I am evaluating a construction management software, ProCore, for use in my organization. The idea is to use this on projects that do not handle CUI data. They do not have any security mappings to 800-171 or CMMC and have ISO 27001:2013 and SOC 2. How do you handle SaaS software that does not have direct mappings to NIST 800-171? Do you go through what security they have in place and try and map it back to the standard as best you can? If there are gaps and you have no route to close those requirements, what do you do?