CIS Controls v8 IG1 mapping
Last reviewed 2026-05-18
Mapping to CIS Critical Security Controls v8, Implementation Group 1 (the 56 safeguards expected of every organization regardless of size). IG1 is our committed baseline.
1. Inventory and Control of Enterprise Assets
- 1.1 Establish and Maintain Detailed Enterprise Asset Inventory: data map, architecture, cloud inventories in Vercel / GCP consoles
- 1.2 Address Unauthorized Assets: access policy enforces provisioning only through the Security Officer
- 1.3 Utilize an Active Discovery Tool: N/A at our scale; cloud console inventory is authoritative
2. Inventory and Control of Software Assets
- 2.1 Establish Software Inventory: `package.json` + CycloneDX SBOM generated through the manual security workflow and published when the workflow is run from `master`
- 2.2 Ensure Authorized Software is Currently Supported: Dependabot + monthly upgrade window
- 2.3 Address Unauthorized Software: PR review gates additions; acceptable use controls personnel devices
3. Data Protection
- 3.1 Establish and Maintain a Data Management Process: data classification
- 3.2 Establish and Maintain a Data Inventory: data map
- 3.3 Configure Data Access Control Lists: Firestore Security Rules default-deny with user-scoped access checks (`request.auth.uid`) and administrator-role checks; API routes enforce administrator vs. non-administrator access.
- 3.4 Enforce Data Retention: data retention policy
- 3.5 Securely Dispose of Data: cascading Firestore deletion, Stripe subscription cancellation/verification, and vendor-side deletion through the DSR process where vendor API deletion is not available
- 3.6 Encrypt Data on End-User Devices: full-disk encryption mandatory per physical security
4. Secure Configuration of Enterprise Assets and Software
- 4.1 Establish and Maintain a Secure Configuration Process: secure development lifecycle, change management
- 4.2 Establish and Maintain a Secure Configuration Process for Network Infrastructure: relies on Vercel + GCP managed configuration
- 4.3 Configure Automatic Session Locking: device screen lock ≤10 min
- 4.4 Implement and Manage a Firewall on Servers: Cloudflare DNS/reverse proxy, Cloudflare Managed Free Ruleset and L7 DDoS ruleset evidence, and Vercel inherited platform protection apply; no active custom Vercel Firewall configuration or custom Cloudflare WAF/rate-limit entrypoint rulesets were found on 2026-05-07; Cloud Armor is not configured for our Google Cloud project.
- 4.5 Implement and Manage a Firewall on End-User Devices: OS-level firewalls enabled per acceptable use
- 4.6 Securely Manage Enterprise Assets and Software: CI + PR review
- 4.7 Manage Default Accounts on Enterprise Assets and Software: no defaults; admin created intentionally
5. Account Management
- 5.1 Establish and Maintain an Inventory of Accounts: `admins` Firestore collection + vendor dashboards audited quarterly
- 5.2 Use Unique Passwords: password manager required per acceptable use
- 5.3 Disable Dormant Accounts: JML process per access control policy
- 5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts: break-glass vs. day-to-day separation
6. Access Control Management
- 6.1 Establish an Access Granting Process: access control policy — provisioning
- 6.2 Establish an Access Revoking Process: access control policy — deprovisioning
- 6.3 Require MFA for Externally-Exposed Applications: Met as an opt-in customer control. Application-level TOTP MFA is available on the user's `/account` Security tab (RFC 6238 authenticator apps; one-time backup codes; AES-256-GCM at rest; anti-replay enforced server-side; defined re-challenge window). MFA is opt-in rather than required for customers; institution-enforced MFA is available on enterprise engagement.
- 6.4 Require MFA for Remote Network Access: N/A (no VPN / on-prem networks)
- 6.5 Require MFA for Administrative Access: Current administrative accounts are required by policy to use Google Account MFA at the identity-provider layer. Administrators may also enable application-level TOTP MFA on their own accounts via `/account/security`.
7. Continuous Vulnerability Management
- 7.1 Establish and Maintain a Vulnerability Management Process: patch management
- 7.2 Establish and Maintain a Remediation Process: SLAs defined
- 7.3 Perform Automated Operating System Patch Management: OS auto-update on endpoints; runtime patched by Vercel
- 7.4 Perform Automated Application Patch Management: Dependabot
8. Audit Log Management
- 8.1 Establish and Maintain an Audit Log Management Process: see the logging & retention policy.
- 8.2 Collect Audit Logs: Firestore append-only audit log, Sentry, and the Vercel log drain to Sentry for selected production and preview platform sources.
- 8.3 Ensure Adequate Audit Log Storage: 2-year audit-log retention and 1-year AI call audit retention enforced by a scheduled retention runner.
- 8.4 Standardize Time Synchronization: server clocks via Vercel / GCP (NTP)
9. Email and Web Browser Protections
- 9.1 Ensure Use of Only Fully Supported Browsers and Email Clients: personnel policy
- 9.2 Use DNS Filtering Services: browser + OS defaults; optional Pi-hole / NextDNS on personnel networks
10. Malware Defenses
- 10.1 Deploy and Maintain Anti-Malware Software: OS-native (Defender, XProtect)
- 10.2 Configure Automatic Anti-Malware Signature Updates: OS-managed
- 10.3 Disable Autorun and Autoplay for Removable Media: OS policy
11. Data Recovery
- 11.1 Establish and Maintain a Data Recovery Process: disaster recovery plan
- 11.2 Perform Automated Backups: Firestore PITR and managed daily Firestore backups with 98-day retention confirmed in live GCP review
- 11.3 Protect Recovery Data: primary backup/export bucket uses US multi-region storage, versioning, public access prevention, uniform bucket-level access, 90-day soft delete, and a 90-day retention policy
- 11.4 Establish and Maintain an Isolated Instance of Recovery Data: separate US multi-region backup/export bucket is configured; restore drill from managed backup remains pending
12. Network Infrastructure Management
- 12.1 Ensure Network Infrastructure is Up-to-Date: Vercel + GCP managed
14. Security Awareness and Skills Training
- 14.1 Establish and Maintain a Security Awareness Program: security awareness training defines the program; the required onboarding module suite includes the security awareness, privacy and data handling, responsible AI, incident reporting, and device and physical security training modules; role-specific accessibility training is assigned through the accessibility training module; restricted training evidence records signed acknowledgments for audit review
15. Service Provider Management
- 15.1 Establish and Maintain an Inventory of Service Providers: sub-processors
17. Incident Response Management
- 17.1 Designate Personnel to Manage Incident Handling: Security Officer
- 17.2 Establish and Maintain Contact Information for Reporting Security Incidents: [email protected]; `.well-known/security.txt`
- 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents: IR runbook
IG2/IG3 aspirational (not yet claimed)
Red teaming, external pen testing, dedicated log management platform, formal SOC. Tracked as future work.
Change log
| Date | Change |
|---|---|
| 2026-04-24 | Initial mapping |
| 2026-05-07 | Updated Cloudflare/Vercel logging, retention enforcement, and training-current-state mapping. |