Evidence Engine & Control Assessments
Infracast's Evidence Engine continuously generates cryptographically signed evidence artifacts for every NIST 800-53 control it can assess. Instead of assembling audit evidence manually before each review, your evidence library grows every day — automatically.
Why It Matters
Traditional ATO evidence is collected manually:
- Screenshots of console settings taken hours before the assessor arrives
- Spreadsheet exports that don't match the current state of the environment
- Unsigned PDFs that can be modified after generation with no way to detect tampering
Infracast changes this. Every control assessment is:
- Continuous — generated on a schedule, not scrambled before audits
- Timestamped — cryptographically bound to the exact moment of assessment
- Signed — Ed25519 digital signature, verifiable by anyone with the public key
- Traceable — linked to the specific findings and assets that informed the assessment
How Evidence Is Generated
1. Control Effectiveness Assessment
Infracast evaluates each automatable NIST 800-53 control against your current infrastructure state:
| Result | Meaning |
|---|---|
| Pass | All automated checks for this control pass |
| Partial | Some checks pass, but open findings exist |
| Fail | Critical checks fail — control not implemented |
| Not Assessed | No automated checks available (use GRC attestation) |
2. Artifact Creation
Each assessment creates a signed evidence artifact:
- Control ID, family, and description
- Assessment result and supporting finding IDs
- Asset references (which resources were evaluated)
- Timestamp, tenant ID, content hash
- Ed25519 signature over all fields
3. Evidence Bundles
For ATO submissions, generate a ZIP bundle:
- Signed PDF for each control
- Raw JSON evidence data
- Chain-of-custody manifest (signed separately)
Evidence Library
Access your evidence from the Evidence Library page (/evidence):
- Filter by control family, date range, assessment result
- Download individual artifacts or bulk export as ZIP
- Configure daily/weekly generation schedules
- View generation audit trail
API Reference
```
# Trigger evidence generation
POST /api/v1/tenants/{tenantID}/evidence/generate
{ "control_families": ["AC", "AU", "SC"], "scope": "all" }

# List artifacts
GET /api/v1/tenants/{tenantID}/evidence?control_id=AC-2&from=2026-01-01

# Download signed bundle
GET /api/v1/tenants/{tenantID}/evidence/{evidenceId}/download

# Control effectiveness summary
GET /api/v1/tenants/{tenantID}/evidence/controls
```
Verification
Any party holding the signer's public key can verify an evidence artifact independently:
```
# CLI verification
vulcan evidence verify --file evidence-AC-2-2026-04-15.pdf
✅ Signature valid
Signer: AZgardTek LLC (Infracast)
Signed at: 2026-04-15T00:00:00Z
Control: AC-2 (Account Management)
Result: PASS
```
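What an independent check of this kind involves, as an added example (not Infracast's code or artifact format): the struct fields follow the list under Artifact Creation, while the JSON encoding, the SHA-256 content hash and the `Sign`/`Verify`/`contentHash` names are assumptions. It shows that an artifact edited after signing fails verification even when its content hash is recomputed to match.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Artifact carries the fields the page lists; the encoding is an assumption.
type Artifact struct {
	ControlID, Result, Timestamp, TenantID string
	FindingIDs, AssetRefs                  []string
	ContentHash                            string // hex SHA-256, computed with this field empty
}

// contentHash is deterministic: Go marshals struct fields in declaration order.
func contentHash(a Artifact) string {
	a.ContentHash = ""
	b, _ := json.Marshal(a)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Sign sets the content hash, then signs every field, hash included.
func Sign(priv ed25519.PrivateKey, a Artifact) (Artifact, []byte) {
	a.ContentHash = contentHash(a)
	b, _ := json.Marshal(a)
	return a, ed25519.Sign(priv, b)
}

// Verify checks the hash first, then the signature over all fields.
func Verify(pub ed25519.PublicKey, a Artifact, sig []byte) error {
	if contentHash(a) != a.ContentHash {
		return fmt.Errorf("content hash mismatch")
	}
	if b, _ := json.Marshal(a); !ed25519.Verify(pub, b, sig) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key (constructed)
	a, sig := Sign(priv, Artifact{ControlID: "AC-2", Result: "PARTIAL", TenantID: "tenant-demo"})
	fmt.Println("as signed:", Verify(pub, a, sig))
	a.Result = "PASS"              // edited after signing
	a.ContentHash = contentHash(a) // hash recomputed to match the edit
	fmt.Println("edited and rehashed:", Verify(pub, a, sig))
}
```

The content hash alone only catches accidental changes; the signature check is what binds the artifact to the signer, so the public key has to come from a source the verifier already trusts.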
Control Coverage
Evidence is generated for all automatable controls across:
| Family | Controls |
|---|---|
| AC — Access Control | AC-2, AC-3, AC-6, AC-17 |
| AU — Audit & Accountability | AU-2, AU-3, AU-9, AU-12 |
| CM — Configuration Management | CM-2, CM-6, CM-7, CM-8 |
| IA — Identification & Auth | IA-2, IA-5, IA-8 |
| SC — System & Comms Protection | SC-7, SC-8, SC-13, SC-28 |
| SI — System & Info Integrity | SI-2, SI-3, SI-7 |
Non-automatable controls are handled via POA&M and GRC questionnaire attestation.
Related Features
- POA&M Management — Partial/Fail controls auto-create POA&M items
- Continuous Monitoring — Evidence feeds monthly ConMon packages
- GRC Integrations — Evidence status syncs to eMASS, CSAM, ServiceNow GRC
Availability
| Tier | Access |
|---|---|
| Free / Pro | Not available |
| Business | Evidence generation (on-demand + scheduled) |
| Enterprise | Evidence bundles (ZIP + signed PDFs) |
| Enterprise Plus / Gov | Full ConMon integration, GRC platform sync |