CISA Cyber Essentials

Best for: Leaders and IT staff at small businesses, local governments, tribal nations, and territorial agencies without dedicated cybersecurity teams. CISA Cyber Essentials gives resource-constrained organizations a starting point for basic cyber hygiene. No regulatory mandate exists, but federal grant programs such as the State and Local Cybersecurity Grant Program under the Infrastructure Investment and Jobs Act frequently treat CISA guidance as a baseline expectation.

Mandatory?Voluntary — recommended for small organizations and critical infrastructure

Who validates?Self-assessment; no formal certification

RenewalNo fixed cycle

ScopeSmall businesses and SLTT governments; six essential elements

🏛 Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security · CISA Cyber Essentials (2019) Official source →

Get Started

module "..." {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates
- Audit Logging and Trail Integrity: Runs 9 controls validating CloudTrail multi-region enablement, S3 data event logging (read and write), CloudWatch integration, log file validation, and KMS encryption of trail logs. Also checks API Gateway stage logging.
- Encryption at Rest: Covers API Gateway cache encryption, backup recovery point encryption, and CloudTrail log encryption with KMS CMK. Validates that encryption is configured at the resource level.
- Encryption in Transit: Validates that API Gateway REST API stages use SSL certificates for backend authentication.
- Backup and Disaster Recovery: Three controls check backup plan minimum retention (35 days), recovery point retention enforcement, and manual deletion protection on recovery points.
- Network Exposure Reduction: Flags Auto Scaling launch configurations that assign public IPs and API Gateway stages not associated with a WAF web ACL.
- Credential and Certificate Management: Flags ACM certificates within 30 days of expiration and CodeBuild projects with plaintext sensitive AWS values in environment variables.
What you handle
- Audit Logging and Trail Integrity: Log review procedures, alerting thresholds in CloudWatch or a SIEM, and an incident escalation process tied to log findings.
- Encryption at Rest: KMS key rotation schedules, key access policies, and documenting which teams are authorized to manage or use each CMK.
- Encryption in Transit: Enforcing TLS 1.2+ across all endpoints, configuring custom domain names with appropriate security policies, and testing cipher suites.
- Backup and Disaster Recovery: Periodic restore testing, RPO/RTO targets documented per workload, and maintaining an offline or immutable backup copy outside AWS for critical assets.
- Network Exposure Reduction: WAF rule tuning, security group reviews for resources outside these specific controls, and keeping a network diagram current showing all internet-facing entry points.
- Credential and Certificate Management: Setting up ACM auto-renewal where possible, rotating credentials stored in Secrets Manager, and establishing a process for tracking certificate ownership across teams.

Controls by Category

Your Data: Backup and Recovery (1 control)

Essential Element 5 ('Your Data') requires more than just having backups. Assessors confirm that backup plans enforce a minimum 35-day retention, that recovery points cannot be manually deleted (a real concern when a ransomware actor gains console access), and that recovery points persist through the full retention window. Pull AWS Backup plan JSON exports and vault access policies to show this.

Backup plan min frequency and min retention check

Your Data: Encryption and Data Protection (3 controls)

The first question is whether encryption is configured at the resource level, both at rest and in transit. That means KMS CMK for CloudTrail logs, encrypted backup recovery points, SSL certificates on API Gateway stages, and API Gateway cache encryption. That last item is a frequent miss because it is disabled by default, and teams often discover the gap only when reviewing API Gateway stage settings directly. Bring KMS key policies, API Gateway stage configurations, and AWS Backup vault encryption settings to the review.

CloudTrail trail logs should be encrypted with KMS CMK API Gateway stage should uses SSL certificate API Gateway stage cache encryption at rest should be enabled

Your Systems: Audit Logging and Monitoring (4 controls)

A common gap here is enabling CloudTrail at the account level but missing S3 object-level data events, which leaves a blind spot on actual data access patterns. Reviewers will want CloudTrail configuration exports and CloudWatch log group retention settings, and they will confirm that no trails are disabled. Log integrity through file validation and centralized forwarding to CloudWatch Logs is expected, not optional.

At least one enabled trail should be present in a region CloudTrail trails should be integrated with CloudWatch logs CloudTrail trail log file validation should be enabled API Gateway stage logging should be enabled

Additional Controls (78)

AWS Database Migration Service (1)