Minimum Viable Secure Product

A minimum security baseline for enterprise-ready products and services

Minimal. Baseline criteria for secure products.
Practical. Easy to understand application security focused controls.
Modern. Updated annually.

News

2024-06-24
The Working Group weclomes Nudge Security, Pangea, and OmniSec.
2024-04-04
CISA joins the Working Group - Read CISA's blog post here.
2024-02-29
Comparisons between MVSP and common standards launched

Motivation

Minimum Viable Secure Product (MVSP) is a list of essential application security controls that should be implemented in enterprise-ready products and services. The controls are designed to be simple to implement and provide a good foundation for building secure and resilient systems and services. MVSP is based on the experience of contributors in enterprise application security and has been built with contributions from a range of companies.

We recommend that all companies building enterprise software and services, or otherwise handling sensitive information, implement the MVSP controls and, where possible, go well beyond them in their application security programs.

We welcome constructive feedback to help us continue to improve MVSP and provide a control set that meets the needs of its users.

Where can you use MVSP?

Procurement	Self-Assessment	Software Development Lifecycle (SDLC)	Contractual Controls
A standardized application security baseline for vendor selection simplifies the sourcing team's job and provides a clear set of requirements for enterprise-ready products and services. MVSP is designed to be brief, concise, and easy to understand so that it can be included in RFP documents without causing delays to the sales cycle.	Smaller companies that are not yet mature enough to invest in large compliance efforts such as SOC 2 or PCI DSS can use MVSP as a baseline to measure the security posture of their MVP and create a roadmap for continuous improvement. MVPs often lack essential security controls, however to attract enterprise customers, a clear security roadmap must be a priority.	Security teams often have a great number of requirements pertinent to providing digital services. Prioritizing “security as a feature” can be challenging for software teams. MVSP provides a simple set of minimum controls that are both easy for product teams to understand and integrate and easy to verify by the security and compliance team.	To ensure the security posture of third-party suppliers, large companies can incorporate MVSP into their standard contractual controls. By ensuring that third-parties acknowledge and respond to the MVSP controls at the initial RFP stage, agreeing to contractual controls based on MVSP can be further expedited.
Find out more here	Review the MVSP controls	Find out more here	Find out more here

View a comparison of MVSP controls against common standards (ISO, NIST, CSA) here.

Contributors

Cybersecurity and Infrastructure Security Agency (CISA)

Prior Art

Part of the motivation for MVSP was driven by Dropbox's Vendor Security Model Contract (VSMC), and Google's Vendor Security Assessment Questionnaire (VSAQ).

We have analyzed multiple existing master agreements, as well as taking experience from mature vendor security assessment programs to produce an application-focused security baseline that incorporates the most critical of these requirements.

Update cadence

MVSP is using Semantic Versioning.

The PATCH version is updated frequently and is used for fixing typos, formatting, or word choice. The MINOR version is updated when there are changes to the text of a control that do not alter the nature of the control.

The MAJOR version is updated when the new controls are added, or the nature of the existing controls has changed. The MAJOR version does not change more frequently than once a year.