What you actually get inside TractionGRC
Every feature mapped to the work it replaces. Running an ISMS, responding to customer questionnaires, tracking supplier assurance, validating cloud controls, and proving the whole thing to auditors. No product-tour fluff.
Frameworks and programs covered
Core ISMS Management
9 features
The foundation of an ISO 27001, SOC 2, NIST CSF, or CMMC program. Scope, risk, controls, documents, audits, and reviews, all in one place instead of across six spreadsheets and a consultant's hard drive.
Context and scope
ISMS scope statement, interested parties register, legal and regulatory requirements, and security objectives. The Clause 4 work auditors trace everything back to.
Risk assessment
Asset register with owners and classification, threat and vulnerability identification, likelihood and impact scoring, treatment plans tied to control implementation.
Controls tracker
One register across ISO 27001 Annex A, SOC 2 TSC, NIST CSF, ISO 42001, and CMMC 2.0 (all three levels). Cross-mapped so a control implemented once counts for every framework that accepts it.
Document center
Version history, approval workflow, and expiry reminders for every policy and procedure. Exports a document index auditors can sample from.
KPI and monitoring
Operational measures tied to specific controls, with thresholds and owners. Feeds management review without another data pull.
Internal audit
Audit program with scope, criteria, and findings log. Links nonconformities to corrective actions with due dates so nothing drifts.
Management review
Review pack auto-assembled from current data: KPIs, incidents, audit findings, risk trends. Records decisions and actions for the next cycle.
Remediation center
One list of what needs fixing, pulled from risks, audit findings, control gaps, and supplier reviews. Sorted by impact on TractionScore and audit readiness.
Readiness tracking
Stage 1, Stage 2, and CMMC C3PAO readiness view by clause and practice. Shows what is done, what is in flight, and what is blocking your certification date.
Guided Support with TractionAI
5 features
Most ISMS work stalls when someone has to write the policy, assess the risk, or assemble the audit pack from scratch. TractionAI drafts. Your team reviews and approves, which is where the judgment actually lives.
Policy drafting
First-draft policies written against your scope, tech stack, and the framework clauses they need to satisfy. Around 25 policies per program, drafted to edit rather than write.
Risk suggestions
Context-aware risk entries with suggested likelihood and impact scores based on your assets and environment. Gets you past the blank-register problem.
Audit checklist drafts
Internal audit checklists tied to ISO 27001 clauses and SOC 2 criteria. Pre-populated with the evidence questions your auditor will ask.
Gap analysis
Finds open issues against your target framework before Stage 1, customer questionnaires, or surveillance audits. Catches what people skip.
Management review packs
Assembles the inputs, outputs, and decision record for ISO 27001 Clause 9.3 reviews. Last-minute management reviews are one of the top sources of nonconformities.
Supplier Assurance Programs
7 features. Respond on every plan.
Your customers send SSPA, SIG, CAIQ, or HITRUST questionnaires. Your suppliers need the same from you. Both sides of that conversation run here, with shared evidence and reusable answers.
Starter libraries
Five included: Microsoft SSPA (aligned to DPR v12, April 2026), SIG, SIG Lite, CAIQ v4.0, and HITRUST i1. Editable to match your program.
Respond to customer requests
Pull evidence from your controls library, reuse previous responses, and export completed questionnaires as a PDF package. Included on every plan, starting with Starter.
Issue programs to suppliers
Pick a starter library or build a custom program. Assign to suppliers, track responses, collect evidence. Professional and Enterprise plans.
Evidence reuse
Answer once, reuse across questionnaires. The platform tracks where each answer came from for audit trails and keeps versions when controls change.
TractionAI-drafted responses
Suggested answers to questionnaire items based on your control library. Review and edit before sending, no blank-page problem.
Cross-map to frameworks
Supplier assurance work reuses ISO 27001 Annex A, SOC 2 TSC, and NIST 800-171 / CMMC L2 evidence. One answer covers the SSPA, SIG, and CMMC questionnaires that often arrive together when you sell into Microsoft and DoD primes.
Reassessment scheduling
Annual reassessments (SSPA runs yearly by default) tracked with reminders. Never get caught out by a contract anniversary you forgot.
TractionScore™ and Security Maturity
6 features
One number for security maturity, weighted across six dimensions of ISMS health. Backed by live signals instead of self-attested percentages. Works for leadership decks, sales conversations, and surveillance audit prep.
Six-dimension scoring
Documentation, risk, controls, operations, audit, and cloud. Each weighted by impact on real audit outcomes, not equal-weight averages.
Live signal backing
Cloud connections and control evidence update the score automatically. A policy approved this morning shows up in the score this afternoon.
Maturity bands
Baseline, Developing, Advanced, Leading. Calibrated against real ISMS maturity models so the band means something in front of an auditor.
Shareable profile
Share a public maturity view with customers and prospects without exposing control details. Drops the 200-page evidence pack from sales cycles.
Registry and requests
Customers and partners can request access to your extended profile. You approve and revoke per relationship.
Trend over time
Month-over-month and quarter-over-quarter movement per dimension. Shows leadership whether the program is actually improving or just holding.
CMMC 2.0 for DoD Contractors
3 features
DoD's mandatory cybersecurity certification under 32 CFR Part 170. Phase 1 enforcement began November 10, 2025. Phase 2 (C3PAO third-party assessment for most CUI handlers) begins November 10, 2026. All three levels ship today, mapped against ISO 27001 so an existing ISMS gives you a 70-80% head start on Level 2.
Three-level control catalog
Level 1 (17 FAR 52.204-21 practices for FCI), Level 2 (110 NIST SP 800-171 Rev 2 practices for CUI), and Level 3 (+24 NIST SP 800-172 enhanced practices for critical CUI). All seeded, all editable, all scoped per organization.
Level 3 prerequisite guard
Activating Level 3 surfaces a soft warning if you don't yet hold Final Level 2 (C3PAO) certification for the same scope. Reflects 32 CFR 170.14(c)(5) without hard-blocking parallel readiness work, so teams can build the L3 control set while their C3PAO assessment is in flight.
Cross-mapping to ISO 27001 Annex A
Every CMMC practice ships with mappings to the matching ISO 27001:2022 Annex A controls. Implement A.5.x or A.8.x once and the platform credits the corresponding 800-171 requirements. Orgs already running ISO 27001 typically start Level 2 at 70-80% coverage.
Cloud Validation and Signal Support
5 features
Read-only cloud connections that verify controls automatically. Stop taking screenshots every audit cycle. Stop answering 'is MFA enforced' from memory.
Azure and Entra
Conditional Access, MFA enforcement, privileged role assignments, encryption status, and audit log retention. Maps directly to ISO 27001 A.5 and A.8 controls and the matching CMMC L2 access-control practices.
Google Workspace
Admin console security posture, account protections, data access controls, and device management signals. Feeds SOC 2 CC6 evidence automatically.
AWS
IAM policy configurations, encryption-at-rest status, CloudTrail logging, and public-exposure checks. Available on Enterprise plans.
Domain surface scan
External-facing posture of your public domains. Checks TLS, email authentication (SPF, DKIM, DMARC), and exposed services. Runs monthly by default.
Automatic control verification
Live signals update control implementation status without manual evidence upload. TractionScore reflects what is actually happening in your environment.
Supplier Network and Ecosystem
5 features
Most vendor reviews die in shared inboxes and dead spreadsheets. Supplier Network organizes them as actual relationships with status, evidence, and review schedules.
VendorConnect™ ID
Unique organization identity for connecting suppliers and customers across TractionGRC accounts. Makes a TractionScore profile shareable with contracted partners.
Network mapping
Relationship view of direct suppliers and their subprocessors. Catches fourth-party risk that most vendor review programs miss entirely.
Connected supplier visibility
When a supplier also uses TractionGRC, their TractionScore and assurance status flow into your view automatically. No email chase for their latest SOC 2 or CMMC certificate.
Interactive supplier view
Visual explorer for relationships and risk propagation. Useful for management reviews, board packs, and auditor walkthroughs.
Manual supplier records
Track suppliers who are not connected yet. Same schedule, same evidence model, just populated by your team instead of syncing live.
Team, Audit, and Platform Operations
6 features
The plumbing your team needs to actually run the thing. Access control, audit-guest portals, compliance calendar, and multi-org switching for consultants and enterprise teams.
Role-based team access
Admin, Contributor, Reviewer, and Read-only roles. Scoped to modules so your dev team can update controls without seeing HR policies.
Auditor guest portal
Time-boxed auditor access to specific evidence with an activity log. Drops the 'share this folder for two weeks' chaos that every audit becomes. Works for ISO 27001 certification bodies, SOC 2 CPAs, and CMMC C3PAO assessors.
Compliance calendar
Review deadlines, audit dates, surveillance cycles, and reassessment anniversaries in one view. Syncs to your team calendar.
Multi-framework cross-mapping
One control implementation counts for ISO 27001, SOC 2, NIST CSF, ISO 42001, and CMMC 2.0. Mapping is maintained centrally so it stays current.
Multi-organization switching
Consultants and enterprise teams manage multiple organizations from one login. Scoped data and independent audit trails per org.
Partner and consultant ecosystem
Built-in connections to consultants and partner firms who know the platform, including RPOs supporting CMMC implementations. Optional, not required, but available when you want outside help.
Pick a starting point
Start a free trial of Starter and walk through Phase 1 in your first week. Book a demo if you would rather see it driven by someone who has run a few of these programs. Or skim pricing to confirm it fits.