Identity and scope
Title, pack identity, a short scope statement, and reviewer context.
Proof layer
Curated previews show the cover, reviewer summary, verification posture, representative controls, representative gaps, and sampled artifact blocks. Full mappings and raw outputs remain in the complete pack.
Title, pack identity, a short scope statement, and reviewer context.
Verify status, sealed-artifact posture, and a control summary, without dumping the full raw files.
2-3 controls and 2-3 gaps extracted from the real output to demonstrate the review shape.
The full control matrix, full evidence trace, full run log, and raw pack.zip are no longer the default public surfaces.
Each library page is a public-safe preview over a generated synthetic specimen. The values below are derived from the retained specimen artifacts, not authored separately.
CIS Controls v8 family-level mapping
An evidence-first pack for third-party and supplier security review, built to show baseline control posture without relying on sales claims.
ISO/IEC 27001:2022 Annex A references
A readiness-oriented evidence pack mapped to ISO/IEC 27001:2022 Annex A references, designed for teams that need a concrete baseline before formal audit work.
AICPA TSC CC1-CC9 spine
A readiness pack for organisations that need to show disciplined trust-service control evidence before any formal SOC examination.
NIST CSF 1.1 subcategory IDs
A cross-functional readiness pack aligned to NIST CSF 1.1 style categories, built for teams that need an inspectable security-baseline narrative rather than a generic maturity slide.
DFIR lifecycle phases + NIST RS/RC crosswalk
A readiness pack for incident response and recovery review, focused on whether evidence exists for disciplined response rather than whether a team can improvise under stress.
This is the public-safe model we use to show the shape of a reviewer artifact without exposing the full pack.
Civitas public proof preview
Cover, summary, verification posture, representative controls, and representative gaps extracted from the real output.
| ID | Objective | Status |
|---|---|---|
| VS-001 | Ensure Vendor Security control coverage for IDENTITY/ACCESS/MFA with documented ownership and operating cadence. | gap |
| VS-002 | Ensure Vendor Security control coverage for PRIVILEGED/REVIEW/ACCESS with documented ownership and operating cadence. | gap |
| VS-003 | Ensure Vendor Security control coverage for LOGGING/MONITORING/RETENTION with documented ownership and operating cadence. | gap |
Severity 5; 3 evidence expectations are missing in the current public sample.
Severity 5; 3 evidence expectations are missing in the current public sample.
Severity 5; 3 evidence expectations are missing in the current public sample.
The public surface shows the cover, summary, and reviewer posture. The complete DecisionPack.html and PDF remain in the full pack context.
Verifier OK: yes; 15 checked entries; 6 sealed artifacts.
The public preview is aligned to the canonical March 2026 state; raw specimen metadata is intentionally hidden on the public surface.
The full reviewer pack contains the complete control mapping, full evidence trace, and final outputs. Those are not exposed by default on the public surface.
The retained specimen artifacts remain unchanged for internal verification and delivery rehearsal. They are summarized here, not exposed as the default public surface.
Browser-readable decision surface for reviewer inspection.
Full specimen / controlled rehearsal
Print-ready decision pack for procurement, audit, and leadership review.
Full specimen / controlled rehearsal
Artifact manifest and pack metadata for traceability.
Full specimen / controlled rehearsal
Deterministic seal metadata for integrity review.
Full specimen / controlled rehearsal
Pack archive delivered for local inspection and replay.
Full specimen / controlled rehearsal
Verifier output expected to resolve to a passing state on a valid public pack.
Full specimen / controlled rehearsal
Checksums for reviewer-side integrity confirmation.
Full specimen / controlled rehearsal
The public preview does not remove verification; it only stops making pack.zip, verify.json, and SHA256.txt the first experience for a cold public audience. Local verification remains anchored in the full pack and customer-delivery workflow.