Frequently asked questions

TractionGRC is a compliance platform for modern GRC teams. It combines framework work (ISO 27001, SOC 2, NIST CSF, ISO 42001, ISO 27701, CMMC 2.0), supplier assurance (SSPA, SIG, SIG Lite, CAIQ, HITRUST), TractionScore as a shareable 0-to-100 maturity signal, and TractionAI as an AI assistant that drafts policies, mappings, and questionnaire responses for you to review.

No. TractionAI drafts the policies, control mappings, and evidence requests that an experienced compliance person would know to produce, and you review them. The platform walks you through the Clauses 4-10 work and Annex A control selection so the sequence matches what auditors expect at Stage 1 and Stage 2.

Timelines vary based on your starting point and resources. Many organizations reach Stage 1 audit readiness in 3 to 6 months, with Stage 2 certification typically following 2 to 3 months after that. Teams starting from scratch without prior security maturity often take longer.

No. The 14-day free trial on the Starter plan begins immediately with no payment information required. You get access to Starter features including ISO 27001 support and the ability to respond to supplier assurance programs from your customers.

TractionGRC supports ISO 27001, SOC 2, NIST CSF 2.0, CIS Controls, ISO 42001 (AI governance), ISO 27701 (privacy), and CMMC 2.0 across all three levels (L1 Foundational, L2 Advanced, L3 Expert). NIST CSF, CIS Controls, and CMMC Level 1 are available on the Starter plan. ISO 27001, SOC 2, ISO 42001, and CMMC Level 2 are available on Professional. ISO 27701 and CMMC Level 3 are available on Enterprise. Supplier assurance programs like SSPA, SIG, CAIQ, and HITRUST are handled separately through our Supplier Assurance Programs catalog.

ISO 27001 is an international ISMS certification; Clauses 4-10 define the management system, Annex A lists 93 security controls. SOC 2 is a US attestation issued by a CPA firm under AICPA's SSAE 18, scored against the Trust Services Criteria you selected (Security required, plus any of Availability, Processing Integrity, Confidentiality, Privacy). Teams pursuing both run ISO 27001 Annex A as the base library and map Security TSC on top. TractionGRC ships the cross-walk, so one implementation covers both reports.

Starter is $349 per month (up to 5 users), and includes a 14-day free trial. Professional is $999 per month for growing teams. Enterprise is custom-priced based on scale and requirements. See the pricing page for full details on what each plan includes.

Yes. Annual billing is available and typically includes a discount compared to monthly pricing. Speak to our team for annual pricing details.

Yes. You can upgrade or downgrade as your needs change, with prorated billing adjustments.

The 14-day free trial is available on the Starter plan. Professional and Enterprise evaluations happen through a demo and guided trial with our team. Contact us to arrange one.

If you do not continue, your account converts to a limited read-only state. You can export your data at any time. If you continue with a paid plan, your work carries forward without interruption.

It depends on what DoD data your contracts handle. Level 1 (17 practices, annual self-assessment) covers Federal Contract Information (FCI) and applies to nearly every DoD contractor. Level 2 (110 practices aligned to NIST SP 800-171 Rev 2) is required for any contractor handling Controlled Unclassified Information (CUI), and most contracts now require C3PAO third-party certification. Level 3 (24 enhanced practices from NIST SP 800-172, on top of Level 2) targets the small subset of contractors handling the most sensitive CUI on critical programs, assessed by DCMA DIBCAC. The required level appears in your contract solicitation.

Phase 1 began November 10, 2025: contracting officers can include CMMC Level 1 or Level 2 self-assessment requirements in new DoD contracts. Phase 2 begins November 10, 2026 and adds C3PAO third-party certification requirements for Level 2 on most CUI-handling contracts. Phase 3 (November 10, 2027) brings Level 3 government-led assessments. Phase 4 (November 10, 2028) is full implementation across all applicable DoD contracts. CMMC certifications are valid for three years; if you handle CUI, plan a 6-12 month preparation runway before bidding on contracts that require Level 2 certification.

Self-assessment means your organization evaluates its own controls against the CMMC requirements and submits the score to SPRS (Supplier Performance Risk System). This is allowed for CMMC Level 1 and for Level 2 on less sensitive CUI contracts. C3PAO (CMMC Third-Party Assessment Organization) certification means an accredited external assessor evaluates your environment against the 110 Level 2 practices, and the result is a formal certification valid for three years. Starting in Phase 2 (November 2026), most Level 2 contracts will require C3PAO certification rather than self-assessment.

Yes. CMMC requirements flow down to subcontractors per DFARS 252.204-7021. If a prime contractor handles CUI at Level 2, any subcontractor that also processes, stores, or transmits that CUI must meet Level 2 requirements for that scope. If a prime holds Level 3 (DIBCAC) status, subcontractors handling the same data must hold at least Final Level 2 (C3PAO). Small DIB suppliers are squarely in scope, not just large primes.

You get a significant head start. TractionGRC cross-maps CMMC Level 2's 110 practices to ISO 27001:2022 Annex A, so an organization with a mature ISO 27001 program typically has 70 to 80 percent of CMMC Level 2 already covered. NIST CSF, NIST 800-53, and SOC 2 Trust Services Criteria also overlap substantially with 800-171. One control implemented with one piece of evidence shows up against every active framework where it applies, including CMMC.

CMMC 2.0 currently uses NIST SP 800-171 Rev 2 (110 requirements across 14 control families). NIST withdrew Rev 2 and published Rev 3 in May 2024, but the DoD has not yet updated 32 CFR Part 170 to reference Rev 3. DoD guidance explicitly states that Level 2 assessments are conducted against Rev 2 until further rulemaking. TractionGRC's CMMC Level 2 control library uses the Rev 2 baseline; if and when the DoD adopts Rev 3, we will update the library and support the transition.

Supplier assurance programs are structured questionnaires that customers send to their suppliers to review security and privacy practices. TractionGRC supports five starter libraries: Microsoft SSPA, SIG, SIG Lite, CAIQ, and HITRUST i1. You can also build custom programs for your own requirements.

SSPA (Supplier Security and Privacy Assurance) is Microsoft's annual assurance program for suppliers who process Microsoft Personal Data or Microsoft Confidential Data. Suppliers configure a Data Processing Profile (DPP) and attest to the Microsoft Supplier Data Protection Requirements (DPR). Our SSPA starter library is aligned to DPR v12, released in April 2026.

Yes. Responding to assurance programs your customers send you is included on every plan, starting with Starter at $349 per month. Pull evidence from your controls library, reuse previous responses, and let TractionAI draft answers for you to review.

Issuing programs from the catalog (SSPA, SIG, SIG Lite, CAIQ, HITRUST, or custom) is available on Professional and Enterprise plans. This lets you run your own supplier assurance programs, assign them to vendors in your network, and track responses in one view.

SIG (Shared Assessments Standardized Information Gathering) is an extended supplier assurance questionnaire recommended for higher-risk or strategic vendors. SIG Lite is a condensed version suitable for lower-risk vendor reviews. Both starter libraries are included in the Professional and Enterprise catalog.

CAIQ (Consensus Assessments Initiative Questionnaire) is a cloud-focused assurance questionnaire from the Cloud Security Alliance. TractionGRC includes a CAIQ v4.0 starter library for cloud service providers and their customers.

HITRUST i1 is the "Implemented, 1-year" assessment type from the HITRUST CSF family, focused on demonstrated implementation of foundational security controls. Our starter library covers the core controls required for i1 and is commonly used for healthcare and regulated security assurance.

Yes. The starter libraries are editable starting points. You can add requirements, remove ones that don't apply, or build custom programs from scratch to match your specific review process.

Yes. Many SSPA requirements align with ISO 27001 Annex A controls, so evidence collected for one can support the other. TractionGRC cross-maps controls across frameworks and programs to reduce duplicate work.

TractionScore is a 0-to-100 security maturity score calculated across six weighted dimensions: documentation, risk, controls, operations, audit, and connected cloud signals. Risk and controls carry the most weight because they are what auditors sample first. The score updates as evidence gets attached, cloud signals flow in, and findings close.

Yes. You can share a high-level version of your score with customers and partners through a shareable profile, while keeping detailed control information private unless you choose to disclose it.

Bands are calibrated to real audit outcomes: 0-25 Foundational (program not yet structured), 26-50 Developing (first Stage 1 audit would surface nonconformities), 51-75 Established (realistic zone for first ISO 27001 certification or SOC 2 Type II), 76-90 Advanced (surveillance audits move faster each year), 91-100 Optimized (multi-framework program in steady state). The platform ranks the actions that will move the lowest-scoring dimension first.

TractionGRC uses read-only access to collect signals from connected systems. It does not make changes to your environment.

Azure (including Entra ID), AWS, and Google Workspace integrations are supported depending on your plan.

Signals from your cloud systems can be used to confirm certain controls automatically, reducing the need for manual evidence collection.

It provides a visual view of your suppliers and their associated posture, helping you understand dependencies and potential exposure across tiers of your supply chain.

It is a unique identifier assigned to your organization that you can share with customers or partners so they can connect with you directly within the platform. It reduces repeated onboarding and manual supplier questionnaires.

You can still track them manually by entering their details, and invite them to join if you want live score syncing.

We are pursuing ISO 27001 certification and apply the same controls and practices internally that we help customers build. We use TractionGRC to manage our own compliance program, including ISO 27001 readiness, supplier assurance programs, and cloud signal monitoring.

Customer data is hosted in Microsoft Azure in US East. Additional regional options are planned as we scale. Customers with specific data residency requirements should contact us to discuss options.

Yes. You can export key information including controls, policies, evidence, and reports in standard formats at any time.

TractionGRC is designed to support GDPR requirements and operates as a data processor for customer data. A Data Processing Agreement (DPA) is available on request.