Changelog
What's shipping in Affirmark.
A reverse-chronological log of capability changes: what's new, what changed, what's now defensible to an assessor. Month-level cadence, customer-language entries; the commit history lives on GitHub for anyone who wants it.
June 2026
- Level 2 self-assessment, affirmed in SPRS
The full Level 2 lifecycle closed on our own posture: a senior official signed the affirmation in SPRS on a package Affirmark produced end to end. The affirmation gate blocks submission while any finding is open, and re-affirmation and amendment flows keep the record current after the signature.
- Affirm/submit lifecycle with a hard gate on open findings.
- Re-affirmation and amendment workflows for posture changes after signature.
- A background worker tier runs the recurring monitoring and re-affirmation clocks.
- C3PAO assessment workflow
An external-assessor workflow for the C3PAO engagement. The package walks the same gates we hold ourselves to, the certification gate names the offending controls when something blocks, and the requirements that can never be marked not-applicable are enforced as such.
- Full CMMC Level 2 coverage
The data model, scoring, and document pipeline now span all 110 Level 2 requirements and 320 assessment objectives: SPRS scoring on the official 110-point methodology, SSP generation with per-section review and approval, and a POA&M subsystem that tracks remediation to closure.
- Level-aware catalog: Level 1 and Level 2 views over one data model.
- SSP sections are individually reviewed and approved before the document composes.
- POA&M items carry owners, milestones, and closure evidence.
May 2026
- Grounded compliance chat
Ask about this objective: citation-first chat over the CMMC, NIST, and STIG corpus. Every answer cites its sources, a grounding verifier rejects unsupported claims, and citations click through to the full source text. The corpus ships as ed25519-signed bundles, and a 50-question evaluation harness measures citation accuracy against the corpus.
- Hybrid retrieval over a pgvector index of the authoritative documents.
- Per-message grounding stats persisted and rendered alongside the answer.
- Corpus bundles are ed25519-signed, with a CLI verify command for integrity checks.
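As an added illustration of the signed-bundle pattern described above (example code written for this page, not Affirmark's own verify command; the manifest fields, bundle layout and fixed demo seed are assumptions made here), the following Go program uses the standard library's crypto/ed25519 to show both sides: the publisher hashes the corpus payload into a manifest and signs the manifest, and the verifier checks the signature before it trusts the manifest's hash to judge the payload. The four cases in main show what each kind of tampering looks like to the verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the signed part of a bundle: what the corpus is and the hash of
// its content. Field names are assumptions for this example.
type Manifest struct {
	Corpus     string `json:"corpus"`
	Version    string `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// Bundle carries the manifest, the corpus bytes, and a detached ed25519
// signature over the JSON-encoded manifest. The payload is not signed
// directly; the manifest's hash is what binds it.
type Bundle struct {
	Manifest  Manifest
	Payload   []byte
	Signature []byte
}

// manifestBytes is the exact byte string that gets signed and verified.
// json.Marshal of a struct emits fields in declaration order, which is
// deterministic enough here; a real format would pin a canonical encoding.
func manifestBytes(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign is the publisher side: hash the payload into the manifest, sign the manifest.
func Sign(priv ed25519.PrivateKey, corpus, version string, payload []byte) Bundle {
	m := Manifest{Corpus: corpus, Version: version, PayloadSHA: sha256Hex(payload)}
	return Bundle{Manifest: m, Payload: payload, Signature: ed25519.Sign(priv, manifestBytes(m))}
}

// Verify is the consumer side, the check a CLI verify command would run before
// a corpus is loaded. Order matters: check lengths first (ed25519.Verify panics
// on a malformed public key), then the signature, and only then use the
// now-trusted manifest hash to judge the payload.
func Verify(pub ed25519.PublicKey, b Bundle) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("public key has wrong length")
	}
	if len(b.Signature) != ed25519.SignatureSize {
		return errors.New("signature has wrong length")
	}
	if !ed25519.Verify(pub, manifestBytes(b.Manifest), b.Signature) {
		return errors.New("manifest signature invalid: wrong key or manifest altered")
	}
	if sha256Hex(b.Payload) != b.Manifest.PayloadSHA {
		return errors.New("payload hash does not match signed manifest: content altered")
	}
	return nil
}

// DemoKey derives a key pair from a fixed, constructed seed so the example is
// reproducible. Test-only: production seeds come from crypto/rand.
func DemoKey(seedByte byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := make([]byte, ed25519.SeedSize)
	for i := range seed {
		seed[i] = seedByte
	}
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKey(0x42)
	// Constructed stand-in for a corpus document.
	corpus := []byte("3.1.1 Limit system access to authorized users ...")
	b := Sign(priv, "cmmc-l2", "2026.05", corpus)
	fmt.Println("clean bundle:   ", Verify(pub, b))

	tampered := b
	tampered.Payload = append([]byte{}, b.Payload...)
	tampered.Payload[0] = '4' // flip one byte of the corpus text
	fmt.Println("edited payload: ", Verify(pub, tampered))

	relabelled := b
	relabelled.Manifest.Version = "2026.06" // claim a newer version without re-signing
	fmt.Println("edited manifest:", Verify(pub, relabelled))

	otherPub, _ := DemoKey(0x99)
	fmt.Println("wrong key:      ", Verify(otherPub, b))
}
```

The split between "signature invalid" and "payload hash mismatch" is deliberate: the first means the manifest itself cannot be trusted, the second means the manifest is authentic but the content shipped alongside it is not, which is the case a swapped or corrupted download produces.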
- Operational hardening
The unglamorous release an assessor reads first: an operator manual, incident-response and backup/restore runbooks, performance and accessibility gates in CI, and dependency-vulnerability gating on every change.
April 2026
- Continuous control monitoring
Affirmark now pulls evidence directly from the tooling already in inventory (IdP exports, EDR attestations, vulnerability scans, configuration drift), so drift surfaces in near real time instead of at cycle close. Several Tier-A providers are supported today, with more being wired in continuously.
- Mailbox ingestion: Microsoft 365, Google Workspace, Proton.
- Direct API ingestion where the provider exposes one.
- Manual upload remains the always-available fallback.
- In-product audit-chain viewer
Assessors can now inspect the verifiable audit chain directly inside Affirmark — integrity banner, per-entry inspector, filters by actor / entity / date range. Raw JSONL bundle still exports for offline review, and the signed CLI tool still ships for fully-offline verification.
- Filter by actor (system / user), entity type (narratives, evidence, findings, …), or date.
- Integrity banner reads OK / FAIL with the head hash and entry count.
- Download the raw JSONL bundle from the same screen for assessor handoff.
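To make the integrity banner concrete, here is an added example (written for this page, not Affirmark's own code; the entry fields, the hashing rule and the sample records are assumptions for the example) of a hash-chained JSONL audit log in Go, with the writer that links each entry to its predecessor and the offline verifier an assessor would run over the exported bundle. main feeds it a clean bundle, a bundle with one actor edited after the fact, and a bundle with the middle entry removed.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry is the assumed shape of one JSONL audit record (illustrative field
// names; the real export format is not documented on this page).
type Entry struct {
	Seq    int    `json:"seq"`    // contiguous from 0
	Actor  string `json:"actor"`  // "system" or "user:<id>"
	Entity string `json:"entity"` // narrative, evidence, finding, ...
	Action string `json:"action"`
	At     string `json:"at"`   // RFC 3339 timestamp
	Prev   string `json:"prev"` // hash of the previous entry; "" for the first
	Hash   string `json:"hash"` // SHA-256 over this entry with Hash blanked
}

// entryHash recomputes an entry's chain hash: SHA-256 over the JSON encoding
// of the entry with its own Hash field cleared. json.Marshal emits struct
// fields in declaration order, which is deterministic enough here; a real
// format would pin an explicit canonicalisation rule.
func entryHash(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append links a new entry to the chain, filling in Seq, Prev and Hash.
func Append(chain []Entry, actor, entity, action, at string) []Entry {
	e := Entry{Seq: len(chain), Actor: actor, Entity: entity, Action: action, At: at}
	if len(chain) > 0 {
		e.Prev = chain[len(chain)-1].Hash
	}
	e.Hash = entryHash(e)
	return append(chain, e)
}

// ToJSONL serialises the chain one entry per line, the export handed to assessors.
func ToJSONL(chain []Entry) string {
	var sb strings.Builder
	for _, e := range chain {
		b, _ := json.Marshal(e)
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String()
}

// Result mirrors the integrity banner: OK or FAIL, the head hash, the entry count.
type Result struct {
	OK    bool
	Head  string
	Count int
	Err   string
}

// VerifyChain replays the bundle in order and fails on the first broken link:
// malformed JSON, a gap in Seq (an entry removed or reordered), a Prev that
// does not match the previous hash, or a Hash that does not recompute (the
// entry was edited after it was written).
func VerifyChain(jsonl string) Result {
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	prev, count := "", 0
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return Result{Head: prev, Count: count, Err: fmt.Sprintf("entry %d: %v", count, err)}
		}
		switch {
		case e.Seq != count:
			return Result{Head: prev, Count: count, Err: fmt.Sprintf("entry %d: seq %d, chain not contiguous", count, e.Seq)}
		case e.Prev != prev:
			return Result{Head: prev, Count: count, Err: fmt.Sprintf("entry %d: prev does not match previous hash", count)}
		case entryHash(e) != e.Hash:
			return Result{Head: prev, Count: count, Err: fmt.Sprintf("entry %d: hash does not recompute, entry modified", count)}
		}
		prev, count = e.Hash, count+1
	}
	return Result{OK: true, Head: prev, Count: count}
}

// SampleChain is a constructed three-entry chain used by main and the tests.
func SampleChain() []Entry {
	var c []Entry
	c = Append(c, "system", "evidence", "ingest", "2026-04-02T09:14:00Z")
	c = Append(c, "user:jdoe", "narrative", "approve", "2026-04-02T10:03:00Z")
	c = Append(c, "user:asmith", "finding", "close", "2026-04-03T16:45:00Z")
	return c
}

func main() {
	good := ToJSONL(SampleChain())
	fmt.Printf("clean bundle:  %+v\n", VerifyChain(good))
	// Edit a recorded actor after the fact: the hash no longer recomputes.
	edited := strings.Replace(good, `"user:jdoe"`, `"user:mallory"`, 1)
	fmt.Printf("edited entry:  %+v\n", VerifyChain(edited))
	// Drop the middle line: seq jumps from 0 to 2 and prev no longer links.
	lines := strings.Split(strings.TrimSpace(good), "\n")
	fmt.Printf("missing entry: %+v\n", VerifyChain(lines[0]+"\n"+lines[2]+"\n"))
}
```

The head hash and entry count that the verifier returns are exactly what a banner needs: an assessor who records the head hash at handoff can later re-verify the same bundle and confirm nothing was appended, removed, or rewritten in between. A hash chain alone does not stop whoever holds the log from rewriting the whole chain from some point onward; anchoring the head hash somewhere the log writer cannot alter (a signed export, an external timestamp, or the assessor's own notes) is what closes that gap.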
- IdP sign-in
OIDC sign-in via the Cognito hosted UI, with SSO from Microsoft Entra ID, Okta, or Google Workspace. Every action is recorded against the user account that signed in, so shared service-account credentials are no longer needed.
- Role-gated access
Backend and frontend now enforce role-based access. Operators see and edit; reviewers see and comment; auditors see only. Role assignments live in Settings → Users, audited like every other compliance entity.
- FedRAMP status on tooling
Each tool in the inventory now carries its FedRAMP authorization status — Authorized, In Process, or Not Authorized. Assessors see at a glance which third-party services in the stack are FedRAMP-aligned and which need a compensating control.
Every entry above shipped the same way: agents did the work, an engineer reviewed it, and the gates held.
Request a capability briefing →