NIST CSF 2.0 mapping

Mapping of HiringCoachAI controls to NIST CSF 2.0 functions and categories. This is the framework we claim alignment to for HECVAT DOCU-04 and customer security reviews.

Govern (GV)

Category	Our controls	Evidence
GV.OC: Organizational Context	Defined scope, product, hosting model	deployment model
GV.RM: Risk Management Strategy	Risk register in internal audit; risk tiers for vendors	vendor risk management
GV.RR: Roles, Responsibilities, and Authorities	Security Officer, Privacy Officer / data-protection contact, and Engineering Lead defined	information security policy
GV.PO: Policy	Full policy set in docs/compliance/	this directory
GV.OV: Oversight	Quarterly internal audit; annual policy review	internal audit program
GV.SC: Cybersecurity Supply Chain	Vendor-risk program; DPAs; sub-processor list	vendor risk management, sub-processors, and the internal DPA register (available on request via [email protected])

Identify (ID)

Category	Our controls	Evidence
ID.AM: Asset Management	Code in git; Firebase/Vercel inventory; data map	data map, architecture
ID.RA: Risk Assessment	Threat model (summary available on request via [email protected]); quarterly audit	internal audit program
ID.IM: Improvement	Post-incident action items; audit findings tracked	incident response, internal audit program

Protect (PR)

Category	Our controls	Evidence
PR.AA: Identity Management	OAuth and email magic-link sign-in for customers, with opt-in application-level TOTP MFA available on the user's account Security tab. Current administrative accounts are required by policy to use Google Account MFA at the identity-provider layer and MFA on vendor consoles where supported. Authorization enforces administrator vs. non-administrator roles with user-scoped data access enforced by Firestore Security Rules.	access control policy
PR.AT: Awareness & Training	Training program with role-specific modules; onboarding acknowledgments captured in the admin console; phishing simulations start when at least two sensitive-access recipients exist	security awareness training (with linked module suite covering security, privacy and data handling, responsible AI, incident reporting, device and physical security, and accessibility)
PR.DS: Data Security	TLS, at-rest encryption, field-level AES-GCM; DLP via classification	data classification, data map
PR.PS: Platform Security	Firestore rules default-deny; CSP; security headers; dependency scanning	secure development lifecycle, patch management
PR.IR: Technology Infrastructure Resilience	Google-managed platform durability, Firestore PITR, managed daily backups with 98-day retention, US multi-region backup/export bucket with versioning, soft delete, and a retention policy; restore drills	disaster recovery plan, data retention policy

Detect (DE)

Category	Our controls	Evidence
DE.CM: Continuous Monitoring	Sentry, enabled Vercel log drain to Sentry, status probes, selected Firestore audit logs, and hourly audit-log anomaly monitoring for selected authentication/admin events	incident response, logging & retention
DE.AE: Adverse Event Analysis	Sentry alerts, selected audit-log anomaly findings, and Sev 1/2 triage under the incident-response process	incident response, logging & retention

Respond (RS)

Category	Our controls	Evidence
RS.MA: Incident Management	IR runbook; severity matrix; on-call	incident response
RS.AN: Incident Analysis	Post-mortem template; 5-whys	incident response
RS.CO: Incident Response Reporting	Breach-notification procedure	breach notification
RS.MI: Incident Mitigation	Containment steps in IR runbook	incident response

Recover (RC)

Category	Our controls	Evidence
RC.RP: Incident Recovery Plan Execution	DRP procedures; restore playbooks	disaster recovery plan, business continuity plan
RC.CO: Incident Recovery Communications	Status page; customer comms templates	incident response

Change log

Date	Change
2026-04-24	Initial mapping
2026-05-07	Updated training, privacy role, and monitoring current-state language.