MVSP is a minimum security baseline for enterprise-ready products and services. The baseline checklist can be used at various stages of the sales cycle, from RFP through to contractual controls.

The best way to read about MVSP is to visit mvsp.dev.

Universal baseline for vendor selection simplifies the jobs of the sourcing teams. MVSP is short and concise to be included into RFP documents without bloating them.

Smaller companies that are not mature enough to afford large compliance efforts such as SOC 2 or PCI DSS use MVSP as the baseline for the security posture of their MVP.

Larger companies attempting to triage their vendors' security posture incorporate MVSP as their universal questionnaire.

By including the MVSP in your standard agreements, it is possible to align on a set of baseline contractual controls that matches those shared at the point of RFP. This can greatly help to ensure that requirements are communicated clearly up front, and reduces last minute surprises.

As a vendor you may be asked if you are able to comply with the MVSP baseline. Alongside the checklist, you can find more information about the controls and why these are important in the Controls FAQ.

MVSP is designed to be simple, understandable and minimalistic. It must be considered that the goal is not to become another complex standard. Before sending a PULL request contributors should always ask themselves the question: Could I consider a vendor secure if they did not comply with the control I am adding? If the answer is yes, then the control should not be there.

For more information, see Contributing

MVSP and its translations are public domain under CC0 1.0 Universal license.