Read-only demo with fictional data (Foundry Labs, Inc.). Nothing here is a real company.Get Controls for your own stack →

CIS Controls v8 Coverage — IG1 derived view

Organization: Foundry Labs, Inc.

Report Date: July 12, 2026

This view maps the automated checks and manual controls tracked in this instance onto the 56 Implementation Group 1 safeguards of CIS Controls v8 — the tier CIS defines as essential cyber hygiene. It is a coverage snapshot for security questionnaires and cyber-insurance applications, not an attestation. Subcategories marked Not covered are outside what this tool tracks (end-user device safeguards especially). IG2 and IG3 safeguards are intentionally excluded, which is also why the encryption checks tracked elsewhere in Controls do not appear here: server-side encryption at rest and in transit are IG2 safeguards. CIS coverage does not affect your compliance score and CIS does not appear in the dashboard framework filter.

56
IG1 safeguards
28
Covered by evidence
12
Implemented
10
Partial

01 Inventory and Control of Enterprise Assets

CodeSafeguardStatusEvidence
1.1Establish and maintain a detailed enterprise asset inventoryNot yetManual: Information asset inventory maintained
1.2Address unauthorized assetsNot covered

02 Inventory and Control of Software Assets

CodeSafeguardStatusEvidence
2.1Establish and maintain a software inventoryNot yetManual: Information asset inventory maintained; Manual: Payment-page script inventory + authorization
2.2Ensure authorized software is currently supportedNot covered
2.3Address unauthorized softwareNot covered

03 Data Protection

CodeSafeguardStatusEvidence
3.1Establish and maintain a data management processNot covered
3.2Establish and maintain a data inventoryPartialManual: Cardholder data flow diagram documented; Manual: Quarterly PCI scope confirmation; Manual: FCI scoping documented; Manual: Application and data criticality analysis
3.3Configure data access control listsPartialCheck: Key Vaults use Azure RBAC; Check: Uniform bucket-level access enabled on GCS buckets; Check: S3 public access block enabled; Check: GCS buckets block public access; Check: Azure Storage account public blob access disabled
3.4Enforce data retentionNot covered
3.5Securely dispose of dataPartialManual: Device and media controls documented; Manual: Media sanitized before disposal or reuse
3.6Encrypt data on end-user devicesImplementedManual: Workstation use and security policy

04 Secure Configuration of Enterprise Assets and Software

CodeSafeguardStatusEvidence
4.1Establish and maintain a secure configuration processNot covered
4.2Establish and maintain a secure configuration process for network infrastructureImplementedCheck: The default VPC network has been removed
4.3Configure automatic session locking on enterprise assetsImplementedManual: Workstation use and security policy
4.4Implement and manage a firewall on serversImplementedCheck: No security groups expose SSH/RDP/DB ports to the internet; Check: No firewall rule opens SSH/RDP to the internet; Check: No NSG rule opens SSH/RDP to the internet
4.5Implement and manage a firewall on end-user devicesNot covered
4.6Securely manage enterprise assets and softwareNot covered
4.7Manage default accounts on enterprise assets and softwareImplementedCheck: RDS instances use non-default master username

05 Account Management

CodeSafeguardStatusEvidence
5.1Establish and maintain an inventory of accounts, validated on a regular schedulePartialCheck: OS Login is enforced at the project level; Check: Service account keys not older than 90 days; Manual: Quarterly user access review
5.2Use unique passwordsImplementedCheck: Strong password policy configured
5.3Disable dormant accountsImplementedCheck: No credentials unused for 90+ days; Check: No stale Azure AD guest users
5.4Restrict administrator privileges to dedicated administrator accountsPartialCheck: Root account has no active access keys; Check: Primitive IAM roles (Owner/Editor) not assigned to users; Check: Privileged Identity Management activated for admin roles; Manual: Privileged access reviewed quarterly

06 Access Control Management

CodeSafeguardStatusEvidence
6.1Establish an access granting processNot covered
6.2Establish an access revoking processNot yetManual: Offboarding access revoked within 24h
6.3Require MFA for externally-exposed applicationsPartialCheck: 2FA required for all org members; Check: 2-Step Verification enforced for all Google Workspace users; Check: MFA enforced via Security Defaults or Conditional Access
6.4Require MFA for remote network accessNot covered
6.5Require MFA for administrative accessImplementedCheck: MFA enabled for all IAM users

07 Continuous Vulnerability Management

CodeSafeguardStatusEvidence
7.1Establish and maintain a vulnerability management processNot covered
7.2Establish and maintain a remediation processNot covered
7.3Perform automated operating system patch managementNot covered
7.4Perform automated application patch managementImplementedCheck: Dependabot security alerts enabled

08 Audit Log Management

CodeSafeguardStatusEvidence
8.1Establish and maintain an audit log management processNot covered
8.2Collect audit logsPartialCheck: CloudTrail enabled in all regions; Check: CloudTrail log file validation enabled; Check: VPC Flow Logs enabled; Check: Cloud Audit Logs enabled for all services; Check: VPC Flow Logs enabled on all subnets; Check: Azure Activity Log diagnostic settings configured; Check: Azure SQL server-level auditing enabled
8.3Ensure adequate audit log storageImplementedCheck: CloudWatch log groups retain at least 12 months; Check: Long-term log sink configured; Check: Log Analytics workspaces retain logs for 90+ days

09 Email and Web Browser Protections

CodeSafeguardStatusEvidence
9.1Ensure use of only fully supported browsers and email clientsNot covered
9.2Use DNS filtering servicesNot covered

10 Malware Defenses

CodeSafeguardStatusEvidence
10.1Deploy and maintain anti-malware softwarePartialCheck: GuardDuty enabled in all regions; Check: Microsoft Defender for Cloud enabled on key workloads
10.2Configure automatic anti-malware signature updatesNot covered
10.3Disable autorun and autoplay for removable mediaNot covered

11 Data Recovery

CodeSafeguardStatusEvidence
11.1Establish and maintain a data recovery processNot yetManual: Business continuity plan documented; Manual: Annual disaster recovery test
11.2Perform automated backupsNot yetCheck: S3 versioning enabled on critical buckets
11.3Protect recovery dataNot covered
11.4Establish and maintain an isolated instance of recovery dataNot covered

12 Network Infrastructure Management

CodeSafeguardStatusEvidence
12.1Ensure network infrastructure is up-to-dateNot covered

14 Security Awareness and Skills Training

CodeSafeguardStatusEvidence
14.1Establish and maintain a security awareness programPartialManual: Annual security awareness training; Manual: PCI security awareness training (annual)
14.2Train workforce members to recognize social engineering attacksNot covered
14.3Train workforce members on authentication best practicesNot covered
14.4Train workforce members on data handling best practicesNot covered
14.5Train workforce members on causes of unintentional data exposureNot covered
14.6Train workforce members on recognizing and reporting security incidentsNot covered
14.7Train workforce members on identifying and reporting missing security updatesNot covered
14.8Train workforce members on the dangers of connecting to insecure networksNot covered

15 Service Provider Management

CodeSafeguardStatusEvidence
15.1Establish and maintain an inventory of service providersPartialManual: Annual vendor security review; Manual: Third-party service provider (TPSP) list; Manual: Business associate inventory maintained

17 Incident Response Management

CodeSafeguardStatusEvidence
17.1Designate personnel to manage incident handlingImplementedManual: Incident response plan documented
17.2Establish and maintain contact information for reporting security incidentsNot yetManual: Breach notification process documented
17.3Establish and maintain an enterprise process for reporting incidentsImplementedManual: Incident response plan documented

Generated by Scorifya Controls · July 12, 2026 · CIS Controls v8 IG1 derived coverage view for Foundry Labs, Inc.