Audit evidence: SOC 2 Type II, ISO 27001, and CMMC
Static-analysis security testing is a named requirement in SOC 2 (CC7.1, CC8.1) and ISO 27001 (A.8.28, A.8.29), and supports the secure-development evidence CMMC teams need when preparing around NIST SP 800-171. SiteShadow packages that SAST evidence, in CI, on every commit. Coverage published here; the methodology lives in the detection credibility matrix.
“The mapping is published, the scope is benchmarked, the artifacts are exportable, and the CMMC support stays evidence-bounded.”
- SOC 2 Type II, Trust Services Criteria. SiteShadow generates the SAST artifacts SOC 2 examiners cite for CC7.1 (system monitoring and vulnerability identification) and CC8.1 (change management with security testing). Every scan is a timestamped, exportable artifact.
- ISO/IEC 27001:2022, Annex A. SiteShadow covers A.8.28 (secure coding) and A.8.29 (security testing in development and acceptance), in-product, on every commit. These are the two named Annex A controls that ask for a SAST tool.
- CMMC-aligned evidence packs, NIST SP 800-171 mapped. SiteShadow does not determine a contractor's CMMC status, but it helps map findings to NIST SP 800-171 families and produce monthly scan evidence, SARIF exports, adjudication records, and POA&M-ready unresolved items for vulnerability scanning and flaw remediation discussions.
- Scope that survives auditor scrutiny. 190 CWE mappings, OWASP Top 10 categories represented, ten languages, and 2,011 documented checks. Coverage is published with benchmark methodology and current limitations, not asserted as an absolute claim.
SiteShadow is the SAST inside your compliance program, not the program itself. SiteShadow does not write your policies, does not run your access reviews, and does not replace your GRC platform. SiteShadow is not a certification, not a SOC 2 or ISO 27001 attestation, and not a CMMC certification; it is SAST evidence that supports those compliance programs.