Trust Center

Workforce

NIST CSF 2.0

Voluntary framework for managing cybersecurity risk

Total controls: 17
Implemented: 8
Partial: 6
Not started: 3
Coverage: 47.1% (8 of 17 controls implemented; partial controls do not count toward coverage)

Control Families

GV — Govern

Organizational context, risk management strategy, policies
33.3% implemented (1 of 3 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| GV.OC-01 | Organizational Context | implemented | adr_001, accountability_framework | ADR-001 establishes positioning, risk tolerance, and compliance commitments |
| GV.RM-01 | Risk Management Strategy | partial | adr_001 | ADR-001 covers strategic risk; formal risk register needed |
| GV.SC-01 | Supply Chain Risk Management | partial | dependabot, requirements_lambda | Dependabot for dependency scanning, pinned versions in requirements-lambda.txt |
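GV.SC-01 rests on the version pins in requirements-lambda.txt. The check below is an added example, not the project's own tooling: it classifies every requirement as exactly pinned, hash-pinned, or floating, which is the evidence a reviewer needs before moving the control from partial to implemented. An `==` pin fixes the version, but only `--hash` lines let pip refuse an artifact whose digest differs from the one that was reviewed. The sample requirements text is constructed; its package names and versions are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample in requirements.txt syntax; it is NOT the project's
# requirements-lambda.txt, and the package names/versions are placeholders.
SAMPLE_REQUIREMENTS = """\
# requirements-lambda.txt (constructed sample)
boto3==1.34.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
requests==2.31.0
pydantic>=2.0,<3
cryptography
"""


@dataclass(frozen=True)
class ReqStatus:
    name: str
    pinned: bool   # exactly one '==' specifier (not a range, '~=', or '==x.*')
    hashed: bool   # at least one --hash option, so pip can verify the artifact


# package name, optional [extras], then the rest of the logical line
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_EXACT_PIN_RE = re.compile(r"==\s*[A-Za-z0-9.+!-]+")


def _logical_lines(text: str):
    """Yield requirement lines with comments stripped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def classify(text: str) -> list[ReqStatus]:
    """Classify every package requirement in a requirements file body."""
    results = []
    for line in _logical_lines(text):
        if line.startswith("-"):        # -r, --index-url, etc.: not a package
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, _extras, rest = m.groups()
        hashed = "--hash=" in rest
        spec = rest.split("--hash=", 1)[0].strip()
        pinned = _EXACT_PIN_RE.fullmatch(spec) is not None
        results.append(ReqStatus(name.lower(), pinned, hashed))
    return results


def floating(text: str) -> list[str]:
    """Packages whose version is not fixed by an exact pin."""
    return [r.name for r in classify(text) if not r.pinned]


def unhashed(text: str) -> list[str]:
    """Packages pip cannot verify against a reviewed artifact digest."""
    return [r.name for r in classify(text) if not r.hashed]


def supply_chain_status(text: str) -> str:
    """Map the evidence onto the page's status vocabulary: every package pinned
    and hashed counts as implemented; exact pins without hashes are partial."""
    reqs = classify(text)
    if reqs and all(r.pinned and r.hashed for r in reqs):
        return "implemented"
    if any(r.pinned for r in reqs):
        return "partial"
    return "not started"


if __name__ == "__main__":
    for r in classify(SAMPLE_REQUIREMENTS):
        print(f"{r.name:<14} pinned={r.pinned!s:<5} hashed={r.hashed}")
    print("GV.SC-01:", supply_chain_status(SAMPLE_REQUIREMENTS))
```

Run it against the real file with `supply_chain_status(open("requirements-lambda.txt").read())`; `pip install --require-hashes` is the enforcement side, and it refuses any file where `unhashed()` is non-empty.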

ID — Identify

Asset management, risk assessment, improvement
25.0% implemented (1 of 4 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| ID.AM-01 | Asset Inventory | partial | cdk_stacks, agent_registry | CDK manages infrastructure as code; agent registry tracks all agents |
| ID.AM-02 | Software Inventory | implemented | pyproject_toml, requirements_lambda, package_lock | All dependencies declared in pyproject.toml and requirements-lambda.txt |
| ID.RA-01 | Risk Identification | partial | dependabot, guardduty | Automated dependency scanning, GuardDuty for runtime threats |
| ID.RA-03 | Threat Identification | not started | threat_model | Formal threat model planned for Sprint 7 |

PR — Protect

Access control, awareness, data security, platform security. PR.AC-01, PR.AC-05 and PR.IP-03 are CSF 1.1 subcategory identifiers; their CSF 2.0 equivalents are PR.AA-01, PR.IR-01 and PR.PS-01.
100.0% implemented (5 of 5 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| PR.AC-01 | Identity and Access Management | implemented | iam_policies, oidc_provider, secrets_manager | OIDC CI/CD, scoped IAM roles, Secrets Manager for all credentials |
| PR.AC-05 | Network Integrity | implemented | no_vpc_architecture, api_gateway, scp_policies | No VPC by design (all services reached via IAM-authenticated AWS APIs), API Gateway as the only ingress, SCPs for the account boundary |
| PR.DS-01 | Data at Rest Protection | implemented | kms_keys, dynamodb_encryption, s3_encryption | KMS encryption on all DynamoDB tables, S3 buckets, and Secrets Manager |
| PR.DS-02 | Data in Transit Protection | implemented | tls_enforcement | All AWS API calls and external communications over TLS 1.2+ |
| PR.IP-03 | Configuration Change Control | implemented | github_pr_reviews, ci_cd_pipeline, cdk_stacks | All infrastructure as CDK code, PR reviews, automated CI/CD pipeline |

DE — Detect

Continuous monitoring, adverse event analysis. DE.CM-04 is a CSF 1.1 identifier; CSF 2.0 withdrew it and folds malicious-code detection into DE.CM-01 and DE.CM-09.
33.3% implemented (1 of 3 controls)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| DE.CM-01 | Network Monitoring | implemented | guardduty, cloudwatch_alarms, cloudtrail | GuardDuty for threat detection, CloudWatch for operational monitoring, CloudTrail for API audit |
| DE.CM-04 | Malicious Code Detection | partial | guardduty, dependabot | GuardDuty runtime detection, Dependabot for known vulnerabilities in dependencies |
| DE.AE-02 | Anomalous Activity Analysis | partial | cloudwatch_alarms, cost_tracker | Cost anomaly tracking, CloudWatch metric alarms for Lambda errors/duration |

RS — Respond

Incident management, analysis, mitigation
0.0% implemented (0 of 1 control)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| RS.MA-01 | Incident Management | not started | incident_response_plan | Formal incident response plan needed; Sprint 7 with Compliance Auditor |

RC — Recover

Incident recovery plan execution
0.0% implemented (0 of 1 control)
| ID | Title | Status | Evidence Sources | Notes |
|---|---|---|---|---|
| RC.RP-01 | Recovery Plan Execution | not started | disaster_recovery_plan | DR plan needed; DynamoDB PITR enabled and S3 versioning on, but neither is a tested recovery procedure |
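PR.DS-01 claims KMS encryption on all DynamoDB tables, and RC.RP-01 cites PITR as the backup mechanism that exists today. The function below is an added example, not the project's own code: it evaluates both claims from the responses the boto3 DynamoDB client returns for `describe_table` and `describe_continuous_backups`, and groups failing tables under the page's control IDs. The sample responses, table names and key ARN are constructed. The caveat it encodes is that a table on the AWS-owned default key returns no `SSEDescription` at all: the data is encrypted at rest, but that is not the KMS evidence the control asserts.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TableEvidence:
    table: str
    kms_encrypted: bool   # PR.DS-01: server-side encryption enabled with a KMS key
    pitr_enabled: bool    # RC.RP-01: point-in-time recovery on


def assess_table(describe_table: dict, continuous_backups: dict) -> TableEvidence:
    """Evaluate one table from DescribeTable and DescribeContinuousBackups responses.

    A table on the AWS-owned default key returns no SSEDescription: it is encrypted
    at rest, but not with KMS, so it does not satisfy the claim in PR.DS-01.
    """
    table = describe_table["Table"]
    sse = table.get("SSEDescription", {})
    kms = sse.get("Status") == "ENABLED" and sse.get("SSEType") == "KMS"
    pitr = (
        continuous_backups["ContinuousBackupsDescription"]
        .get("PointInTimeRecoveryDescription", {})
        .get("PointInTimeRecoveryStatus")
        == "ENABLED"
    )
    return TableEvidence(table["TableName"], kms, pitr)


def evidence_gaps(results: Iterable[TableEvidence]) -> dict[str, list[str]]:
    """Group failing tables under the control they fail, using the page's IDs."""
    gaps = {"PR.DS-01": [], "RC.RP-01": []}
    for r in results:
        if not r.kms_encrypted:
            gaps["PR.DS-01"].append(r.table)
        if not r.pitr_enabled:
            gaps["RC.RP-01"].append(r.table)
    return gaps


# Constructed responses in the shape the boto3 DynamoDB client returns; the
# table names and key ARN are placeholders, not captured from any real account.
SAMPLE_RESPONSES = {
    "example-table-a": (
        {"Table": {
            "TableName": "example-table-a",
            "SSEDescription": {
                "Status": "ENABLED",
                "SSEType": "KMS",
                "KMSMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555",
            },
        }},
        {"ContinuousBackupsDescription": {
            "ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"},
        }},
    ),
    "example-table-b": (
        {"Table": {"TableName": "example-table-b"}},   # AWS-owned key: no SSEDescription
        {"ContinuousBackupsDescription": {
            "ContinuousBackupsStatus": "ENABLED",
            "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"},
        }},
    ),
}


def gaps_for_sample() -> dict[str, list[str]]:
    """Run the check over the constructed sample above."""
    return evidence_gaps(assess_table(dt, cb) for dt, cb in SAMPLE_RESPONSES.values())


def gaps_for_account(client, table_names: Iterable[str]) -> dict[str, list[str]]:
    """Same check against a live account; `client` is boto3.client("dynamodb")."""
    results = [
        assess_table(
            client.describe_table(TableName=name),
            client.describe_continuous_backups(TableName=name),
        )
        for name in table_names
    ]
    return evidence_gaps(results)


if __name__ == "__main__":
    print(gaps_for_sample())
```

Against a real account, feed `gaps_for_account` the names from `client.list_tables()["TableNames"]`; an empty list under both IDs is the evidence that backs the implemented status, and any table listed under RC.RP-01 needs PITR before the DR plan can rely on it.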

Gaps Requiring Remediation (9)

| Control | Family | Title | Status | Cross-Mappings | Notes |
|---|---|---|---|---|---|
| GV.RM-01 | Govern | Risk Management Strategy | partial | | ADR-001 covers strategic risk; formal risk register needed |
| GV.SC-01 | Govern | Supply Chain Risk Management | partial | | Dependabot for dependency scanning, pinned versions in requirements-lambda.txt |
| ID.AM-01 | Identify | Asset Inventory | partial | cis_v8:1.1 | CDK manages infrastructure as code; agent registry tracks all agents |
| ID.RA-01 | Identify | Risk Identification | partial | soc2:CC3.2, hipaa:164.308(a)(1)(ii)(A) | Automated dependency scanning, GuardDuty for runtime threats |
| ID.RA-03 | Identify | Threat Identification | not started | | Formal threat model planned for Sprint 7 |
| DE.CM-04 | Detect | Malicious Code Detection | partial | soc2:CC6.8 | GuardDuty runtime detection, Dependabot for known vulnerabilities in dependencies |
| DE.AE-02 | Detect | Anomalous Activity Analysis | partial | | Cost anomaly tracking, CloudWatch metric alarms for Lambda errors/duration |
| RS.MA-01 | Respond | Incident Management | not started | | Formal incident response plan needed; Sprint 7 with Compliance Auditor |
| RC.RP-01 | Recover | Recovery Plan Execution | not started | | DR plan needed; DynamoDB PITR enabled, S3 versioning on |