Minimum Viable Secure Product
MVSP is a minimum security baseline for enterprise-ready products and services. The baseline checklist can be used at various stages of the sales cycle, from RFP through to contractual controls.
The best way to read about MVSP is to visit mvsp.dev.
How to use it
Requests for proposals
A universal baseline for vendor selection simplifies the job of sourcing teams. MVSP is short and concise enough to be included in RFP documents without bloating them.
Self-assessment
Smaller companies that are not mature enough to afford large compliance efforts such as SOC 2 or PCI DSS use MVSP as the baseline for the security posture of their MVP.
Third-party security
Larger companies attempting to triage their vendors' security posture incorporate MVSP as their universal questionnaire.
Including it in your standard agreements
By including the MVSP in your standard agreements, it is possible to align on a set of baseline contractual controls that matches those shared at the point of RFP. This can greatly help to ensure that requirements are communicated clearly up front and to reduce last-minute surprises.
Complying with it as a vendor
As a vendor you may be asked if you are able to comply with the MVSP baseline. Alongside the checklist, you can find more information about the controls and why these are important in the Controls FAQ.
Contributing
MVSP is designed to be simple, understandable and minimalistic. Keep in mind that the goal is not to become another complex standard. Before sending a pull request, contributors should always ask themselves the question: Could I consider a vendor secure if they did not comply with the control I am adding? If the answer is yes, then the control should not be there.
For more information, see Contributing.
License
MVSP and its translations are in the public domain under the CC0 1.0 Universal license.