Organization: Foundry Labs, Inc.
Report Date: July 12, 2026
This view maps the automated checks and manual controls tracked in this instance onto the 106 subcategories of NIST CSF 2.0. It is a coverage snapshot for security questionnaires and cyber-insurance applications, not an attestation: subcategories marked Not covered are simply outside what this tool tracks — many (risk-appetite statements, recovery communications) are organizational practices no tool evidences. CSF coverage does not affect your compliance score and CSF does not appear in the dashboard framework filter.
| Code | Category | Subcategory | Status | Evidence |
|---|---|---|---|---|
| GV.OC-01 | Organizational Context | The organizational mission is understood and informs cybersecurity risk management | Not yet | Manual: ISMS scope defined and documented |
| GV.OC-02 | Organizational Context | Internal and external stakeholders and their expectations are understood | Not covered | — |
| GV.OC-03 | Organizational Context | Legal, regulatory, and contractual cybersecurity requirements are understood and managed | Not covered | — |
| GV.OC-04 | Organizational Context | Critical objectives, capabilities, and services that external stakeholders depend on are understood | Not covered | — |
| GV.OC-05 | Organizational Context | Outcomes, capabilities, and services the organization depends on are understood | Not covered | — |
| GV.RM-01 | Risk Management Strategy | Risk management objectives are established and agreed to by stakeholders | Not yet | Manual: Information security objectives set and measured |
| GV.RM-02 | Risk Management Strategy | Risk appetite and risk tolerance statements are established and communicated | Not covered | — |
| GV.RM-03 | Risk Management Strategy | Cybersecurity risk management is included in enterprise risk processes | Not covered | — |
| GV.RM-04 | Risk Management Strategy | A strategic direction describing appropriate risk response options is established | Not covered | — |
| GV.RM-05 | Risk Management Strategy | Lines of communication for cybersecurity risk are established across the organization and with suppliers | Not covered | — |
| GV.RM-06 | Risk Management Strategy | A standard method for calculating, documenting, and prioritizing cybersecurity risks is established | Not covered | — |
| GV.RM-07 | Risk Management Strategy | Strategic opportunities (positive risks) are characterized and included in risk discussions | Not covered | — |
| GV.RR-01 | Roles, Responsibilities, and Authorities | Leadership is accountable for cybersecurity risk and fosters a risk-aware culture | Implemented | Manual: Management information security oversight |
| GV.RR-02 | Roles, Responsibilities, and Authorities | Cybersecurity roles, responsibilities, and authorities are established, communicated, and enforced | Implemented | Manual: HIPAA security official designated |
| GV.RR-03 | Roles, Responsibilities, and Authorities | Adequate resources are allocated commensurate with the risk strategy | Not covered | — |
| GV.RR-04 | Roles, Responsibilities, and Authorities | Cybersecurity is included in human resources practices | Partial | Manual: Background checks for new hires; Manual: Offboarding access revoked within 24h; Manual: NDAs signed by all employees; Manual: Workforce sanction policy documented |
| GV.PO-01 | Policy | A cybersecurity risk management policy is established, communicated, and enforced | Implemented | Manual: Information security policy approved |
| GV.PO-02 | Policy | The policy is reviewed, updated, and re-communicated as requirements and risks change | Not covered | — |
| GV.OV-01 | Oversight | Risk management strategy outcomes are reviewed to inform and adjust strategy | Partial | Manual: Management information security oversight; Manual: Management review of the ISMS completed |
| GV.OV-02 | Oversight | The strategy is reviewed and adjusted to cover organizational requirements and risks | Not covered | — |
| GV.OV-03 | Oversight | Organizational cybersecurity risk management performance is evaluated and reviewed | Implemented | Manual: Annual CMMC L1 self-assessment and SPRS affirmation |
| GV.SC-01 | Cybersecurity Supply Chain Risk Management | A supply chain risk management program, strategy, objectives, policies, and processes are established | Not covered | — |
| GV.SC-02 | Cybersecurity Supply Chain Risk Management | Supplier and third-party roles and responsibilities for cybersecurity are established and coordinated | Not covered | — |
| GV.SC-03 | Cybersecurity Supply Chain Risk Management | Supply chain risk management is integrated into broader risk management and improvement processes | Not covered | — |
| GV.SC-04 | Cybersecurity Supply Chain Risk Management | Suppliers are known and prioritized by criticality | Partial | Manual: Third-party service provider (TPSP) list; Manual: Business associate inventory maintained |
| GV.SC-05 | Cybersecurity Supply Chain Risk Management | Requirements to address supply chain risks are established and included in agreements with suppliers | Not yet | Manual: Vendor DPAs / BAAs in place; Manual: Written PCI responsibility agreements with TPSPs |
| GV.SC-06 | Cybersecurity Supply Chain Risk Management | Planning and due diligence are performed to reduce risk before entering supplier relationships | Not covered | — |
| GV.SC-07 | Cybersecurity Supply Chain Risk Management | Supplier risks are understood, recorded, prioritized, assessed, and monitored over the relationship | Implemented | Manual: Annual vendor security review |
| GV.SC-08 | Cybersecurity Supply Chain Risk Management | Relevant suppliers are included in incident planning, response, and recovery activities | Not covered | — |
| GV.SC-09 | Cybersecurity Supply Chain Risk Management | Supply chain security practices are integrated and monitored throughout the technology lifecycle | Not covered | — |
| GV.SC-10 | Cybersecurity Supply Chain Risk Management | Supply chain risk plans include provisions for concluding or transitioning supplier relationships | Not covered | — |
| Code | Category | Subcategory | Status | Evidence |
|---|---|---|---|---|
| ID.AM-01 | Asset Management | Inventories of hardware managed by the organization are maintained | Not yet | Manual: Information asset inventory maintained |
| ID.AM-02 | Asset Management | Inventories of software, services, and systems are maintained | Not yet | Manual: Payment-page script inventory + authorization; Manual: Information asset inventory maintained |
| ID.AM-03 | Asset Management | Representations of authorized network communication and data flows are maintained | Partial | Manual: Cardholder data flow diagram documented; Manual: Quarterly PCI scope confirmation; Manual: FCI scoping documented |
| ID.AM-04 | Asset Management | Inventories of services provided by suppliers are maintained | Not covered | — |
| ID.AM-05 | Asset Management | Assets are prioritized based on classification, criticality, resources, and mission impact | Not yet | Manual: Application and data criticality analysis |
| ID.AM-07 | Asset Management | Inventories of data and metadata are maintained for designated data types | Not covered | — |
| ID.AM-08 | Asset Management | Systems, hardware, software, services, and data are managed through their lifecycles | Partial | Manual: Device and media controls documented; Manual: Media sanitized before disposal or reuse |
| ID.RA-01 | Risk Assessment | Vulnerabilities in assets are identified, validated, and recorded | Partial | Check: Dependabot security alerts enabled; Manual: Annual penetration test |
| ID.RA-02 | Risk Assessment | Cyber threat intelligence is received from information sharing forums and sources | Not covered | — |
| ID.RA-03 | Risk Assessment | Internal and external threats to the organization are identified and recorded | Not yet | Manual: Fraud risk assessment |
| ID.RA-04 | Risk Assessment | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | Not covered | — |
| ID.RA-05 | Risk Assessment | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform prioritization | Partial | Manual: Annual risk assessment completed; Manual: ePHI-scoped risk analysis completed |
| ID.RA-06 | Risk Assessment | Risk responses are chosen, prioritized, planned, tracked, and communicated | Not yet | Manual: Risk treatment plan approved; Manual: Statement of Applicability documented |
| ID.RA-07 | Risk Assessment | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | Not yet | Manual: Change management approval process |
| ID.RA-08 | Risk Assessment | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | Not covered | — |
| ID.RA-09 | Risk Assessment | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | Not covered | — |
| ID.RA-10 | Risk Assessment | Critical suppliers are assessed prior to acquisition | Not covered | — |
| ID.IM-01 | Improvement | Improvements are identified from evaluations | Not yet | Manual: ISMS internal audit completed |
| ID.IM-02 | Improvement | Improvements are identified from security tests and exercises, including with suppliers | Not yet | Manual: Annual IR tabletop exercise; Manual: Annual disaster recovery test; Manual: Annual penetration test |
| ID.IM-03 | Improvement | Improvements are identified from execution of operational processes, procedures, and activities | Not yet | Manual: Nonconformities and corrective actions tracked |
| ID.IM-04 | Improvement | Incident response and other cybersecurity plans are established, communicated, maintained, and improved | Partial | Manual: Incident response plan documented; Manual: Business continuity plan documented; Manual: Card-breach incident response playbook |
| Code | Category | Subcategory | Status | Evidence |
|---|---|---|---|---|
| PR.AA-01 | Identity Management, Authentication, and Access Control | Identities and credentials for authorized users, services, and hardware are managed | Partial | Check: Strong password policy configured; Check: Root account has no active access keys; Check: No credentials unused for 90+ days; Check: No stale Azure AD guest users; Check: Service account keys not older than 90 days; Check: OS Login is enforced at the project level; Check: RDS instances use non-default master username; Check: Secret scanning enabled; Manual: Offboarding access revoked within 24h |
| PR.AA-02 | Identity Management, Authentication, and Access Control | Identities are proofed and bound to credentials based on the context of interactions | Not covered | — |
| PR.AA-03 | Identity Management, Authentication, and Access Control | Users, services, and hardware are authenticated | Partial | Check: MFA enabled for all IAM users; Check: 2FA required for all org members; Check: 2-Step Verification enforced for all Google Workspace users; Check: MFA enforced via Security Defaults or Conditional Access |
| PR.AA-04 | Identity Management, Authentication, and Access Control | Identity assertions are protected, conveyed, and verified | Not covered | — |
| PR.AA-05 | Identity Management, Authentication, and Access Control | Access permissions, entitlements, and authorizations are managed with least privilege and separation of duties | Partial | Check: Root account has no active access keys; Check: Primitive IAM roles (Owner/Editor) not assigned to users; Check: Key Vaults use Azure RBAC; Check: Privileged Identity Management activated for admin roles; Check: Uniform bucket-level access enabled on GCS buckets; Manual: Quarterly user access review; Manual: Privileged access reviewed quarterly |
| PR.AA-06 | Identity Management, Authentication, and Access Control | Physical access to assets is managed, monitored, and enforced commensurate with risk | Not yet | Manual: Facility access controls documented; Manual: Visitors escorted and activity logged; Manual: Physical access devices controlled |
| PR.AT-01 | Awareness and Training | Personnel are provided with awareness and training to perform tasks with security in mind | Partial | Manual: Annual security awareness training; Manual: PCI security awareness training (annual) |
| PR.AT-02 | Awareness and Training | Individuals in specialized roles are provided role-specific awareness and training | Not covered | — |
| PR.DS-01 | Data Security | The confidentiality, integrity, and availability of data-at-rest are protected | Partial | Check: S3 public access block enabled; Check: GCS buckets block public access; Check: Azure Storage account public blob access disabled; Check: S3 buckets encrypted at rest; Check: RDS instances encrypted at rest; Check: EBS default encryption enabled; Check: Compute Engine disks are encrypted; Check: Cloud SQL instances encrypted at rest; Check: Azure managed disks encrypted at rest; Check: Azure SQL Transparent Data Encryption enabled; Check: Azure Key Vault in use for secrets management; Check: KMS symmetric keys rotate within 90 days |
| PR.DS-02 | Data Security | The confidentiality, integrity, and availability of data-in-transit are protected | Partial | Check: Load balancer HTTPS listeners require TLS 1.2 or higher; Check: RDS instances enforce TLS at the parameter group; Check: Cloud SQL requires SSL connections; Check: Storage accounts require HTTPS; Check: Azure PostgreSQL enforces SSL |
| PR.DS-10 | Data Security | The confidentiality, integrity, and availability of data-in-use are protected | Not covered | — |
| PR.DS-11 | Data Security | Backups of data are created, protected, maintained, and tested | Not yet | Check: S3 versioning enabled on critical buckets; Manual: Annual disaster recovery test |
| PR.PS-01 | Platform Security | Configuration management practices are established and applied | Partial | Check: Default branch protection enabled; Manual: Change management approval process; Manual: Workstation use and security policy |
| PR.PS-02 | Platform Security | Software is maintained, replaced, and removed commensurate with risk | Not covered | — |
| PR.PS-03 | Platform Security | Hardware is maintained, replaced, and removed commensurate with risk | Not covered | — |
| PR.PS-04 | Platform Security | Log records are generated and made available for continuous monitoring | Partial | Check: CloudTrail enabled in all regions; Check: CloudTrail log file validation enabled; Check: CloudWatch log groups retain at least 12 months; Check: Cloud Audit Logs enabled for all services; Check: Long-term log sink configured; Check: Azure Activity Log diagnostic settings configured; Check: Log Analytics workspaces retain logs for 90+ days; Check: Azure SQL server-level auditing enabled |
| PR.PS-05 | Platform Security | Installation and execution of unauthorized software are prevented | Not covered | — |
| PR.PS-06 | Platform Security | Secure software development practices are integrated and monitored throughout the lifecycle | Not yet | Check: Required status checks on default branch; Manual: Security requirements in SDLC |
| PR.IR-01 | Technology Infrastructure Resilience | Networks and environments are protected from unauthorized logical access and usage | Implemented | Check: No security groups expose SSH/RDP/DB ports to the internet; Check: No firewall rule opens SSH/RDP to the internet; Check: No NSG rule opens SSH/RDP to the internet; Check: The default VPC network has been removed |
| PR.IR-02 | Technology Infrastructure Resilience | The organization's technology assets are protected from environmental threats | Not covered | — |
| PR.IR-03 | Technology Infrastructure Resilience | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | Not yet | Manual: Business continuity plan documented |
| PR.IR-04 | Technology Infrastructure Resilience | Adequate resource capacity to ensure availability is maintained | Not covered | — |
| Code | Category | Subcategory | Status | Evidence |
|---|---|---|---|---|
| DE.CM-01 | Continuous Monitoring | Networks and network services are monitored to find potentially adverse events | Not yet | Check: VPC Flow Logs enabled; Check: VPC Flow Logs enabled on all subnets; Check: GuardDuty enabled in all regions |
| DE.CM-02 | Continuous Monitoring | The physical environment is monitored to find potentially adverse events | Not yet | Manual: Visitors escorted and activity logged |
| DE.CM-03 | Continuous Monitoring | Personnel activity and technology usage are monitored to find potentially adverse events | Implemented | Check: CloudWatch alarm for root account usage |
| DE.CM-06 | Continuous Monitoring | External service provider activities and services are monitored to find potentially adverse events | Not covered | — |
| DE.CM-09 | Continuous Monitoring | Computing hardware and software, runtime environments, and their data are monitored | Partial | Check: GuardDuty enabled in all regions; Check: Microsoft Defender for Cloud enabled on key workloads; Manual: Payment-page tamper detection evidence |
| DE.AE-02 | Adverse Event Analysis | Potentially adverse events are analyzed to better understand associated activities | Not covered | — |
| DE.AE-03 | Adverse Event Analysis | Information is correlated from multiple sources | Not covered | — |
| DE.AE-04 | Adverse Event Analysis | The estimated impact and scope of adverse events are understood | Not covered | — |
| DE.AE-06 | Adverse Event Analysis | Information on adverse events is provided to authorized staff and tools | Implemented | Check: CloudWatch alarm for root account usage |
| DE.AE-07 | Adverse Event Analysis | Cyber threat intelligence and other contextual information are integrated into the analysis | Not covered | — |
| DE.AE-08 | Adverse Event Analysis | Incidents are declared when adverse events meet the defined incident criteria | Not covered | — |
| Code | Category | Subcategory | Status | Evidence |
|---|---|---|---|---|
| RS.MA-01 | Incident Management | The incident response plan is executed in coordination with relevant third parties once an incident is declared | Not covered | — |
| RS.MA-02 | Incident Management | Incident reports are triaged and validated | Not covered | — |
| RS.MA-03 | Incident Management | Incidents are categorized and prioritized | Not covered | — |
| RS.MA-04 | Incident Management | Incidents are escalated or elevated as needed | Not covered | — |
| RS.MA-05 | Incident Management | The criteria for initiating incident recovery are applied | Not covered | — |
| RS.AN-03 | Incident Analysis | Analysis is performed to establish what has taken place during an incident and its root cause | Not covered | — |
| RS.AN-06 | Incident Analysis | Actions performed during an investigation are recorded and their integrity and provenance preserved | Not covered | — |
| RS.AN-07 | Incident Analysis | Incident data and metadata are collected with integrity and provenance preserved | Not covered | — |
| RS.AN-08 | Incident Analysis | An incident's magnitude is estimated and validated | Not covered | — |
| RS.CO-02 | Incident Response Reporting and Communication | Internal and external stakeholders are notified of incidents | Not yet | Manual: Breach notification process documented |
| RS.CO-03 | Incident Response Reporting and Communication | Information is shared with designated internal and external stakeholders | Not covered | — |
| RS.MI-01 | Incident Mitigation | Incidents are contained | Not covered | — |
| RS.MI-02 | Incident Mitigation | Incidents are eradicated | Not covered | — |
| Code | Category | Subcategory | Status | Evidence |
|---|---|---|---|---|
| RC.RP-01 | Incident Recovery Plan Execution | The recovery portion of the incident response plan is executed once initiated | Not covered | — |
| RC.RP-02 | Incident Recovery Plan Execution | Recovery actions are selected, scoped, prioritized, and performed | Not covered | — |
| RC.RP-03 | Incident Recovery Plan Execution | The integrity of backups and restoration assets is verified before use | Not covered | — |
| RC.RP-04 | Incident Recovery Plan Execution | Critical mission functions and cybersecurity risk management are considered when establishing post-incident norms | Not covered | — |
| RC.RP-05 | Incident Recovery Plan Execution | The integrity of restored assets is verified and normal operations confirmed | Not covered | — |
| RC.RP-06 | Incident Recovery Plan Execution | The end of recovery is declared based on criteria and documentation completed | Not covered | — |
| RC.CO-03 | Incident Recovery Communication | Recovery activities and progress are communicated to designated stakeholders | Not covered | — |
| RC.CO-04 | Incident Recovery Communication | Public updates on recovery are shared using approved methods and messaging | Not covered | — |
Generated by Scorifya Controls · July 12, 2026 · NIST CSF 2.0 derived coverage view for Foundry Labs, Inc.