PolicyCortex operates natively within Microsoft Sentinel. Its analytics rules are deployed as standard Sentinel scheduled analytics rules, visible in the Sentinel workspace alongside existing rules. Incidents generated by PolicyCortex follow the same triage and response workflow as other security incidents.

For organizations using Sentinel as their primary SIEM, PolicyCortex adds a compliance intelligence layer that:

• Tags incidents with NIST 800-171 control IDs for compliance-correlated reporting
• Links incidents to evidence vault artifacts (compliance exports showing the same resources)
• Provides a compliance-specific incident queue filtered to CMMC-relevant alerts

Third-party SIEM integration:

For organizations using Splunk, QRadar, or other SIEMs, PolicyCortex forwards compliance events via:

`bash

policycortex siem configure \

--type splunk \

--endpoint "https://splunk.example.com:8088/services/collector" \

--token $SPLUNK_HEC_TOKEN \

--index "cmmc-compliance" \

--event-types "drift,incident,remediation,evidence-collected"

`

Syslog forwarding is supported for SIEMs with syslog ingestion, using CEF format with custom NIST 800-171 extension fields.

SOC workflow integration:

| SOC Workflow | PolicyCortex Integration |

|---|---|

| Incident triage | Compliance incidents labeled [CMMC-3.x.x] in Sentinel/SIEM queue |

| Incident investigation | Evidence vault artifacts linked in incident context |

| Incident closure | Closure event triggers evidence collection of post-remediation state |

| Threat hunting | KQL hunting queries for compliance anomalies in Sentinel hunting experience |

| Reporting | Power BI report connected to evidence vault data model |

10. How PolicyCortex Maps 110 Controls Automatically

The core intelligence in PolicyCortex is its control mapping engine — the system that translates each of the 110 NIST 800-171 Rev. 2 requirements into a set of specific policy definitions, evidence sources, and assessment method classifications.

The mapping process works in three stages:

Stage 1: Requirements parsing

PolicyCortex parses the control text and assessment objectives from NIST SP 800-171A, extracting the specific conditions that must be demonstrated for each objective. For example, control 3.5.3 ("Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts") is parsed into:

• Objective A: All privileged accounts require MFA for local access
• Objective B: All privileged accounts require MFA for network access
• Objective C: All non-privileged accounts require MFA for network access

Stage 2: Policy-to-objective binding

Each objective is bound to one or more platform-specific policies:

| Objective | Azure Policy Definition | AWS Config Rule | GCP Policy Constraint |

|---|---|---|---|

| 3.5.3-A: Privileged MFA (local) | MFA should be enabled on accounts with owner permissions | mfa-enabled-for-iam-console-access | iam.allowedPolicyMemberTypes |

| 3.5.3-B: Privileged MFA (network) | Conditional Access: Require MFA for all privileged roles | iam-user-mfa-enabled | Cloud Identity MFA enforcement |

| 3.5.3-C: Non-privileged MFA | Conditional Access: Require MFA for all users | cognito-user-pool-mfa-enabled | — |

| 3.5.3 (Evidence) | Graph API: credentialUserRegistrationDetails | Audit Manager: IAM MFA evidence | — |

Stage 3: AI-assisted gap analysis

When a resource fails a policy evaluation, PolicyCortex's AI engine analyzes:

1. Which specific assessment objectives the failure implicates

2. Whether compensating controls in other policy definitions partially address the gap

3. The most likely remediation path and estimated remediation effort

4. Whether similar failures exist on other resources (pattern detection)

Coverage summary:

| Coverage Category | Count | Percentage |

|---|---|---|

| Fully automated (policy + evidence) | 78 controls | 71% |

| Partially automated (policy enforced; some evidence manual) | 21 controls | 19% |

| Manual only (physical, personnel, procedural) | 11 controls | 10% |

| Total | 110 controls | 100% |

The 11 manual-only controls cover physical protection (3.10.x — facility access, visitor logs, physical media), personnel security (3.9.x — background screening documentation), and awareness and training (3.2.x — training completion records). PolicyCortex tracks these controls in the vault with a "manual collection required" flag and surfaces collection due dates in the PM dashboard.

11. Service Tiers: Readiness to Evidence Vault

PolicyCortex is delivered in three service tiers that map to the organization's CMMC maturity stage:

Tier 1: Readiness Assessment

Target: Organizations with no formal CMMC program or those beginning their CMMC journey.

Deliverables:

• Scoping workshop: identify CUI data flows, in-scope systems, and assessment boundary
• PolicyCortex baseline scan across all in-scope cloud environments
• Gap analysis report: 110 controls assessed, gaps categorized by severity
• Remediation roadmap: prioritized by CMMC score impact and effort
• SSP starter template pre-populated from scan results
• POA&M seed document

Duration: 3–4 weeks

Outcome: Complete visibility into current state; prioritized remediation plan

Tier 2: Remediation Acceleration

Target: Organizations with identified gaps actively working toward CMMC readiness.

What's included (in addition to Tier 1):

• PolicyCortex continuous monitoring deployed and active
• All auto-remediable gaps addressed via policy remediation tasks
• Custom policy definitions authored for gaps not covered by built-in initiatives
• Sentinel analytics rules deployed and alert routing configured
• Control owner assignment and notification routing configured
• Weekly compliance posture briefings

Duration: 8–12 weeks to reach 90%+ compliance baseline

Outcome: Continuous policy enforcement; most gaps remediated; assessment-ready posture approaching

Tier 3: Evidence Vault (Steady State)

Target: Organizations at or near assessment-ready posture seeking to maintain it continuously.

What's included (in addition to Tiers 1 and 2):

• Evidence vault fully populated and continuously maintained
• Automated collection pipeline running on full schedule
• CEO/CISO/PM dashboards deployed and maintained
• Quarterly POA&M review facilitation
• C3PAO-ready evidence package generation on demand
• Annual affirmation preparation support
• Regulatory update monitoring (NIST Rev. 3, platform policy changes)

Duration: Ongoing

Outcome: Always-on CMMC posture; assessment prep compressed to 2–4 weeks; annual affirmation process streamlined

12. Build vs. Buy: The In-House Comparison

The most common question from engineering-led organizations is: "Can we build this ourselves?" The answer is yes — everything PolicyCortex does is possible with Azure, AWS, and open-source tools. The question is whether the investment of time, talent, and ongoing maintenance is a better use of resources than focusing on core business.

In-house build estimate:

| Component | In-House Effort | PolicyCortex |

|---|---|---|

| Azure Policy initiative assignment and tuning | 2–3 weeks | 2 days |

| AWS Config conformance pack + remediation | 2–3 weeks | 2 days |

| Control-to-policy mapping (110 controls) | 6–10 weeks | Included (pre-built) |

| Sentinel analytics rules (14 control families) | 4–6 weeks | 2 days (solution deployment) |

| Evidence collection pipeline (scripted) | 6–8 weeks | 3 days |

| Evidence vault structure and automation | 4–6 weeks | 3 days |

| Dashboard development (3 audiences) | 3–4 weeks | 1 week |

| POA&M tracker integration | 2–3 weeks | Included |

| Ongoing maintenance (platform updates) | 20–30% FTE ongoing | Included in retainer |

| Total initial build | 29–43 weeks | 6–8 weeks |

| Ongoing maintenance (annual) | 0.2–0.3 FTE | Included |

The 60–80% time savings claim explained:

The 29–43 week in-house estimate assumes a competent senior cloud security engineer. The PolicyCortex deployment timeline of 6–8 weeks (Tier 2 full deployment) represents a 75–85% reduction in calendar time. Even accounting for the retainer cost, most organizations find that the time-to-assessment-ready savings alone — measured in avoided contract delays — exceeds PolicyCortex's cost by a factor of 3–5x.

Beyond time savings:

The in-house build also carries ongoing risk: every Azure Policy definition update, every new NIST Rev. 3 control mapping requirement, every new AWS Config rule requires engineering attention. PolicyCortex's policy library is maintained by AeoliTech's CMMC engineering team as a core product function. Organizations on the Evidence Vault tier never have to track platform policy changes themselves.

13. Conclusion

PolicyCortex is the operational core of AeoliTech's CMMC service delivery. It is the engine that transforms a set of regulatory requirements — 110 controls, annual affirmations, continuous protection obligations — into a running system: enforcing, monitoring, alerting, remediating, and evidencing in real time.

For organizations pursuing CMMC Level 2, the choice is not whether to automate compliance operations — that question is settled by the regulatory mandate for continuous compliance and annual affirmation. The choice is how quickly to get there, and whether to build or deploy. For most DIB prime contractors and sub-tier suppliers who must focus on their core mission — building and delivering defense systems — deploying PolicyCortex is the answer.

The three-tier model — Readiness, Remediation Acceleration, Evidence Vault — meets organizations wherever they are and moves them to steady-state continuous monitoring as efficiently as possible. The Evidence Vault tier, in particular, represents a qualitative shift: from compliance as a periodic project to compliance as an operational state that runs in the background, always ready for assessment, always ready for affirmation, always ready to demonstrate to any stakeholder — a C3PAO, a contracting officer, a prime contractor — that controls are in place, right now.

About the Author

Leonard Esere is a Senior Cybersecurity Engineer at AeoliTech with extensive experience designing and implementing security architectures for federal contractors and national laboratory environments. He holds a DoD Secret clearance and a DoE Q clearance, has contributed to security assessments at the MITRE Corporation, and led the Authorization to Operate (ATO) evidence vault architecture for a major LANL engagement. He also served as the security engineering lead for Frontier supercomputer PCI DSS compliance. Leonard specializes in translating complex regulatory requirements — NIST 800-171, CMMC, FedRAMP — into automated, scalable technical implementations.

References

1. Microsoft. Regulatory Compliance details for NIST SP 800-171 R2 – Azure Policy. February 2026. https://learn.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-171-r2

2. Microsoft. Cloud Secure Score in Microsoft Defender for Cloud. November 2025. https://learn.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls

3. Microsoft. CMMC – Azure Compliance Offerings. https://learn.microsoft.com/en-us/azure/compliance/offerings/offering-cmmc

4. AWS. Operational Best Practices for NIST 800-171 – AWS Config. https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html

5. AWS. NIST SP 800-171 Rev 2 – AWS Audit Manager. https://docs.aws.amazon.com/audit-manager/latest/userguide/NIST-800-171-r2-1.1.html

6. NIST. Special Publication 800-171A: Assessing Security Requirements for Controlled Unclassified Information. https://csrc.nist.gov/publications/detail/sp/800-171a/final

7. DoD CIO. About CMMC. https://dodcio.defense.gov/CMMC/about/

8. Open Policy Agent. OPA Documentation. https://www.openpolicyagent.org/docs/latest/

9. HashiCorp. Sentinel Policy-as-Code for Terraform. https://developer.hashicorp.com/sentinel/docs

10. Liam Cleary. Identifying and Scoping Systems In-Scope for CMMC: A Microsoft 365 and Azure Perspective. December 2025. https://helloitsliam.com/2025/12/05/identifying-and-scoping-systems-in-scope-for-cmmc-a-microsoft-365-and-azure-perspective/

© 2026 AeoliTech. All rights reserved. To schedule a PolicyCortex deployment engagement or request a demonstration, contact AeoliTech at www.aeolitech.com.