compliance.tf
Compliance FrameworksCommon Frameworks

CISA Cyber Essentials

Best for: Leaders and IT staff at small businesses, local governments, tribal nations, and territorial agencies without dedicated cybersecurity teams. CISA Cyber Essentials gives resource-constrained organizations a starting point for basic cyber hygiene. No regulatory mandate exists, but federal grant programs such as the State and Local Cybersecurity Grant Program under the Infrastructure Investment and Jobs Act frequently treat CISA guidance as a baseline expectation.

Mandatory?Voluntary โ€” recommended for small organizations and critical infrastructure
Who validates?Self-assessment; no formal certification
RenewalNo fixed cycle
ScopeSmall businesses and SLTT governments; six essential elements

๐Ÿ› Cybersecurity and Infrastructure Security Agency (CISA), U.S. Department of Homeland Security ยท CISA Cyber Essentials (2019) Official source โ†’

Get Started

module "..." {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Audit Logging and Trail Integrity: Runs 9 controls validating CloudTrail multi-region enablement, S3 data event logging (read and write), CloudWatch integration, log file validation, and KMS encryption of trail logs. Also checks API Gateway stage logging.
  • Encryption at Rest: Covers API Gateway cache encryption, backup recovery point encryption, and CloudTrail log encryption with KMS CMK. Validates that encryption is configured at the resource level.
  • Encryption in Transit: Validates that API Gateway REST API stages use SSL certificates for backend authentication.
  • Backup and Disaster Recovery: Three controls check backup plan minimum retention (35 days), recovery point retention enforcement, and manual deletion protection on recovery points.
  • Network Exposure Reduction: Flags Auto Scaling launch configurations that assign public IPs and API Gateway stages not associated with a WAF web ACL.
  • Credential and Certificate Management: Flags ACM certificates within 30 days of expiration and CodeBuild projects with plaintext sensitive AWS values in environment variables.

What you handle

  • Audit Logging and Trail Integrity: Log review procedures, alerting thresholds in CloudWatch or a SIEM, and an incident escalation process tied to log findings.
  • Encryption at Rest: KMS key rotation schedules, key access policies, and documenting which teams are authorized to manage or use each CMK.
  • Encryption in Transit: Enforcing TLS 1.2+ across all endpoints, configuring custom domain names with appropriate security policies, and testing cipher suites.
  • Backup and Disaster Recovery: Periodic restore testing, RPO/RTO targets documented per workload, and maintaining an offline or immutable backup copy outside AWS for critical assets.
  • Network Exposure Reduction: WAF rule tuning, security group reviews for resources outside these specific controls, and keeping a network diagram current showing all internet-facing entry points.
  • Credential and Certificate Management: Setting up ACM auto-renewal where possible, rotating credentials stored in Secrets Manager, and establishing a process for tracking certificate ownership across teams.

Controls by Category

Your Data: Backup and Recovery (1 control)

Essential Element 5 ('Your Data') requires more than just having backups. Assessors confirm that backup plans enforce a minimum 35-day retention, that recovery points cannot be manually deleted (a real concern when a ransomware actor gains console access), and that recovery points persist through the full retention window. Pull AWS Backup plan JSON exports and vault access policies to show this.

Backup plans should have minimum frequency and minimum retention configured

Your Data: Encryption and Data Protection (3 controls)

The first question is whether encryption is configured at the resource level, both at rest and in transit. That means KMS CMK for CloudTrail logs, encrypted backup recovery points, SSL certificates on API Gateway stages, and API Gateway cache encryption. That last item is a frequent miss because it is disabled by default, and teams often discover the gap only when reviewing API Gateway stage settings directly. Bring KMS key policies, API Gateway stage configurations, and AWS Backup vault encryption settings to the review.

CloudTrail trails should have logs encrypted using a customer managed KMS keyAPI Gateway stages should not use client SSL certificatesAPI Gateway stages should have cache encryption at rest enabled

Your Systems: Audit Logging and Monitoring (4 controls)

A common gap here is enabling CloudTrail at the account level but missing S3 object-level data events, which leaves a blind spot on actual data access patterns. Reviewers will want CloudTrail configuration exports and CloudWatch log group retention settings, and they will confirm that no trails are disabled. Log integrity through file validation and centralized forwarding to CloudWatch Logs is expected, not optional.

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have log file validation enabledAPI Gateway stages should have logging enabled
Additional Controls (78)

AWS Database Migration Service (1)

DMS replication instances should not be publicly accessiblecompliance.tf module

AWS IAM (7)

IAM password policies should have minimum length set to 14 or greaterIAM password policies should require at least one lowercase letterIAM password policies should require at least one numberIAM password policies should require at least one symbolIAM password policies should require at least one uppercase letterIAM password policies should have strong configurations with minimum length of 8 or greaterIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (1)

Lambda functions should be in a VPCcompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (3)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon DynamoDB Accelerator (1)

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Amazon EBS (2)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (3)

EC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf module

Amazon EFS (2)

EFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon OpenSearch Service (3)

OpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (16)

RDS DB clusters should have automatic minor version upgrade enabledRDS clusters should have deletion protection enabledcompliance.tf moduleRDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance automatic minor version upgrade should be enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should be integrated with CloudWatch logscompliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS for MariaDB DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS for PostgreSQL DB instances should publish logs to CloudWatch Logscompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf moduleRDS for SQL Server DB instances should publish logs to CloudWatch Logscompliance.tf module

Amazon Redshift (8)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift clusters should have automatic upgrades to major versions enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (13)

S3 buckets should not use ACLs for user access controlcompliance.tf moduleS3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (5)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application and network load balancers should only use SSL or HTTPS listenerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf module

Other (4)

ES domain encryption at rest should be enabledES domains should be in a VPCElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabled

Related Frameworks

NIST CSF โ€” ๐ŸŸข High overlap (65%)

CISA Cyber Essentials was designed as a simplified on-ramp to the NIST Cybersecurity Framework. Most Cyber Essentials recommendations map to NIST CSF Identify, Protect, and Detect functions, but Cyber Essentials omits the depth of subcategories and implementation tiers that CSF provides.

NIST 800-53 Rev 5 โ€” ๐ŸŸก Medium overlap (35%)

NIST 800-53 Rev 5 is far more granular, with over 1,000 controls. The Cyber Essentials controls mapped here partially overlap with the AU (Audit and Accountability), CP (Contingency Planning), and SC (System and Communications Protection) families, but cover only a fraction of 800-53's scope.

CIS AWS Benchmark v3.0.0 โ€” ๐ŸŸก Medium overlap (45%)

CIS Benchmarks for AWS share many of the same technical checks (CloudTrail configuration, encryption, network exposure). CIS is more prescriptive at the resource configuration level, while Cyber Essentials provides broader organizational guidance that extends beyond cloud infrastructure.

Frequently Asked Questions

Does CISA Cyber Essentials apply to my organization, or is it voluntary?
It is voluntary. CISA does not mandate compliance or conduct audits. That said, if your organization receives federal cybersecurity grants (particularly under the State and Local Cybersecurity Grant Program), grant reviewers expect alignment with CISA guidance. Cyber insurance carriers may also treat it as a baseline expectation during underwriting.
Is there a formal certification or attestation process?
No. CISA Cyber Essentials has no certification body, no exam, and no badge. You self-assess. If you need a certifiable or attestable framework, look at SOC 2, ISO/IEC 27001, or CMMC depending on your sector. NIST CSF can be independently assessed, but it is not a formal certification scheme either.
How does this differ from the UK Cyber Essentials scheme?
They share a name but are distinct programs. The UK Cyber Essentials is a government-backed scheme with requirements set by the National Cyber Security Centre and certification delivered through IASME-accredited bodies. It has two levels (Cyber Essentials and Cyber Essentials Plus) and is mandatory for certain UK government contracts. CISA Cyber Essentials has no certification, no levels, and is purely guidance for U.S. organizations.
Can I use CISA Cyber Essentials as a stepping stone toward NIST CSF?
Yes, CISA explicitly designed it for that purpose. Each of the six Essential Elements maps to NIST CSF functions, so once you have the Cyber Essentials baseline in place, a gap analysis against the full NIST CSF will show you exactly where additional maturity is needed.
How long does it take to implement the 50 mapped AWS controls?
For a single AWS account with moderate workloads, an experienced engineer can remediate most findings in 2 to 4 weeks. CloudTrail and backup controls are straightforward configuration changes. The time-consuming work is WAF web ACL tuning (which requires traffic analysis) and cleaning up legacy launch configurations with public IPs still assigned. Multi-account environments using AWS Organizations will need to factor in account-level rollout through SCPs or Terraform modules.

AWS Well-Architected Framework v10

Previous Page

NYDFS Cybersecurity Regulation

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryYour Data: Backup and Recovery (1)Your Data: Encryption and Data Protection (3)Your Systems: Audit Logging and Monitoring (4)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page