NIST CSF 2.0 // 44% COMPLIANT
| FUNCTION | P (pass) | A (partial) | F (fail) |
|---|---|---|---|
| GOVERN | 0 | 1 | 1 |
| IDENTIFY | 3 | 1 | 2 |
| PROTECT | 2 | 0 | 2 |
| DETECT | 1 | 0 | 0 |
| RESPOND | 0 | 0 | 2 |
| RECOVER | 0 | 0 | 1 |

Counts cover the 16 assessed controls; the two NOT-APPLICABLE controls under PROTECT (PR.DS-02, PR.DS-10) are excluded.
CONTROL DETAILS
| ID | CONTROL | STATUS | SOC 2 TSC | ISO 27001:2022 Annex A |
|---|---|---|---|---|
| GV.PO-01 | Governance and security policy documents exist | [XX] FAIL | CC1.1, CC1.2, CC5.3 | A.5.1 |
| GV.SC-01 | Third-party dependencies and services are inventoried and tracked | [!!] PARTIAL | CC9.2 | A.5.19, A.5.20, A.5.21, A.5.22 |
| ID.AM-01 | Infrastructure hosting is documented | [XX] FAIL | CC6.1 | A.5.9 |
| ID.AM-02 | Dependencies and third-party services are tracked | [OK] PASS | CC6.1 | A.5.9, A.8.19 |
| ID.RA-01 | Dependency vulnerabilities are scanned | [!!] PARTIAL | CC3.2, CC7.1 | A.8.8 |
| ID.RA-02 | Known vulnerability databases are checked (npm audit, GitHub Advisory Database) | [OK] PASS | CC3.2 | A.5.6 |
| ID.RA-08 | Vulnerability disclosure process + security contact published | [XX] FAIL | CC7.3 | A.5.24, A.6.8 |
| ID.IM-02 | Automated scanning runs on code changes | [OK] PASS | CC4.1, CC8.1 | A.8.8 |
| PR.AA-01 | No secrets/credentials in source code | [OK] PASS | CC6.1, CC6.2 | A.5.16, A.5.17 |
| PR.AA-05 | Branch protection and code review requirements | [XX] FAIL | CC6.1, CC6.3 | A.5.15, A.8.3 |
| PR.DS-01 | Data collection points are documented with retention policies | [XX] FAIL | CC6.1, CC6.7 | A.5.10, A.8.24 |
| PR.DS-02 | HTTPS enforced with valid certificate and HSTS | [--] NOT-APPLICABLE (no live site URL provided, so not tested) | CC6.1, CC6.7 | A.8.24, A.8.20 |
| PR.DS-10 | Security headers mitigate in-browser data leakage and tampering | [--] NOT-APPLICABLE (no live site URL provided, so not tested) | CC6.1 | A.8.20, A.8.22, A.8.23 |
| PR.PS-01 | Security configuration baseline is documented and scannable | [OK] PASS | CC7.1, CC8.1 | A.8.9 |
| DE.CM-09 | Secrets scanning + dependency monitoring on every push/PR | [OK] PASS | CC7.1 | A.8.7, A.8.16 |
| RS.MA-01 | Incident Response Plan exists | [XX] FAIL | CC7.3, CC7.4 | A.5.24, A.5.26 |
| RS.CO-02 | Vulnerability disclosure and security contact are published | [XX] FAIL | CC7.3 | A.5.25, A.6.8 |
| RC.RP-01 | IRP includes recovery procedures | [XX] FAIL | CC7.5 | A.5.29, A.5.30 |
GAPS // 10 CONTROLS
| ID | STATUS | EVIDENCE |
|---|---|---|
| GV.PO-01 | [XX] FAIL | Privacy Policy: missing, ToS: missing, security.txt: missing, Vuln Disclosure: missing, IRP: missing |
| GV.SC-01 | [!!] PARTIAL | 1 third-party service identified, 0 open advisories tracked. A supply-chain program additionally requires supplier agreements, risk tiering, and periodic review (not scanner-verifiable). |
| ID.AM-01 | [XX] FAIL | No live site URL provided; hosting could not be verified |
| ID.RA-01 | [!!] PARTIAL | Scanning runs, but open dependency vulnerabilities remain: Critical 0, High 1, Medium 3 |
| ID.RA-08 | [XX] FAIL | security.txt: missing, Vulnerability Disclosure: missing |
| PR.AA-05 | [XX] FAIL | Branch protection: disabled, Required reviews: none |
| PR.DS-01 | [XX] FAIL | 10 data collection points identified; all 10 have undefined retention |
| RS.MA-01 | [XX] FAIL | IRP status: missing |
| RS.CO-02 | [XX] FAIL | security.txt: missing, Vulnerability Disclosure: missing |
| RC.RP-01 | [XX] FAIL | IRP includes recovery section: no (no IRP exists) |
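Three of the gaps above (GV.PO-01, ID.RA-08, RS.CO-02) turn on the same artifact: a security.txt file that names a security contact and points at a disclosure policy. The check below is an added example, not the scanner behind this report; it validates a security.txt body offline against the field rules of RFC 9116 (Contact and Expires required, Expires once and in the future, Policy and Canonical recommended) and reports in the PASS / PARTIAL / FAIL vocabulary used above. The status thresholds, the sample bodies and the fixed reference time are this example's own constructions. In production the file must be served at `/.well-known/security.txt` over HTTPS; fetching it is left out so the example runs with no network.

```python
"""Offline check of a security.txt body against RFC 9116, reporting in the
PASS / PARTIAL / FAIL vocabulary of the report above.  Added example, not the
report's own scanner: field rules follow RFC 9116 section 2.5, the status
thresholds are this example's own choice."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")      # RFC 9116: both MUST be present
RECOMMENDED = ("Policy", "Canonical")  # Policy is the published disclosure process
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

# Constructed reference time so results do not drift with the wall clock.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Map each 'Field: value' line to a list of values; comments and blank lines skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comments, blank lines and malformed lines carry no field
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_expires(value):
    """RFC 3339 timestamp; tolerate the trailing Z that fromisoformat < 3.11 rejects."""
    if value[-1:] in ("Z", "z"):
        value = value[:-1] + "+00:00"
    exp = datetime.fromisoformat(value)
    return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)


def check_security_txt(text, now=REFERENCE_NOW):
    """Return (status, findings).  text=None means the file was not served at all.

    FAIL    - missing file, or a required field missing, malformed or expired
    PARTIAL - required fields valid, recommended fields absent
    PASS    - everything present and valid
    """
    if text is None:
        return "FAIL", ["security.txt: missing"]
    fields = parse_security_txt(text)
    hard, soft = [], []

    for name in REQUIRED:
        if name not in fields:
            hard.append(f"{name}: missing (required by RFC 9116)")

    for v in fields.get("Contact", []):
        if not v.startswith(CONTACT_SCHEMES):
            hard.append(f"Contact: {v!r} is not a mailto:, https:// or tel: URI")

    expires = fields.get("Expires", [])
    if len(expires) > 1:
        hard.append("Expires: must appear exactly once")
    elif expires:
        try:
            exp = _parse_expires(expires[0])
        except ValueError:
            hard.append(f"Expires: {expires[0]!r} is not an RFC 3339 timestamp")
        else:
            if exp <= now:
                hard.append("Expires: in the past; the file must be refreshed")
            elif exp - now > timedelta(days=366):
                soft.append("Expires: more than a year out (RFC 9116 recommends under a year)")

    for name in RECOMMENDED:
        if name not in fields:
            soft.append(f"{name}: missing (recommended)")

    if hard:
        return "FAIL", hard + soft
    return ("PARTIAL" if soft else "PASS"), soft


# Constructed sample bodies (not taken from any real site).
GOOD = """\
# Constructed sample
Contact: mailto:security@example.com
Expires: 2025-06-30T00:00:00Z
Policy: https://example.com/.well-known/security-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""
EXPIRED = "Contact: mailto:security@example.com\nExpires: 2024-01-01T00:00:00Z\n"
NO_POLICY = "Contact: https://example.com/report\nExpires: 2025-03-01T00:00:00Z\n"

if __name__ == "__main__":
    for label, body in (("missing", None), ("good", GOOD),
                        ("expired", EXPIRED), ("minimal", NO_POLICY)):
        status, findings = check_security_txt(body)
        print(f"{label:8} {status:8} {'; '.join(findings) or 'no findings'}")
```

A PASS here clears the scanner-visible part of ID.RA-08 and RS.CO-02 only; the Policy URL must actually resolve to a disclosure process, and the IRP gaps (RS.MA-01, RC.RP-01) are separate documents the file does not substitute for.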