Read-only demo with fictional data (Foundry Labs, Inc.). Nothing here is a real company.Get Controls for your own stack →

NIST CSF 2.0 Coverage — derived view

Organization: Foundry Labs, Inc.

Report Date: July 12, 2026

This view maps the automated checks and manual controls tracked in this instance onto the 106 subcategories of NIST CSF 2.0. It is a coverage snapshot for security questionnaires and cyber-insurance applications, not an attestation: subcategories marked Not covered are simply outside what this tool tracks — many (risk-appetite statements, recovery communications) are organizational practices no tool evidences. CSF coverage does not affect your compliance score and CSF does not appear in the dashboard framework filter.

106
Subcategories
44
Covered by evidence
8
Implemented
17
Partial

GVGovern

CodeCategorySubcategoryStatusEvidence
GV.OC-01Organizational ContextThe organizational mission is understood and informs cybersecurity risk managementNot yetManual: ISMS scope defined and documented
GV.OC-02Organizational ContextInternal and external stakeholders and their expectations are understoodNot covered
GV.OC-03Organizational ContextLegal, regulatory, and contractual cybersecurity requirements are understood and managedNot covered
GV.OC-04Organizational ContextCritical objectives, capabilities, and services that external stakeholders depend on are understoodNot covered
GV.OC-05Organizational ContextOutcomes, capabilities, and services the organization depends on are understoodNot covered
GV.RM-01Risk Management StrategyRisk management objectives are established and agreed to by stakeholdersNot yetManual: Information security objectives set and measured
GV.RM-02Risk Management StrategyRisk appetite and risk tolerance statements are established and communicatedNot covered
GV.RM-03Risk Management StrategyCybersecurity risk management is included in enterprise risk processesNot covered
GV.RM-04Risk Management StrategyA strategic direction describing appropriate risk response options is establishedNot covered
GV.RM-05Risk Management StrategyLines of communication for cybersecurity risk are established across the organization and with suppliersNot covered
GV.RM-06Risk Management StrategyA standard method for calculating, documenting, and prioritizing cybersecurity risks is establishedNot covered
GV.RM-07Risk Management StrategyStrategic opportunities (positive risks) are characterized and included in risk discussionsNot covered
GV.RR-01Roles, Responsibilities, and AuthoritiesLeadership is accountable for cybersecurity risk and fosters a risk-aware cultureImplementedManual: Management information security oversight
GV.RR-02Roles, Responsibilities, and AuthoritiesCybersecurity roles, responsibilities, and authorities are established, communicated, and enforcedImplementedManual: HIPAA security official designated
GV.RR-03Roles, Responsibilities, and AuthoritiesAdequate resources are allocated commensurate with the risk strategyNot covered
GV.RR-04Roles, Responsibilities, and AuthoritiesCybersecurity is included in human resources practicesPartialManual: Background checks for new hires; Manual: Offboarding access revoked within 24h; Manual: NDAs signed by all employees; Manual: Workforce sanction policy documented
GV.PO-01PolicyA cybersecurity risk management policy is established, communicated, and enforcedImplementedManual: Information security policy approved
GV.PO-02PolicyThe policy is reviewed, updated, and re-communicated as requirements and risks changeNot covered
GV.OV-01OversightRisk management strategy outcomes are reviewed to inform and adjust strategyPartialManual: Management information security oversight; Manual: Management review of the ISMS completed
GV.OV-02OversightThe strategy is reviewed and adjusted to cover organizational requirements and risksNot covered
GV.OV-03OversightOrganizational cybersecurity risk management performance is evaluated and reviewedImplementedManual: Annual CMMC L1 self-assessment and SPRS affirmation
GV.SC-01Cybersecurity Supply Chain Risk ManagementA supply chain risk management program, strategy, objectives, policies, and processes are establishedNot covered
GV.SC-02Cybersecurity Supply Chain Risk ManagementSupplier and third-party roles and responsibilities for cybersecurity are established and coordinatedNot covered
GV.SC-03Cybersecurity Supply Chain Risk ManagementSupply chain risk management is integrated into broader risk management and improvement processesNot covered
GV.SC-04Cybersecurity Supply Chain Risk ManagementSuppliers are known and prioritized by criticalityPartialManual: Third-party service provider (TPSP) list; Manual: Business associate inventory maintained
GV.SC-05Cybersecurity Supply Chain Risk ManagementRequirements to address supply chain risks are established and included in agreements with suppliersNot yetManual: Vendor DPAs / BAAs in place; Manual: Written PCI responsibility agreements with TPSPs
GV.SC-06Cybersecurity Supply Chain Risk ManagementPlanning and due diligence are performed to reduce risk before entering supplier relationshipsNot covered
GV.SC-07Cybersecurity Supply Chain Risk ManagementSupplier risks are understood, recorded, prioritized, assessed, and monitored over the relationshipImplementedManual: Annual vendor security review
GV.SC-08Cybersecurity Supply Chain Risk ManagementRelevant suppliers are included in incident planning, response, and recovery activitiesNot covered
GV.SC-09Cybersecurity Supply Chain Risk ManagementSupply chain security practices are integrated and monitored throughout the technology lifecycleNot covered
GV.SC-10Cybersecurity Supply Chain Risk ManagementSupply chain risk plans include provisions for concluding or transitioning supplier relationshipsNot covered

IDIdentify

CodeCategorySubcategoryStatusEvidence
ID.AM-01Asset ManagementInventories of hardware managed by the organization are maintainedNot yetManual: Information asset inventory maintained
ID.AM-02Asset ManagementInventories of software, services, and systems are maintainedNot yetManual: Payment-page script inventory + authorization; Manual: Information asset inventory maintained
ID.AM-03Asset ManagementRepresentations of authorized network communication and data flows are maintainedPartialManual: Cardholder data flow diagram documented; Manual: Quarterly PCI scope confirmation; Manual: FCI scoping documented
ID.AM-04Asset ManagementInventories of services provided by suppliers are maintainedNot covered
ID.AM-05Asset ManagementAssets are prioritized based on classification, criticality, resources, and mission impactNot yetManual: Application and data criticality analysis
ID.AM-07Asset ManagementInventories of data and metadata are maintained for designated data typesNot covered
ID.AM-08Asset ManagementSystems, hardware, software, services, and data are managed through their lifecyclesPartialManual: Device and media controls documented; Manual: Media sanitized before disposal or reuse
ID.RA-01Risk AssessmentVulnerabilities in assets are identified, validated, and recordedPartialCheck: Dependabot security alerts enabled; Manual: Annual penetration test
ID.RA-02Risk AssessmentCyber threat intelligence is received from information sharing forums and sourcesNot covered
ID.RA-03Risk AssessmentInternal and external threats to the organization are identified and recordedNot yetManual: Fraud risk assessment
ID.RA-04Risk AssessmentPotential impacts and likelihoods of threats exploiting vulnerabilities are identified and recordedNot covered
ID.RA-05Risk AssessmentThreats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform prioritizationPartialManual: Annual risk assessment completed; Manual: ePHI-scoped risk analysis completed
ID.RA-06Risk AssessmentRisk responses are chosen, prioritized, planned, tracked, and communicatedNot yetManual: Risk treatment plan approved; Manual: Statement of Applicability documented
ID.RA-07Risk AssessmentChanges and exceptions are managed, assessed for risk impact, recorded, and trackedNot yetManual: Change management approval process
ID.RA-08Risk AssessmentProcesses for receiving, analyzing, and responding to vulnerability disclosures are establishedNot covered
ID.RA-09Risk AssessmentThe authenticity and integrity of hardware and software are assessed prior to acquisition and useNot covered
ID.RA-10Risk AssessmentCritical suppliers are assessed prior to acquisitionNot covered
ID.IM-01ImprovementImprovements are identified from evaluationsNot yetManual: ISMS internal audit completed
ID.IM-02ImprovementImprovements are identified from security tests and exercises, including with suppliersNot yetManual: Annual IR tabletop exercise; Manual: Annual disaster recovery test; Manual: Annual penetration test
ID.IM-03ImprovementImprovements are identified from execution of operational processes, procedures, and activitiesNot yetManual: Nonconformities and corrective actions tracked
ID.IM-04ImprovementIncident response and other cybersecurity plans are established, communicated, maintained, and improvedPartialManual: Incident response plan documented; Manual: Business continuity plan documented; Manual: Card-breach incident response playbook

PRProtect

CodeCategorySubcategoryStatusEvidence
PR.AA-01Identity Management, Authentication, and Access ControlIdentities and credentials for authorized users, services, and hardware are managedPartialCheck: Strong password policy configured; Check: Root account has no active access keys; Check: No credentials unused for 90+ days; Check: No stale Azure AD guest users; Check: Service account keys not older than 90 days; Check: OS Login is enforced at the project level; Check: RDS instances use non-default master username; Check: Secret scanning enabled; Manual: Offboarding access revoked within 24h
PR.AA-02Identity Management, Authentication, and Access ControlIdentities are proofed and bound to credentials based on the context of interactionsNot covered
PR.AA-03Identity Management, Authentication, and Access ControlUsers, services, and hardware are authenticatedPartialCheck: MFA enabled for all IAM users; Check: 2FA required for all org members; Check: 2-Step Verification enforced for all Google Workspace users; Check: MFA enforced via Security Defaults or Conditional Access
PR.AA-04Identity Management, Authentication, and Access ControlIdentity assertions are protected, conveyed, and verifiedNot covered
PR.AA-05Identity Management, Authentication, and Access ControlAccess permissions, entitlements, and authorizations are managed with least privilege and separation of dutiesPartialCheck: Root account has no active access keys; Check: Primitive IAM roles (Owner/Editor) not assigned to users; Check: Key Vaults use Azure RBAC; Check: Privileged Identity Management activated for admin roles; Check: Uniform bucket-level access enabled on GCS buckets; Manual: Quarterly user access review; Manual: Privileged access reviewed quarterly
PR.AA-06Identity Management, Authentication, and Access ControlPhysical access to assets is managed, monitored, and enforced commensurate with riskNot yetManual: Facility access controls documented; Manual: Visitors escorted and activity logged; Manual: Physical access devices controlled
PR.AT-01Awareness and TrainingPersonnel are provided with awareness and training to perform tasks with security in mindPartialManual: Annual security awareness training; Manual: PCI security awareness training (annual)
PR.AT-02Awareness and TrainingIndividuals in specialized roles are provided role-specific awareness and trainingNot covered
PR.DS-01Data SecurityThe confidentiality, integrity, and availability of data-at-rest are protectedPartialCheck: S3 public access block enabled; Check: GCS buckets block public access; Check: Azure Storage account public blob access disabled; Check: S3 buckets encrypted at rest; Check: RDS instances encrypted at rest; Check: EBS default encryption enabled; Check: Compute Engine disks are encrypted; Check: Cloud SQL instances encrypted at rest; Check: Azure managed disks encrypted at rest; Check: Azure SQL Transparent Data Encryption enabled; Check: Azure Key Vault in use for secrets management; Check: KMS symmetric keys rotate within 90 days
PR.DS-02Data SecurityThe confidentiality, integrity, and availability of data-in-transit are protectedPartialCheck: Load balancer HTTPS listeners require TLS 1.2 or higher; Check: RDS instances enforce TLS at the parameter group; Check: Cloud SQL requires SSL connections; Check: Storage accounts require HTTPS; Check: Azure PostgreSQL enforces SSL
PR.DS-10Data SecurityThe confidentiality, integrity, and availability of data-in-use are protectedNot covered
PR.DS-11Data SecurityBackups of data are created, protected, maintained, and testedNot yetCheck: S3 versioning enabled on critical buckets; Manual: Annual disaster recovery test
PR.PS-01Platform SecurityConfiguration management practices are established and appliedPartialCheck: Default branch protection enabled; Manual: Change management approval process; Manual: Workstation use and security policy
PR.PS-02Platform SecuritySoftware is maintained, replaced, and removed commensurate with riskNot covered
PR.PS-03Platform SecurityHardware is maintained, replaced, and removed commensurate with riskNot covered
PR.PS-04Platform SecurityLog records are generated and made available for continuous monitoringPartialCheck: CloudTrail enabled in all regions; Check: CloudTrail log file validation enabled; Check: CloudWatch log groups retain at least 12 months; Check: Cloud Audit Logs enabled for all services; Check: Long-term log sink configured; Check: Azure Activity Log diagnostic settings configured; Check: Log Analytics workspaces retain logs for 90+ days; Check: Azure SQL server-level auditing enabled
PR.PS-05Platform SecurityInstallation and execution of unauthorized software are preventedNot covered
PR.PS-06Platform SecuritySecure software development practices are integrated and monitored throughout the lifecycleNot yetCheck: Required status checks on default branch; Manual: Security requirements in SDLC
PR.IR-01Technology Infrastructure ResilienceNetworks and environments are protected from unauthorized logical access and usageImplementedCheck: No security groups expose SSH/RDP/DB ports to the internet; Check: No firewall rule opens SSH/RDP to the internet; Check: No NSG rule opens SSH/RDP to the internet; Check: The default VPC network has been removed
PR.IR-02Technology Infrastructure ResilienceThe organization's technology assets are protected from environmental threatsNot covered
PR.IR-03Technology Infrastructure ResilienceMechanisms are implemented to achieve resilience requirements in normal and adverse situationsNot yetManual: Business continuity plan documented
PR.IR-04Technology Infrastructure ResilienceAdequate resource capacity to ensure availability is maintainedNot covered

DEDetect

CodeCategorySubcategoryStatusEvidence
DE.CM-01Continuous MonitoringNetworks and network services are monitored to find potentially adverse eventsNot yetCheck: VPC Flow Logs enabled; Check: VPC Flow Logs enabled on all subnets; Check: GuardDuty enabled in all regions
DE.CM-02Continuous MonitoringThe physical environment is monitored to find potentially adverse eventsNot yetManual: Visitors escorted and activity logged
DE.CM-03Continuous MonitoringPersonnel activity and technology usage are monitored to find potentially adverse eventsImplementedCheck: CloudWatch alarm for root account usage
DE.CM-06Continuous MonitoringExternal service provider activities and services are monitored to find potentially adverse eventsNot covered
DE.CM-09Continuous MonitoringComputing hardware and software, runtime environments, and their data are monitoredPartialCheck: GuardDuty enabled in all regions; Check: Microsoft Defender for Cloud enabled on key workloads; Manual: Payment-page tamper detection evidence
DE.AE-02Adverse Event AnalysisPotentially adverse events are analyzed to better understand associated activitiesNot covered
DE.AE-03Adverse Event AnalysisInformation is correlated from multiple sourcesNot covered
DE.AE-04Adverse Event AnalysisThe estimated impact and scope of adverse events are understoodNot covered
DE.AE-06Adverse Event AnalysisInformation on adverse events is provided to authorized staff and toolsImplementedCheck: CloudWatch alarm for root account usage
DE.AE-07Adverse Event AnalysisCyber threat intelligence and other contextual information are integrated into the analysisNot covered
DE.AE-08Adverse Event AnalysisIncidents are declared when adverse events meet the defined incident criteriaNot covered

RSRespond

CodeCategorySubcategoryStatusEvidence
RS.MA-01Incident ManagementThe incident response plan is executed in coordination with relevant third parties once an incident is declaredNot covered
RS.MA-02Incident ManagementIncident reports are triaged and validatedNot covered
RS.MA-03Incident ManagementIncidents are categorized and prioritizedNot covered
RS.MA-04Incident ManagementIncidents are escalated or elevated as neededNot covered
RS.MA-05Incident ManagementThe criteria for initiating incident recovery are appliedNot covered
RS.AN-03Incident AnalysisAnalysis is performed to establish what has taken place during an incident and its root causeNot covered
RS.AN-06Incident AnalysisActions performed during an investigation are recorded and their integrity and provenance preservedNot covered
RS.AN-07Incident AnalysisIncident data and metadata are collected with integrity and provenance preservedNot covered
RS.AN-08Incident AnalysisAn incident's magnitude is estimated and validatedNot covered
RS.CO-02Incident Response Reporting and CommunicationInternal and external stakeholders are notified of incidentsNot yetManual: Breach notification process documented
RS.CO-03Incident Response Reporting and CommunicationInformation is shared with designated internal and external stakeholdersNot covered
RS.MI-01Incident MitigationIncidents are containedNot covered
RS.MI-02Incident MitigationIncidents are eradicatedNot covered

RCRecover

CodeCategorySubcategoryStatusEvidence
RC.RP-01Incident Recovery Plan ExecutionThe recovery portion of the incident response plan is executed once initiatedNot covered
RC.RP-02Incident Recovery Plan ExecutionRecovery actions are selected, scoped, prioritized, and performedNot covered
RC.RP-03Incident Recovery Plan ExecutionThe integrity of backups and restoration assets is verified before useNot covered
RC.RP-04Incident Recovery Plan ExecutionCritical mission functions and cybersecurity risk management are considered when establishing post-incident normsNot covered
RC.RP-05Incident Recovery Plan ExecutionThe integrity of restored assets is verified and normal operations confirmedNot covered
RC.RP-06Incident Recovery Plan ExecutionThe end of recovery is declared based on criteria and documentation completedNot covered
RC.CO-03Incident Recovery CommunicationRecovery activities and progress are communicated to designated stakeholdersNot covered
RC.CO-04Incident Recovery CommunicationPublic updates on recovery are shared using approved methods and messagingNot covered

Generated by Scorifya Controls · July 12, 2026 · NIST CSF 2.0 derived coverage view for Foundry Labs, Inc.