What is the Living Control Set?
An overview of the Living Control Set (LCS) - what it is, how it works, and how it fits into your security and compliance program.
The Living Control Set defines the controls your organization actually implements and operates against to manage security, compliance, and risk. Instead of managing each framework separately, the Living Control Set gives you one place to define how your organization operates. It is built from controls in the Secure Controls Framework (SCF), which serves as the platform's Master Control Library (MCL), and it reflects your organization's regulatory obligations, risk posture, and security goals.
Why the Living Control Set Matters
Many organizations manage compliance one framework at a time. This often leads to duplicated work, inconsistent answers, and limited visibility.
The Living Control Set changes that by introducing a single, centralized model. With the Living Control Set you can:
- Define one set of controls for your organization
- Use that control set across multiple frameworks
- Reduce duplication and conflicting responses
- Gain a clearer, organization-wide view of your program
This shifts your approach from managing individual frameworks to managing one unified security and compliance program.
Why It's Called "Living"
The Living Control Set is designed to evolve. Your control set may change when:
- New regulatory requirements apply to your organization
- Your organization adopts new frameworks
- Risks or threat conditions shift
- Control implementations mature over time
- New systems or business operations are introduced
As your organization changes, your control set can be updated to reflect new requirements, risks, or priorities. This ensures your controls stay aligned with real-world conditions instead of becoming outdated.
How the Living Control Set is Built
Your Living Control Set is created by selecting controls from the Secure Controls Framework based on two types of requirements:
- Minimum Compliance Requirements (MCR) - Controls required to meet laws, regulations, contracts, or frameworks
- Discretionary Security Requirements (DSR) - Additional controls based on your organization's risks, threats, and security goals
Together, MCR and DSR form your organization's Minimum Security Requirements (MSR). The MSR represents your defensible baseline, the full set of controls your organization operates to protect its systems, data, and operations.
[Figure: Minimum Security Requirements (MSR)]
How the Living Control Set Works with Frameworks
Rather than creating a separate set of controls for each framework, you define your controls once and compare them against different frameworks using Conformity Engagements.
A Conformity Engagement compares your existing controls (LCS) to the requirements of a specific framework (e.g., CMMC 2.0 Level 2) and identifies where you are already meeting requirements and where gaps exist.
This means:
- You are not starting from scratch for each framework
- The same control can support multiple frameworks
- Differences between frameworks are handled as gaps, not separate systems
💡 Think of your Living Control Set as your system, and frameworks as checks against that system.
How the Living Control Set is Used in the CRT
Within the CRT, the Living Control Set acts as the operational foundation for Security, Compliance, and Resilience Management (SCRM). All assessment, evidence, and maturity activity in the platform operates against it as the single source of truth.
Once your Living Control Set is established, it supports:
- Assessing how controls are implemented across your organization
- Collecting and managing evidence tied to specific controls
- Tracking remediation efforts and improvements over time
- Monitoring control maturity as your program evolves
The following diagram shows how the Living Control Set fits into the CRT's control architecture. The Secure Controls Framework serves as the Master Control Library, your organization selects controls from it to build the Living Control Set, and Conformity Engagements evaluate that control set against specific frameworks.
