Deep Fathom /Use Cases /Assessors

For C3PAOs and lead assessors

Assess clients who are actually ready.

When clients arrive with scoped boundaries, mapped controls, and traceable evidence, your expertise goes where it belongs: judgment, not reconstruction.

01/Reality

Bad handoffs burn your review time.

You can't render a clean finding on a mess, so the engagement drags while you chase what the client should have brought.

02/What changes

You're here to verify. Not to untangle.

Clients arrive with evidence already structured the way you assess. So you verify it, instead of untangling it.

Structure, not storage

Source, date, owner, control and objective mapping, review status. Every artifact carries its own context, so the package is reviewable instead of just uploaded.

Objective-level mapping

Evidence ties to the 320 NIST 800-171A objectives you test against, not just the 110 controls. Organized the way you score it.

Scope clarity

CUI boundaries, inherited controls, and customer responsibility land documented and verified to 32 CFR 170.19. What's in scope is settled before you walk in.

POA&M integrity

Implemented, planned, and pending sit separated to the letter of 170.21. Nothing to read between the lines.

Proof, not claims

Each item separates the readiness claim from the artifact behind it. You check the source yourself instead of taking a vendor's word.

Your judgment stays yours

AI organizes and traces evidence, never renders the determination. Every output is human-reviewable, so you never trust a model over your own read.

Step 1 · Receive

A package you can actually open.

No folder dump. Boundaries align to 32 CFR 170.19, controls map to the 320 objectives, and artifacts sort into examine, interview, and test.

  • Boundaries verified to 170.19 upfront
  • Evidence mapped to the 320 objectives
  • Artifacts sorted by examine / interview / test

Step 2 · Verify

Evidence with receipts.

Tasks link to controls and evidence links to tasks, each with source, owner, date, and history. POA&Ms follow 170.21. You verify instead of chase.

  • Every artifact carries source, date, and owner
  • POA&Ms structured per 170.21
  • Full history behind each item

Step 3 · Certify

Clean closeout.

Versioned SSPs, POA&Ms, and SPRS scores with mapping intact. The package matches how findings get issued, so sign-off is fast and the record holds after you leave.

  • Versioned SSPs, POA&Ms, SPRS scores
  • Mapping and references intact
  • Package matches how findings issue

03/The Platform

Modules under the fabric.

What clients use to build the package — not assessor tooling.

01 Scoping

Onramp Kit

Audit boundary baseline clients build from. Inheritance and system maps documented to 32 CFR § 170.19.

02 Boundary

Boundary Advisor

Continuous boundary mapping so what clients hand you matches what's implemented.

03 Collection

Outpost

The evidence agent that fills the package clients hand you. Multi-cloud collection with source traceability preserved.

04 Capture

Scout

Browser-side capture for the artifacts no API exposes, structured at the source.

+ More under the surface