Scan / pen-test / IR cadence
Some 2026 controls aren’t “set once and forget” — they must be re-done and re-evidenced on a schedule. This tab tracks each recurring obligation, computes the next due date in your browser, and flags anything overdue.
1. Why a cadence tracker
The proposed 2026 rule turns several controls into fixed-cadence obligations — things you must perform and document on a recurring schedule, not just claim once on a checklist. Auditors increasingly want to see the dated evidence that you actually ran the scan, did the test, or collected the verification. The Scan/IR Cadence tab makes that easy: record each completion, and Ward computes when the next one is due and warns you when it’s overdue.
2. The five tracked artifacts
| ID | Artifact | Interval | CFR | Linked mandate |
|---|---|---|---|---|
| C1 | Vulnerability scan | Every 6 months | 164.308(a)(5)(ii)(B) | G4 |
| C2 | Penetration test | Every 12 months | 164.308(a)(5)(ii)(B) | G4 |
| C3 | Business associate written verification | Every 12 months | 164.308(b)(3) & 164.314(a)(2)(i) | G7 |
| C4 | Backup restoration test (72-hour objective) | Every 12 months | 164.308(a)(7)(ii) | G8 |
| C5 | Incident response plan test | Every 12 months | 164.308(a)(6) | G9 |
Each card shows the artifact’s CFR citation, its interval, a one-line summary of what to do, and an evidence hint.
3. Recording a completion
There are two ways to log that you did one of these:
- Mark done today — click the button. Ward sets the “last completed” date to today and adds a dated entry to the history.
- Set the date manually — use the Last completed date picker to enter the actual date it happened (useful for backfilling a scan you ran last month).
4. Status & due-date logic
Ward computes the next due date as last-completed date + the interval, then assigns a status by comparing it to today:
| Status | Means |
|---|---|
| Not done | You’ve never recorded a completion for this artifact. |
| Current (green) | Done, and the next due date is more than ~30 days away. |
| Due soon (amber) | The next due date is within ~30 days. |
| Overdue (red) | The next due date has already passed. |
A stats strip at the top counts total artifacts, how many are Overdue, and how many were Never recorded. Example: a vulnerability scan last completed 2026-01-01 (6-month interval) is due 2026-07-01; on 2026-06-14 that’s “Due soon.”
All local. Due dates and overdue status are calculated entirely in your browser by simple date math — nothing is sent anywhere.
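The due-date and status rules from this section, as an added JavaScript example (not Ward's own code; the function names are hypothetical). It assumes ISO `YYYY-MM-DD` dates, treats "~30 days" as exactly 30, clamps month-end dates to the last day of the target month, and counts the due date itself as "Due soon".

```javascript
// Added example, not Ward's source. Function names are hypothetical.
// Assumptions: ISO YYYY-MM-DD input, "~30 days" treated as exactly 30.
const DUE_SOON_DAYS = 30;
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse as UTC midnight so time zones and DST cannot shift the calendar day.
function parseIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) throw new Error(`invalid date: ${s}`);
  const [y, mo, d] = m.slice(1).map(Number);
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Reject values the Date constructor would silently roll over (e.g. 2026-02-30).
  const ok = dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
  if (!ok) throw new Error(`invalid date: ${s}`);
  return dt;
}

// Add calendar months, clamping to the last day of the target month
// (assumed behaviour: 2025-08-31 + 6 months -> 2026-02-28, not 2026-03-03).
function addMonths(date, months) {
  const y = date.getUTCFullYear();
  const m = date.getUTCMonth() + months;
  const lastDay = new Date(Date.UTC(y, m + 1, 0)).getUTCDate();
  return new Date(Date.UTC(y, m, Math.min(date.getUTCDate(), lastDay)));
}

// Returns the status names used in the table above.
function cadenceStatus(lastCompleted, intervalMonths, today) {
  if (!lastCompleted) return { status: "Not done", nextDue: null, daysLeft: null };
  const due = addMonths(parseIsoDate(lastCompleted), intervalMonths);
  const daysLeft = Math.round((due - parseIsoDate(today)) / DAY_MS);
  let status = "Current";
  if (daysLeft < 0) status = "Overdue"; // due date already passed
  else if (daysLeft <= DUE_SOON_DAYS) status = "Due soon"; // includes the due date itself
  return { status, nextDue: due.toISOString().slice(0, 10), daysLeft };
}

// Constructed sample data: the page's example plus the other statuses.
const today = "2026-06-14";
for (const [id, last, months] of [
  ["C1", "2026-01-01", 6],  // page's example: due 2026-07-01
  ["C2", "2025-06-01", 12], // due date already passed
  ["C4", "2025-08-31", 12], // well inside its interval
  ["C5", null, 12],         // never recorded
]) {
  console.log(id, cadenceStatus(last, months, today));
}
```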
5. Evidence notes
Each artifact has an Evidence field. Record a reference to the proof — the report file name, tool, date, host count, tester/firm, scope, or where the document is stored. The card’s placeholder shows a hint of what to capture (e.g. for a restore test: “date, systems restored, time-to-restore, pass/fail”).
Don’t paste PHI here. The evidence field is for references to documents (“VulnScan-2026-06.pdf in the compliance share”), not the documents themselves and never patient data. The field label says “no PHI” for this reason.
6. History log
Every time you “Mark done today,” Ward appends a dated entry (with the evidence note at that time) to the artifact’s history. The card shows the recent history inline, giving you a chronological record of every scan/test/verification — exactly the kind of trail an auditor asks for.
7. Dashboard reminders
You don’t have to remember to check this tab. The Dashboard surfaces any Overdue or Due soon cadence artifacts in a callout, with an “Open Scan/IR Cadence →” button. Overdue items make the callout red; due-soon items make it amber.
Roadmap note — external reminders. These reminders are computed and shown in the browser. There is no email, SMS, or calendar delivery today; any external reminder delivery would be an opt-in future feature. So check the app (or the Dashboard) periodically — Ward won’t message you.
8. Exporting the cadence log
From the Scan/IR Cadence tab you can export the full log as CSV or Markdown (artifact, rule, interval, last done, next due, status, evidence). It’s also bundled into the audit binder ZIP as 10-cadence-log.md (“scan/pen-test/IR/restore cadence log with due dates — 2026 requirement”).