Assessor access to the Axiom dashboard requires credentials provisioned by the system owner's Axiom administrator. Assessor accounts are read-only and cannot modify any system data. You will receive separate login credentials with the assessor role. Dashboard access is at sovereign.tenova.io/login. Contact the system owner's ISSM if you do not have assessor credentials.
Axiom Sovereign Engine is an agentless evidence-collection and deterministic-adjudication platform designed for compliance frameworks that require technical artifact validation. It operates without installing agents on target systems, relying instead on authenticated remote probes to gather evidence.
Axiom does not grant, recommend, or influence certification decisions. It is a technical evidence platform that collects, adjudicates, and preserves system-state data. The platform has no role in the assessment decision process. All PASS/FAIL verdicts reflect deterministic probe results, not compliance judgments.
Assessors receive dedicated credentials that provide scoped, read-only access to the evidence platform. These credentials are separate from the organization's administrative accounts.
| View | Path | Description |
|---|---|---|
| Dashboard | /command |
High-level posture summary with framework scores and trend data. |
| Controls | /controls |
All 216 controls with status, check type, severity, and drill-down to evidence. |
| Ledger | /ledger |
Chronological evidence log with SWT3 anchors and tamper-detection flags. |
| Families | /families |
Controls grouped by NIST 800-53 family (AC, AU, CM, etc.) with per-family metrics. |
| Anchor Verify | /verify |
Single-anchor verification interface for spot-checking witness tokens. |
Assessor accounts do not have access to system configuration, credential management, probe scheduling, or administrative functions. These restrictions ensure that assessor activity cannot alter the system under evaluation.
The Controls page lists all 216 controls in a sortable, filterable table. Each row contains:
Clicking any control row opens the detail view, which includes the full evidence payload and SWT3 anchor.
The Ledger provides a tamper-evident chronological record of every evidence collection event. Each entry includes the control ID, probe timestamp, verdict, SWT3 anchor token, and a link to the raw evidence payload. Entries flagged as TAMPERED are highlighted and should be investigated immediately.
The Families view groups controls by their NIST 800-53 family designation. This view is useful for structured walkthroughs during assessment interviews, allowing the assessor to review all controls within a domain (e.g., all Access Control or all Audit and Accountability controls) in sequence.
Each evidence observation contains:
Axiom produces four verdict types. Each verdict is deterministic: the same system state and probe configuration will always produce the same result.
| Verdict | Meaning | Assessor Action |
|---|---|---|
| PASS | The probe returned output that satisfies the adjudication rule. The technical control is in the expected state. | Review the raw evidence to confirm the probe is testing the correct condition. A PASS verdict does not preclude further examination. |
| FAIL | The probe returned output that does not satisfy the adjudication rule. The technical control is not in the expected state. | Review the raw evidence and adjudication logic. Determine whether the failure reflects a genuine deficiency or a probe-configuration issue. |
| INHERITED | The control is satisfied by an underlying provider (e.g., FedRAMP-authorized IaaS). Axiom records the inheritance source but does not independently verify the provider's authorization. | Verify that the inheritance claim is valid and that the provider's authorization covers the required control. |
| ATTESTATION | The control requires human attestation (e.g., policy review, physical security). Axiom records the attestation but cannot independently verify its accuracy. | Validate the attestation through interview or document examination. Attestation verdicts indicate areas where automated testing is not feasible. |
| Type | Description |
|---|---|
command |
A shell command executed on the target system. Output is captured and evaluated against a deterministic rule. |
attestation |
A human-provided statement recorded in the system. No automated verification is performed. |
service |
An API call to a service endpoint (e.g., cloud provider, directory service) to verify configuration state. |
policy_file |
A configuration file parsed and evaluated against expected values (e.g., sshd_config, audit.rules). |
Every evidence snapshot in Axiom is cryptographically anchored using the Sovereign Witness Token, Tier 3 (SWT3) protocol. These anchors provide tamper-evidence and allow independent verification of evidence integrity.
| Segment | Description |
|---|---|
SWT3 | Protocol identifier |
TIER | Witness tier level (T3 for sovereign) |
PROVIDER | Evidence source system |
UCT | Unified Control Taxonomy identifier |
PROCEDURE | Probe procedure reference |
VERDICT | Adjudication result |
EPOCH | Unix epoch timestamp of evidence collection |
SHA256_12 | First 12 characters of the SHA-256 hash of the evidence payload |
Navigate to /verify and paste any SWT3 anchor token. The system will:
SHA256_12 segment.The deterministic signature ensures that evidence payloads have not been modified after initial collection. If the recomputed hash does not match the anchor, the entry is flagged as TAMPERED and the assessor should treat the associated evidence as unreliable.
Assessors may verify anchors independently using the open-source SWT3 library, without relying on the Axiom platform:
This command parses the token, retrieves the evidence payload via API, recomputes the hash, and reports the verification result. The library source is publicly auditable.
Axiom generates all compliance artifacts in NIST OSCAL (Open Security Controls Assessment Language) format. These machine-readable documents support automated validation and interoperability with government assessment platforms.
| Artifact | OSCAL Model | Endpoint |
|---|---|---|
| System Security Plan | SSP | /api/v1/ssp/export |
| Plan of Action and Milestones | POA&M | /api/v1/poam/export |
| Assessment Results | AR | /api/v1/ar/export |
All generated OSCAL documents are validated against the official NIST OSCAL schemas prior to export. The validation status is included in the artifact metadata. Assessors can independently validate documents using the NIST OSCAL CLI tool.
The SSP, POA&M, and AR share a common system-id and cross-reference each other via OSCAL import-profile and back-matter links. Assessors should verify that:
system-id is consistent across all three documents.To import Axiom OSCAL artifacts into eMASS:
/api/v1/bundle/export (ZIP archive containing SSP, POA&M, and AR).Two adjustments may be required after import:
NIST SP 800-53A Rev 5 defines 2,304 assessment objectives across all control families. Axiom maps its 216 controls against these objectives and classifies coverage into three categories.
| Category | Definition |
|---|---|
| FULL | Axiom can fully satisfy the objective through automated evidence collection. All assessment methods (TEST) for the objective are addressed. |
| PARTIAL | Axiom addresses some elements of the objective but cannot satisfy it entirely. Typically, the TEST method is covered but INTERVIEW or EXAMINE methods require assessor action. |
| NONE | Axiom does not address this objective. The objective requires methods (INTERVIEW, EXAMINE of physical documents, organizational process review) that are outside the scope of automated evidence collection. |
NIST 800-53A defines three assessment methods: TEST, INTERVIEW, and EXAMINE. Axiom operates exclusively in the TEST domain, executing technical probes against live systems. It cannot conduct personnel interviews or examine physical documentation such as printed policies, signed agreements, or facility access logs. This is an inherent limitation of any automated evidence platform and is disclosed transparently.
The full coverage mapping is available through the mock assessment endpoint:
This report includes per-objective coverage classification, the associated Axiom control (if any), and the rationale for the classification. Assessors can use this artifact to plan interview and document-examination activities for objectives not covered by automation.
Evidence passes through three validation stages before a verdict is issued:
Axiom can generate a mock assessment report that simulates the structure and content of a formal assessment output. This is intended as a readiness tool for the organization and a reference for assessors during pre-assessment planning.
Supported framework values: CMMC-v2.0, NIST-800-171, NIST-800-53, NIST-800-53A, FedRAMP-MOD, DoD-RMF, NIST-AI-RMF.
The mock assessment report is a preparation aid generated by the platform. It does not represent an actual assessment finding and should not be cited as evidence. Assessors should use it as a planning tool to identify areas that may require deeper examination.
Every automated probe in Axiom traces directly to a DISA Security Technical Implementation Guide (STIG) benchmark. This provenance chain ensures that assessors can verify the authoritative source of each technical check.
Each probe entry in the provenance manifest includes:
| Field | Description |
|---|---|
| Rule ID | The DISA STIG Rule ID (e.g., SV-230221r858734_rule) that the probe implements. |
| CCI | The Control Correlation Identifier linking the STIG rule to the NIST 800-53 control. |
| SHA-256 | Hash of the STIG benchmark XML file used as the source, enabling verification that the benchmark has not been modified. |
Axiom currently includes probes derived from four DISA STIG benchmarks:
Assessors can independently validate STIG provenance by downloading the original XCCDF benchmark from the DISA STIG Library and comparing:
<Rule> element.<check-content> element.This cross-check can be performed entirely outside of the Axiom platform using standard XML tools.
A machine-readable checklist of all exportable artifacts is available at:
The following artifacts are available for export during an assessment:
| Artifact | Format | Endpoint |
|---|---|---|
| System Security Plan | OSCAL JSON | /api/v1/ssp/export |
| Plan of Action and Milestones | OSCAL JSON | /api/v1/poam/export |
| Assessment Results | OSCAL JSON | /api/v1/ar/export |
| OSCAL Bundle (SSP + POA&M + AR) | ZIP | /api/v1/bundle/export |
| Mock Assessment Report | JSON | /api/v1/mock-assessment |
| C3PAO Checklist | JSON | /api/v1/c3pao/checklist |
| C3PAO POA&M | JSON | /api/v1/c3pao/poam |
| C3PAO SSP | JSON | /api/v1/c3pao/ssp |
| Posture Summary | JSON | /api/v1/posture |
All endpoints require assessor-level authentication. Artifacts are generated on request and reflect the current system state at the time of export.
Axiom is designed with transparent boundaries. The following limitations are disclosed to support accurate assessor expectations.
Axiom classifies 1,006 of 2,304 assessment objectives (43.7%) as having no automated coverage. This classification is intentional and reflects the platform's technical-only scope. Organizations using Axiom are expected to supplement automated evidence with manual processes for uncovered objectives.
Components of the Axiom Sovereign Engine were developed with AI-assisted tooling. In accordance with NIST 800-53 SA-15 (Development Process, Standards, and Tools), this disclosure is provided for transparency. AI assistance was used in code generation, documentation, and test development. All AI-generated outputs were reviewed, validated, and approved by human engineers prior to integration.
Axiom verdicts are technical observations, not compliance determinations. The assessor retains full authority to: