The Problem with Periodic Compliance

Traditional compliance workflows follow a painful cycle: an assessor arrives, the IT team scrambles to collect evidence, someone exports logs they have never looked at, and half the screenshots are from configurations that have since changed. The evidence package takes weeks to assemble, and by the time it reaches the assessor, it represents a snapshot of a system that no longer exists in that state.

This is not a documentation problem. It is an architecture problem. When compliance evidence is decoupled from the infrastructure that generates it, drift is inevitable. A firewall admin adds a temporary permit-any rule during a troubleshooting session and forgets to remove it. An encryption setting on a file share gets toggled off during a migration. A service account password has not been rotated in 14 months. None of these show up until someone manually looks, and by then the gap has been open for months.

The platform eliminates this disconnect by making compliance monitoring a continuous byproduct of normal infrastructure operations, not a separate activity bolted on before an audit.

How Wazuh SIEM Maps to Compliance Frameworks

At the core of the compliance engine is Wazuh, deployed on-premises as part of the VIRP appliance. Wazuh already ships with built-in compliance tagging on its rules for PCI DSS, HIPAA, GDPR, TSC and NIST SP 800-53, and the platform cross-walks those NIST SP 800-53 tags to the NIST SP 800-171 requirements that underpin CMMC Level 2. Every alert, file integrity event, and vulnerability finding therefore carries the specific control it relates to. The platform extends this by correlating Wazuh data with live state from FortiGate firewalls, Cisco network devices, and Proxmox hypervisors.

This means a single query can cross-reference findings across layers. When a Wazuh agent reports SCA (CIS benchmark) failures on a server, the AI simultaneously checks whether the FortiGate policy protecting that server's subnet enforces the segmentation required by CMMC practice AC.L2-3.1.3 (control information flow). The finding is not just "server X failed benchmark Y" but "server X is non-compliant with AC.L2-3.1.3 because its subnet allows unrestricted lateral movement through firewall policy 47."

virp
operator > Show me CMMC AC domain compliance status for the CUI enclave

[Wazuh API] Querying agent group: cui-enclave (12 agents)
[FortiGate REST] Pulling policies for VLAN 40 (CUI segment)
[Cisco SSH] Checking ACLs on core-sw-01, core-sw-02

CMMC Access Control (AC) Domain — CUI Enclave

PASS AC.L2-3.1.1 — Limit system access to authorized users
    12/12 agents enforce local account policies. AD GPO verified.
PASS AC.L2-3.1.2 — Limit system access to authorized functions
    Role-based access confirmed. No shared admin accounts detected.
FAIL AC.L2-3.1.3 — Control the flow of CUI
    FortiGate policy 47: dst=any on VLAN 40 → VLAN 10. CUI can reach general network.
    Opened by admin (10.0.10.50) on 2026-02-18 at 02:14 AM. No change ticket found.
PASS AC.L2-3.1.5 — Least privilege
    No non-admin users with elevated privileges detected across 12 endpoints.
WARN AC.L2-3.1.7 — Prevent non-privileged users from executing privileged functions
    CUI-WS-04: local user "vendor_support" has sudoers entry with NOPASSWD. Review required.

Summary: 8 PASS · 1 FAIL · 2 WARN · 3 N/A
Priority remediation: Policy 47 flow control violation (AC.L2-3.1.3)

Notice what happened there. The AI did not just query one system. It pulled Wazuh agent data for endpoint compliance, FortiGate policies for network segmentation, and Cisco switch ACLs for layer-2 controls. It correlated findings across all three to produce a unified compliance picture that an assessor can actually use. Every data point traces to a real source with a timestamp, consistent with the platform's anti-fabrication architecture.
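The cross-layer join described above, as an added Python example that is not VIRP's own code. It assumes the shape of two inputs: a Wazuh alert as written to alerts.json (whose rule object carries a nist_800_53 tag list) and the results array returned by the FortiOS REST endpoint /api/v2/cmdb/firewall/policy. The interface names, subnets, address-object names, the alert itself and the partial 800-53-to-800-171 cross-walk are assumptions constructed for the example (the cross-walk rows follow Appendix D of SP 800-171 Rev 2 for the handful of controls used). One detail the transcripts on this page simplify: the CMMC model gives the 17 Level 1 practices an L1 prefix (AC.L1-3.1.1), and the mapping function below does the same.

```python
"""Join Wazuh endpoint alerts to FortiGate policy state and name the CMMC
practice each finding belongs to.  Added example; all data is constructed."""
import ipaddress
import json

# NIST SP 800-171 family number -> CMMC domain abbreviation.
NIST_FAMILY_TO_DOMAIN = {
    "3.1": "AC", "3.2": "AT", "3.3": "AU", "3.4": "CM", "3.5": "IA",
    "3.6": "IR", "3.7": "MA", "3.8": "MP", "3.9": "PS", "3.10": "PE",
    "3.11": "RA", "3.12": "CA", "3.13": "SC", "3.14": "SI",
}
# The 17 requirements that form CMMC Level 1 carry an L1 prefix in the model.
LEVEL1 = {"3.1.1", "3.1.2", "3.1.20", "3.1.22", "3.5.1", "3.5.2", "3.8.3",
          "3.10.1", "3.10.3", "3.10.4", "3.10.5", "3.13.1", "3.13.5",
          "3.14.1", "3.14.2", "3.14.4", "3.14.5"}
# Partial cross-walk from the 800-53 control IDs Wazuh tags rules with to the
# 800-171 requirements derived from them (assumption: SP 800-171 Rev 2
# Appendix D; only the rows this example needs).
NIST_800_53_TO_171 = {
    "AC.3": ["3.1.1", "3.1.2"], "AC.4": ["3.1.3"], "AC.6": ["3.1.5"],
    "CM.6": ["3.4.1", "3.4.2"], "AU.12": ["3.3.1"], "SC.28": ["3.13.16"],
}
# Assumed enclave layout: FortiGate VLAN interface -> subnet it fronts.
SEGMENTS = {"vlan40": ipaddress.ip_network("10.40.0.0/16"),
            "vlan10": ipaddress.ip_network("10.0.0.0/16")}
CUI_INTERFACE = "vlan40"

# Constructed Wazuh alert (alerts.json shape) for an SCA benchmark failure.
WAZUH_ALERT = json.loads("""{
  "agent": {"id": "012", "name": "CUI-FS-01", "ip": "10.40.0.21"},
  "rule": {"id": "100210", "level": 7,
           "description": "SCA summary: CIS Benchmark: check failed",
           "nist_800_53": ["CM.6"], "hipaa": ["164.312.b"]}
}""")
# Constructed entries in the FortiOS firewall/policy "results" array.
FORTIGATE_POLICIES = json.loads("""[
  {"policyid": 47, "name": "cui-to-general", "status": "enable", "action": "accept",
   "srcintf": [{"name": "vlan40"}], "dstintf": [{"name": "vlan10"}],
   "srcaddr": [{"name": "CUI-Servers"}], "dstaddr": [{"name": "all"}],
   "service": [{"name": "ALL"}]},
  {"policyid": 12, "name": "cui-to-dc", "status": "enable", "action": "accept",
   "srcintf": [{"name": "vlan40"}], "dstintf": [{"name": "vlan10"}],
   "srcaddr": [{"name": "CUI-Servers"}], "dstaddr": [{"name": "Domain-Controllers"}],
   "service": [{"name": "LDAPS"}, {"name": "KERBEROS"}]}
]""")


def cmmc_practice_id(req: str) -> str:
    """'3.1.3' -> 'AC.L2-3.1.3'; Level 1 requirements get the L1 prefix."""
    family = ".".join(req.split(".")[:2])
    level = "L1" if req in LEVEL1 else "L2"
    return f"{NIST_FAMILY_TO_DOMAIN[family]}.{level}-{req}"


def practices_for_alert(alert: dict) -> list:
    """Translate the alert's 800-53 tags into CMMC practice IDs, in order."""
    reqs = set()
    for ctl in alert["rule"].get("nist_800_53", []):
        reqs.update(NIST_800_53_TO_171.get(ctl, []))
    ordered = sorted(reqs, key=lambda r: tuple(int(x) for x in r.split(".")))
    return [cmmc_practice_id(r) for r in ordered]


def segment_for(ip: str):
    """Return the FortiGate interface whose subnet contains the agent IP."""
    addr = ipaddress.ip_address(ip)
    return next((intf for intf, net in SEGMENTS.items() if addr in net), None)


def flow_control_findings(policies: list, src_intf: str, catch_all=("all",)) -> list:
    """Enabled accept policies leaving src_intf whose destination is a
    catch-all address object.  Such a policy fails AC.L2-3.1.3."""
    findings = []
    for pol in policies:
        if pol.get("status") != "enable" or pol.get("action") != "accept":
            continue
        if src_intf not in {i["name"] for i in pol["srcintf"]}:
            continue
        dsts = {d["name"] for d in pol["dstaddr"]}
        if dsts & set(catch_all):
            dstintf = ",".join(i["name"] for i in pol["dstintf"])
            findings.append({
                "practice": "AC.L2-3.1.3", "policyid": pol["policyid"],
                "detail": f"policy {pol['policyid']}: {src_intf} -> {dstintf}, "
                          f"dstaddr={','.join(sorted(dsts))}",
            })
    return findings


def correlate(alert: dict, policies: list) -> dict:
    """Endpoint finding plus the segmentation state of the agent's subnet."""
    intf = segment_for(alert["agent"]["ip"])
    net = flow_control_findings(policies, intf) if intf == CUI_INTERFACE else []
    return {"agent": alert["agent"]["name"], "segment": intf,
            "endpoint_practices": practices_for_alert(alert),
            "network_findings": net,
            "status": "FAIL" if net else "WARN"}


if __name__ == "__main__":
    print(json.dumps(correlate(WAZUH_ALERT, FORTIGATE_POLICIES), indent=2))
```

The cross-walk is deliberately one-to-many: a single 800-53 control such as CM-6 feeds more than one 800-171 requirement, so the endpoint side of the finding lists every practice the alert bears on and leaves the narrowing to the analyst or the AI layer.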

CMMC Level 2: From Spreadsheet to Continuous Validation

CMMC Level 2 requires compliance with all 110 security practices from NIST SP 800-171 Rev 2. These practices span 14 domains: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

The platform provides automated evidence collection for the technical practices that can be validated through infrastructure telemetry. This covers a substantial portion of the framework, particularly in domains like Access Control, Audit and Accountability, Configuration Management, System and Communications Protection, and System and Information Integrity.

Key distinction: The platform automates the collection and correlation of compliance evidence. It does not replace the assessor's judgment. Practices related to organizational policy, personnel training, and physical security still require human documentation. What changes is that the technical evidence your assessor needs is already collected, timestamped, and waiting.

For defense contractors preparing for a C3PAO assessment, this shifts the conversation from "can you show me your access control logs?" to "here are 365 days of access control logs, correlated with firewall policy changes and endpoint configuration baselines, with every anomaly flagged and investigated." The difference between scrambling for evidence and presenting it is often the difference between a conditional and a clean assessment.

Encrypted Infrastructure Requirements

CMMC practice SC.L2-3.13.16 requires protecting the confidentiality of CUI at rest, SC.L2-3.13.8 requires cryptographic protection of CUI in transit, and SC.L2-3.13.11 requires FIPS-validated cryptography wherever cryptography is used to protect CUI. The platform continuously validates encryption state across monitored endpoints. Wazuh agents check disk encryption status (BitLocker, LUKS), TLS configurations on exposed services, and cipher suites negotiated on network connections. If a server's certificate expires or an endpoint's disk encryption is suspended, the system flags it immediately rather than letting it sit undiscovered until the next quarterly review. One caveat on SC.L2-3.13.11: FIPS validation attaches to a cryptographic module (a CMVP certificate), not to an algorithm name, so a report that a tunnel negotiated AES-256-GCM shows an approved algorithm in use; the certificate numbers of the FortiOS and operating-system modules still have to be recorded in the SSP.

virp
operator > Check encryption compliance for CMMC SC domain

[Wazuh API] Checking SCA results: encryption policies
[FortiGate REST] Inspecting VPN tunnel encryption settings

Encryption Status — CUI Enclave

Data at Rest:
OK  CUI-FS-01 — BitLocker AES-256, TPM+PIN, protector active
OK  CUI-DB-01 — LUKS2 aes-xts-plain64, key slot 0 active
FAIL CUI-WS-07 — BitLocker suspended since 2026-02-20 11:43 UTC
    Reason: Windows Update triggered suspension. Auto-resume did not fire.

Data in Transit:
OK  Site-to-site VPN — IKEv2 / AES-256-GCM / SHA-384 / DH Group 20
OK  Remote access VPN — TLS 1.3 / AES-256-GCM
WARN Internal HTTPS (CUI-APP-02) — TLS 1.2 with TLS_RSA_WITH_AES_128_CBC_SHA
    CBC mode, static RSA key exchange (no forward secrecy), HMAC-SHA1 integrity. AES-128-CBC is a FIPS-approved algorithm, but the suite is weaker than the ECDHE/AES-GCM alternatives.
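The cipher-suite judgment behind a WARN line like the one above can be made mechanical. This is an added Python example, not VIRP code: it parses IANA TLS suite names and grades each observed connection against what SC.L2-3.13.8 and SC.L2-3.13.11 expect (TLS 1.2 or 1.3, FIPS-approved algorithms, AEAD mode, forward secrecy). The host list and the negotiated parameters are constructed for the example, and the grading thresholds are the editor's, to be tuned against your own SSP.

```python
"""Grade negotiated TLS parameters for CUI transport.  Added example; the
observed connections are constructed."""

# Constructed observations: (host, protocol version, IANA cipher-suite name).
OBSERVED = [
    ("CUI-APP-02", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("CUI-APP-01", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("CUI-FS-01",  "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    ("CUI-WEB-03", "TLSv1.2", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"),
    ("LEGACY-01",  "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def parse_suite(suite: str):
    """Split an IANA suite name into (key exchange, cipher+MAC).  TLS 1.3
    names such as TLS_AES_256_GCM_SHA384 carry no key-exchange component."""
    body = suite[len("TLS_"):] if suite.startswith("TLS_") else suite
    if "_WITH_" in body:
        kex, rest = body.split("_WITH_", 1)
    else:
        kex, rest = "TLS13", body
    return kex, rest


def assess_tls(protocol: str, suite: str):
    """Return (verdict, reasons); verdict is FAIL, WARN or OK."""
    issues = []
    kex, rest = parse_suite(suite)
    aead = any(m in rest for m in ("GCM", "CCM", "POLY1305"))
    mac = rest.rsplit("_", 1)[-1]   # trailing token: record MAC, or PRF for AEAD

    if protocol in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"):
        issues.append(("FAIL", f"{protocol} negotiated; only TLS 1.2/1.3 are acceptable"))
    if any(t in rest for t in ("RC4", "DES", "NULL", "EXPORT")):
        issues.append(("FAIL", "legacy cipher; not approved for protecting CUI"))
    if "CHACHA20" in rest:
        issues.append(("FAIL", "ChaCha20-Poly1305 is not a FIPS-approved algorithm"))
    if "anon" in kex:
        issues.append(("FAIL", "anonymous key exchange; no server authentication"))
    if mac == "MD5":
        issues.append(("FAIL", "MD5 record MAC"))
    elif mac == "SHA" and not aead:
        issues.append(("WARN", "HMAC-SHA1 record integrity"))
    if "CBC" in rest:
        issues.append(("WARN", "CBC mode; prefer an AEAD suite (AES-GCM)"))
    if kex != "TLS13" and not kex.startswith(("ECDHE", "DHE")) and "anon" not in kex:
        issues.append(("WARN", "static key exchange; no forward secrecy"))

    severity = {"FAIL": 2, "WARN": 1}
    verdict = "OK" if not issues else max(issues, key=lambda i: severity[i[0]])[0]
    return verdict, [reason for _, reason in issues]


def report(observed=OBSERVED):
    """Per-host rows (host, verdict, reasons, suite), worst first."""
    rows = [(host, *assess_tls(proto, suite), suite) for host, proto, suite in observed]
    order = {"FAIL": 0, "WARN": 1, "OK": 2}
    return sorted(rows, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for host, verdict, reasons, suite in report():
        print(f"{verdict:4} {host} — {suite}")
        for reason in reasons:
            print(f"     {reason}")
```

The ChaCha20 rule is the one practitioners most often miss: the suite is modern and strong, but SC.L2-3.13.11 asks for FIPS-validated cryptography, and ChaCha20-Poly1305 is not an approved algorithm, so a FortiGate or web server that prefers it for CUI traffic is a finding even though nothing about it is weak.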

HIPAA Infrastructure Monitoring

Healthcare organizations face a different but overlapping set of requirements under the HIPAA Security Rule. The technical safeguards under 45 CFR 164.312 require access controls, audit controls, integrity controls, person or entity authentication, and transmission security. Many of these map directly to the same infrastructure telemetry that supports CMMC.

The platform monitors HIPAA-relevant infrastructure in the same continuous manner. Access logs from Wazuh agents feed the audit control requirement (164.312(b)). File integrity monitoring supports the integrity requirement (164.312(c)(1)) and its implementation specification for authenticating ePHI (164.312(c)(2)). FortiGate VPN and firewall policy data supports the transmission security requirement (164.312(e)(1)). Rather than maintaining separate compliance tracking for each framework, the platform maps a single pool of live evidence to whichever framework the organization needs.

For organizations that must satisfy both CMMC and HIPAA, such as healthcare-adjacent defense subcontractors or medical device manufacturers with DoD contracts, this dual mapping avoids the common problem of maintaining two parallel compliance programs against overlapping technical controls.

365-Day Audit Retention

CMMC practice AU.L2-3.3.1 requires organizations to create and retain system audit logs. NIST 800-171 does not specify a minimum retention period, but C3PAO assessors routinely expect at least one year of log data to demonstrate sustained compliance rather than point-in-time snapshots.

The platform retains all compliance-relevant data for a minimum of 365 days on-premises. This includes Wazuh alerts, file integrity events, vulnerability scan results, firewall policy change logs, approval queue decisions, and infrastructure state snapshots. The data stays on your infrastructure, inside your network boundary, and is not transmitted to any external service. This matters for organizations handling CUI or ePHI, where sending compliance data to a cloud SaaS platform may itself create a compliance problem.

On-premises retention: All compliance data is stored locally on the VIRP appliance. No audit logs, CUI indicators, or ePHI metadata leave your network. Only natural-language AI queries are sent to the Anthropic API, and those never contain raw log data or protected information. Record that boundary in your own system security plan and data-flow diagrams: an assessor will ask what leaves the enclave, and the answer has to come from your documentation, not the vendor's.

The Approval Queue as a Compliance Control

Every infrastructure change initiated through the platform passes through the approval queue. This is not just a safety mechanism for preventing accidental misconfigurations. It is a compliance control that satisfies multiple CMMC and HIPAA requirements simultaneously.

For CMMC, the approval queue directly supports CM.L2-3.4.3 (track, review, approve or disapprove, and log changes), CM.L2-3.4.5 (define and enforce access restrictions associated with changes), and AU.L2-3.3.1 (create and retain audit records of system activity). For HIPAA, it provides the audit trail required under 164.312(b) and supports the access control standard under 164.312(a)(1).

Each approval queue entry records who requested the change (the operator's identity), what the AI recommended, the exact commands to be executed, the target device, the risk assessment, the approver's decision, and the execution result. This produces a complete chain of custody for every configuration change, from intent to execution to verification.

virp
operator > Show audit trail for firewall changes in the last 30 days

[Audit DB] Querying approval_queue WHERE device_type='fortigate' AND age < 30d

Firewall Change Audit — Last 30 Days (7 entries)

2026-02-18 02:14 — Policy 47 modified
  Requested by: nhoward | Approved by: nhoward | Risk: HIGH
  Change: set dstaddr "all" (was "CUI-Servers")
  COMPLIANCE NOTE: Broke AC.L2-3.1.3 flow control. Flagged within 4 minutes.

2026-02-15 14:22 — VPN phase2 cipher updated
  Requested by: jmartinez | Approved by: nhoward | Risk: MEDIUM
  Change: set proposal aes256gcm (was aes128-sha256)
  COMPLIANCE NOTE: Stronger proposal (AES-256-GCM replaces AES-128-CBC with SHA-256). Both are FIPS-approved algorithms; SC.L2-3.13.11 status unchanged.

2026-02-10 09:07 — Address object created
  Requested by: nhoward | Approved by: nhoward | Risk: LOW
  Change: New address "CUI-Printer-Subnet" 10.40.5.0/28
  COMPLIANCE NOTE: No compliance impact. CUI enclave segmentation maintained.

This audit trail is what assessors actually want to see. Not a static screenshot of firewall rules, but a living record of who changed what, when, why, who approved it, and whether it introduced or resolved a compliance gap. The AI annotates each change with its compliance impact automatically, so the audit trail is analysis-ready from day one. Note what the first entry also exposes: a HIGH-risk change requested and approved by the same identity at 02:14 with no change ticket. The record proves the trail works, but it is exactly the separation-of-duties question (AC.L2-3.1.4) an assessor will raise, so the approval policy should route HIGH-risk changes to a second approver rather than let the requester clear their own queue entry.
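The checks an assessor applies to such a trail can run on every queue entry as it is written. Added Python example, not VIRP code: it rebuilds the three entries shown above plus one constructed entry, stores a SHA-256 digest of the approved command lines at approval time, and flags self-approval, missing change tickets, after-hours approvals, and any difference between what was approved and what was executed. The review policy (which risk levels need a second approver or a ticket, what counts as business hours), the ticket numbers and the command lines are assumptions.

```python
"""Separation-of-duties and chain-of-custody checks over approval-queue
records.  Added example; records and policy are constructed."""
import hashlib
from datetime import datetime

# Assumed review policy.  Business hours are local time, end exclusive.
POLICY = {
    "second_approver": {"HIGH", "CRITICAL"},
    "ticket_required": {"MEDIUM", "HIGH", "CRITICAL"},
    "business_hours": (7, 19),
}


def command_digest(commands):
    """SHA-256 over the exact command lines.  Taken at approval time and
    recomputed from the executed lines, so any edit in between is visible."""
    return hashlib.sha256("\n".join(commands).encode()).hexdigest()


def make_entry(ts, device, requested_by, approved_by, risk, commands,
               executed=None, ticket=None):
    """Build a queue record the way the approval step would store it."""
    return {"timestamp": ts, "device": device, "requested_by": requested_by,
            "approved_by": approved_by, "risk": risk, "change_ticket": ticket,
            "approved_commands": commands, "approved_digest": command_digest(commands),
            "executed_commands": executed if executed is not None else commands}


QUEUE = [
    make_entry("2026-02-18T02:14:00", "fortigate-01", "nhoward", "nhoward", "HIGH",
               ["config firewall policy", "edit 47", 'set dstaddr "all"', "next", "end"]),
    make_entry("2026-02-15T14:22:00", "fortigate-01", "jmartinez", "nhoward", "MEDIUM",
               ["config vpn ipsec phase2-interface", "edit site-b-p2",
                "set proposal aes256gcm", "next", "end"], ticket="CHG-1042"),
    make_entry("2026-02-10T09:07:00", "fortigate-01", "nhoward", "nhoward", "LOW",
               ["config firewall address", 'edit "CUI-Printer-Subnet"',
                "set subnet 10.40.5.0 255.255.255.240", "next", "end"]),
    # Constructed fourth entry: the executed lines differ from what was approved.
    make_entry("2026-02-22T10:30:00", "fortigate-01", "jmartinez", "nhoward", "MEDIUM",
               ["config firewall policy", "edit 12", "set logtraffic all", "next", "end"],
               executed=["config firewall policy", "edit 12", "set logtraffic all",
                         'set service "ALL"', "next", "end"], ticket="CHG-1050"),
]


def review_entry(entry, policy=POLICY):
    """Return (practice, note) pairs an assessor would raise for one record."""
    notes = []
    if entry["risk"] in policy["second_approver"] and entry["requested_by"] == entry["approved_by"]:
        notes.append(("AC.L2-3.1.4", "requester approved their own change"))
    if entry["risk"] in policy["ticket_required"] and not entry["change_ticket"]:
        notes.append(("CM.L2-3.4.3", "no change ticket recorded"))
    hour = datetime.fromisoformat(entry["timestamp"]).hour
    start, end = policy["business_hours"]
    if not start <= hour < end:
        notes.append(("CM.L2-3.4.3", f"approved outside business hours ({hour:02d}:00)"))
    if command_digest(entry["executed_commands"]) != entry["approved_digest"]:
        notes.append(("AU.L2-3.3.1", "executed commands differ from the approved set"))
    return notes


def review_queue(queue=QUEUE, policy=POLICY):
    """Map each record (keyed by timestamp) to its notes; [] means clean."""
    return {e["timestamp"]: review_entry(e, policy) for e in queue}


if __name__ == "__main__":
    for ts, notes in review_queue().items():
        print(ts, "CLEAN" if not notes else "")
        for practice, note in notes:
            print(f"  {practice}: {note}")
```

The digest is the part worth keeping even if the rest of the policy is relaxed: it turns "the exact commands to be executed" from a field someone can edit after approval into something the execution step has to match, which is what makes the queue a chain of custody rather than a log.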

Access Controls and Identity Correlation

CMMC domains AC (Access Control, 22 practices) and IA (Identification and Authentication, 11 practices) together account for 33 of the 110 practices. The platform correlates identity data across Wazuh endpoint logs, FortiGate administrator sessions, and network device authentication to build a unified picture of who is accessing what.

When an assessor asks "show me how you enforce least privilege," the platform can produce a report showing every privileged account across every monitored system, when each account last authenticated, what actions were performed, and whether any privilege escalation events were detected. This crosses infrastructure boundaries that are traditionally siloed: the firewall admin console, the switch CLI, the server local accounts, and the domain controller are all visible in a single query.

Identifying Compliance Gaps with AI

Beyond mapping known data to known controls, the AI actively identifies gaps that static checklists miss. Compliance checklists tell you what to check. The AI tells you where you forgot to look.

virp
operator > Run a gap analysis against CMMC Level 2 for the full environment

[Analysis] Correlating data from 4 collectors across 38 monitored assets...

CMMC Level 2 Gap Analysis — Full Environment

CRITICAL (2 findings)
  1. AC.L2-3.1.3 — CUI flow control violation (policy 47, see above)
  2. IA.L2-3.5.3 — Multifactor authentication not enforced for VPN
     FortiGate SSL-VPN uses LDAP auth only. No TOTP/certificate second factor.

HIGH (4 findings)
  1. CM.L2-3.4.2 — 3 endpoints missing from baseline config tracking
  2. SC.L2-3.13.8 — BitLocker suspended on CUI-WS-07
  3. SI.L2-3.14.1 — Wazuh agent on CUI-APP-02 has not checked in for 6 days
  4. AU.L2-3.3.1 — Switch core-sw-02 not sending syslog to Wazuh

MEDIUM (9 findings)
  [Abbreviated — full report available via "export compliance report"]

COVERED: 89 of 110 practices validated with live evidence
MANUAL: 15 practices require organizational/policy documentation
GAPS: 6 practices with technical deficiencies requiring remediation

Finding number 4 in the HIGH category is a good example of what the AI catches that checklists do not. A switch that stopped sending syslog to Wazuh does not trigger a Wazuh alert because Wazuh only alerts on events it receives. The gap is the absence of data. The platform detects this because it knows which devices should be sending logs and notices when one goes silent. That silent device is a hole in your audit trail, and the AI flags it as a compliance gap against AU.L2-3.3.1 before an assessor discovers it.
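How the "silent source" detection described above can be done, as an added Python example that is not VIRP's code. It assumes an inventory of expected log sources, each with the longest gap that is normal for it, and a slice of indexed events carrying a source name and a timestamp; both are constructed here. It also runs the inverse check: a source that logs but is absent from the inventory is an asset-inventory gap against CM.L2-3.4.1, not noise to be ignored.

```python
"""Flag expected log sources that have gone quiet, and unexpected ones that
have appeared.  Added example; inventory, thresholds and events are constructed."""
from datetime import datetime, timedelta

# Assumed inventory: every device that must deliver logs, with the longest
# gap that is normal for it (a switch logs constantly; an endpoint agent
# may legitimately be off overnight).
EXPECTED = {
    "core-sw-01":   ("cisco_ios",   timedelta(hours=1)),
    "core-sw-02":   ("cisco_ios",   timedelta(hours=1)),
    "fortigate-01": ("fortigate",   timedelta(minutes=15)),
    "CUI-APP-02":   ("wazuh_agent", timedelta(hours=24)),
    "CUI-FS-01":    ("wazuh_agent", timedelta(hours=24)),
}

# Constructed slice of indexed events: (source, @timestamp).
NOW = datetime(2026, 2, 24, 12, 0, 0)
EVENTS = [
    ("core-sw-01",   NOW - timedelta(minutes=3)),
    ("core-sw-01",   NOW - timedelta(minutes=40)),
    ("core-sw-02",   NOW - timedelta(days=8, hours=2)),
    ("fortigate-01", NOW - timedelta(minutes=2)),
    ("CUI-APP-02",   NOW - timedelta(days=6, hours=1)),
    ("CUI-FS-01",    NOW - timedelta(hours=5)),
    ("rogue-host-7", NOW - timedelta(minutes=10)),   # logs, but not in inventory
]


def last_seen(events):
    """Most recent timestamp per source."""
    seen = {}
    for src, ts in events:
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def silent_sources(events=EVENTS, expected=EXPECTED, now=NOW):
    """Return (findings, unexpected).  findings: inventory entries that never
    reported or exceeded their allowed gap, worst first, each mapped to
    AU.L2-3.3.1.  unexpected: sources seen but missing from the inventory."""
    seen = last_seen(events)
    findings = []
    for src, (kind, max_gap) in expected.items():
        ts = seen.get(src)
        gap = None if ts is None else now - ts
        if gap is not None and gap <= max_gap:
            continue
        findings.append({"source": src, "kind": kind, "practice": "AU.L2-3.3.1",
                         "last_seen": ts, "silent_for": gap, "max_gap": max_gap})
    # Never-seen sources sort first; then by how far past the allowed gap.
    findings.sort(key=lambda f: float("inf") if f["silent_for"] is None
                  else f["silent_for"] / f["max_gap"], reverse=True)
    unexpected = sorted(set(seen) - set(expected))
    return findings, unexpected


if __name__ == "__main__":
    found, extra = silent_sources()
    for f in found:
        when = "never" if f["last_seen"] is None else f["last_seen"].isoformat()
        print(f"{f['practice']} {f['source']} ({f['kind']}) last seen {when}")
    for src in extra:
        print(f"CM.L2-3.4.1 {src}: logging but not in inventory")
```

The key design choice is that the threshold lives in the inventory, not in the detector: a switch that is quiet for an hour and a laptop that is quiet for an hour are different findings, and a single global timeout produces either false alarms on endpoints or an eight-day blind spot on a core switch.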

Assessor-Ready Reporting

When assessment time arrives, the platform can export a compliance evidence package organized by domain and practice. Each practice includes the current compliance status, the data sources used for validation, the most recent evidence timestamps, any historical findings and their resolution dates, and the relevant Wazuh rule IDs and alert categories.

Reports can be scoped to specific enclaves (CUI enclave versus general enterprise), specific time ranges (show compliance posture on a given date for point-in-time validation), or specific practice subsets (show only Access Control and System and Communications Protection for a focused review).

Who Benefits

Defense Contractors

Small and mid-sized defense contractors pursuing CMMC Level 2 certification often lack dedicated compliance staff. They have a few IT generalists managing everything from desktops to firewalls. The platform gives them a compliance posture that rivals organizations with dedicated GRC teams, because the evidence collection happens automatically as a side effect of infrastructure monitoring they need regardless.

Healthcare Organizations

Clinics, hospitals, and health IT providers subject to HIPAA can use the same platform to maintain continuous compliance visibility. The Wazuh HIPAA compliance mapping is built in, and the AI correlates infrastructure data against the technical safeguards automatically. For organizations undergoing OCR audits, the 365-day retention and detailed audit trail demonstrate a compliance program that is active and continuous, not a point-in-time exercise.

Organizations with Overlapping Frameworks

Medical device manufacturers with DoD contracts, healthcare-adjacent defense subcontractors, and organizations subject to both CMMC and HIPAA benefit from the unified evidence pool. Rather than running separate compliance programs with separate tools against overlapping controls, the platform maps the same live data to both frameworks simultaneously. One infrastructure monitoring platform, multiple compliance outputs.