Patriot 7Six // Overwatch7Six
Vigilant · Autonomous · Mission ReadyCMMC readiness built for the defense supply chain.
Overwatch7Six helps small GovCon suppliers organize evidence, map controls, track gaps, prepare SSP/POA&M material, and hold MSPs accountable, across any cloud, identity, or security stack.
In active development, every inquiry gets a direct reply from the founder, not a ticket queue.
Framework-agnostic · Vendor-neutral · Built for CMMC 2.0 Level 2 & NIST SP 800-171
Evidence Record · Sample
AC.L2-3.1.1 · Access Control
- System
- M365 Tenant · Conditional Access
- Owner
- IT Manager (Customer)
- Confidence
- High
- Last validated
- 2 days ago
Illustrative example. Every evidence record traces to a source, a control, and an owner, whatever system it came from.
Find your path
GovCon supplier
Need to prove CMMC 2.0 / NIST SP 800-171 readiness to keep or win a contract.
Request a Readiness Snapshot →
MSP
Support defense customers and need to show which controls you actually cover.
See the MSP Accountability Model →
Investor
Mission-aligned angels, veteran-network professionals, or strategic partners.
Reach the founder directly →
I. The Problem
Small defense suppliers are asked to meet serious security requirements without the staff, budget, or process maturity to manage readiness cleanly.
Regulatory update · July 13, 2026
The Department of War has suspended CMMC Phase II, the third-party C3PAO certification requirement that was due November 10, 2026, pending a 60-day review. Phase I self-assessment, NIST SP 800-171 reporting, and DFARS 252.204-7012 obligations are unchanged, self-assessed evidence still has to hold up.
Source · U.S. Department of War release, July 13, 2026
110 / 14
NIST SP 800-171 controls a Level 2 assessment covers, across 14 control families
Source · 32 CFR § 170.14(c)(2)
-203 to 110
SPRS score range. Each unmet control costs 1, 3, or 5 points, and partial credit doesn't exist
Source · NIST SP 800-171 DoD Assessment Methodology v1.2.1
180 days
To close every open POA&M item after a Conditional CMMC status, or it's revoked and the assessment restarts
Source · 32 CFR § 170.21
$52M / 9
Recovered in cybersecurity False Claims Act settlements in FY2025 alone, across nine cases
Source · DOJ Civil Division, FY2025 FCA statistics
They don't know what systems are in scope for CUI.
Evidence is scattered across email, SharePoint, tickets, screenshots, cloud portals, and MSP reports.
Their MSP says “we handle security,” but nobody can prove which controls are covered.
Their SSP is incomplete, stale, or written in consultant language nobody owns.
POA&M items exist informally, with no clear owner or deadline attached.
Executives don't know what readiness means in contract-risk terms.
Technical teams don't know what evidence an assessor will expect to see.
SPRS scoring feels disconnected from the day-to-day remediation work.
Satisfying a NIST SP 800-171 control takes evidence: a config export, a ticket, a policy document, a log, mapped to the specific control and assessment objective it supports, with an owner and a validation date attached. Most defense contractors can point to their tools. Fewer can produce that evidence on request, in the format an assessor needs.
II. What This Is
Compliance infrastructure that turns security activity into assessor-ready evidence.
Overwatch7Six doesn’t promise certification. The strongest language here is readiness, evidence, defensibility, assessment preparation, control implementation, and accountability.
Overwatch7Six is
- A readiness operations system for CMMC 2.0 Level 2 / NIST SP 800-171
- A contract-readiness platform for defense supply chain companies
- An evidence organization and control accountability system
- A bridge between executives, internal IT, MSPs, assessors, and technical operators
- A vendor-neutral platform that can ingest evidence from any system
- A way to convert security activity into assessor-usable artifacts
Overwatch7Six is not
- A generic GRC dashboard
- A one-click CMMC certification tool
- A replacement for a C3PAO assessment
- A cloud-only, Microsoft-only, or Defender-only product
- A consultant marketplace with a software wrapper
- A static spreadsheet replacement with prettier screens
III. The Federal Lifecycle
Six stages from first scope to the affirmation that keeps status current. Overwatch7Six doesn’t replace this process, it organizes the evidence you carry through every stage of it.
01 · Scope
Identify which systems and data touch FCI or CUI. That determines the required CMMC level.
32 CFR § 170.19
02 · Assess
Self-assessment for Level 1 or Level 2 (Self), or a C3PAO or DIBCAC assessment for Level 2 (C3PAO) and Level 3.
32 CFR §§ 170.15–170.18
03 · Score
SPRS score submitted. A POA&M can cover unmet 1- or 3-point controls, never the 5-point critical ones.
DFARS 252.204-7019/7020
04 · Conditional
Up to 180 days to close every open POA&M item, or the status is revoked and the assessment restarts.
32 CFR § 170.21
05 · Final
Certified status. Valid for 3 years for a C3PAO or DIBCAC assessment.
32 CFR §§ 170.16–170.17
06 · Affirm
An affirming official reaffirms continuous compliance in SPRS every year the status stays current.
32 CFR § 170.22
IV. The Platform
Overwatch Compliance is the front door. One system for control intent, evidence, ownership, and assessment readiness.
Four operating modes carry a customer from first snapshot to a durable operating rhythm, regardless of which vendor holds the underlying data.
01
Readiness Snapshot
Where you stand
A structured starting assessment, not a full audit. Outputs initial control posture, an evidence inventory, missing-evidence list, high-risk gaps, CUI scoping concerns, MSP responsibility questions, a suggested remediation order, and an executive summary.
02
CMMC Sprint
Turning gaps into work
A guided remediation and documentation cycle. Assigns control owners, builds evidence records, produces or cleans up SSP sections, tracks POA&M items, and prepares leadership updates as the sprint runs.
03
Compliance Desk
Staying ready
The ongoing operating layer. Maintains evidence, tracks recurring control activities, captures new system changes, refreshes documentation, and reviews MSP deliverables so readiness doesn't decay after the first push.
04
MSP Partner Kit
For the providers
A packaged lane for MSPs serving defense suppliers. Maps services to CMMC/NIST responsibilities, separates customer-owned from provider-owned controls, and produces customer-ready evidence packets.
Vendors are adapters, not anchors
Azure, AWS, GCP, Entra ID, Defender, CrowdStrike, an MSP’s ticketing system: each is one evidence source among many, not a requirement. Overwatch7Six ingests screenshots, exports, API pulls, policy documents, tickets, logs, and configuration snapshots from whatever the customer actually runs. What persists is the record: what the evidence proves, which control it supports, who owns it, and when it was last validated.
Later modules · evidence-producing security capabilities
Overwatch Mail
Email security evidence, positioned as a control, not a standalone product.
Overwatch Agent
Threat hunting, endpoint visibility, and continuous control validation evidence.
Product North Star
“Show me why you believe this control is implemented.”
Whoever asks, a CEO, an IT manager, an MSP, or an assessor, Overwatch7Six should make the answer easy to find, easy to explain, and hard to fake.
V. MSP Accountability
“We handle security” is not evidence. CMMC responsibility doesn’t disappear because an MSP is involved.
Most small GovCon suppliers depend on an MSP for some or all of their IT. Overwatch7Six makes the shared responsibility model visible, control by control, instead of leaving it as a sentence in a services agreement.
| Control family | Responsibility | Why |
|---|---|---|
| Access Control (AC) | Joint Evidence | MSP configures conditional access; customer owns the policy |
| Incident Response (IR) | MSP-Supported | MSP runs detection and response under a signed SLA |
| Configuration Management (CM) | MSP-Supported | MSP manages baselines and patch cadence |
| Awareness & Training (AT) | Customer-Owned | Customer runs annual security awareness training |
| Media Protection (MP) | Customer-Owned | Customer owns removable-media and sanitization policy |
| Audit & Accountability (AU) | Joint Evidence | MSP retains logs; customer owns the review cadence |
| Physical Protection (PE) | Not Covered | Not addressed in the current MSP contract |
| Personnel Security (PS) | Customer-Owned | Customer owns onboarding, offboarding, screening |
Illustrative example · every organization’s split is different · Overwatch7Six maps yours
Which controls are customer-owned?
Which controls are MSP-supported?
Which controls require joint evidence?
Which controls aren't covered by the MSP contract?
What vendor deliverables are missing?
What proof has the MSP actually provided?
Is the evidence fresh, or stale?
Does the contract match the actual security responsibility?
VI. Evidence & Adapters
Evidence is the product’s most important object, never a random attachment.
Every artifact carries context, an owner, a control mapping, and a review state. Fourteen fields, applied consistently, whatever the evidence is or where it came from.
Adapter strategy
No single adapter is required for the product to work. Azure is the first reference architecture, not a dependency.
AWS/GCP/hybrid-ready by design. A Microsoft-aligned deployment path is available for customers already centered on Azure and Entra ID, alongside a manual evidence adapter for customers who aren’t ready for direct API integrations.
VII. AI Doctrine
AI assists. Humans own the claim.
AI reduces friction. It doesn’t get to create unsupported claims on your behalf.
Good AI uses
- Summarizing evidence
- Drafting control narratives from verified inputs
- Mapping evidence candidates to controls
- Flagging stale or weak evidence
- Comparing SSP language to uploaded artifacts
- Finding contradictions between claimed and actual implementation
Bad AI uses
- Inventing evidence
- Claiming compliance without proof
- Generating final SSP language without review
- Creating fake control implementation statements
- Replacing assessor judgment
- Replacing customer sign-off
“Handoff rule: AI can assist, but every assessment-facing claim must trace back to evidence the customer can defend.”
VIII. Deployment
Four ways in. Zero required stack.
Best for speed
SaaS-Hosted
For small suppliers who need to move now and don't want to manage infrastructure.
Best for data control
Customer-Controlled Cloud
Runs in the customer's own Azure, AWS, GCP, or government cloud environment.
Best for providers
MSP-Managed Tenant
For MSP partners serving multiple small defense customers from one tenant.
Best for going slow
Hybrid Evidence Mode
Manual uploads and structured metadata, no direct API integrations required to start.
Future path · Azure Government or AWS GovCloud when customer requirements justify it
IX. What’s at Stake
An SPRS score that doesn’t match reality is a False Claims Act problem, with or without a breach.
01
Enforcement is active, not theoretical
DOJ's Civil Cyber-Fraud Initiative, running since October 2021, has settled fifteen cybersecurity-related False Claims Act cases. More than half closed in fiscal year 2025 alone, recovering over $52 million.
DOJ Civil Division, FY2025 FCA statistics
02
Named settlements, real numbers
Georgia Tech Research Corporation paid $875,000 in September 2025 over DFARS 252.204-7012 and NIST SP 800-171 gaps on Air Force and DARPA work. Raytheon and its successor, Nightwing, paid $8.4 million in May 2025 for the same category of failure across roughly thirty DoD contracts.
DOJ settlement announcements, 2025
03
The theory is misrepresentation
DOJ's own framing of these cases: they are not about being breached. They are about certifying something to the government that wasn't true. An inaccurate SPRS score creates the exposure, whether or not an incident ever happens.
31 U.S.C. §§ 3729–3733
Whistleblowers filed five of DOJ’s eight Initiative-related settlements in 2025 as qui tam actions and took home a rising share of the recovery. A gap between what your SSP claims and what your evidence actually shows is a liability an employee can act on, not just an assessor.
X. The Founder
Built by a compliance professional who has lived the evidence problem, not just diagrammed it.

Texas Veterans Commission verified veteran-owned business
Bradley A. Baker
Founder & Sole Principal, Patriot 7Six LLC
“I administer the M365 tenant and Mimecast for a clinical research organization under constant regulatory audit. Access control, retention, and evidence trails are my day job. Overwatch7Six exists because I have seen what happens when that evidence lives in someone’s inbox instead of a system built to defend it in front of an assessor. For a defense contractor, that gap is the difference between a Final CMMC status and a Conditional one that runs out the clock.”
— Bradley Baker, Founder
Service record
- Rank
- SGT / E-5
- MOS
- 11B · Infantryman
- Branch
- U.S. Army · RA
- Service
- 1996 – 2002
- Discharge
- Honorable
- Status
- Service-Connected Disabled Veteran
Civilian record
- Tenure
- 2005 – Present
- Role
- Sr. IT Application Administrator
- Domain
- Clinical Research
- Specialty
- O365 · DLP · Compliance
- Degree
- B.S. Information Systems Security
- Honors
- Honor Graduate · NTHS
Airborne-qualified infantryman with the 82nd Airborne Division, 1996–1999, earning the Expert Infantryman’s Badge. Promoted to Sergeant with the 172nd Infantry Brigade, Fort Wainwright, Alaska, 1999–2002. Two decades in enterprise IT since 2005, including SOX and FERPA-regulated environments, before founding Patriot 7Six LLC.
XI. Stage & Posture
Bootstrapped. Building. Open to the right conversations.
Capital
Bootstrapped
Solo founder, full-time employed elsewhere, building on personal capital and earned time. No outside dilution to date.
Build state
Overwatch7Six · MVP build
In active development. Not yet live. This site describes the product being built, not a shipped platform.
Posture
Selectively open
Not actively raising. Open to mission-aligned angels, veteran-network professionals, and strategic partners: VSOs, PTACs, and government contracting consultants.
Data handling
Built on cloud-native infrastructure with encryption in transit and at rest, strict tenant isolation, and role-based access control. No customer PII, CUI, or unverified regulatory claim leaves the platform for a third-party tool without the customer’s knowledge.
XII. Contact
Request a Readiness Snapshot, or just reach out directly.
Defense contractor, MSP, assessor, or investor, every inquiry gets a direct reply from the founder, not a ticket queue.
Founder · Direct
founder@patriot7six.com
Investors · Deck & NDA
investors@patriot7six.com
Partnerships · MSPs · C3PAOs · vCISOs
partnerships@patriot7six.com
Response window · 48 hrs · all inquiries answered personally