Post by NR Labs
People hear "CMMC is prescriptive" and think that is a limitation. The deterministic nature of CMMC makes it one of the best frameworks for GRC engineering.

Every control tells you exactly what to assess. The assessment objectives are defined. The evidence requirements are known. The pass/fail criteria are binary.

That means we can engineer for it.

- If a control requires monitoring at the external boundary, we can build a pipeline that validates monitoring is active
- If a control requires MFA, we can query the identity provider and confirm enforcement programmatically
- If a control requires encryption, we can scan configurations and produce evidence automatically

The prescriptive nature of CMMC is what makes it engineerable.

#CMMC #GRCEngineering
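As an added illustration of the three bullets above (this is example code written for this page, not NR Labs' own tooling), the script below turns each control statement into a binary check that consumes a system export and emits an evidence record. The export shapes (`IDP_EXPORT`, `CONFIG_SCAN`, `MONITORING_EXPORT`) are constructed sample data standing in for what an identity provider API, a configuration scanner and a monitoring platform would return; the control labels such as `MFA-ENFORCED` are placeholders, not CMMC practice identifiers. One service is deliberately configured with an old TLS minimum so the encryption check fails and shows what a FAIL record with evidence looks like.

```python
"""Deterministic control checks with evidence output (added example, not the post's code)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
import json
from typing import Any


@dataclass(frozen=True)
class Finding:
    control: str            # placeholder label, not a CMMC practice identifier
    objective: str          # the assessment objective being tested
    status: str             # "PASS" or "FAIL": the criteria are binary
    evidence: dict[str, Any]  # what the assessor needs to see to agree


# --- Constructed sample exports (assumed shapes, not real API output) ---
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

IDP_EXPORT = {
    "policies": [
        {"name": "Require MFA - all users", "state": "enabled",
         "applies_to": "all_users", "require_mfa": True, "exclusions": []},
    ],
    "users": [
        {"upn": "alice@example.test", "mfa_enrolled": True},
        {"upn": "bob@example.test", "mfa_enrolled": True},
    ],
}

CONFIG_SCAN = {
    "services": [
        {"name": "portal", "tls_min_version": "1.2"},
        {"name": "legacy-api", "tls_min_version": "1.0"},  # weak setting on purpose
    ],
}

MONITORING_EXPORT = {
    "sensors": [
        {"id": "ids-edge-1", "location": "external_boundary",
         "last_heartbeat": "2024-06-01T11:55:00+00:00"},
        {"id": "ids-internal-1", "location": "internal",
         "last_heartbeat": "2024-06-01T11:59:00+00:00"},
    ],
}


def check_mfa(idp: dict) -> Finding:
    """MFA control: an enabled, exclusion-free policy must require MFA for all users,
    and every account must actually be enrolled."""
    enforcing = [p["name"] for p in idp["policies"]
                 if p["state"] == "enabled" and p["applies_to"] == "all_users"
                 and p["require_mfa"] and not p["exclusions"]]
    unenrolled = [u["upn"] for u in idp["users"] if not u["mfa_enrolled"]]
    ok = bool(enforcing) and not unenrolled
    return Finding("MFA-ENFORCED", "MFA is enforced for all accounts",
                   "PASS" if ok else "FAIL",
                   {"enforcing_policies": enforcing, "unenrolled_users": unenrolled})


def check_encryption(scan: dict, minimum: str = "1.2") -> Finding:
    """Encryption control: every service must negotiate at least the TLS minimum."""
    def version(v: str) -> tuple[int, ...]:
        return tuple(int(x) for x in v.split("."))
    weak = [s["name"] for s in scan["services"]
            if version(s["tls_min_version"]) < version(minimum)]
    return Finding("TLS-MINIMUM", f"All services require TLS >= {minimum}",
                   "PASS" if not weak else "FAIL",
                   {"services_checked": len(scan["services"]), "weak_services": weak})


def check_boundary_monitoring(mon: dict, now: datetime,
                              max_age: timedelta = timedelta(minutes=15)) -> Finding:
    """Boundary monitoring control: at least one external-boundary sensor must have
    reported within max_age; stale sensors are recorded as evidence either way."""
    live, stale = [], []
    for s in mon["sensors"]:
        if s["location"] != "external_boundary":
            continue
        age = now - datetime.fromisoformat(s["last_heartbeat"])
        (live if age <= max_age else stale).append(s["id"])
    return Finding("BOUNDARY-MONITORING", "External boundary monitoring is active",
                   "PASS" if live else "FAIL",
                   {"live_sensors": live, "stale_sensors": stale,
                    "max_age_minutes": int(max_age.total_seconds() // 60)})


def run_assessment(idp: dict, scan: dict, mon: dict, now: datetime) -> list[Finding]:
    """Run every check and return the findings in a fixed order."""
    return [check_mfa(idp), check_encryption(scan), check_boundary_monitoring(mon, now)]


def evidence_json(findings: list[Finding]) -> str:
    """Serialize findings as the evidence package an assessor would review."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    print(evidence_json(run_assessment(IDP_EXPORT, CONFIG_SCAN, MONITORING_EXPORT, NOW)))
```

Each check returns the same record shape regardless of outcome, so the pipeline can be scheduled and its output diffed over time; a FAIL carries the specific offending items (here `legacy-api`) rather than just a verdict, which is the evidence an assessor actually asks for.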