CAAMS Enterprise is a fully self-hosted GRC platform — from tool inventory to auditor-ready report across CIS, NIST, SOC 2, PCI DSS, and HIPAA — with full lifecycle management, evidence workflows, and multi-format exports.
From first assessment to final sign-off — every workflow is covered.
Select your tools; CAAMS automatically computes covered, partial, and uncovered controls using capability tags. No manual mapping.
Upload files per-control with descriptions and expiry dates. Admins approve or reject with reasons. Package everything into a ZIP in one click.
Log findings with critical → informational severity, remediation owner, and target date. Full status lifecycle from open through remediated and accepted.
Create Requests for Information with priorities and due dates. Assignees respond inline; admins close RFIs when resolved. Full thread history preserved.
Org-wide posture across all active assessments. Per-framework scores, open findings by severity, overdue controls, and the assessment renewal pipeline.
Tag-based automatic overlap mapping between any two frameworks. See which SOC 2 controls your CIS assessment already satisfies — and what's missing.
Generate scoped, time-limited share links for external auditors. No account creation — auditors get read-only access to exactly what you share.
Every state-changing action — lifecycle transitions, evidence approvals, overrides — is recorded with user, timestamp, IP, and detail payload. Entries cannot be edited.
Full FastAPI backend with Swagger at /docs. Generate long-lived API tokens for CI/CD pipelines and external integrations.
Formally accept residual risk on any control with a rated justification (critical → low), named approver, and expiry date. Accepted risks surface in the XLSX export and audit trail.
Additional frameworks can be added by dropping a JSON file into app/data/.
CIS Controls: the internet security essentials — 18 controls mapping to real-world defenses.
NIST CSF: 6 functions and 22 categories covering the full cybersecurity lifecycle.
SOC 2: Trust Services Criteria — the standard for service organization compliance.
PCI DSS: payment card industry requirements for organizations handling cardholder data.
HIPAA: Security Rule standards for protecting electronic protected health information.
Add your own framework
Drop a JSON file into app/data/ and re-run seed.py.
Framework Crosswalk
The crosswalk engine automatically identifies which controls in Framework A are already satisfied by your Framework B assessment — no manual mapping required.
Every assessment moves through a formal lifecycle with signed-off stage transitions and an immutable audit trail on every action.
Create the assessment, select the framework, add tools in scope, set ownership, and upload initial evidence.
Contributors submit for review. Admins close RFIs, resolve findings, and can return to draft if changes are needed.
Admin approves. Exports are generated. Auditor share links can be issued for external review.
Completed assessments archived for historical reference. All data and audit trails preserved.
Recurring assessments
Mark any assessment as recurring with a configurable interval (e.g. every 90 days). CAAMS tracks the next review date and surfaces overdue renewals on the dashboard — so nothing slips between audit cycles.
Every endpoint enforces role checks. Roles are assigned at account creation — no extra configuration.
Full access — create/delete assessments, manage users, approve lifecycle transitions, manage API tokens, review and approve evidence.
Create and edit assessments, update notes and ownership, upload evidence, log findings, create and respond to RFIs.
Read-only access to all assessments, results, evidence, and findings. Ideal for executives and stakeholders.
External auditor access via scoped share links — no account needed. Read-only visibility limited to exactly the controls you share, with a comment thread for RFI-style questions.
Three export formats cover every stakeholder — the auditor, the CISO, and everyone in between.
GET /assessments/{id}/export
GET /assessments/{id}/export/pdf
GET /assessments/{id}/export/evidence-package
CAAMS doesn't just pass/fail controls. Partial coverage is measured and scored honestly.
Covered: all required capability tags satisfied by selected tools.
Partial: some required tags present, but not all.
Uncovered: no required capability tags satisfied.
Coverage Score Formula
score = (covered + 0.5 × partial) / applicable_total × 100
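The tag-based covered/partial/uncovered classification and score formula above, together with the overlap mapping described under Framework Crosswalk, as an added Python illustration that is not CAAMS's own code: the control ids, capability tags, tool inventory and the rule that only fully covered source controls carry their tags across the crosswalk are constructed assumptions; only the score formula comes from the page.

```python
# Added illustration, not CAAMS's own code: ids, tags, tools and the crosswalk rule are assumed.

# Constructed frameworks: control id -> required capability tags.
FRAMEWORK_B = {
    "B-1": frozenset({"asset-inventory"}),
    "B-2": frozenset({"edr", "av"}),
    "B-3": frozenset({"mfa", "sso"}),
    "B-4": frozenset({"backup", "backup-test"}),
}
FRAMEWORK_A = {
    "A-1": frozenset({"asset-inventory", "edr"}),
    "A-2": frozenset({"mfa"}),
    "A-3": frozenset({"dlp"}),
}
# Constructed tool inventory: tool -> capability tags it provides.
TOOLS = {
    "inventory-agent": {"asset-inventory"},
    "endpoint-suite": {"edr", "av"},
    "identity-provider": {"mfa"},
}


def classify(required, available):
    """covered: every required tag present; partial: some; uncovered: none."""
    hit = required & available
    if hit == required:
        return "covered"
    return "partial" if hit else "uncovered"


def coverage(framework, tools):
    """Per-control status plus the page's score:
    (covered + 0.5 * partial) / applicable_total * 100 (0.0 if nothing is in scope)."""
    available = set().union(*tools.values())
    status = {cid: classify(req, available) for cid, req in framework.items()}
    covered = sum(s == "covered" for s in status.values())
    partial = sum(s == "partial" for s in status.values())
    applicable = len(framework)
    score = (covered + 0.5 * partial) / applicable * 100 if applicable else 0.0
    return status, round(score, 1)


def crosswalk(target, source, tools):
    """Assumed rule: only fully covered source controls demonstrate their tags,
    so a partially covered source control satisfies nothing in the target."""
    src_status, _ = coverage(source, tools)
    demonstrated = set().union(*(source[c] for c, s in src_status.items()
                                 if s == "covered"))
    return {cid: classify(req, demonstrated) for cid, req in target.items()}
```

With the sample data, B-3 is partial (mfa present, sso missing) and B-4 uncovered, so the score is (2 + 0.5 × 1) / 4 × 100 = 62.5; the crosswalk then marks A-1 covered while A-2 stays uncovered because its mfa tag is only demonstrated by a partially covered source control.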
Three commands. No Docker, no cloud account, no YAML sprawl — just Python on your server.
Pull the repo and generate a self-signed cert (or drop in your CA cert). That's the only prereq.
sudo bash install_service.sh handles everything else — venv, deps, system user, secret key, DB seed, and systemd unit.
CAAMS is running at https://<your-host>:8443, starts on boot, and logs to journald.
```console
# 1. Clone the repo
$ git clone https://github.com/naterohrer/caams-enterprise-prod
$ cd caams-enterprise-prod

# 2. Generate a TLS certificate (skip if you already have cert.pem + key.pem)
$ mkdir -p certs
$ openssl req -x509 -newkey rsa:4096 \
    -keyout certs/key.pem -out certs/cert.pem \
    -sha256 -days 3650 -nodes \
    -subj "/CN=$(hostname)" \
    -addext "subjectAltName=DNS:$(hostname)"

# 3. Run the installer — this is the only sudo command
$ sudo bash install_service.sh
========================================
  CAAMS service installer
========================================
  Install dir:   /opt/caams
  Service user:  caams
========================================
[+] Checking prerequisites…
[+] Found python3 at /usr/bin/python3
[+] Syncing repo → /opt/caams …
[+] Creating virtualenv at /opt/caams/venv …
[+] Installing Python dependencies into venv …
[+] Dependencies installed.
[+] TLS certificate: OK
[+] Creating system user 'caams' …
[+] Setting ownership on /opt/caams …
[+] Generating /etc/caams.env …
[+] Generated CAAMS_SECRET_KEY and wrote /etc/caams.env
[+] Seeding database …
[+] Installing /etc/systemd/system/caams.service …
[+] Reloading systemd daemon …
[+] Enabling caams.service (auto-start on boot) …
[+] Starting caams.service …
========================================
[+] Installation complete!
========================================
caams.service - CAAMS Compliance Auditing Tool
     Loaded: loaded (/etc/systemd/system/caams.service; enabled)
     Active: active (running)

Useful commands:
  systemctl status caams    — check status
  systemctl restart caams   — restart after config changes
  journalctl -u caams -f    — tail live logs

# Done. CAAMS is live at https://your-host:8443
```
```bash
# Manual alternative to install_service.sh: run directly from the checkout
pip install -r requirements.txt
python seed.py

mkdir -p certs
openssl req -x509 -newkey rsa:4096 \
    -keyout certs/key.pem \
    -out certs/cert.pem \
    -sha256 -days 3650 -nodes \
    -subj "/CN=localhost"

export CAAMS_SECRET_KEY="$(python3 -c \
    'import secrets; print(secrets.token_hex(32))')"
bash start.sh
# → https://localhost:8443
```
| Variable | Required | Description |
|---|---|---|
| CAAMS_SECRET_KEY | Required | 64-char hex key to sign JWTs. Auto-generated by installer. |
| CAAMS_CORS_ORIGIN | Optional | Intranet hostname for credentialed cross-origin requests. |
| CAAMS_HOST | Optional | Bind address (default: 0.0.0.0). |
| CAAMS_PORT | Optional | Port (default: 8443). |
No external auth providers. No object storage. No message brokers. Just Python on your server.
CAAMS is free and open-source. Deploy to your own infrastructure in minutes, keep your compliance data on-prem, and generate auditor-ready reports whenever you need them.