VS-010
gapVendor Security Control 010
Severity 5; 3 evidence expectations are missing in the current public sample.
PUBLIC PREVIEWvendor_securityAligned: 2026-03-14
Vendor Security
An evidence-first pack for third-party and supplier security review, built to show baseline control posture without relying on sales claims.
This page is a public-safe wrapper over the real artifacts. It shows the review shape and posture of the current pack without making the full pack the default public surface.
Who it is for
- Security or procurement teams reviewing a supplier baseline before onboarding or renewal.
- Cloud-first software vendors preparing a deterministic due-diligence pack for customers.
- Operators who need a portable trust layer for repeated vendor questionnaires and evidence requests.
Civitas preview document
Vendor Security
Public preview derived from the real pack. Includes the reviewer summary, representative controls, representative gaps, and artifact posture.
Pack ID: PACK-001
Public alignment: 2026-03-14
Public source: Canonical public specimen
Verification: OK
Total controls
80
Visible gaps
80
Claims
2
Verifier
15
Reviewer summary
The artifact structure is verified, but the current sample remains gap-heavy: 80 of 80 controls are marked as gaps in the current public output.
The declared in-scope statement is "Vendor security control assessment", and the declared out-of-scope statement is "Penetration testing and red teaming". This is a public preview, not the full control matrix.
Current posture
Verified structure
Public context: Curated preview over the real artifacts
Boundary: Full pack retained for customer delivery
Sealed artifacts: 6
Verify model: Local confirmation of the complete pack
Representative controls
| ID | Objective | Severity | Status |
|---|---|---|---|
| VS-001 | Ensure Vendor Security control coverage for IDENTITY/ACCESS/MFA with documented ownership and operating cadence. | 1 | gap |
| VS-002 | Ensure Vendor Security control coverage for PRIVILEGED/REVIEW/ACCESS with documented ownership and operating cadence. | 2 | gap |
| VS-003 | Ensure Vendor Security control coverage for LOGGING/MONITORING/RETENTION with documented ownership and operating cadence. | 3 | gap |
Representative gaps
VS-030
gapVendor Security Control 030
Severity 5; 3 evidence expectations are missing in the current public sample.
VS-045
gapVendor Security Control 045
Severity 5; 3 evidence expectations are missing in the current public sample.
Sample artifact block
Decision preview
The complete HTML/PDF exists in the real pack. Here we expose only the cover, summary, and reviewer posture.
Integrity and verification
Verifier OK: yes; 15 checked entries; 6 sealed artifacts.
Public boundary
The complete control matrix, full evidence trace, full run log, and raw pack.zip remain in internal or customer-delivery context.
What it helps produce
- A reviewer-ready proof set with inspectable claims, drift context, and decision outputs.
- A portable artifact trail that can be reopened in the Civitas viewer or checked locally.
- A deterministic baseline for supplier trust discussions without exposing full internal control logic.
What it covers at a high level
- Identity, access, and privileged-access hygiene at a high level.
- Endpoint, asset, and vulnerability management signals relevant to supplier review.
- Logging, monitoring, backup, and change-control readiness indicators.
- Vendor governance, operational discipline, and supporting evidence paths.
What it does not claim
- Certification, independent attestation, or universal supplier approval.
- A replacement for a customer-specific security review or contractual diligence process.
Full artifacts in customer delivery
DecisionPack.html
Browser-readable decision surface for reviewer inspection.
DecisionPack.pdf
Print-ready decision pack for procurement, audit, and leadership review.
DecisionPack.manifest.json
Artifact manifest and pack metadata for traceability.
DecisionPack.seal.json
Deterministic seal metadata for integrity review.
pack.zip
Pack archive delivered for local inspection and replay.
verify.json
Verifier output expected to resolve to a passing state on a valid public pack.
SHA256.txt
Checksums for reviewer-side integrity confirmation.
Those artifacts remain real and unchanged. The difference is only public exposure: the preview is default, not the full dump.
Relevant next steps
The public preview demonstrates the real product shape. The complete pack, full mapping, and full delivery remain available in customer-delivery or controlled demo context.