Vendor Security and Customer Requirement Questionnaires ask the same questions every time — SIG, CAIQ, HECVAT, MVSP all cover the same ground with different phrasing. I stopped treating this as a writing problem and started treating it as a retrieval problem: pre-built corpus, offline TF-IDF matching, confidence scoring, link validation.
https://tobytes.com/articles/vendor-security-questionnaires-retrieval-problem

Vendor Security and Customer Requirement Questionnaires as a Retrieval Problem
Every Vendor Security and Customer Requirement Questionnaire asks the same questions — the SIG words them one way, CAIQ another, HECVAT a third. The standard approach is to re-derive answers from scratch each time. The better approach is to treat this as a retrieval problem: build a canonical corpus of approved answers once, and match new questions to it.
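A minimal sketch of the retrieval step described above, as an added example that is not code from the original article: TF-IDF cosine matching of an incoming question against a canonical corpus, with a confidence cutoff that routes weak matches to a person. The corpus entries, the `THRESHOLD` value and all function names are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed corpus: canonical question -> approved answer (sample text only).
CORPUS = [
    ("Is customer data encrypted at rest?",
     "Yes. Customer data is encrypted at rest."),
    ("Do you require multi-factor authentication for employee access?",
     "Yes. MFA is enforced for all workforce accounts."),
    ("Do you perform annual third-party penetration testing?",
     "Yes. An independent firm tests annually."),
]
THRESHOLD = 0.35  # assumed cutoff; anything below goes to a human reviewer

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def vectorize(text, idf, unseen_idf):
    # Words the corpus has never seen keep a (high) weight, so a question that
    # is mostly new vocabulary gets a low cosine score instead of a false match.
    vec = {t: c * idf.get(t, unseen_idf) for t, c in Counter(tokens(text)).items()}
    norm = math.sqrt(sum(w * w for w in vec.values())) or 1.0
    return {t: w / norm for t, w in vec.items()}

def build_index(corpus):
    n = len(corpus)
    df = Counter(t for q, _ in corpus for t in set(tokens(q)))
    idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
    unseen_idf = math.log(1 + n) + 1
    return idf, unseen_idf, [vectorize(q, idf, unseen_idf) for q, _ in corpus]

def match(question, corpus=CORPUS, index=None):
    """Return (approved_answer or None, confidence) for one incoming question."""
    idf, unseen_idf, vecs = index or build_index(corpus)
    q = vectorize(question, idf, unseen_idf)
    scores = [sum(w * v.get(t, 0.0) for t, w in q.items()) for v in vecs]
    best = max(range(len(scores)), key=scores.__getitem__)
    if scores[best] < THRESHOLD:
        return None, scores[best]
    return corpus[best][1], scores[best]

if __name__ == "__main__":
    for q in ("Is data at rest encrypted?",
              "Is multi-factor authentication required for access?",
              "Do you have a bug bounty program?"):
        answer, score = match(q)
        print(f"{score:.2f}  {q!r} -> {answer or 'NEEDS HUMAN REVIEW'}")
```

The third sample question shares only "do" and "you" with the corpus; because its unseen words still count toward the vector norm, it falls under the cutoff instead of being auto-answered with the penetration-testing entry.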