As of this week, Iru Compliance Automation supports three new frameworks: CMMC, NIST SP 800-171, and ISO 27701. These frameworks join the others within Iru Compliance Automation today (SOC 2, ISO 27001, ISO 42001, GDPR, HIPAA, NIST 800-53, and NIST CSF 2.0), bringing the total to ten.
And with these additions, your coverage now extends meaningfully into defense contracting, federal supply chain security, and global privacy compliance. Here’s what each of these new frameworks supports, and how Iru Compliance Automation can help your organization with each:
CMMC: Certification that defense contractors can no longer defer
The Cybersecurity Maturity Model Certification is the U.S. Department of Defense's framework for protecting Controlled Unclassified Information (CUI) across the defense industrial base. What makes CMMC different from its predecessors is the shift from self-attestation to third-party certification, and the enforcement mechanism attached to it. Without the right CMMC level, you cannot bid on or hold DoD contracts.
CMMC is structured across three maturity levels. Level 1 covers basic cyber hygiene. Level 2, where most defense contractors with CUI obligations land,maps directly to NIST SP 800-171's 110 security requirements. Level 3 adds requirements on top of that for organizations handling the most sensitive programs.
For GRC teams in the defense industrial base, the challenge has never been understanding the requirements. It's been demonstrating continuous compliance to auditors. That calls for device-level evidence, at scale, collected automatically. A spreadsheet assembled before an assessment doesn't hold up the way it used to.
Iru's endpoint data provides a strong, continuously updated evidence layer for applicable requirements. Device check-ins, applied policies, and configurations are recorded continuously and mapped to the applicable CMMC controls.
NIST SP 800-171: The technical baseline behind federal procurement
NIST 800-171 defines 110 security requirements for protecting CUI in non-federal information systems. If CMMC Level 2 is the certification, NIST 800-171 is the technical standard it's built on. NIST 800-171 is the backbone.
But NIST 800-171 shows up in places beyond CMMC. Federal agencies include it in contract clauses. Research institutions, universities, and manufacturers with federal contracts may encounter it in procurement contexts where a formal CMMC audit may not be required.
The 110 requirements span access control, incident response, configuration management, audit logging, and more — all areas where endpoint posture is either the primary control or the evidence source for it. Teams that have been managing these requirements manually, through policy documents and point-in-time assessments, are increasingly being asked to demonstrate continuous compliance rather than snapshot compliance.
Iru's Adaptive Evidence Map solves exactly that. It’s evidence from your endpoints, identity, and security tooling is collected continuously, timestamped, and mapped to NIST 800-171 requirements, so you're presenting, not reconstructing, your compliance history.
ISO 27701: A structured framework for managing personal data
Originally a privacy extension to ISO 27001, ISO 27701 is now a standalone framework. This standard defines requirements for a Privacy Information Management System, covering how personal data is collected, processed, stored, and transferred.
Its practical value is twofold. First, it provides a structured framework for organizations that need to demonstrate accountability under GDPR, CCPA, or other regional data protection regimes, without building a compliance program from scratch for each regulation. Second, for organizations already certified to ISO 27001, bridging into ISO 27701 is significantly more efficient than it would be starting from zero because the management system foundations from ISO 27001 are already in place.
Organizations that act as both data controllers and data processors, holding customer data while also processing it on behalf of others, face accountability obligations from multiple directions. ISO 27701 gives them a single framework to demonstrate that they've addressed both.
For organizations already running ISO 27001 in Iru, that foundation carries forward automatically. Controls are scoped to your role as a controller, processor, or both, adjusted to your regions of operation, and built on top of your existing ISMS evidence.
Additional frameworks deliver a compounding advantage
Adding a new framework in Iru doesn't mean starting over. Iru already knows your business — your devices, your identity posture, your policies, your existing control evidence. When you map to a new framework, that organizational context carries forward automatically. Controls that already satisfy requirements in one framework satisfy overlapping requirements in the next. Evidence already being collected gets remapped, not recollected.
For GRC teams, that changes the math on every new regulatory requirement you face as your business expands. Instead of starting from scratch, you’re building off the hard work you’ve already done with a platform that is built on the same data layer as device management and identity. That’s the Iru advantage for compliance.
Furthermore, the market is recognizing our acceleration. This month, The Hacker News named Iru the Best Cybersecurity Compliance Company at the 2026 Cybersecurity Stars Awards.
The award recognizes something our customers already know: compliance built on the same data layer as endpoint management, identity, and vulnerability management operates differently than a standalone GRC tool. Evidence is always current. Control drift triggers remediation automatically. And Adaptive Compliance features help to ensure your compliance program stays aligned with how your organization operates.
What's available now
CMMC, NIST SP 800-171, and ISO 27701 are live in Iru Compliance Automation. If your organization is preparing for a CMMC audit, operating under federal contract, or extending an existing ISO 27001 program into privacy, you can begin mapping controls and collecting evidence in the same platform as your other frameworks today.
Learn more about Compliance Automation from Iru or book a demo to see it running live in your environment.