Patriot 7Six // Overwatch7Six

Vigilant · Autonomous · Mission Ready

CMMC readiness built for the defense supply chain.

Overwatch7Six helps small GovCon suppliers organize evidence, map controls, track gaps, prepare SSP/POA&M material, and hold MSPs accountable, across any cloud, identity, or security stack.

In active development, every inquiry gets a direct reply from the founder, not a ticket queue.

Framework-agnostic · Vendor-neutral · Built for CMMC 2.0 Level 2 & NIST SP 800-171

Evidence Record · Sample

AC.L2-3.1.1 · Access Control

System
M365 Tenant · Conditional Access
Owner
IT Manager (Customer)
Confidence
High
Last validated
2 days ago
Validated · Assessor-ready

Illustrative example. Every evidence record traces to a source, a control, and an owner, whatever system it came from.

I. The Problem

Small defense suppliers are asked to meet serious security requirements without the staff, budget, or process maturity to manage readiness cleanly.

Regulatory update · July 13, 2026

The Department of War has suspended CMMC Phase II, the third-party C3PAO certification requirement that was due November 10, 2026, pending a 60-day review. Phase I self-assessment, NIST SP 800-171 reporting, and DFARS 252.204-7012 obligations are unchanged, self-assessed evidence still has to hold up.

Source · U.S. Department of War release, July 13, 2026

110 / 14

NIST SP 800-171 controls a Level 2 assessment covers, across 14 control families

Source · 32 CFR § 170.14(c)(2)

-203 to 110

SPRS score range. Each unmet control costs 1, 3, or 5 points, and partial credit doesn't exist

Source · NIST SP 800-171 DoD Assessment Methodology v1.2.1

180 days

To close every open POA&M item after a Conditional CMMC status, or it's revoked and the assessment restarts

Source · 32 CFR § 170.21

$52M / 9

Recovered in cybersecurity False Claims Act settlements in FY2025 alone, across nine cases

Source · DOJ Civil Division, FY2025 FCA statistics

They don't know what systems are in scope for CUI.

Evidence is scattered across email, SharePoint, tickets, screenshots, cloud portals, and MSP reports.

Their MSP says “we handle security,” but nobody can prove which controls are covered.

Their SSP is incomplete, stale, or written in consultant language nobody owns.

POA&M items exist informally, with no clear owner or deadline attached.

Executives don't know what readiness means in contract-risk terms.

Technical teams don't know what evidence an assessor will expect to see.

SPRS scoring feels disconnected from the day-to-day remediation work.

Satisfying a NIST SP 800-171 control takes evidence: a config export, a ticket, a policy document, a log, mapped to the specific control and assessment objective it supports, with an owner and a validation date attached. Most defense contractors can point to their tools. Fewer can produce that evidence on request, in the format an assessor needs.

II. What This Is

Compliance infrastructure that turns security activity into assessor-ready evidence.

Overwatch7Six doesn’t promise certification. The strongest language here is readiness, evidence, defensibility, assessment preparation, control implementation, and accountability.

Overwatch7Six is

  • A readiness operations system for CMMC 2.0 Level 2 / NIST SP 800-171
  • A contract-readiness platform for defense supply chain companies
  • An evidence organization and control accountability system
  • A bridge between executives, internal IT, MSPs, assessors, and technical operators
  • A vendor-neutral platform that can ingest evidence from any system
  • A way to convert security activity into assessor-usable artifacts

Overwatch7Six is not

  • A generic GRC dashboard
  • A one-click CMMC certification tool
  • A replacement for a C3PAO assessment
  • A cloud-only, Microsoft-only, or Defender-only product
  • A consultant marketplace with a software wrapper
  • A static spreadsheet replacement with prettier screens

III. The Federal Lifecycle

Six stages from first scope to the affirmation that keeps status current. Overwatch7Six doesn’t replace this process, it organizes the evidence you carry through every stage of it.

010203040506
  1. 01 · Scope

    Identify which systems and data touch FCI or CUI. That determines the required CMMC level.

    32 CFR § 170.19

  2. 02 · Assess

    Self-assessment for Level 1 or Level 2 (Self), or a C3PAO or DIBCAC assessment for Level 2 (C3PAO) and Level 3.

    32 CFR §§ 170.15–170.18

  3. 03 · Score

    SPRS score submitted. A POA&M can cover unmet 1- or 3-point controls, never the 5-point critical ones.

    DFARS 252.204-7019/7020

  4. 04 · Conditional

    Up to 180 days to close every open POA&M item, or the status is revoked and the assessment restarts.

    32 CFR § 170.21

  5. 05 · Final

    Certified status. Valid for 3 years for a C3PAO or DIBCAC assessment.

    32 CFR §§ 170.16–170.17

  6. 06 · Affirm

    An affirming official reaffirms continuous compliance in SPRS every year the status stays current.

    32 CFR § 170.22

IV. The Platform

Overwatch Compliance is the front door. One system for control intent, evidence, ownership, and assessment readiness.

Four operating modes carry a customer from first snapshot to a durable operating rhythm, regardless of which vendor holds the underlying data.

01

Readiness Snapshot

Where you stand

A structured starting assessment, not a full audit. Outputs initial control posture, an evidence inventory, missing-evidence list, high-risk gaps, CUI scoping concerns, MSP responsibility questions, a suggested remediation order, and an executive summary.

02

CMMC Sprint

Turning gaps into work

A guided remediation and documentation cycle. Assigns control owners, builds evidence records, produces or cleans up SSP sections, tracks POA&M items, and prepares leadership updates as the sprint runs.

03

Compliance Desk

Staying ready

The ongoing operating layer. Maintains evidence, tracks recurring control activities, captures new system changes, refreshes documentation, and reviews MSP deliverables so readiness doesn't decay after the first push.

04

MSP Partner Kit

For the providers

A packaged lane for MSPs serving defense suppliers. Maps services to CMMC/NIST responsibilities, separates customer-owned from provider-owned controls, and produces customer-ready evidence packets.

Vendors are adapters, not anchors

Azure, AWS, GCP, Entra ID, Defender, CrowdStrike, an MSP’s ticketing system: each is one evidence source among many, not a requirement. Overwatch7Six ingests screenshots, exports, API pulls, policy documents, tickets, logs, and configuration snapshots from whatever the customer actually runs. What persists is the record: what the evidence proves, which control it supports, who owns it, and when it was last validated.

Later modules · evidence-producing security capabilities

Overwatch Mail

Email security evidence, positioned as a control, not a standalone product.

Overwatch Agent

Threat hunting, endpoint visibility, and continuous control validation evidence.

Product North Star

“Show me why you believe this control is implemented.”

Whoever asks, a CEO, an IT manager, an MSP, or an assessor, Overwatch7Six should make the answer easy to find, easy to explain, and hard to fake.

V. MSP Accountability

“We handle security” is not evidence. CMMC responsibility doesn’t disappear because an MSP is involved.

Most small GovCon suppliers depend on an MSP for some or all of their IT. Overwatch7Six makes the shared responsibility model visible, control by control, instead of leaving it as a sentence in a services agreement.

Control familyResponsibilityWhy
Access Control (AC)Joint EvidenceMSP configures conditional access; customer owns the policy
Incident Response (IR)MSP-SupportedMSP runs detection and response under a signed SLA
Configuration Management (CM)MSP-SupportedMSP manages baselines and patch cadence
Awareness & Training (AT)Customer-OwnedCustomer runs annual security awareness training
Media Protection (MP)Customer-OwnedCustomer owns removable-media and sanitization policy
Audit & Accountability (AU)Joint EvidenceMSP retains logs; customer owns the review cadence
Physical Protection (PE)Not CoveredNot addressed in the current MSP contract
Personnel Security (PS)Customer-OwnedCustomer owns onboarding, offboarding, screening

Illustrative example · every organization’s split is different · Overwatch7Six maps yours

Which controls are customer-owned?

Which controls are MSP-supported?

Which controls require joint evidence?

Which controls aren't covered by the MSP contract?

What vendor deliverables are missing?

What proof has the MSP actually provided?

Is the evidence fresh, or stale?

Does the contract match the actual security responsibility?

VI. Evidence & Adapters

Evidence is the product’s most important object, never a random attachment.

Every artifact carries context, an owner, a control mapping, and a review state. Fourteen fields, applied consistently, whatever the evidence is or where it came from.

SourceDate collectedCollector / integrationRelated controlRelated system or assetControl ownerEvidence typeReview statusExpiration / review dateConfidence levelNotesAssessor-facing narrativeInternal-only notesCustomer / MSP marker

Adapter strategy

No single adapter is required for the product to work. Azure is the first reference architecture, not a dependency.

AzureAWSGCPMicrosoft 365Google WorkspaceOktaCloudflareDefenderCrowdStrikeMimecastProofpointJiraServiceNowConnectWiseAutotaskManual Evidence

AWS/GCP/hybrid-ready by design. A Microsoft-aligned deployment path is available for customers already centered on Azure and Entra ID, alongside a manual evidence adapter for customers who aren’t ready for direct API integrations.

VII. AI Doctrine

AI assists. Humans own the claim.

AI reduces friction. It doesn’t get to create unsupported claims on your behalf.

Good AI uses

  • Summarizing evidence
  • Drafting control narratives from verified inputs
  • Mapping evidence candidates to controls
  • Flagging stale or weak evidence
  • Comparing SSP language to uploaded artifacts
  • Finding contradictions between claimed and actual implementation

Bad AI uses

  • Inventing evidence
  • Claiming compliance without proof
  • Generating final SSP language without review
  • Creating fake control implementation statements
  • Replacing assessor judgment
  • Replacing customer sign-off
“Handoff rule: AI can assist, but every assessment-facing claim must trace back to evidence the customer can defend.”

VIII. Deployment

Four ways in. Zero required stack.

Best for speed

SaaS-Hosted

For small suppliers who need to move now and don't want to manage infrastructure.

Best for data control

Customer-Controlled Cloud

Runs in the customer's own Azure, AWS, GCP, or government cloud environment.

Best for providers

MSP-Managed Tenant

For MSP partners serving multiple small defense customers from one tenant.

Best for going slow

Hybrid Evidence Mode

Manual uploads and structured metadata, no direct API integrations required to start.

Future path · Azure Government or AWS GovCloud when customer requirements justify it

IX. What’s at Stake

An SPRS score that doesn’t match reality is a False Claims Act problem, with or without a breach.

01

Enforcement is active, not theoretical

DOJ's Civil Cyber-Fraud Initiative, running since October 2021, has settled fifteen cybersecurity-related False Claims Act cases. More than half closed in fiscal year 2025 alone, recovering over $52 million.

DOJ Civil Division, FY2025 FCA statistics

02

Named settlements, real numbers

Georgia Tech Research Corporation paid $875,000 in September 2025 over DFARS 252.204-7012 and NIST SP 800-171 gaps on Air Force and DARPA work. Raytheon and its successor, Nightwing, paid $8.4 million in May 2025 for the same category of failure across roughly thirty DoD contracts.

DOJ settlement announcements, 2025

03

The theory is misrepresentation

DOJ's own framing of these cases: they are not about being breached. They are about certifying something to the government that wasn't true. An inaccurate SPRS score creates the exposure, whether or not an incident ever happens.

31 U.S.C. §§ 3729–3733

Whistleblowers filed five of DOJ’s eight Initiative-related settlements in 2025 as qui tam actions and took home a rising share of the recovery. A gap between what your SSP claims and what your evidence actually shows is a liability an employee can act on, not just an assessor.

X. The Founder

Built by a compliance professional who has lived the evidence problem, not just diagrammed it.

Bradley A. Baker, Founder, Patriot 7Six LLC

Texas Veterans Commission verified veteran-owned business

Bradley A. Baker

Founder & Sole Principal, Patriot 7Six LLC

“I administer the M365 tenant and Mimecast for a clinical research organization under constant regulatory audit. Access control, retention, and evidence trails are my day job. Overwatch7Six exists because I have seen what happens when that evidence lives in someone’s inbox instead of a system built to defend it in front of an assessor. For a defense contractor, that gap is the difference between a Final CMMC status and a Conditional one that runs out the clock.”

— Bradley Baker, Founder

Service record

Rank
SGT / E-5
MOS
11B · Infantryman
Branch
U.S. Army · RA
Service
1996 – 2002
Discharge
Honorable
Status
Service-Connected Disabled Veteran

Civilian record

Tenure
2005 – Present
Role
Sr. IT Application Administrator
Domain
Clinical Research
Specialty
O365 · DLP · Compliance
Degree
B.S. Information Systems Security
Honors
Honor Graduate · NTHS

Airborne-qualified infantryman with the 82nd Airborne Division, 1996–1999, earning the Expert Infantryman’s Badge. Promoted to Sergeant with the 172nd Infantry Brigade, Fort Wainwright, Alaska, 1999–2002. Two decades in enterprise IT since 2005, including SOX and FERPA-regulated environments, before founding Patriot 7Six LLC.

XI. Stage & Posture

Bootstrapped. Building. Open to the right conversations.

Capital

Bootstrapped

Solo founder, full-time employed elsewhere, building on personal capital and earned time. No outside dilution to date.

Build state

Overwatch7Six · MVP build

In active development. Not yet live. This site describes the product being built, not a shipped platform.

Posture

Selectively open

Not actively raising. Open to mission-aligned angels, veteran-network professionals, and strategic partners: VSOs, PTACs, and government contracting consultants.

Data handling

Built on cloud-native infrastructure with encryption in transit and at rest, strict tenant isolation, and role-based access control. No customer PII, CUI, or unverified regulatory claim leaves the platform for a third-party tool without the customer’s knowledge.

XII. Contact

Request a Readiness Snapshot, or just reach out directly.

Defense contractor, MSP, assessor, or investor, every inquiry gets a direct reply from the founder, not a ticket queue.

Response window · 48 hrs · all inquiries answered personally