https://mvsp.dev/

Minimum Viable Secure Product

A minimum security baseline for enterprise-ready products and services

* Minimal. Baseline criteria for secure products.
* Practical. Specifies checks applicable even to small companies.
* Modern. Updated annually.

Contributors

Salesforce, Google, Okta, Slack, Vanta, C2SEC, BoxyHQ, Secureframe, Reciprocity, SecurityScorecard, SecureStack, BitSight, Safebase, Boberdoo, Compliance Cow, Terratrue, Unicis.Tech, Whistic, Synaptics

Motivation

Minimum Viable Secure Product is a minimalistic security checklist for B2B software and business process outsourcing suppliers. Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture.

We recommend that all companies building B2B software or otherwise handling sensitive information, under its broadest definition, implement the listed controls, and we strongly encourage them to go well beyond these controls in their security programs.

Where is it used?

Requests for proposals
A universal baseline for vendor selection simplifies the job of sourcing teams. MVSP is short and concise enough to be included in RFP documents without bloating them.

Self-assessments
Smaller companies that are not mature enough to afford large compliance efforts such as SOC 2 or PCI DSS use MVSP as the baseline ensuring the security posture of their MVP.

Third-party security
Larger companies attempting to triage their vendors' security posture incorporate MVSP as their universal questionnaire.

Prior Art

The motivation for MVSP came from Dropbox's Vendor Security Model Contract (VSMC) and Google's Vendor Security Assessment Questionnaire (VSAQ). We analyzed multiple existing master agreements and produced a baseline that incorporates most of these requirements.

Update cadence

MVSP uses Semantic Versioning.

* The PATCH version is updated frequently and is used for fixing typos, formatting, or word choice.
* The MINOR version is updated when there are changes to the text of a control that do not alter the nature of the control.
* The MAJOR version is updated when new controls are added, or the nature of the existing controls has changed. The MAJOR version does not change more frequently than once a year.

MVSP and its translations are in the public domain under the CC0 1.0 Universal license.