Regulatory compliance is assessed on implementations of systems and products, not on the products themselves.
Auditors do not deal with hypothetical situations, system designs, or product capabilities. They want to see how the system is built and operated. While a VMware Cloud-based SDDC has hundreds of security features and is validated for use in the world’s most sensitive environments, it is still possible to make implementation decisions that create opportunities for attackers and increase the risk of disasters. Auditors seek to find those problems and shine a light on them.