This voluntary Framework (the NIST Cybersecurity Framework, whose subcategory identifiers are used as the control IDs below) consists of standards, guidelines, and best practices to manage cybersecurity risk.


Control     Description
ID.AM-1     Physical devices and systems within the organization are inventoried.
ID.AM-2     Software platforms and applications within the organization are inventoried.
ID.AM-5     Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.
ID.AM-6     Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.
ID.GV-1     Organizational information security policy is established.
ID.GV-2     Information security roles & responsibilities are coordinated and aligned with internal roles and external partners.
ID.GV-3     Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
ID.GV-4     Governance and risk management processes address cybersecurity risks.
ID.RA-6     Risk responses are identified and prioritized.
ID.RM-1     Risk management processes are established, managed, and agreed to by organizational stakeholders.
PR.AC-1     Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes.
PR.AC-3     Remote access is managed.
PR.AC-4     Access permissions are managed, incorporating the principles of least privilege and separation of duties.
PR.AC-5     Network integrity is protected, incorporating network segregation where appropriate.
PR.AT-2     Privileged users understand roles & responsibilities.
PR.DS-1     Data-at-rest is protected.
PR.DS-2     Data-in-transit is protected.
PR.DS-3     Assets are formally managed throughout removal, transfers, and disposition.
PR.DS-4     Adequate capacity to ensure availability is maintained.
PR.DS-5     Protections against data leaks are implemented.
PR.DS-6     Integrity checking mechanisms are used to verify software, firmware, and information integrity.
PR.IP-1     A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g., concept of least functionality).
PR.IP-3     Configuration change control processes are in place.
PR.IP-4     Backups of information are conducted, maintained, and tested periodically.
PR.IP-6     Data is destroyed according to policy.
PR.IP-9     Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
PR.PT-1     Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
PR.PT-3     Access to systems and assets is controlled, incorporating the principle of least functionality.
PR.PT-4     Communications and control networks are protected.
PR.PT-5     Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations.
DE.AE-1     A baseline of network operations and expected data flows for users and systems is established and managed.
DE.AE-2     Detected events are analyzed to understand attack targets and methods.
DE.AE-5     Incident alert thresholds are established.
DE.CM-3     Personnel activity is monitored to detect potential cybersecurity events.
DE.CM-4     Malicious code is detected.
DE.CM-5     Unauthorized mobile code is detected.
DE.CM-7     Monitoring for unauthorized personnel, connections, devices, and software is performed.
DE.CM-8     Vulnerability scans are performed.
DE.DP-1     Roles and responsibilities for detection are well defined to ensure accountability.
DE.DP-2     Detection activities comply with all applicable requirements.
DE.DP-4     Event detection information is communicated to appropriate parties.
RS.CO-1     Personnel know their roles and order of operations when a response is needed.
RS.CO-3     Information is shared consistent with response plans.
RS.AN-1     Notifications from detection systems are investigated.
RS.AN-3     Forensics are performed.
RS.MI-1     Incidents are contained.
RS.MI-2     Incidents are mitigated.
RS.MI-3     Newly identified vulnerabilities are mitigated or documented as accepted risks.
RC.RP-1     Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.



To view the available Compliance Programs, open Compliance in your Aqua CSPM Console and select Defaults or Custom to filter the programs displayed. You can also expand the control details of a program using the Expand Settings toggle.