GOVERNANCE

The policies, roles, and decision-making structures that define how your organisation manages risk. Includes security policies, access control procedures, and board-level accountability.

RISK

Identifying, assessing, and treating threats to your operations and data. Includes risk registers, vendor assessments, and continuous monitoring of your threat landscape.

COMPLIANCE

Demonstrating adherence to external standards (SOC 2, CMMC 2.0, ISO 27001, FedRAMP) and internal policies. Produces audit-ready evidence packages for auditors and clients.

WHAT THIS TOOL DOES

DARKNX GRC gives you two parallel tracks. The Projects track audits individual data center assets against external frameworks, generating scorecards, findings, and exportable reports for client due diligence. The DARKNX track manages your own organisation's internal controls, policies, and people across ISO 27001, NIST CSF, CIS v8, PIPEDA, and more. Together they give DARKNX a single pane of glass across both deal-side and internal compliance posture.

DATA CENTER PROJECT AUDIT

SOC 2, CMMC 2.0, US Federal Standards

  1. Create a project — Go to Projects → New Project. Enter the data center name, location, capacity, and deal type.
  2. Start an audit session — Open the project and select a compliance framework. SOC 2 Type II is recommended for most commercial deals; CMMC 2.0 for DoD-adjacent work.
  3. Review controls by domain — Work through each domain (Access Control, Physical Security, Change Management, etc.). For each control mark Compliant, Non-Compliant, In Progress, or N/A.
  4. Record findings — Non-compliant controls become findings. Set the risk level (High / Medium / Low) and add notes with remediation detail.
  5. Track progress — The compliance score updates in real time as you assess controls. Revisit non-compliant items as evidence is gathered.
  6. Export — Use Report, CSV, or PDF from the audit session to generate a compliance package for clients, auditors, or internal review.

DARKNX INTERNAL GRC

ISO 27001, NIST CSF, CIS v8, PIPEDA, SOC 2, CMMC 2.0

  1. Seed a framework — Go to DARKNX → Frameworks. Select a framework (start with ISO 27001 or SOC 2) and click Seed. This loads all controls for that standard.
  2. Assess controls — Open a framework and work through each control. Set status (Implemented / Partial / Not Implemented), owner, and notes. Controls are grouped by domain.
  3. Add people — Go to DARKNX → People. Add team members with roles and departments. Assign them as control owners for accountability.
  4. Write policies — Go to DARKNX → Policies. Create policy documents that map to control requirements (e.g. Access Control Policy, Incident Response Plan).
  5. Monitor readiness — The DARKNX dashboard shows overall readiness score, controls by status, and open gaps across all seeded frameworks.
  6. Iterate — As controls are implemented, update their status. The readiness score reflects your live compliance posture across all active frameworks.
EVIDENCE REQUIREMENTS

SOC 2 TYPE II

AICPA Trust Services Criteria
  • Access Control (CC6) — User access lists, access provisioning/de-provisioning logs, MFA configuration screenshots, RBAC policy documents
  • System Operations (CC7) — SIEM alerts, incident tickets, monitoring dashboards, on-call runbooks
  • Change Management (CC8) — Change tickets, approval records, test results, rollback procedures
  • Availability (A1) — Uptime reports, capacity monitoring graphs, BCP/DR test results, RTO/RPO documentation
  • Confidentiality (C1) — Data classification policy, encryption key management docs, data destruction records
  • Risk Assessment (CC3) — Annual risk register, threat model, vendor risk assessments
CMMC 2.0 LEVEL 2

NIST SP 800-171 · 110 Practices

  • Access Control (AC) — SSP, account management procedures, session timeout configs, remote access policies
  • Identification & Authentication (IA) — MFA screenshots, password policy enforcement evidence, credential management procedures
  • Audit & Accountability (AU) — Audit log samples, SIEM configuration, log retention policy (min 3 years)
  • Configuration Management (CM) — Baseline configuration documents, system inventory, hardening guides (CIS benchmarks)
  • Physical Protection (PE) — Visitor logs, badge access reports, CCTV policies, environmental monitoring reports
  • Incident Response (IR) — IR plan, tabletop exercise records, incident reports (with CUI impact assessment)
  • Media Protection (MP) — Media sanitization certificates (NIST 800-88 compliant), chain of custody forms
US FEDERAL STANDARDS

FISMA · NIST 800-53 · EO 14028 · FedRAMP

  • FISMA — SSP, PIA, ATO package, continuous monitoring reports
  • EO 14028 — Zero Trust — Zero Trust Architecture roadmap, identity governance documentation, network microsegmentation diagrams
  • EO 14028 — Log Retention — Log retention policy (30-month minimum), SIEM topology diagram, log integrity controls
  • EO 14028 — EDR — EDR deployment coverage report, agent health dashboard, response playbooks
  • FedRAMP — Alternate processing site agreement, emergency power test records, UPS capacity reports
  • Software Supply Chain — SBOM, vendor attestation letters, SSDF compliance evidence
COMMON FINDINGS

HIGH
MFA not enforced for privileged accounts

Remote and local access to admin/root accounts lacks multi-factor authentication. Affects: IA.L2-3.5.3, FISMA-IA-2, EO14028-5, CC6.1

Recommendation: Deploy Duo, Okta, or Microsoft Authenticator. Enforce via Group Policy or Conditional Access. Document policy and evidence screenshots.

HIGH
No formal incident response plan

No documented IR plan or the plan has not been tested in the past 12 months. Affects: CC7.4, IR.L2-3.6.1, FISMA-IR-4

Recommendation: Develop IR plan per NIST SP 800-61. Conduct tabletop exercise annually. Document exercise findings and plan revisions.

HIGH
CUI not encrypted at rest

Storage volumes containing controlled data lack encryption. Affects: SC.L2-3.13.16, FISMA-SC-28, CC6.7, C1.1

Recommendation: Enable AES-256 encryption on all storage. Use FIPS 140-2 validated cryptographic modules. Provide key management documentation.

MED
Audit log retention below required threshold

Logs purged before 90 days (CMMC) or 30 months (EO 14028). Affects: AU.L2-3.3.1, EO14028-3, FISMA-AU-12

Recommendation: Configure SIEM/log aggregator with compliant retention. For federal work: 30-month hot/warm storage. Automate archival to cold storage (S3/GCS).

MED
No formal vulnerability scanning program

Ad-hoc scanning only; no scheduled scans or remediation tracking. Affects: RM.L2-3.11.2, FISMA-RA-5

Recommendation: Deploy Tenable, Qualys, or Rapid7. Run authenticated scans weekly. Track findings in a remediation register with SLA-based closure targets.

MED
Physical access logs not maintained or reviewed

Visitor logs incomplete; no periodic review of physical access. Affects: CC6.4, PE.L2-3.10.4, FISMA-PE-6

Recommendation: Deploy badge access system with automated logging. Export and review reports monthly. Retain logs minimum 1 year.

LOW
Security awareness training not documented

Training conducted informally with no completion records. Affects: AT.L2-3.2.1, AT.L2-3.2.2

Recommendation: Use KnowBe4, Proofpoint, or similar LMS. Track completions. Annual training + quarterly phishing simulations. Retain records 3 years.

LOW
System inventory not maintained

No up-to-date hardware and software inventory. Affects: CM.L2-3.4.1, FISMA-CM-8

Recommendation: Implement CMDB (Snipe-IT, Lansweeper, ServiceNow). Auto-discover with network scans. Review and reconcile quarterly.
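The findings catalogue above can be turned into a repeatable pre-audit check: record a handful of facts about a site and evaluate them against the same thresholds the findings state. The block below is an added example, not a DARKNX checker. The finding titles, severities and the control IDs in each "Affects" line are the page's; the SiteFacts field names, the 30-day month used to express the 30-month EO 14028 retention rule in days, and the 12-month window for IR plan testing are assumptions.

```python
"""Check a site's recorded facts against the common findings catalogued above.

Added example, not a DARKNX checker. Finding titles, severities and the
control IDs in each 'Affects' line come from the page; the SiteFacts field
names, the 30-day month used to turn the 30-month EO 14028 rule into days,
and the 12-month IR test window are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DAYS_PER_MONTH = 30                                 # assumed conversion factor
CMMC_LOG_RETENTION_DAYS = 90                        # from the page (CMMC)
EO14028_LOG_RETENTION_DAYS = 30 * DAYS_PER_MONTH    # 30 months per the page
IR_TEST_WINDOW_DAYS = 365                           # "tested in the past 12 months"
SEVERITY_ORDER = {"HIGH": 0, "MED": 1, "LOW": 2}


@dataclass
class SiteFacts:
    mfa_on_privileged: bool
    ir_plan_documented: bool
    ir_plan_last_tested_days_ago: Optional[int]  # None = never tested
    cui_encrypted_at_rest: bool
    log_retention_days: int
    federal_scope: bool                          # EO 14028 applies
    scheduled_vuln_scans: bool
    physical_access_logs_reviewed: bool
    training_completion_records: bool
    inventory_current: bool


def required_log_retention_days(federal_scope: bool) -> int:
    """CMMC needs 90 days; federal work raises that to 30 months."""
    return EO14028_LOG_RETENTION_DAYS if federal_scope else CMMC_LOG_RETENTION_DAYS


def evaluate(f: SiteFacts) -> list[dict]:
    """Return the findings that apply to this site, HIGH first."""
    out = []

    def add(sev, title, affects):
        out.append({"severity": sev, "title": title, "affects": affects})

    if not f.mfa_on_privileged:
        add("HIGH", "MFA not enforced for privileged accounts",
            ["IA.L2-3.5.3", "FISMA-IA-2", "EO14028-5", "CC6.1"])
    tested = f.ir_plan_last_tested_days_ago
    if not f.ir_plan_documented or tested is None or tested > IR_TEST_WINDOW_DAYS:
        add("HIGH", "No formal incident response plan",
            ["CC7.4", "IR.L2-3.6.1", "FISMA-IR-4"])
    if not f.cui_encrypted_at_rest:
        add("HIGH", "CUI not encrypted at rest",
            ["SC.L2-3.13.16", "FISMA-SC-28", "CC6.7", "C1.1"])
    if f.log_retention_days < required_log_retention_days(f.federal_scope):
        add("MED", "Audit log retention below required threshold",
            ["AU.L2-3.3.1", "EO14028-3", "FISMA-AU-12"])
    if not f.scheduled_vuln_scans:
        add("MED", "No formal vulnerability scanning program",
            ["RM.L2-3.11.2", "FISMA-RA-5"])
    if not f.physical_access_logs_reviewed:
        add("MED", "Physical access logs not maintained or reviewed",
            ["CC6.4", "PE.L2-3.10.4", "FISMA-PE-6"])
    if not f.training_completion_records:
        add("LOW", "Security awareness training not documented",
            ["AT.L2-3.2.1", "AT.L2-3.2.2"])
    if not f.inventory_current:
        add("LOW", "System inventory not maintained",
            ["CM.L2-3.4.1", "FISMA-CM-8"])
    return sorted(out, key=lambda x: SEVERITY_ORDER[x["severity"]])


# Constructed sample: a site that passes a commercial checklist but keeps logs
# for only 180 days while in federal scope, and last ran a tabletop 14 months ago.
SAMPLE_SITE = SiteFacts(
    mfa_on_privileged=True,
    ir_plan_documented=True,
    ir_plan_last_tested_days_ago=425,
    cui_encrypted_at_rest=True,
    log_retention_days=180,
    federal_scope=True,
    scheduled_vuln_scans=True,
    physical_access_logs_reviewed=True,
    training_completion_records=True,
    inventory_current=True,
)

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_SITE):
        print(finding["severity"], finding["title"], "->", ", ".join(finding["affects"]))
```

The sample site is the case that trips people up: 180 days of logs is double the CMMC floor, yet the same site in federal scope is still five times short of the 30-month EO 14028 requirement, so the check must know which scope applies before it judges retention.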

COMPLIANCE ROADMAP

STAGE 1–2 Discovery & Checklist
  • Establish security policies (Access Control, Incident Response, Change Management)
  • Define organizational roles and responsibilities
  • Engage a compliance advisor or vCISO
  • Select compliance framework target (SOC 2, CMMC 2, or Federal)
  • Begin asset inventory
STAGE 3–4 Technical BOM
  • Physical security design: badge access, CCTV, environmental monitoring
  • Network architecture: segmentation, boundary protection, firewall rules
  • Baseline configuration hardening (CIS benchmarks)
  • Deploy logging/SIEM infrastructure
  • Vulnerability scanning setup
STAGE 5–6 Tenant & Proposal
  • Implement MFA across all accounts
  • Deploy EDR (endpoint detection and response)
  • Conduct first tabletop IR exercise
  • Complete security awareness training rollout
  • Begin evidence collection for audit
  • Vendor/supply chain risk assessments
STAGE 7 Contract & Operations
  • Conduct formal audit (SOC 2 Type II requires 6–12 months of evidence)
  • Remediate all HIGH and MEDIUM findings before contract close
  • Establish continuous monitoring program
  • Zero Trust Architecture roadmap (for federal work)
  • Annual re-certification schedule

PLATFORM SUGGESTIONS

Features that would significantly improve audit workflow and compliance posture for DARKNX.

PRIORITY

Evidence Vault

File attachment support per control result. Upload PDFs, screenshots, policy docs, and configuration exports. Tied to control ID for easy audit evidence package generation.

Tags: S3/GCS storage · Per-control attachments · Evidence package export

PRIORITY

Remediation Tracker

Track open findings across all projects. Assign owners, set due dates, add comments. Dashboard showing aging findings by risk level. Email alerts for overdue items.

Tags: Owner assignment · Due dates & SLAs · Email notifications

MEDIUM

Multi-Auditor Workflow

Assign specific control domains to different team members. Track reviewer progress per domain. Reviewer sign-off with digital signature equivalent. Conflict of interest controls.

Tags: Domain assignments · Role-based access · Review sign-off

MEDIUM

Compliance Calendar

Track audit cycle dates, certification renewals, evidence refresh deadlines. Dashboard view of upcoming audit windows across all projects. Calendar export (iCal).

Tags: Audit scheduling · Renewal tracking · iCal export

MEDIUM

Cross-Project Dashboard

Portfolio-level compliance view: heatmap of compliance scores across all projects and frameworks. Identify systemic gaps affecting multiple sites. Executive-ready summary.

Tags: Portfolio heatmap · Trend charts · Executive summary

FUTURE

AI-Assisted Control Assessment

Upload a policy document or config file; AI extracts relevant compliance signals and suggests control statuses. Analyze evidence automatically and draft findings.

Tags: AI analysis · Document parsing · Auto-findings draft

FUTURE

Vendor / Subprocessor Register

Track third-party vendors, their certifications, and review dates. Auto-populate CC9.2 evidence. Risk tier each vendor. Flag expired certifications.

Tags: Vendor database · Cert tracking · Risk tiering

FUTURE

Continuous Control Monitoring

API integrations with AWS/Azure/GCP, Qualys, CrowdStrike, and Okta to auto-verify control status in real time. Drift alerts when a control degrades from compliant.

Tags: Cloud API · Real-time drift · Auto-remediation

EXTERNAL INTEGRATION

DARKNX SALES PLATFORM SYNC (PLACEHOLDER)

Connect to the DARKNX Sales platform to automatically pull project data from the pipeline. New projects at Stage 3+ can trigger audit session creation. Stage transitions can update audit scope.

TO CONNECT:

  1. Provide the DARKNX Sales platform GitHub repo URL
  2. An API endpoint will be added to pull project data in JSON format
  3. Set DARKNX_API_URL and DARKNX_API_KEY env vars in Railway
  4. Projects will sync on a schedule or on-demand
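The sync described above, as an added example that is not the integration DARKNX ships. The environment variable names DARKNX_API_URL and DARKNX_API_KEY and the "Stage 3+ creates an audit session" rule are the page's; the /projects path, the bearer-token Authorization header, and the shape of a project record ({"id", "name", "stage"}) are assumptions. The planning step is separated from the HTTP call so it can be run and checked against a constructed payload without network access.

```python
"""Sync planner for the DARKNX Sales integration sketched above.

Added example, not the integration DARKNX ships. The env var names
DARKNX_API_URL / DARKNX_API_KEY and the Stage 3+ trigger come from the page;
the /projects path, the bearer-token header and the shape of a project
record ({"id", "name", "stage"}) are assumptions.
"""
import json
import os
import urllib.request
from typing import Any

AUDIT_TRIGGER_STAGE = 3  # from the page: Stage 3+ creates an audit session


def fetch_projects() -> list[dict[str, Any]]:
    """Pull the project list from the Sales platform (assumed endpoint)."""
    base = os.environ["DARKNX_API_URL"].rstrip("/")
    key = os.environ["DARKNX_API_KEY"]  # read from the environment, never logged
    req = urllib.request.Request(
        f"{base}/projects",
        headers={"Authorization": f"Bearer {key}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def plan_sync(projects: list[dict[str, Any]], sessions: dict[str, int]) -> list[tuple]:
    """Decide what one sync run should do without creating duplicate sessions.

    sessions maps project id -> pipeline stage recorded on the existing audit
    session. Returns (action, project_id, detail) tuples:
      create        - Stage 3+ project with no audit session yet
      update_scope  - session exists but the pipeline stage moved
      skip          - below trigger stage, unchanged, or malformed record
    Running the same payload twice against updated sessions yields only skips,
    which is what a scheduled sync needs.
    """
    actions = []
    for p in projects:
        pid = p.get("id")
        stage = p.get("stage")
        # bool is a subclass of int, so reject it explicitly
        if not isinstance(pid, str) or not isinstance(stage, int) or isinstance(stage, bool):
            actions.append(("skip", str(pid), "malformed record"))
            continue
        if pid in sessions:
            old = sessions[pid]
            if old != stage:
                actions.append(("update_scope", pid, f"stage {old} -> {stage}"))
            else:
                actions.append(("skip", pid, "unchanged"))
        elif stage >= AUDIT_TRIGGER_STAGE:
            actions.append(("create", pid, f"stage {stage}"))
        else:
            actions.append(("skip", pid, f"stage {stage} below trigger"))
    return actions


# Constructed sample payload, standing in for what fetch_projects() would return.
SAMPLE_PROJECTS = [
    {"id": "P-101", "name": "DC North Hall A", "stage": 3},
    {"id": "P-102", "name": "DC West Pod 2", "stage": 2},
    {"id": "P-103", "name": "DC East Expansion", "stage": 5},
    {"id": "P-104", "name": "bad record", "stage": "five"},
]
SAMPLE_SESSIONS = {"P-103": 4}  # constructed: one audit session already exists

if __name__ == "__main__":
    projects = fetch_projects() if "DARKNX_API_URL" in os.environ else SAMPLE_PROJECTS
    for action in plan_sync(projects, SAMPLE_SESSIONS):
        print(*action)
```

Keeping the decision logic pure (no I/O) is what makes the "on a schedule or on-demand" part safe: a rerun with the same payload is a no-op, a malformed record from the upstream API is reported rather than silently turned into an audit session, and the API key never appears in any action or log line.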