Track vulnerabilities against GSA CIO-IT Security-21-112 remediation timelines. Monitor CISA KEV alerts. Generate compliance reports that auditors love.
Government contractors face strict vulnerability remediation timelines. Miss a deadline, lose a contract.
Everything you need to track vulnerabilities, meet deadlines, and pass audits.
Automatic remediation deadlines based on GSA CIO-IT Security-21-112. Critical, High, Moderate, and Low timelines calculated from discovery date, adjusted for internet-facing vs internal.
Daily sync with the CISA Known Exploited Vulnerabilities catalog. Automatic 7-day SLA override for actively exploited vulnerabilities. Instant SLA breach detection and notifications.
Generate gap analysis reports for auditors in one click. Export to PDF and CSV. Track compliance scores over time with full audit trail documentation.
Import vulnerability data from Radar, Nessus, Qualys, or CSV. Automatic deduplication across scanners. NVD enrichment for accurate CVSS scoring.
Track internet-facing vs internal assets. Auto-apply correct SLA timelines. Organize by system boundary. See compliance status at a glance per asset group.
Manage multiple government clients from a single dashboard. Complete data isolation. Per-org policies and billing. Role-based access control built in.
Per GSA CIO-IT Security-21-112 — the deadlines your auditor checks
| Severity | Internet-Facing | Internal |
|---|---|---|
| Critical | 15 days | 30 days |
| High | 15 days | 30 days |
| Moderate | 90 days | 90 days |
| Low | 180 days | 180 days |
| CISA KEV | 7 days (overrides all severities) | |
Import your vulnerability data, track deadlines, and generate audit-ready reports.
Upload scan results from Radar, Nessus, Qualys, or CSV. Auto-deduplicated and enriched.
Assets auto-tagged as internet-facing or internal. Correct SLA timelines applied instantly.
Monitor remediation progress in real time. Get alerts before deadlines hit. Track SLA breaches.
Generate gap analysis and compliance reports. PDF and CSV exports ready for your auditor.
Full visibility into every vulnerability, every deadline, every SLA.
Start free. Scale as your compliance needs grow.
Up to 25 assets. Perfect for small contractors.
Up to 100 assets. Built for growing teams.
Unlimited assets. For MSPs and large contractors.
GSA CIO-IT Security-21-112 defines mandatory remediation timelines for vulnerabilities found on federal contractor systems. It specifies how quickly Critical, High, Moderate, and Low severity vulnerabilities must be fixed, with tighter deadlines for internet-facing assets. Radar Comply automates tracking against these timelines so you never miss a deadline.
The CISA Known Exploited Vulnerabilities (KEV) catalog lists CVEs that are being actively exploited in the wild. When a vulnerability in your environment appears in the KEV catalog, it overrides all other SLA timelines with a mandatory 7-day remediation window. Radar Comply syncs with KEV daily and instantly adjusts deadlines and alerts when your vulnerabilities appear.
Radar Comply accepts imports from multiple scanners: Oscar Six Radar, Nessus, Qualys, and generic CSV files. You run your existing scanners, export the results, and upload them to Radar Comply. We automatically deduplicate findings, enrich with NVD data for accurate CVSS scores, and begin SLA tracking from the discovery date.
When you add assets to Radar Comply, you classify them as internet-facing or internal. This classification determines which SLA timelines apply — internet-facing systems have shorter remediation windows (15 days for Critical/High vs 30 days for internal). You can organize assets by system boundary and bulk-classify them.
Yes. Radar Comply supports multi-tenant management out of the box. MSPs and IT consultants serving government clients can manage all their organizations from a single dashboard with complete data isolation, per-org policies, and separate compliance reporting.
Radar Comply generates compliance gap analysis reports showing your current compliance score, open vulnerabilities, SLA breaches, remediation timelines, and historical trends. Reports are available in PDF and CSV formats. Auditors can see exactly which vulnerabilities are open, when they were discovered, when they're due, and what remediation efforts have been documented.
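The deadline rules in the table and answers above (deduplicate across scanners, pick the window by severity and exposure, apply the 7-day KEV override, flag breaches) can be sketched as follows. This is an added example, not Radar Comply's code; the `Finding` record, the merge rule, the placeholder CVE ids, and counting the KEV window from the discovery date are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Days to remediate, from the table on this page: (internet-facing, internal)
SLA_DAYS = {"critical": (15, 30), "high": (15, 30), "moderate": (90, 90), "low": (180, 180)}
KEV_DAYS = 7  # KEV row: overrides every severity
RANK = ["low", "moderate", "high", "critical"]

@dataclass(frozen=True)
class Finding:  # hypothetical record shape for an imported scan result
    scanner: str
    asset: str
    cve: str
    severity: str  # assumed already normalised to lowercase
    discovered: date

def dedupe(findings):
    """Merge the same CVE on the same asset reported by several scanners.
    Assumption: keep the earliest discovery date and the highest severity."""
    merged = {}
    for f in findings:
        key = (f.asset.lower(), f.cve.upper())
        prev = merged.get(key)
        if prev is not None:
            f = replace(prev, discovered=min(prev.discovered, f.discovered),
                        severity=max(prev.severity, f.severity, key=RANK.index))
        merged[key] = f
    return merged

def report(findings, internet_facing, kev, today):
    """Return (asset, cve, due date, breached) for each unique finding."""
    rows = []
    for (asset, cve), f in sorted(dedupe(findings).items()):
        facing_days, internal_days = SLA_DAYS[f.severity]
        days = facing_days if asset in internet_facing else internal_days
        if cve in kev:
            days = KEV_DAYS  # assumption: the 7 days also run from discovery
        due = f.discovered + timedelta(days=days)
        rows.append((asset, cve, due, today > due))
    return rows

# Constructed sample data; the CVE ids are placeholders, not real entries.
FINDINGS = [
    Finding("nessus", "web01", "CVE-0000-0001", "high", date(2024, 3, 1)),
    Finding("qualys", "web01", "CVE-0000-0001", "critical", date(2024, 3, 4)),
    Finding("nessus", "db01", "CVE-0000-0001", "high", date(2024, 3, 1)),
    Finding("csv", "db01", "CVE-0000-0002", "low", date(2024, 3, 1)),
]
INTERNET_FACING = {"web01"}  # lowercase asset names
KEV = {"CVE-0000-0002"}      # stand-in for the synced KEV catalog

if __name__ == "__main__":
    for row in report(FINDINGS, INTERNET_FACING, KEV, date(2024, 3, 20)):
        print(row)
```
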