Synced 16 Jun 2026 15:24 UTC
NIST CSF 2.0 · CMMC · NIST SP 800-171

Inventory & vulnerability management for NIST CSF & CMMC

CSF 2.0 (Identify & Protect) and CMMC / 800-171 expect a software inventory, vulnerability scanning and flaw remediation. IsItPatched delivers all three from an SBOM — a component inventory, known and actively-exploited CVEs, risk ranking, the minimum safe version, end-of-life tracking and exportable evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for US-government-adjacent teams

Defense contractors

Handling FCI/CUI under CMMC / 800-171? Produce the inventory, scanning and flaw-remediation evidence without new tooling.

CSF 2.0 adopters

Any organisation using the framework to structure its program: cover the software-inventory and vulnerability-management pieces of Identify and Protect.

Assessors & security teams

Hand a clean component inventory, risk-ranked vulnerabilities and a remediation record as practice evidence.

CSF 2.0 / 800-171 → what IsItPatched gives you

Software inventory (ID.AM / 3.4.1)

Scan a CycloneDX/SPDX SBOM for a per-component inventory of the software you run — the baseline ID.AM and 3.4.1 expect.

Scan an SBOM →

Vulnerability identification (ID.RA / 3.11.2)

Each component's CVEs identified and risk-ranked by actively-exploited (CISA KEV) and high-EPSS status.

See actively-exploited CVEs →

Flaw remediation (PR.PS / 3.14.1)

The minimum safe version and a critical-first queue give you a documented, prioritised remediation process.

Open your dashboard →

End-of-life & evidence

End-of-life tracking flags unsupported software; export a risk register and VEX as assessment evidence.

End-of-life calendar →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your flaw-remediation record

Sign in (free, no password) to sync your component stack and generate these from your dashboard.
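The export list above and the "How does IsItPatched help" answer further down describe one pipeline: SBOM in, component inventory out, each component matched against advisories, findings ranked known-exploited-first, then a CycloneDX VEX document and a CSV risk register as evidence. The block below is an added example of that pipeline written for this page; it is not IsItPatched's code. Everything in it is constructed: the CycloneDX SBOM, an advisory table that stands in for an OSV lookup (keyed by versionless purl, with OSV-style introduced/fixed ranges), the KEV set and EPSS scores, and the CVE-0000-* identifiers, which are placeholders rather than real CVEs. The version comparator is a deliberately simple dotted-numeric key; real ecosystems need PEP 440 or npm semver rules.

```python
"""Added example (not IsItPatched's code): SBOM -> inventory -> advisory match ->
KEV/EPSS-ranked patch queue -> CycloneDX VEX and CSV risk register.
The SBOM, advisory table, KEV set and EPSS scores are constructed for this example;
the CVE-0000-* identifiers are placeholders, not real CVEs."""
import json

# Constructed CycloneDX 1.5 SBOM: three components, one of which has no advisories.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/examplelib@1.2.0", "name": "examplelib",
     "version": "1.2.0", "purl": "pkg:pypi/examplelib@1.2.0"},
    {"type": "library", "bom-ref": "pkg:npm/widgetjs@4.0.1", "name": "widgetjs",
     "version": "4.0.1", "purl": "pkg:npm/widgetjs@4.0.1"},
    {"type": "library", "bom-ref": "pkg:pypi/safelib@2.0.0", "name": "safelib",
     "version": "2.0.0", "purl": "pkg:pypi/safelib@2.0.0"}
  ]
}"""

# Constructed advisory table keyed by versionless purl; stands in for an OSV lookup.
# introduced/fixed follow OSV's range-event shape; cvss is a placeholder base score.
ADVISORIES = {
    "pkg:pypi/examplelib": [
        {"id": "CVE-0000-0001", "introduced": "0", "fixed": "1.2.3", "cvss": 9.8},
        {"id": "CVE-0000-0002", "introduced": "1.0.0", "fixed": "1.1.0", "cvss": 5.3},
    ],
    "pkg:npm/widgetjs": [
        {"id": "CVE-0000-0003", "introduced": "4.0.0", "fixed": "4.0.2", "cvss": 7.5},
    ],
}
KEV = {"CVE-0000-0003"}  # constructed "known exploited" set, not CISA's feed
EPSS = {"CVE-0000-0001": 0.91, "CVE-0000-0002": 0.02, "CVE-0000-0003": 0.12}  # constructed


def vkey(version):
    """Dotted-numeric version key. Real ecosystems need their own comparator (PEP 440, npm semver)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(version, adv):
    """OSV range semantics: affected if introduced <= version < fixed."""
    return vkey(adv["introduced"]) <= vkey(version) < vkey(adv["fixed"])


def inventory(sbom_json):
    """ID.AM / 3.4.1: the per-component software inventory, read straight from the SBOM."""
    sbom = json.loads(sbom_json)
    return [{"ref": c["bom-ref"], "name": c["name"], "version": c["version"],
             "pkg": c["purl"].split("@")[0]} for c in sbom["components"]]


def assess(components):
    """ID.RA / 3.11.2: match each component; return (open findings, already-fixed findings)."""
    open_, resolved = [], []
    for c in components:
        for adv in ADVISORIES.get(c["pkg"], []):
            f = {"ref": c["ref"], "name": c["name"], "version": c["version"], "id": adv["id"],
                 "cvss": adv["cvss"], "fixed": adv["fixed"],
                 "kev": adv["id"] in KEV, "epss": EPSS.get(adv["id"], 0.0)}
            (open_ if is_affected(c["version"], adv) else resolved).append(f)
    return open_, resolved


def patch_queue(open_findings):
    """Known-exploited first, then EPSS, then CVSS: the critical-first remediation order."""
    return sorted(open_findings, key=lambda f: (not f["kev"], -f["epss"], -f["cvss"]))


def min_safe_version(open_findings, ref):
    """PR.PS / 3.14.1: lowest version clearing every open finding on a component (max of the fixes)."""
    fixes = [f["fixed"] for f in open_findings if f["ref"] == ref]
    return max(fixes, key=vkey) if fixes else None


def vex_document(open_findings, resolved):
    """CycloneDX VEX: a BOM whose vulnerabilities[] carry an analysis state and affected bom-refs."""
    vulns = []
    for f, state in [(f, "exploitable") for f in open_findings] + [(f, "resolved") for f in resolved]:
        analysis = {"state": state}
        if state == "exploitable":
            analysis["response"] = ["update"]
            analysis["detail"] = ("In KEV; " if f["kev"] else "") + f"upgrade to {f['fixed']} or later"
        else:
            analysis["detail"] = f"{f['version']} is at or past the fixed version {f['fixed']}"
        vulns.append({"id": f["id"], "source": {"name": "constructed-feed"},
                      "ratings": [{"score": f["cvss"], "method": "CVSSv31"}],
                      "analysis": analysis, "affects": [{"ref": f["ref"]}]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "vulnerabilities": vulns}


def risk_register_csv(open_findings):
    """Risk register: one row per open finding, in patch-queue order, citing the exact version run."""
    rows = ["component,version,cve,kev,epss,cvss,min_safe_version"]
    for f in patch_queue(open_findings):
        rows.append(",".join([f["name"], f["version"], f["id"], "yes" if f["kev"] else "no",
                              f"{f['epss']:.2f}", str(f["cvss"]),
                              min_safe_version(open_findings, f["ref"])]))
    return "\n".join(rows)


if __name__ == "__main__":
    comps = inventory(SBOM_JSON)
    open_, resolved = assess(comps)
    print(risk_register_csv(open_))
    print(json.dumps(vex_document(open_, resolved), indent=2))
```

Two things the example makes visible that the bullet list does not. First, the VEX document carries exploitability both ways: the widgetjs and examplelib findings are emitted as `exploitable` with an `update` response, while the older examplelib advisory, whose fix the shipped version already contains, is emitted as `resolved`, which is what stops an assessor re-raising it from a naive scanner report. Second, the patch queue puts the KEV entry ahead of the higher-CVSS, higher-EPSS one, so the order an assessor sees in the CSV is the known-exploited-first order the page promises, not a CVSS sort. To use it against real data, replace the advisory table with an OSV query by purl, the KEV set and EPSS dictionary with the published feeds, and `vkey` with an ecosystem-aware comparator.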

Straight with you: CSF 2.0 is voluntary guidance spanning governance, detection, response and recovery; CMMC is assessed across all applicable 800-171 practices (self-assessed at Level 1, by an accredited C3PAO for Level 2 certification, by DoD for Level 3). IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the software-inventory, vulnerability-identification and flaw-remediation practices specifically, for the software components in your SBOM. It is not an assessor, not a certification, and not legal advice.

NIST CSF 2.0 & CMMC — frequently asked

What are NIST CSF 2.0 and CMMC?

The NIST Cybersecurity Framework 2.0 (2024) organises cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Software inventory and vulnerability management map onto Identify (ID.AM asset management, in particular ID.AM-02, inventories of software, services and systems; and ID.RA risk assessment, in particular ID.RA-01, vulnerabilities in assets are identified, validated and recorded) and Protect (PR.PS platform security, in particular PR.PS-02, software is maintained, replaced and removed commensurate with risk). CMMC is the US Department of Defense certification program for contractors handling FCI/CUI, built on NIST SP 800-171 (with selected 800-172 requirements added at Level 3). The relevant 800-171 practices, in the Rev. 2 numbering that CMMC assessments currently use, are 3.4.1 (baseline configurations and inventories, including software), 3.11.2 (vulnerability scanning, periodically and when new vulnerabilities are identified) and 3.14.1 (identify, report and correct system flaws in a timely manner).

How does IsItPatched help with CSF 2.0 / CMMC?

It produces the asset-inventory and vulnerability evidence those practices expect: scan a CycloneDX/SPDX SBOM to inventory software components (ID.AM / 3.4.1), identify and risk-rank their known and actively-exploited (CISA KEV) vulnerabilities (ID.RA / 3.11.2), get the minimum safe version for flaw remediation (PR.PS / 3.14.1), track end-of-life, and export a risk register / VEX as evidence.

Does IsItPatched make us CSF-aligned or CMMC-certified?

No. CSF 2.0 is voluntary guidance spanning governance, detection, response and recovery; CMMC is assessed across all applicable 800-171 practices (self-assessed at Level 1, by an accredited C3PAO for Level 2 certification, by DoD for Level 3). IsItPatched helps with the software-inventory, vulnerability-identification and flaw-remediation practices specifically, and only for the software components in your SBOM: the hardware side of 3.4.1 and host- and network-level vulnerability scanning under 3.11.2 still need evidence from elsewhere. It is informational, built on public data, not an assessor and not legal advice.

Subject to more than one regime? See all our compliance editions →