CMMC Evidence Module

Verifiable Evidence for CMMC Readiness

Upload artifacts, map to NIST 800-171 controls, and export evidence packages your C3PAO can verify independently. Part of ProlixoTech Evidence Vault.

CMMC Level 2 • NIST 800-171 • DFARS 7012

CMMC Rollout Timeline: Requirements are phasing into DoD contracts starting November 2025, with full implementation expected by late 2028. Learn more at DoD CMMC site

What You Get Today

Production-ready capabilities with cryptographic verification built in.

Upload Artifacts

Upload policy documents, screenshots, configurations, and audit log exports via the dashboard or API.

Auto-Map Controls

Artifacts auto-map to NIST 800-171 controls by evidence type. Manual override available for fine-tuning.

KMS Signing + Merkle Chain

Every artifact is hashed (SHA-256), signed (AWS KMS ECDSA P-256), and linked to a daily Merkle chain.

Evidence Index Export

Export evidence grouped by control family, with a public verification URL per artifact.

Public Verification API

Assessors verify artifact signatures without logging in. No vendor dependency for verification.

Self-Contained Exports

Export bundles verify offline using standard cryptographic libraries (Python, OpenSSL). No ProlixoTech API or account required after export.

Control Coverage Dashboard

Dashboard with control coverage view across all 110 NIST 800-171 requirements.

What You Upload

You choose which artifacts to upload. Do not upload CUI, classified data, or credentials.

You Upload (Non-CUI Only)

  • Policy documents, procedures, and screenshots
  • Access control configurations (Entra ID, Okta)
  • Audit logs and retention proofs
  • Vulnerability scans and patch status
  • Incident response plans and training records
  • Asset inventory and CMDB exports

We Don't Collect

  • CUI or controlled unclassified information
  • Classified or export-controlled data
  • API keys, passwords, or credentials
  • CUI-containing audit logs (upload sanitized exports only)
  • Anything not explicitly mapped to controls

Data Boundary Model

ProlixoTech does not require or accept CUI. Here's what you upload and what we sign.

Your Environment (stays here):
  • CUI data
  • Classified data
  • Credentials

What you upload to ProlixoTech:
  • Artifact files (non-CUI only)
  • Control mappings
  • Metadata tags

ProlixoTech Evidence Vault:
  • KMS Sign (ECDSA P-256)
  • Merkle Chain (daily roots)
  • Export (verify URLs)

Important: Upload only non-CUI artifacts (policies, screenshots, configurations). Do not upload CUI, classified data, or credentials. Each uploaded file is hashed, KMS-signed, and stored encrypted (SSE-KMS).

Evidence Collection Workflow

From artifact upload to assessor-verifiable receipt.

Upload Artifacts

Drag-drop policies, screenshots, configs. Upload via dashboard or API.

Auto-Map Controls

Artifacts auto-map to NIST 800-171 controls. Override or refine manually.

KMS Sign

SHA-256 hash signed with AWS KMS ECDSA P-256. Keys stay in HSM.

Chain Link

Evidence linked to daily Merkle shard. Tampering is mathematically detectable.

Export Package

Generate evidence index with verification URLs for each artifact.

C3PAO Verifies

Assessor verifies signatures offline using export bundle. No API required.
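
The Chain Link and C3PAO Verifies steps, sketched as an added example (not ProlixoTech's code or bundle format): an assessor recomputes the daily Merkle root from an artifact file and its inclusion proof, using only the Python standard library. The leaf and node encodings, the proof layout, and the sample artifacts are assumptions; checking the ECDSA P-256 signature over the root is a separate step not shown.

```python
import hashlib

def leaf_hash(artifact_digest: bytes) -> bytes:
    # Assumed convention: 0x00 prefix keeps leaves distinct from interior nodes.
    return hashlib.sha256(b"\x00" + artifact_digest).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """All tree levels, leaves first; an unpaired last node is promoted unchanged."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, tagged with the side the sibling is on."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):          # promoted nodes have no sibling here
            proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof

def verify_inclusion(artifact: bytes, proof, root: bytes) -> bool:
    """Recompute the root from the artifact bytes and the proof alone."""
    h = leaf_hash(hashlib.sha256(artifact).digest())
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root

# Constructed sample: five non-CUI artifacts recorded on one day.
ARTIFACTS = [b"access-control-policy v3", b"mfa-config-export", b"scan-report",
             b"ir-plan", b"training-records"]
LEVELS = build_levels([leaf_hash(hashlib.sha256(a).digest()) for a in ARTIFACTS])
DAILY_ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    proof = inclusion_proof(LEVELS, 4)
    print(verify_inclusion(ARTIFACTS[4], proof, DAILY_ROOT))                  # unmodified file
    print(verify_inclusion(b"training-records (edited)", proof, DAILY_ROOT))  # altered file
```

A proof that recomputes to a different root means the file, the proof, or the root was changed after the daily root was published.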

110 Controls. One Dashboard.

Real-time visibility into your NIST 800-171 compliance posture.

NIST 800-171 Rev 2 Control Status (live dashboard)

Control   Requirement                                  Status    Evidence
3.1.1     Limit system access to authorized users      Met       47 artifacts
3.1.2     Limit system access to transaction types     Met       23 artifacts
3.5.1     Identify system users and processes          Partial   12 artifacts
3.5.2     Authenticate users and processes             Met       89 artifacts
3.13.1    Monitor organizational systems               Met       156 artifacts

Verify Any Artifact

Your C3PAO verifies receipts directly from the export package.

Verify an Artifact

Enter an artifact ID or event ID to verify its cryptographic signature.

Clear Boundaries

What the CMMC Evidence Module is and isn't.

What We Do

  • Collect and map evidence to NIST 800-171 controls
  • Sign every artifact with AWS KMS (ECDSA P-256)
  • Chain evidence in daily Merkle trees for tamper-detection
  • Export evidence index with verification URLs per artifact
  • Provide public verification API for assessors
  • Export self-contained bundles C3PAOs verify offline

What We Don't Do

  • Guarantee CMMC certification (your C3PAO makes that call)
  • Store or process CUI or classified data
  • Replace your compliance program or ISSO
  • Provide legal opinions or regulatory advice
  • Modify or delete evidence after creation
  • Act as a C3PAO or certification body

Frequently Asked Questions

Common questions from defense contractors.

No. Certification is determined by your C3PAO assessor, not by any tool. The CMMC Evidence Module provides audit-ready evidence with cryptographic verification, but your assessor evaluates whether your implementation meets CMMC requirements. We give you the evidence trail; you own the compliance program.
Yes. Export packages are self-contained—they include the receipt, cryptographic signature, Merkle proof, daily root, public key, and verification instructions. Your C3PAO can verify mathematically using standard libraries (Python cryptography, OpenSSL) without calling any ProlixoTech API. The bundle works offline and remains verifiable as long as the ECDSA P-256 algorithm and SHA-256 hash function are considered secure.
You should not upload CUI to ProlixoTech. When you upload an artifact (a policy document, screenshot, or configuration export), the file is stored encrypted (SSE-KMS) in our evidence vault. We hash and sign the file contents for verification purposes. Only upload non-CUI evidence artifacts—policies, procedures, screenshots, and scan reports that do not contain controlled unclassified information. ProlixoTech currently operates on AWS commercial (us-east-1). Enterprise customers requiring GovCloud or GCC High environments should contact sales.
Our primary focus is CMMC Level 2, which maps to NIST 800-171 (110 controls). We also support Level 1 (15 practices) and provide visibility into Level 3 requirements for organizations planning ahead. Control mappings are based on NIST 800-171 Rev 2, with Rev 3 support in progress.
Most organizations start uploading evidence within minutes of creating an account. Select the CMMC module, upload your first artifact, and the platform handles hashing, signing, and control mapping automatically. The platform is designed for continuous use, not a one-time export.
Yes. While CMMC Level 2 is our primary focus, we support NIST 800-53-based frameworks including FedRAMP, StateRAMP, and GovRAMP. Control mappings cross-reference between frameworks, so evidence uploaded for CMMC can often satisfy FedRAMP controls as well.

Start Building Your CMMC Evidence Trail

Create an account, select the CMMC module, and upload your first artifact.
