
GOVERNANCE

The policies, roles, and decision-making structures that define how your organisation manages risk. Includes security policies, access control procedures, and executive accountability.

RISK

Identifying, assessing, and treating threats to your operations and data. Includes risk registers, vendor assessments, and continuous monitoring of your threat landscape.

COMPLIANCE

Demonstrating adherence to external standards (SOC 2, CMMC 2.0, ISO 27001, NIST CSF, PIPEDA) and internal policies. Produces audit-ready evidence packages for auditors and clients.

WHAT THIS TOOL DOES

DARKNX GRC operates across two parallel tracks. The Projects track audits individual data center assets against external frameworks — generating scorecards, findings, and exportable reports for client due diligence. The DARKNX track manages the organisation's own internal controls, policies, and people across SOC 2, NIST CSF, ISO 27001, CMMC 2.0, CIS v8, PIPEDA, and Federal standards. Together they provide a single pane of glass across both deal-side and internal compliance posture. Active integrations connect to the Enterprise System pipeline and Google Workspace for people sync.

DATA CENTER PROJECT AUDIT

SOC 2, CMMC 2.0, US Federal Standards

  1. Create a project — Go to Projects → New Project. Enter the data center name, location, capacity, and deal type. Alternatively import projects directly from the Enterprise System DCB or Retrofit pipeline via the DES sync.
  2. Start an audit session — Open the project and select a compliance framework. SOC 2 Type II is recommended for most commercial deals; CMMC 2.0 for DoD-adjacent work.
  3. Review controls by domain — Work through each domain (Access Control, Physical Security, Change Management, etc.). For each control mark Compliant, Non-Compliant, In Progress, or N/A.
  4. Record findings — Non-compliant controls become findings. Set the risk level (High / Medium / Low) and add notes with remediation detail.
  5. Track progress — The compliance score updates in real time as you assess controls. Revisit non-compliant items as evidence is gathered.
  6. Export — Use Report, CSV, or PDF from the audit session to generate a compliance package for clients, auditors, or internal review.

DARKNX INTERNAL GRC

SOC 2, NIST CSF, ISO 27001, CMMC 2.0, CIS v8, PIPEDA, Federal

  1. Manage frameworks — Go to DARKNX → Frameworks. View all seeded frameworks and their readiness scores. Currently active: SOC 2 and NIST CSF. Use Seed to activate additional frameworks; Reset to clear and re-seed a framework.
  2. Assess controls — Open a framework domain and work through each control. Set status (Implemented / In Progress / Not Started / Not Applicable), assign an owner, and add evidence notes. Controls are grouped by domain.
  3. Manage people — Go to DARKNX → People. Add team members or sync from Google Workspace. Assign them as control owners for accountability tracking.
  4. Write policies — Go to DARKNX → Policies. Create policy documents that map to control requirements (e.g. Access Control Policy, Incident Response Plan).
  5. Monitor readiness — The DARKNX dashboard shows overall readiness score, controls by status, and open gaps across all seeded frameworks.
  6. Iterate — As controls are implemented, update their status and notes. The readiness score reflects live compliance posture across all active frameworks.
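As an added illustration of how the two tracks' control statuses feed a score (this is example code, not DARKNX GRC's own implementation): the Projects audit scores Compliant / Non-Compliant / In Progress / N/A, and the internal track scores Implemented / In Progress / Not Started / Not Applicable. The scorer assumes that N/A and Not Applicable are excluded from the denominator, that In Progress lowers the score without becoming a finding, and that findings are ordered High before Medium before Low; the sample assessment is constructed.

```python
from dataclasses import dataclass

# Status vocabularies of the two tracks, mapped to how the score treats them.
# Assumption: "In Progress" lowers the score but only a gap becomes a finding.
PROJECT_STATUSES = {"Compliant": "met", "Non-Compliant": "gap",
                    "In Progress": "partial", "N/A": "excluded"}
INTERNAL_STATUSES = {"Implemented": "met", "Not Started": "gap",
                     "In Progress": "partial", "Not Applicable": "excluded"}
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}

@dataclass
class Control:
    control_id: str
    domain: str
    status: str
    risk: str = "Medium"   # risk level used if the control becomes a finding
    notes: str = ""

def score(controls, vocab):
    """Return (score_pct, findings): met / assessable controls, with
    excluded (N/A) controls left out of the denominator.
    An unknown status raises so a typo cannot silently inflate the score."""
    met = assessable = 0
    findings = []
    for c in controls:
        kind = vocab.get(c.status)
        if kind is None:
            raise ValueError(f"{c.control_id}: unknown status {c.status!r}")
        if kind == "excluded":
            continue
        assessable += 1
        if kind == "met":
            met += 1
        elif kind == "gap":
            findings.append(c)
    # Highest risk first, then by control id, so the export reads top-down.
    findings.sort(key=lambda c: (RISK_ORDER[c.risk], c.control_id))
    pct = round(100 * met / assessable, 1) if assessable else 0.0
    return pct, findings

# Constructed sample assessment for one project audit (not real audit data).
SAMPLE_AUDIT = [
    Control("CC6.1", "Access Control", "Non-Compliant", "High",
            "MFA not enforced for admin accounts"),
    Control("CC6.4", "Physical Security", "In Progress"),
    Control("CC7.4", "System Operations", "Compliant"),
    Control("CC8.1", "Change Management", "Compliant"),
    Control("A1.2", "Availability", "N/A", notes="No uptime commitment in deal"),
]
```

The same `score` function serves the internal track by passing `INTERNAL_STATUSES`, which is how a dashboard readiness score across frameworks can share one definition with the project scorecard.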

SOC 2 TYPE II

AICPA Trust Services Criteria

  • Access Control (CC6) — User access lists, provisioning/de-provisioning logs, MFA configuration screenshots, RBAC policy documents
  • System Operations (CC7) — Monitoring dashboards, incident tickets, alert configurations, on-call runbooks
  • Change Management (CC8) — Change tickets, approval records, test results, rollback procedures, version control history
  • Availability (A1) — Uptime reports, capacity monitoring graphs, BCP/DR test results, RTO/RPO documentation
  • Confidentiality (C1) — Data classification policy, encryption configuration, data retention and disposal records
  • Risk Assessment (CC3) — Annual risk register, threat model, vendor risk assessments

CMMC 2.0 LEVEL 2

NIST SP 800-171 · 110 Practices

  • Access Control (AC) — SSP, account management procedures, session timeout configs, remote access policies
  • Identification & Authentication (IA) — MFA screenshots, password policy enforcement evidence, credential management procedures
  • Audit & Accountability (AU) — Audit log samples, log retention policy (min 3 years), log integrity controls
  • Configuration Management (CM) — Baseline configuration documents, system inventory, hardening guides (CIS benchmarks)
  • Physical Protection (PE) — Visitor logs, badge access reports, CCTV policies, environmental monitoring reports
  • Incident Response (IR) — IR plan, tabletop exercise records, incident reports (with CUI impact assessment)
  • Media Protection (MP) — Media sanitization certificates (NIST 800-88 compliant), chain of custody forms

US FEDERAL STANDARDS

FISMA · NIST 800-53 · EO 14028 · FedRAMP

  • FISMA — SSP, PIA, ATO package, continuous monitoring reports
  • EO 14028 — Zero Trust — Zero Trust Architecture roadmap, identity governance documentation, network microsegmentation diagrams
  • EO 14028 — Log Retention — Log retention policy (30-month minimum), log aggregation topology, log integrity controls
  • EO 14028 — EDR — EDR deployment coverage report, agent health dashboard, response playbooks
  • FedRAMP — Alternate processing site agreement, emergency power test records, UPS capacity reports
  • Software Supply Chain — SBOM, vendor attestation letters, SSDF compliance evidence

HIGH
MFA not enforced for privileged accounts

Remote and local access to admin/root accounts lacks multi-factor authentication. Affects: IA.L2-3.5.3, FISMA-IA-2, EO14028-5, CC6.1

Recommendation: Deploy Duo, Okta, or Microsoft Authenticator. Enforce via Group Policy or Conditional Access. Document policy and evidence screenshots.

HIGH
No formal incident response plan

No documented IR plan or the plan has not been tested in the past 12 months. Affects: CC7.4, IR.L2-3.6.1, FISMA-IR-4

Recommendation: Develop IR plan per NIST SP 800-61. Conduct tabletop exercise annually. Document exercise findings and plan revisions.

HIGH
CUI / sensitive data not encrypted at rest

Storage volumes containing controlled or confidential data lack encryption. Affects: SC.L2-3.13.16, FISMA-SC-28, CC6.7, C1.1

Recommendation: Enable AES-256 encryption on all storage. Use FIPS 140-2 validated cryptographic modules. Provide key management documentation.

MED
Audit log retention below required threshold

Logs purged before 90 days (CMMC) or 30 months (EO 14028). Affects: AU.L2-3.3.1, EO14028-3, FISMA-AU-12

Recommendation: Configure log aggregator with compliant retention. For federal work: 30-month hot/warm storage. Automate archival to cold storage.

MED
No formal vulnerability scanning program

Ad-hoc scanning only; no scheduled scans or remediation tracking. Affects: RM.L2-3.11.2, FISMA-RA-5

Recommendation: Deploy Tenable, Qualys, or Rapid7. Run authenticated scans weekly. Track findings in a remediation register with SLA-based closure targets.

MED
Physical access logs not maintained or reviewed

Visitor logs incomplete; no periodic review of physical access. Affects: CC6.4, PE.L2-3.10.4, FISMA-PE-6

Recommendation: Deploy badge access system with automated logging. Export and review reports monthly. Retain logs minimum 1 year.

LOW
Security awareness training not documented

Training conducted informally with no completion records. Affects: AT.L2-3.2.1, AT.L2-3.2.2

Recommendation: Use KnowBe4, Proofpoint, or similar LMS. Track completions. Annual training + quarterly phishing simulations. Retain records 3 years.

LOW
System inventory not maintained

No up-to-date hardware and software inventory. Affects: CM.L2-3.4.1, FISMA-CM-8, CIS-1.1, CIS-2.1

Recommendation: Implement CMDB (Snipe-IT, Lansweeper, ServiceNow). Auto-discover with network scans. Review and reconcile quarterly.

STAGE 1–2

Discovery & Checklist

  • Establish security policies (Access Control, Incident Response, Change Management)
  • Define organizational roles and responsibilities
  • Engage a compliance advisor or vCISO
  • Select compliance framework target (SOC 2, CMMC 2, or Federal)
  • Begin asset inventory and data classification

STAGE 3–4

Technical BOM

  • Physical security design: badge access, CCTV, environmental monitoring
  • Network architecture: segmentation, boundary protection, firewall rules
  • Baseline configuration hardening (CIS benchmarks)
  • Deploy logging infrastructure
  • Vulnerability scanning setup

STAGE 5–6

Tenant & Proposal

  • Implement MFA across all accounts
  • Deploy EDR (endpoint detection and response)
  • Conduct first tabletop IR exercise
  • Complete security awareness training rollout
  • Begin evidence collection for audit
  • Vendor and supply chain risk assessments

STAGE 7

Contract & Operations

  • Conduct formal audit (SOC 2 Type II requires 6–12 months of evidence)
  • Remediate all HIGH and MEDIUM findings before contract close
  • Establish continuous monitoring programme
  • Zero Trust Architecture roadmap (for federal work)
  • Annual re-certification schedule

Manage all integrations from Settings → Integrations.

ENTERPRISE SYSTEM (DES)

Pipeline sync · DCB & Retrofit deals

  • What it does — Pulls active deals from the DARKNX Enterprise System DCB and Retrofit pipelines and makes them available for import into GRC Projects.
  • How to use — Go to Projects → Import from DES. Select a deal and a compliance framework to create a linked audit project.
  • Configure — Set DES_APP_URL and DES_API_KEY in Railway environment variables. Trigger sync from Integrations.

GOOGLE WORKSPACE

Identity provider · People sync

  • What it does — Google Workspace is the identity provider for all GRC authentication via OAuth 2.0 with MFA. The Workspace sync imports org members into the People directory for control ownership assignment.
  • How to use — Go to Integrations → Google Workspace → Connect. Authorise the GRC app in your Google admin console, then run Sync to import people.
  • Permissions required — Directory read access (admin.directory.user.readonly) in Google Workspace admin.

GITHUB

Change management evidence

  • What it does — Connects to a GitHub organisation to surface repository activity as change management evidence for controls such as CC8.1 (Change Management) and PR.PS-06 (Secure Development).
  • How to use — Go to Integrations → GitHub → Save. Provide your GitHub organisation name and personal access token with repo:read scope.
  • Evidence generated — Commit history, branch protection status, and recent deployment activity linked to relevant controls.
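Added example, not part of the DARKNX GRC integration code: how a branch-protection response from GitHub's REST API could be turned into a CC8.1 evidence record with a control status. It assumes the field names of GitHub's branch-protection response (required_pull_request_reviews, enforce_admins, required_status_checks) and picks its own minimum bar (one approving review, stale reviews dismissed, admins not exempt, at least one required status check); the sample responses are constructed, so the block runs offline.

```python
import json

# Minimum bar applied by this example (an assumption, not a framework
# threshold): >= min_reviews approving reviews, stale reviews dismissed,
# admins not exempt, and at least one required status check context.
def evaluate_branch_protection(protection, min_reviews=1):
    """protection: parsed JSON from GET /repos/{owner}/{repo}/branches/{branch}/protection,
    or None when the API answered 404 (branch not protected).
    Returns (status, checks) where status uses the Projects-track vocabulary."""
    if protection is None:
        return "Non-Compliant", {"protected": False}
    reviews = protection.get("required_pull_request_reviews") or {}
    status_checks = protection.get("required_status_checks") or {}
    checks = {
        "protected": True,
        "min_reviews": reviews.get("required_approving_review_count", 0) >= min_reviews,
        "dismiss_stale_reviews": bool(reviews.get("dismiss_stale_reviews")),
        "admins_enforced": bool((protection.get("enforce_admins") or {}).get("enabled")),
        "status_checks": bool(status_checks.get("contexts")),
    }
    status = "Compliant" if all(checks.values()) else "Non-Compliant"
    return status, checks

def evidence_record(repo, branch, protection):
    """Evidence note for a CC8.1 control record: status plus the checks that failed."""
    status, checks = evaluate_branch_protection(protection)
    failed = sorted(name for name, ok in checks.items() if not ok)
    return {"control": "CC8.1", "source": f"github:{repo}@{branch}",
            "status": status, "failed_checks": failed}

# Constructed sample responses (not captured from a real organisation).
SAMPLE_PROTECTED = json.loads("""{
  "required_status_checks": {"strict": true, "contexts": ["ci/build", "ci/test"]},
  "enforce_admins": {"enabled": true},
  "required_pull_request_reviews": {"required_approving_review_count": 2,
                                    "dismiss_stale_reviews": true},
  "restrictions": null
}""")
SAMPLE_WEAK = json.loads("""{
  "required_status_checks": null,
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {"required_approving_review_count": 1,
                                    "dismiss_stale_reviews": false}
}""")
```

The failed-check names are what an auditor would want alongside the raw API response, since "branch protection enabled" alone does not show that admins are held to the same review gate.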

Planned features for future development. Not yet available in the current release.

PLANNED

Evidence Vault

File attachment support per control. Upload PDFs, screenshots, policy docs, and configuration exports directly to a control record. Tied to control ID for automated evidence package generation at export time.

Per-control attachments · Evidence package export · Audit-ready

PLANNED

Remediation Tracker

Track open control gaps across all frameworks. Assign owners, set due dates, add comments. Dashboard showing aging items by risk level with overdue alerts.

Owner assignment · Due dates & SLAs · Gap dashboard

FUTURE

Cross-Framework Gap Analysis

Identify controls that map across multiple frameworks so implementing one satisfies several. Portfolio-level compliance heatmap showing systemic gaps across all active frameworks.

Control mapping · Portfolio heatmap · Executive summary

FUTURE

Compliance Calendar

Track audit cycle dates, certification renewals, evidence refresh deadlines. Dashboard view of upcoming audit windows across all projects. Calendar export (iCal).

Audit scheduling · Renewal tracking · iCal export

FUTURE

Vendor / Subprocessor Register

Track third-party vendors, certifications, and review dates. Auto-populate CC9.2 evidence. Risk-tier each vendor. Flag expired certifications.

Vendor database · Cert tracking · Risk tiering

FUTURE

Continuous Control Monitoring

API integrations with cloud providers, vulnerability scanners, and identity tools to auto-verify control status in real time. Drift alerts when a control degrades from compliant.

Cloud API · Real-time drift · Auto-verification