✅ Evidence-Backed Compliance

Evidence-Backed Compliance: Proven or Attested

A scanner can only prove the controls it can see. SBCMSP shows every control as automated, attested, or undocumented — then generates the shortest possible questionnaire to close the gaps honestly.

Control Coverage: yourclient.com
82 (B)
NIST CSF 2.0 · evidence-backed
Encryption in transit: AUTOMATED
Backup & recovery: ATTESTED
Awareness training: ATTESTED
Incident response plan: UNDOCUMENTED
Vendor risk management: UNDOCUMENTED

Half of Compliance Isn’t Technical

Automated scanning nails the technical half of any framework — encryption, configuration, access. But policy, training, incident response, and vendor management aren’t things a scanner can see. Most tools quietly mark those “unknown” and inflate the score anyway.

SBCMSP is honest about it. Every control shows one of three states: automated (proven by a scan or a connected integration), attested (a person affirmed it, recorded with their email, IP, and timestamp), or undocumented (the real gap).

For the undocumented controls, the platform generates the shortest possible questionnaire targeting only what’s missing. Answer once, and the report cites your attestation with a date — and because controls are grouped into concept families, one answer satisfies the equivalent control in every other framework.

01 Automated
Proven by a live scan result or a connected evidence integration — no human action.
02 Attested
A person affirmed the control, recorded with their email, IP, and a timestamp.
03 Undocumented
No scan signal and no attestation yet — the honest gap the questionnaire closes.

Answer Once, Satisfy Many

Concept families propagate a single answer across every framework’s equivalent control.

AWARE · Security Awareness: Training across CSF, SOC 2, ISO, CIS…
IR · Incident Response: One answer, mapped to every framework
BACKUP · Backup & Recovery: Recovery evidence, shared across standards
VENDOR · Vendor Management: Third-party risk, once
EDR · Managed Detection: Endpoint defense evidence
HR · Personnel Lifecycle: Screening + offboarding

Close the Gap in Three Steps

Automated where possible, attested where needed.

🔍 1. Scan Automatically
Every scan source marks the technical controls it can prove as automated — no questionnaire for those.
2. Answer the Short List
An AI-generated questionnaire targets only the undocumented controls — the shortest path to full coverage.
🗺️ 3. Propagate Everywhere
One attestation satisfies the equivalent control across every framework via concept families.
⏱️ Timestamped Evidence
Each attestation records who affirmed it, from what IP, and when — audit-ready by construction.
🔒 Human Answer Wins
A person’s attestation always outranks an automated sync — nightly refreshes never overwrite an answer.
📈 Live Coverage
A per-framework strip shows automated / attested / undocumented counts at a glance.

Common Questions About Evidence-Backed Compliance

What do automated, attested, and undocumented mean?
Automated means the control is proven by a live scan result or a connected evidence integration. Attested means a person affirmed it, recorded with their email, IP, and a timestamp. Undocumented means there is no scan signal and no attestation yet — the real gap.
Do I have to answer the same question for every framework?
No. Controls are grouped into concept families, so answering a control in one framework propagates the same evidence to the equivalent control in every other framework you assess.
Is the questionnaire AI-generated?
Yes. For the undocumented controls, the platform uses AI to generate the shortest possible questionnaire, targeting only what the scanner can’t see. Your answers are cited in the report with a timestamp.
Does an attestation get overwritten by a scan?
No. A human attestation always outranks an automated sync. A nightly integration refresh can fill undocumented gaps but never overwrites an answer a person gave.
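The three-state evidence model, the concept-family propagation and the human-answer-wins rule described in the three steps above and restated in these answers, as an added Python example. This is not SBCMSP's code; the framework names, control ids, family keys and the sample e-mail and IP values are constructed placeholders, and automated scan evidence is kept per control (only human attestations propagate through a family), which is an assumption about the product's behaviour.

```python
"""Evidence-backed control coverage: automated / attested / undocumented.

Added illustration, not SBCMSP's code. Frameworks, control ids, family keys
and the sample e-mail/IP values are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Status(Enum):
    AUTOMATED = "automated"        # proven by a scan or a connected integration
    ATTESTED = "attested"          # a person affirmed it (email, IP, timestamp)
    UNDOCUMENTED = "undocumented"  # no scan signal and no attestation yet


@dataclass(frozen=True)
class Attestation:
    email: str
    ip: str
    at: datetime


@dataclass(frozen=True)
class Evidence:
    status: Status
    source: str                             # scanner / integration name, or "human"
    attestation: Optional[Attestation] = None


# Constructed concept families: family key -> {framework: equivalent control id}.
# The set of frameworks and control ids here is a placeholder, not a real mapping.
CONCEPT_FAMILIES: Dict[str, Dict[str, str]] = {
    "TLS":    {"CSF": "CSF-ENC-01", "SOC2": "SOC2-ENC-01", "ISO": "ISO-ENC-01"},
    "BACKUP": {"CSF": "CSF-BKP-01", "SOC2": "SOC2-BKP-01", "ISO": "ISO-BKP-01"},
    "AWARE":  {"CSF": "CSF-AT-01",  "SOC2": "SOC2-AT-01",  "ISO": "ISO-AT-01"},
    "IR":     {"CSF": "CSF-IR-01",  "SOC2": "SOC2-IR-01",  "ISO": "ISO-IR-01"},
    "VENDOR": {"CSF": "CSF-VR-01",  "SOC2": "SOC2-VR-01",  "ISO": "ISO-VR-01"},
}

Key = Tuple[str, str]  # (framework, control id)


class EvidenceStore:
    def __init__(self, families: Dict[str, Dict[str, str]]):
        self.families = families
        self._evidence: Dict[Key, Evidence] = {}
        # Reverse index so every assessed control (even with no evidence) is enumerable.
        self._family_of: Dict[Key, str] = {
            (fw, cid): fam for fam, m in families.items() for fw, cid in m.items()
        }

    def status(self, framework: str, control: str) -> Status:
        ev = self._evidence.get((framework, control))
        return ev.status if ev else Status.UNDOCUMENTED

    def record_scan(self, framework: str, control: str, source: str) -> bool:
        """Automated evidence fills an undocumented gap or refreshes an earlier
        scan, but never overwrites a human attestation. Returns True if written."""
        key = (framework, control)
        if self.status(*key) is Status.ATTESTED:
            return False
        self._evidence[key] = Evidence(Status.AUTOMATED, source)
        return True

    def attest(self, family: str, email: str, ip: str,
               at: Optional[datetime] = None) -> List[Key]:
        """One human answer marks the family's equivalent control in every
        framework as attested, stamped with who, from where and when."""
        att = Attestation(email, ip, at or datetime.now(timezone.utc))
        written: List[Key] = []
        for fw, cid in self.families[family].items():
            self._evidence[(fw, cid)] = Evidence(Status.ATTESTED, "human", att)
            written.append((fw, cid))
        return written

    def coverage(self, framework: str) -> Dict[str, int]:
        """The per-framework strip: counts of each state over all its controls."""
        counts = {s.value: 0 for s in Status}
        for fw, cid in self._family_of:
            if fw == framework:
                counts[self.status(fw, cid).value] += 1
        return counts

    def questionnaire(self, framework: str) -> List[str]:
        """Shortest list: one question per family still undocumented here."""
        families: List[str] = []
        for (fw, cid), fam in self._family_of.items():
            if (fw == framework and fam not in families
                    and self.status(fw, cid) is Status.UNDOCUMENTED):
                families.append(fam)
        return families


def demo() -> Dict[str, object]:
    """Walk the three steps: scan, answer the short list, propagate."""
    store = EvidenceStore(CONCEPT_FAMILIES)
    store.record_scan("CSF", "CSF-ENC-01", "tls-scanner")      # step 1: scanner proves TLS
    store.attest("BACKUP", "ops@example.com", "203.0.113.7")    # step 2: answer once ...
    store.attest("AWARE", "hr@example.com", "203.0.113.8")
    # A nightly integration refresh must not overwrite the human's backup answer.
    overwritten = store.record_scan("SOC2", "SOC2-BKP-01", "backup-integration")
    return {
        "coverage_csf": store.coverage("CSF"),                 # step 3: propagated counts
        "soc2_backup": store.status("SOC2", "SOC2-BKP-01"),
        "questionnaire_csf": store.questionnaire("CSF"),
        "overwritten": overwritten,
    }


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in a real implementation are visible in `demo()`: the SOC 2 backup control is attested although only the family was answered, and the later integration refresh returns False rather than replacing the attestation.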

Prove Every Control, Honestly

Automated where the scanner can see it, attested where it can’t — with a date on every claim.
