May 1, 2026 · Tim Fraser
MVSP: The 25-Point Security Baseline Your Customers Are Starting to Ask About
If you run a small SaaS or agency on AWS, you've probably had a security questionnaire land in your inbox lately. A new customer's procurement team wants to know about your security posture before they sign. Twenty pages, dense, and full of acronyms you've half-heard of: SOC 2, ISO 27001, NIST 800-53. Most of it doesn't apply to a 12-person company. None of it has a quick answer.
MVSP is the lightweight alternative: a standard designed so those questions can be answered in a single page.
What MVSP actually is
The Minimum Viable Secure Product is a 25-control checklist maintained as an open standard by Google, Salesforce, Okta and a working group of contributing technology companies. It was built specifically as the "concise element in RFP documents" that procurement teams can use to filter vendors before triggering full SOC 2-level diligence. It's vendor-neutral, free to use, and short enough that a small team can self-assess in an afternoon.
The 25 controls break into four buckets:
- Business controls. Vulnerability disclosure policy, annual self-assessment, incident handling within 72 hours, training, sub-processor list.
- Application design. HTTPS-only, single sign-on, security headers, dependency patching, encryption in transit and at rest, logging.
- Application implementation. Data inventory, time-to-fix targets, build-and-release process.
- Operational controls. Physical access, logical access with MFA, backups and tested disaster recovery.
The full list lives at mvsp.dev. It's a one-page read.
The nine controls plainfra's weekly scan checks for you
About a third of the MVSP list maps directly to things plainfra can read out of an AWS account. The weekly health report and the on-demand consult both surface this without any extra configuration.
- Encryption at rest. S3 bucket encryption, EBS volume encryption, RDS encryption, DynamoDB encryption-at-rest. plainfra flags resources that don't have it.
- Encryption in transit. CloudFront and ALB listener policies, ACM certificate expiry, HTTP-to-HTTPS redirect rules.
- Logical access and MFA. IAM users without MFA, root account access keys (which should not exist), dormant access keys older than 90 days, overly broad IAM policies.
- Logging. CloudTrail enabled across regions, CloudWatch log retention set to at least 30 days, S3 access logging on sensitive buckets.
- Backup and disaster recovery. DynamoDB point-in-time recovery, RDS automated backups, S3 versioning, AWS Backup plans where applicable.
- Dependency patching. Lambda runtimes that have entered deprecation, EC2 patch compliance via SSM, container image scan findings.
- Time-to-fix. Inspector and Security Hub finding age, so you can show you're closing critical issues within the 90-day MVSP target.
- Build and release. IAM policies attached to CI roles, evidence of consistent versioned builds.
- Physical access. Covered by AWS itself, which means plainfra can confirm your workloads sit in regions backed by AWS's audited data-centre programme.
When a customer asks "do you encrypt customer data at rest", you don't have to answer from memory. You ask plainfra, and it reads the actual configuration of the actual account.
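To make the "reads the actual configuration" idea concrete, here is an added example (not plainfra's code) that evaluates a snapshot of AWS configuration against five of the checkable controls above: encryption at rest, logical access and MFA, logging, backups, and time-to-fix. SNAPSHOT is constructed inline so the script runs offline; its field names follow the boto3 responses the corresponding describe/get calls return (StorageEncrypted, retentionInDays, IsMultiRegionTrail, and so on), but every value is made up, and the 90-day key age, 30-day log retention and 90-day critical-fix limits are the ones this post states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # pinned so results are reproducible
KEY_MAX_AGE_DAYS, MIN_LOG_RETENTION_DAYS, CRITICAL_FIX_DAYS = 90, 30, 90

# Constructed sample account (hypothetical values; field names follow boto3 responses).
SNAPSHOT = {
    "s3_buckets": [
        {"Name": "customer-uploads", "ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        {"Name": "legacy-exports", "ServerSideEncryptionConfiguration": None},
    ],
    "rds_instances": [{"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True,
                       "BackupRetentionPeriod": 7}],
    "root_access_keys_present": 1,  # GetAccountSummary -> AccountAccessKeysPresent
    "iam_users": [
        {"UserName": "alice", "MFADevices": ["arn:aws:iam::123456789012:mfa/alice"],
         "AccessKeys": [{"AccessKeyId": "AKIA_EXAMPLE_1", "CreateDate": NOW - timedelta(days=20)}]},
        {"UserName": "ci-deployer", "MFADevices": [],
         "AccessKeys": [{"AccessKeyId": "AKIA_EXAMPLE_2", "CreateDate": NOW - timedelta(days=400)}]},
    ],
    "cloudtrail_trails": [{"Name": "org-trail", "IsMultiRegionTrail": True}],
    "log_groups": [
        {"logGroupName": "/aws/lambda/api", "retentionInDays": 14},
        {"logGroupName": "/aws/lambda/worker", "retentionInDays": None},  # None = never expire
    ],
    "security_hub_findings": [
        {"Id": "finding-1", "Severity": "CRITICAL", "CreatedAt": NOW - timedelta(days=120)},
        {"Id": "finding-2", "Severity": "CRITICAL", "CreatedAt": NOW - timedelta(days=10)},
        {"Id": "finding-3", "Severity": "LOW", "CreatedAt": NOW - timedelta(days=200)},
    ],
}

@dataclass(frozen=True)
class Finding:
    control: str   # MVSP control the gap maps to
    resource: str  # the AWS resource that fails it
    detail: str    # what to change

def check_encryption_at_rest(snap):
    out = [Finding("encryption-at-rest", f"s3://{b['Name']}", "no default bucket encryption")
           for b in snap["s3_buckets"] if not b.get("ServerSideEncryptionConfiguration")]
    out += [Finding("encryption-at-rest", db["DBInstanceIdentifier"], "StorageEncrypted is false")
            for db in snap["rds_instances"] if not db.get("StorageEncrypted")]
    return out

def check_logical_access(snap, now=NOW):
    out = []
    if snap.get("root_access_keys_present", 0):
        out.append(Finding("logical-access", "root", "root account has access keys; delete them"))
    for user in snap["iam_users"]:
        if not user["MFADevices"]:
            out.append(Finding("logical-access", user["UserName"], "IAM user has no MFA device"))
        for key in user["AccessKeys"]:
            age = (now - key["CreateDate"]).days
            if age > KEY_MAX_AGE_DAYS:
                out.append(Finding("logical-access", key["AccessKeyId"],
                                   f"access key is {age} days old; rotate or delete"))
    return out

def check_logging(snap):
    out = []
    if not any(t.get("IsMultiRegionTrail") for t in snap["cloudtrail_trails"]):
        out.append(Finding("logging", "CloudTrail", "no multi-region trail"))
    for group in snap["log_groups"]:
        days = group.get("retentionInDays")  # None means never expire, which passes
        if days is not None and days < MIN_LOG_RETENTION_DAYS:
            out.append(Finding("logging", group["logGroupName"],
                               f"retention {days}d is below {MIN_LOG_RETENTION_DAYS}d"))
    return out

def check_backup(snap):
    return [Finding("backup-dr", db["DBInstanceIdentifier"], "automated backups disabled")
            for db in snap["rds_instances"] if db.get("BackupRetentionPeriod", 0) == 0]

def check_time_to_fix(snap, now=NOW):
    return [Finding("time-to-fix", f["Id"], f"critical finding open {(now - f['CreatedAt']).days} days")
            for f in snap["security_hub_findings"]
            if f["Severity"] == "CRITICAL" and (now - f["CreatedAt"]).days > CRITICAL_FIX_DAYS]

CHECKS = [check_encryption_at_rest, check_logical_access, check_logging, check_backup, check_time_to_fix]
CONTROLS = ["encryption-at-rest", "logical-access", "logging", "backup-dr", "time-to-fix"]

def run_checks(snap):
    return [finding for check in CHECKS for finding in check(snap)]

def summarise(snap):
    """Per-control PASS/FAIL, the shape a questionnaire answer needs."""
    failing = {f.control for f in run_checks(snap)}
    return {c: "FAIL" if c in failing else "PASS" for c in CONTROLS}

if __name__ == "__main__":
    for f in run_checks(SNAPSHOT):
        print(f"[{f.control}] {f.resource}: {f.detail}")
    print(summarise(SNAPSHOT))
```

Run against the sample snapshot this reports six findings (an unencrypted bucket, root access keys, a CI user without MFA, a 400-day-old key, a log group retaining only 14 days, and a critical finding open for 120 days) and marks only backup-dr as PASS. The per-control summary is the part to keep: it answers the questionnaire line, while the findings list is the work queue for fixing it.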
The sixteen controls plainfra can't verify
The rest of MVSP is process and policy work that lives outside AWS. plainfra is read-only and reads infrastructure, so it cannot tell you whether you have a written incident-handling policy, whether you publish a vulnerability disclosure page, or whether your developers have been trained on the OWASP Top 10. Those need to be done by the team and documented separately.
What plainfra does help with is the structure. Once the AWS portion is audited and known, the policy portion is a half-day of writing. Most of the controls in the Business and Implementation buckets are one-page documents that read like internal handbooks.
Why this is useful right now
Two things are converging. The first is that buyers are getting more security-savvy faster than vendors are catching up. A 30-person logistics SaaS in Australia is now being asked the same questions a 300-person fintech was asked five years ago. The second is that SOC 2 is still expensive, slow, and overkill for a company without enterprise customers paying enterprise prices.
MVSP fills the gap. It's the answer for the buyer who needs more than a marketing page but doesn't expect a six-figure compliance programme. And because it's open and vendor-neutral, any vendor can adopt it without paying anyone.
How to use plainfra for the AWS portion
If you've already connected an AWS account, ask plainfra: "summarise where I stand against the AWS-checkable MVSP controls". You'll get a per-control readout with the resources that pass, the resources that don't, and the specific configuration to change. The weekly health report covers the same ground every Monday morning so the answer stays current.
If you haven't connected yet, the read-only CloudFormation template takes about five minutes to install. plainfra cannot change anything in your account: the IAM role carries an explicit Deny on every mutating AWS action, so the worst-case outcome of plainfra running an MVSP check is a finding it cannot act on.
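The reason an explicit Deny is the right shape for a read-only role is IAM's evaluation order: an applicable Deny beats any Allow, so even a later, mistakenly attached Allow cannot re-enable a mutating action. The following added example (not plainfra's actual role policy) models that part of the evaluation. READ_ONLY_POLICY is a hypothetical role that allows a list of read verbs and uses a Deny with NotAction to explicitly deny everything that is not one of them; only Action/NotAction matching is implemented, and Resource and Condition elements are ignored.

```python
from fnmatch import fnmatchcase

# Hypothetical read-only verbs for this example; a real role would list more services.
READ_ACTIONS = [
    "s3:Get*", "s3:List*",
    "iam:Get*", "iam:List*",
    "ec2:Describe*", "rds:Describe*", "dynamodb:Describe*",
    "cloudtrail:Describe*", "cloudtrail:Get*", "logs:Describe*",
    "sts:GetCallerIdentity",
]

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowReads", "Effect": "Allow", "Action": READ_ACTIONS, "Resource": "*"},
        # Deny + NotAction: every action that is not a listed read verb is explicitly denied.
        {"Sid": "DenyMutation", "Effect": "Deny", "NotAction": READ_ACTIONS, "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' as wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())

def statement_applies(stmt, action):
    if "Action" in stmt:
        return any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False

def evaluate(policy, action):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one API action.

    Mirrors IAM's order: an applicable Deny wins over any Allow, and with no
    applicable statement at all the default is an implicit deny.
    """
    applicable = [s for s in policy["Statement"] if statement_applies(s, action)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "explicit_deny"
    if any(s["Effect"] == "Allow" for s in applicable):
        return "allow"
    return "implicit_deny"

def with_statement(policy, statement):
    """Return a copy of the policy with one more statement attached."""
    return {**policy, "Statement": policy["Statement"] + [statement]}

def audit(policy, actions):
    return {a: evaluate(policy, a) for a in actions}

if __name__ == "__main__":
    sample = ["s3:GetBucketEncryption", "s3:PutBucketEncryption",
              "iam:DeleteUser", "sts:GetCallerIdentity"]
    print(audit(READ_ONLY_POLICY, sample))
    # A later, mistaken Allow does not re-enable mutation: the Deny still applies.
    widened = with_statement(READ_ONLY_POLICY,
                             {"Effect": "Allow", "Action": "s3:PutBucketEncryption", "Resource": "*"})
    print(evaluate(widened, "s3:PutBucketEncryption"))
```

The contrast worth noticing is between "implicit_deny" and "explicit_deny": a role that merely omits Put and Delete verbs is one attached policy away from being able to mutate, whereas a role that denies them explicitly stays read-only no matter what else gets attached to it.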