CIS Controls v8
Prioritized set of actions to protect organizations and data from cyber attack vectors
Total controls: 14
Implemented: 8
Partial: 5
Coverage: 61.5%
Control Families
1 — Inventory and Control of Enterprise Assets
Actively manage all enterprise assets connected to the infrastructure
Family coverage: 0.0% (1 control)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 1.1 | Establish and Maintain Enterprise Asset Inventory | partial | cdk_stacks, aws_config | CDK stacks define all infrastructure; AWS Config can enumerate resources |
2 — Inventory and Control of Software Assets
Actively manage all software on the network
Family coverage: 50.0% (2 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 2.1 | Establish and Maintain Software Inventory | implemented | pyproject_toml, requirements_lambda | All dependencies declared and version-pinned |
| 2.3 | Address Unauthorized Software | partial | dependabot, pip_audit | Dependabot alerts on known vulnerabilities; manual review cycle |
3 — Data Protection
Develop processes and technical controls to identify, classify, and protect data
Family coverage: 33.3% (3 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 3.1 | Establish and Maintain a Data Management Process | partial | memory_tiers, data_classification | 3-tier memory architecture with clear retention policies; formal data classification needed |
| 3.6 | Encrypt Data on End-User Devices | not applicable | | Cloud-native serverless — no end-user devices |
| 3.11 | Encrypt Sensitive Data at Rest | implemented | kms_keys, dynamodb_encryption, s3_encryption | KMS encryption on all data stores |
4 — Secure Configuration of Enterprise Assets and Software
Establish and maintain secure configurations
Family coverage: 100.0% (1 control)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 4.1 | Establish and Maintain a Secure Configuration Process | implemented | cdk_stacks, scp_policies | All infrastructure defined as CDK code with security defaults; SCPs enforce guardrails |
6 — Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials
Family coverage: 50.0% (2 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 6.1 | Establish an Access Granting Process | implemented | iam_policies, oidc_provider | OIDC for CI/CD, scoped IAM policies per service, no shared credentials |
| 6.2 | Establish an Access Revoking Process | partial | iam_policies | Manual process — automate with SCIM in Sprint 9 |
8 — Audit Log Management
Collect, alert, review, and retain audit logs
Family coverage: 100.0% (2 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 8.2 | Collect Audit Logs | implemented | cloudtrail, cloudwatch_logs, xray_traces | CloudTrail for API audit, CloudWatch for application logs, X-Ray for tracing |
| 8.5 | Collect Detailed Audit Logs | implemented | structlog, cloudtrail | Structured JSON logging via structlog, tamper-proof CloudTrail |
13 — Network Monitoring and Defense
Operate processes and tooling to detect and prevent network-based threats
Family coverage: 0.0% (1 control)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 13.1 | Centralize Security Event Alerting | partial | guardduty, cloudwatch_alarms | GuardDuty for threat detection; centralized alerting pipeline needed |
16 — Application Software Security
Manage the security lifecycle of in-house developed software
Family coverage: 100.0% (2 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| 16.1 | Establish and Maintain a Secure Application Development Process | implemented | ci_cd_pipeline, ruff_linter, github_pr_reviews | CI runs lint+tests+synth on every PR; ruff catches security issues (S rules) |
| 16.4 | Establish and Manage an Inventory of Third-Party Software Components | implemented | pyproject_toml, requirements_lambda, dependabot | pyproject.toml + requirements-lambda.txt declare all deps; Dependabot monitors |
Gaps Requiring Remediation (5)
| Control | Family | Title | Status | Cross-Mappings | Notes |
|---|---|---|---|---|---|
| 1.1 | Inventory and Control of Enterprise Assets | Establish and Maintain Enterprise Asset Inventory | partial | nist_csf:ID.AM-01 | CDK stacks define all infrastructure; AWS Config can enumerate resources |
| 2.3 | Inventory and Control of Software Assets | Address Unauthorized Software | partial | | Dependabot alerts on known vulnerabilities; manual review cycle |
| 3.1 | Data Protection | Establish and Maintain a Data Management Process | partial | | 3-tier memory architecture with clear retention policies; formal data classification needed |
| 6.2 | Access Control Management | Establish an Access Revoking Process | partial | | Manual process — automate with SCIM in Sprint 9 |
| 13.1 | Network Monitoring and Defense | Centralize Security Event Alerting | partial | soc2:CC6.6 | GuardDuty for threat detection; centralized alerting pipeline needed |