Legal

Terms of Service

Last updated: April 2026  •  grc.engineering

Not legal or compliance advice. The tools and content on grc.engineering provide estimates and educational information only. They do not constitute legal advice, compliance certification, or a guarantee of assessment outcomes. Consult a qualified RPO, C3PAO, or compliance attorney before making compliance decisions.

01

Acceptance of Terms

By accessing or using any page, tool, calculator, or content on grc.engineering (the "Site"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, please do not use the Site.

These Terms apply to all visitors, users, and others who access or use the Site, including any organization on whose behalf an individual accesses the Site. Your continued use of the Site following the posting of any changes to these Terms constitutes acceptance of those changes.

The Site is operated by grc.engineering ("we", "us", or "our"). We reserve the right to update or modify these Terms at any time. The "Last updated" date at the top of this page reflects when these Terms were most recently revised.

02

Description of Services

grc.engineering provides free, browser-based interactive tools designed to help organizations understand U.S. federal compliance frameworks, including:

  • CMMC (Cybersecurity Maturity Model Certification) Level 1 and Level 2 readiness estimators and simulators
  • HIPAA Security Rule gap calculators and breach cost estimators
  • SPRS (Supplier Performance Risk System) score simulators
  • Control explorers, timeline calculators, and cost estimators
  • Threat intelligence dashboards and attack coverage maps
  • Educational articles and framework comparison guides
  • Sample evidence package templates for reference purposes

All tools are provided free of charge and require no account or registration. We may add, modify, suspend, or discontinue any tool or feature at any time without prior notice.

Tool outputs — including readiness scores, cost ranges, timeline estimates, and control coverage percentages — are estimates based on the inputs you provide. They are intended to help orient your thinking, not to serve as the basis for compliance decisions, contract representations, or government submissions.

03

Disclaimer of Professional Advice

Nothing on this Site constitutes legal advice, compliance certification, security assessment, or any other form of professional advice. The content and tools are provided for educational and informational purposes only.

Specifically, grc.engineering tools do not:

  • Certify or verify that your organization meets CMMC Level 1 or Level 2 requirements
  • Constitute a formal security assessment, readiness review, or gap assessment
  • Satisfy any requirement for a CMMC Third-Party Assessment Organization (C3PAO) assessment
  • Constitute a HIPAA risk analysis under 45 CFR § 164.308(a)(1)
  • Provide legal advice regarding contractual obligations, DFARS clauses, or regulatory compliance
  • Guarantee any outcome in a formal assessment, audit, or regulatory review

You should consult with qualified professionals before making compliance decisions, including but not limited to:

  • C3PAOs (CMMC Third-Party Assessment Organizations) for CMMC Level 2 certification
  • RPOs (Registered Provider Organizations) for CMMC implementation guidance
  • Licensed attorneys specializing in government contracting and cybersecurity law
  • Qualified security assessors and penetration testers
  • Healthcare compliance professionals for HIPAA matters

A positive result from any grc.engineering tool does not mean your organization will pass a formal assessment. A negative result does not mean your organization will fail one.

04

No Warranties

THE SITE AND ALL TOOLS, CONTENT, AND INFORMATION ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED.

To the fullest extent permitted by applicable law, we disclaim all warranties, including but not limited to:

  • Implied warranties of merchantability, fitness for a particular purpose, and non-infringement
  • Any warranty that the Site will be uninterrupted, error-free, or free of viruses or other harmful components
  • Any warranty regarding the accuracy, completeness, timeliness, or reliability of any tool output, score, or estimate
  • Any warranty that the tools reflect current regulatory requirements, agency guidance, or assessment standards

Compliance frameworks such as CMMC and HIPAA are subject to ongoing regulatory interpretation, rulemaking, and agency guidance. Tool logic may not reflect the most current requirements. Always verify against primary sources, including official federal regulations and published NIST standards.

05

Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL grc.engineering, ITS OPERATORS, CONTRIBUTORS, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO:

  • Loss of business, contracts, revenue, or profits
  • Failure to achieve or maintain compliance certification
  • Regulatory fines, penalties, or enforcement actions
  • Security incidents, data breaches, or unauthorized access to your systems
  • Reliance on any tool output, estimate, score, or recommendation presented on the Site

These limitations apply whether the claim arises in contract, tort, negligence, strict liability, or any other legal or equitable theory, even if we have been advised of the possibility of such damages.

Some jurisdictions do not allow the exclusion or limitation of certain damages. In such jurisdictions, our liability is limited to the maximum extent permitted by law. Because all tools and content are provided free of charge, our aggregate liability to you for any claim shall not exceed zero U.S. dollars ($0.00).

06

Intellectual Property

The Site, including its design, source code, tool logic, written content, and visual elements, is the intellectual property of grc.engineering and its contributors, and is protected by applicable copyright, trademark, and other intellectual property laws.

What you may do:

  • Use the tools for your own internal compliance assessment and planning purposes
  • Share links to the Site and individual tool pages
  • Quote brief excerpts of educational content with attribution to grc.engineering
  • Print or save tool output for your own internal records

What you may not do without our prior written consent:

  • Reproduce, copy, or redistribute the Site's source code or tool logic in competing products or services
  • Resell, sublicense, or commercialize access to the tools or their outputs
  • Scrape, crawl, or systematically harvest tool outputs for training datasets, competitive benchmarking, or derivative products
  • Remove or alter any copyright, trademark, or attribution notices
  • Represent tool output as the product of your own independent assessment or professional judgment

This Site references and incorporates information from publicly available government publications, including NIST Special Publications, CMMC Model documentation, and HIPAA regulations. Such third-party content remains subject to its original terms and is cited for educational purposes only. grc.engineering claims no ownership over government-produced reference material.

07

User Conduct

You agree to use the Site only for lawful purposes and in a manner consistent with these Terms. You agree not to:

  • Attempt to interfere with, disrupt, or gain unauthorized access to the Site or its underlying infrastructure
  • Submit false, misleading, or malicious inputs to any tool with the intent to produce misleading outputs
  • Use automated means (bots, scrapers, headless browsers) to access or extract data from the Site at scale without prior written permission
  • Transmit any viruses, malware, or other harmful code through the Site
  • Represent tool results as official government determinations, certified assessments, or professional opinions
  • Use the Site in any manner that could damage, disable, or impair its functionality for other users

We reserve the right to block access from IP addresses, networks, or user agents that violate these conduct requirements or abuse Site resources.

08

Modifications to Terms and Site

We reserve the right to modify these Terms at any time. When we make material changes, we will update the "Last updated" date at the top of this page. Your continued use of the Site after any modification constitutes your acceptance of the updated Terms.

We also reserve the right to modify, suspend, or discontinue any portion of the Site — including individual tools, content pages, or the Site as a whole — at any time and without notice. We shall not be liable to you or any third party for any modification, suspension, or discontinuation of the Site or any part thereof.

09

Governing Law and Dispute Resolution

These Terms are governed by and construed in accordance with the laws of the United States, without regard to its conflict-of-law principles. To the extent that state law applies, the laws of the state in which grc.engineering is principally located shall govern.

Any dispute arising out of or relating to these Terms or your use of the Site shall be resolved through good-faith negotiation in the first instance. If negotiation fails, disputes shall be resolved through binding arbitration or in a court of competent jurisdiction located within the United States, as agreed by the parties or as required by applicable law.

You agree that any claim arising out of your use of this Site must be brought within one (1) year of the date on which the claim arose, or such claim is permanently barred.

10

Contact

If you have questions about these Terms, believe a tool contains a material error in its regulatory logic, or wish to report misuse of Site content, please reach out:

grc.engineering
Email: demo@signalplane.co
Website: https://signalplane.co