Comment by lelanthran
2 months ago
> I ended up getting the contract and they never asked for those extra things.
Same boat about 2 years ago: the compliance is a lot more flexible than you would think. It doesn't matter if you have a poor password policy; what matters is that you document that you have a poor password policy.
Your client didn't have to get a compliant vendor to remain compliant themselves; what matters to their compliance is formal attestations from their vendor about where they are not compliant.
As a 1-man show I went through the same thing, still got the contract even though I had to formally attest to not having maybe 25% of those boxes ticked. The whole point is that it is recorded that you don't have MFA, or that you failed a pentest on these 5 items... or that you have a vendor who fails these specific 43 requirements.