Living Control Set FAQ
Answers to common questions about the Living Control Set and related features in the CRT.
General
What is the Living Control Set?
The Living Control Set (LCS) is your organization's central set of controls in the CRT. It defines the controls your organization implements and operates against to manage security, compliance, and risk. More information on the Living Control Set can be found here.
Do I have to use the Living Control Set?
The Living Control Set is not required to use the CRT. Standard engagements can still be created and managed without it. However, if your organization works across multiple compliance frameworks, the Living Control Set is strongly recommended. It eliminates duplicated work, reduces inconsistent responses, and gives you a single, unified view of your compliance program. Organizations that operate under a single framework with no plans to expand may find standard engagements sufficient for their needs.
How is the Living Control Set different from a regular engagement?
A standard engagement is tied to a specific framework or assessment cycle. The Living Control Set is your organization's ongoing, foundational control set. It does not expire or reset. All Conformity Engagements are built on top of it, and it evolves as your organization's requirements change.
Can a client have more than one Living Control Set?
No. Each client can only have one Living Control Set. If your organization needs to assess against multiple frameworks, that is handled through Conformity Engagements, not separate Living Control Sets.
What does "living" mean?
The Living Control Set is designed to evolve as your organization changes. New controls can be added as new compliance requirements emerge, frameworks are introduced, or your organization's risk posture shifts. It reflects what good security and compliance looks like for your organization right now, not at a fixed point in the past.
What is FASCR and why do I see it in the platform?
FASCR stands for Framework Agnostic Security, Compliance, and Resilience. It is the underlying model in the CRT that enables the Living Control Set and allows your organization's controls to be compared against multiple compliance frameworks without duplicating work. As a user, you do not need to configure FASCR directly. More information on FASCR can be found here.
Setup & Configuration
Who can enable and set up the Living Control Set?
Only users with admin rights to both the organization and client can enable the Living Control Set and complete the setup wizard. See Establishing the Living Control Set for step-by-step instructions.
What needs to be in place before I can create a Living Control Set?
Two things must be in place before the Living Control Set can be created. The client must be associated with an organization in the CRT, and the user must have access to both the organization and client settings.
What is the Master Control Library?
The Master Control Library (MCL) is the complete catalog of controls available in the CRT. Your Living Control Set is built from it. The MCL is configured at the organization or application level by an administrator. If your organization has already set it up, it will be available to select when enabling the Living Control Set for a client.
At this time, the SCF framework is the only available option for the Master Control Library.
What are the different ways I can build my Living Control Set?
The setup wizard offers multiple creation methods depending on your organization's starting point, for example selecting controls manually by class, choosing applicable security principles, or using an existing engagement as a starting point. Not all methods may be available at this time. The wizard will present the options available to you.
Working with Frameworks
Do I need a separate Living Control Set for each compliance framework?
No. That is one of the core benefits of the Living Control Set. You define your controls once in the LCS and then compare them against individual frameworks using Conformity Engagements. The same control can satisfy requirements across multiple frameworks without duplicating your work.
What is a Conformity Engagement?
A Conformity Engagement compares your Living Control Set against the requirements of a specific compliance framework such as CMMC, HIPAA, or PCI and identifies where you already meet requirements and where deltas exist. See Creating a Conformity Engagement for instructions.
What is a delta?
A delta is the difference between the controls in a Conformity Assessment and the controls in your Living Control Set. Specifically, the delta represents the controls the framework requires that are not yet in your LCS. When you create a Conformity Engagement, the CRT automatically calculates this difference and presents the delta for review. You can choose to merge the delta controls into your LCS or continue working within the Conformity Engagement without merging.
Do I have to merge delta controls into my Living Control Set? (UPDATE)
No, merging is optional. You can continue working within the Conformity Engagement without adding the delta controls to your LCS. However, merging is recommended if you want your Living Control Set to remain your complete source of truth across all frameworks.
What happens to my existing data when delta controls are merged into the LCS?
When delta controls are merged, the CRT creates a new iteration in the LCS engagement based on the most recent existing iteration. All existing data is carried forward, and the delta controls and AOs are added. The new iteration is named Conformity Controls Update followed by the class name so it is easy to identify.
The LCS Dashboard
How do I access the Living Control Set Dashboard?
Select the LCS icon from the center of the main CRT dashboard. If a Living Control Set has already been created for the client, you will be taken directly to the dashboard. If it has not been created yet, the setup wizard will launch instead.
What data does the LCS Dashboard show?
The dashboard displays data from the latest iteration of the LCS engagement. It includes a summary of total Controls, AOs, and Action Items in the Overview Pane, along with interactive charts showing implementation status distribution. You can also browse and filter all practices in the Controls Area and view detailed information for individual practices in the Details Pane.
Can I navigate to the assessment from the dashboard?
Yes. Select any control from the Controls Area or the Pie Chart to load it in the Details Pane, then select the Edit button to navigate directly to the assessment form for that practice. You can also select the Iteration Management button at the top of the dashboard to navigate to the iteration list.
Troubleshooting
Why can't I see the LCS icon on my dashboard?
The LCS icon is only visible when all of the following conditions are met:
- The Living Control Set has been enabled at the Organization level
- The Living Control Set has been enabled at the Client level
- Your user account has the Compliance Admin entitlement assigned
If any of these conditions are not met, the icon will not appear. Contact your administrator to confirm the Living Control Set has been configured for your client and that the correct entitlement has been assigned to your account.
The setup wizard launched when I selected the LCS icon. What does that mean?
This means a Living Control Set has not yet been created for this client. The wizard will guide you through the setup process. See Establishing the Living Control Set for a full walkthrough. Note that you must have admin rights to complete the setup.
Can I delete my Living Control Set and start over?
Yes. To remove your Living Control Set and start over, you will need to delete the LCS engagement from the Engagement List. Once the LCS engagement has been deleted, selecting the LCS icon on the main dashboard will launch the setup wizard again, allowing you to create a new Living Control Set from scratch.