The Anvil Suite
Two purpose-built tools that cover the full compliance lifecycle — from SSP authoring to formal assessment execution.
Desktop SSP Authoring App · One-time $50
Author System Security Plans against any loaded catalog. Works fully offline — your data stays on your machine. Export to OSCAL JSON for direct import into Anvil CRAFT, or to Word and PDF for human distribution.

Your SSP library
All your SSP drafts in one place. Start a new plan, import a backup, or pick up where you left off.
Catalog-driven
Load any catalog — NIST SP 800-53, CIS, or custom. The control structure follows the catalog, not a hardcoded template.
Backup & restore
Export a full backup of any SSP at any time. Import it back on any machine running Anvil FORGE.

System characterization
System identification per NIST SP 800-18 Section 1. Agency identifier, operational status, and system type — structured fields, not free text.
FIPS 199 categorization
Set overall security categorization and individual impact levels for Confidentiality, Integrity, and Availability directly in the tool.
Branded exports
Upload your organization logo and it appears on the cover page and headers of all exported Word and PDF documents.

Full control hierarchy
Every control family, control, and enhancement from the loaded catalog. The sidebar keeps you oriented across all 119 controls without losing context.
Objective-level authoring
Control statements and assessment objectives are shown together. Write your implementation narrative against the objectives that will be tested during assessment.
Maps directly to CRAFT
Implementation narratives export in OSCAL JSON and pre-fill the corresponding fields in Anvil CRAFT on import — no manual re-entry.
Control Risk Assessment Framework Tool · From $20/seat/mo
A web-based assessment platform built around the full lifecycle of a formal security assessment — scoping, execution, findings, reporting, and POA&M tracking. Built for teams, designed around how assessors actually work.
Anvil CRAFT — Assessment Dashboard
Assessment overview
All active assessments at a glance. Progress rings show completion by control family, so you can see what's done, what's in progress, and what needs attention.
Collaborative by design
Assign control families to individual assessors. Each assessor works their assigned controls independently while managers track progress across the full assessment in real time.
Multiple assessments
Manage multiple active assessments simultaneously. Each assessment is isolated with its own team, timeline, and findings.
Anvil CRAFT — Assessment Workspace
Objective-level findings
Document findings at the assessment objective level — not just the control. Satisfied, other-than-satisfied, and not applicable statuses with supporting narratives for each objective.
SSP pre-fill from FORGE
Import an OSCAL SSP from Anvil FORGE and implementation narratives pre-fill the corresponding controls. Assessors start with context, not a blank form.
Finding propagation
Apply a finding from one control to related controls across the assessment with a single action — consistent documentation without repetitive data entry.
Anvil CRAFT — Reports
Security Assessment Report
Generate a full SAR from your assessment findings. Structured output that follows the assessment results — not a blank template you fill in after the fact.
POA&M generation
Export a Plan of Action & Milestones as HTML or CSV from other-than-satisfied findings. Ready to hand to the system owner.
Executive summary
A concise executive-level view of assessment results — overall posture, findings summary, and key recommendations for leadership distribution.