M4 — Path
Where to intervene first.
Ranked by RAG, buffer days, stale controls and unowned dependencies. Named dependencies. Named owners. No status-report abstraction.
Off track
1
At risk
1
Controls stale
17
Unowned controls
0
| Status | Regulation | Deadline | Buffer | Controls | Stale | Unowned | Score |
|---|---|---|---|---|---|---|---|
| Off track | SEC Cyber Incident Disclosure Rule USSEC · 5 stale · 5d over | 1 Sep 2026 | -5d | 7 | 5 | — | 140 |
| At risk | Small Business Data Collection — Section 1071 USCFPB · 8 stale · 12d buffer | 1 Oct 2026 | 12d | 11 | 8 | — | 72 |
| On track | OCC Third-Party Risk Management Guidance USOCC · 4 stale | 31 Mar 2027 | 80d | 6 | 4 | — | 12 |
Score combines RAG (0–100), buffer penalty, stale controls (×3) and unowned dependencies (×5). Higher scores need attention first.