compliance.tf
Compliance FrameworksRetired Frameworks

NIST Cybersecurity Framework v1.1

Deprecated Framework

This framework has been superseded by NIST Cybersecurity Framework v2.0. Organizations should migrate to version 2.0, which was released in February 2024 with an additional Govern function and enhanced guidance on supply chain risk management.

Best for: Federal contractors and subcontractors demonstrating a cybersecurity risk management program aligned with NIST guidance. Organizations in critical infrastructure sectors (energy, financial services, healthcare, transportation) that reference the CSF in regulatory filings or board-level risk reporting. Companies preparing for NIST 800-171 or CMMC assessments often use CSF v1.1 as a baseline. Note: CSF v2.0 supersedes this version, but many active assessment programs remain tied to v1.1.

Mandatory?Voluntary โ€” widely adopted across sectors
Who validates?Self-assessment; optional third-party
RenewalNo fixed cycle; continuous improvement
ScopeCritical infrastructure and all sectors; five core functions

๐Ÿ› National Institute of Standards and Technology (NIST), U.S. Department of Commerce ยท NIST CSF v1.1 (Apr 2018, superseded by v2.0) Official source โ†’

Get Started

module "..." {
  source  = "nistcsfv11.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

What Compliance.tf automates

  • Encryption at Rest: Checks encryption configuration on API Gateway cache stages and backup recovery points. apigateway_stage_cache_encryption_at_rest_enabled and backup_recovery_point_encryption_enabled confirm that data-at-rest encryption is active on covered services.
  • Encryption in Transit: Flags ACM certificates expiring within 30 days and API Gateway stages missing SSL certificates. Controls: acm_certificate_expires_30_days and apigateway_rest_api_stage_use_ssl_certificate.
  • Network and Instance Hardening: Verifies that WAF web ACLs are attached to API Gateway stages and that launch configurations enforce IMDSv2, disable public IPs by default, and restrict metadata hop limits. Covers autoscaling_launch_config_requires_imdsv2 and apigateway_stage_use_waf_web_acl.
  • Backup and Recovery: Confirms backup plan retention meets the 35-day minimum, that recovery point manual deletion is disabled, and that recovery points have not expired prematurely. Covers backup_plan_min_retention_35_days and backup_recovery_point_manual_deletion_disabled.
  • High Availability and Resilience: Checks that Auto Scaling groups span multiple availability zones with health check integration, deploy multiple instance types, and that CloudFront distributions have origin failover configured.
  • Logging and Monitoring: Validates API Gateway stage logging, X-Ray tracing on REST API stages, and SNS notifications on CloudFormation stacks. Covers apigateway_stage_logging_enabled and apigateway_rest_api_stage_xray_tracing_enabled.

What you handle

  • Encryption at Rest: Define and document your encryption policy, manage KMS key rotation schedules, audit key access grants, and extend encryption coverage to services outside the scope of these controls (including application-level encryption).
  • Encryption in Transit: Enforce minimum TLS version requirements (TLS 1.2+), configure certificate auto-renewal, and validate TLS on internal service-to-service communication paths not fronted by API Gateway.
  • Network and Instance Hardening: Write and tune WAF rule sets, define security group and NACL policies, run penetration testing, and manage your vulnerability scanning program.
  • Backup and Recovery: Set RPO and RTO targets per workload, run periodic recovery tests (tabletop and live), document recovery runbooks, and verify that backup data actually restores successfully.
  • High Availability and Resilience: Capacity planning, chaos engineering exercises, failover procedures for stateful workloads, and cross-region disaster recovery testing where applicable.
  • Logging and Monitoring: Build detection rules and alerting thresholds in your SIEM, staff a security operations function to triage alerts, and retain logs for the period your risk profile or regulatory obligations require.

Controls by Category

Detect: Security Continuous Monitoring (DE.CM) (3 controls)

The most frequent gap is not missing logging but logging that exists without feeding into alerting. Assessors check whether API activity reaches CloudWatch, whether distributed tracing gives request-level visibility, and whether infrastructure change notifications actually reach the security operations team.

API Gateway REST API stages should have AWS X-Ray tracing enabledAPI Gateway stages should have logging enabledCloudFormation stacks should have notifications enabled

Protect: Data Security (PR.DS) (2 controls)

Configuration snapshots, certificate inventory exports, and KMS key policies are the primary evidence set here. Expired or soon-to-expire ACM certificates, API stages transmitting without TLS, and unencrypted backup recovery points are the most common findings. Assessors also check that approved algorithms are in use, not just that encryption is nominally enabled.

API Gateway stages should not use client SSL certificatesAPI Gateway stages should have cache encryption at rest enabled

Recover: Recovery Planning (RC.RP) (1 control)

The first thing an assessor asks for is documented RPO and RTO targets per workload, then checks that backup configurations actually enforce them. Core evidence includes AWS Backup plan definitions showing 35-day minimum retention, vault lock policies blocking manual deletion, and records of successful backup job completion. Organizations routinely fail on the deletion protection requirement, leaving recovery points exposed to insider threat or ransomware.

Backup plans should have minimum frequency and minimum retention configured
Additional Controls (133)

AWS CloudTrail (4)

CloudTrail trails should have at least one enabled trail present in a regionCloudTrail trails should be integrated with CloudWatch logsCloudTrail trails should have logs encrypted using a customer managed KMS keyCloudTrail trails should have log file validation enabled

AWS CodeBuild (4)

CodeBuild projects should have artifact encryption enabledCodeBuild projects should not have privileged mode enabledCodeBuild projects should have logging enabledCodeBuild projects should have S3 logs encrypted

AWS Database Migration Service (1)

DMS replication instances should not be publicly accessiblecompliance.tf module

AWS IAM (2)

IAM password policies should prevent password reuseIAM password policies should have strong configurations

AWS KMS (1)

KMS CMK rotation should be enabledcompliance.tf module

AWS Lambda (5)

Lambda functions should have concurrent execution limit configuredcompliance.tf moduleLambda functions should be configured with a dead-letter queuecompliance.tf moduleLambda functions should be in a VPCcompliance.tf moduleLambda functions should restrict public URLcompliance.tf moduleLambda functions should use latest runtimescompliance.tf module

AWS Secrets Manager (1)

Secrets Manager secrets should be encrypted using CMKcompliance.tf module

Amazon CloudFront (6)

CloudFront distributions should have a default root object configuredcompliance.tf moduleCloudFront distributions should require encryption in transitcompliance.tf moduleCloudFront distributions access logs should be enabledcompliance.tf moduleCloudFront distributions should use SNI to serve HTTPS requestscompliance.tf moduleCloudFront distributions should use custom SSL/TLS certificatescompliance.tf moduleCloudFront distributions should have AWS WAF enabledcompliance.tf module

Amazon CloudWatch (3)

CloudWatch alarms should have an action configuredcompliance.tf moduleCloudWatch alarms should have action enabledcompliance.tf moduleCloudWatch log groups should have retention period of at least 365 dayscompliance.tf module

Amazon CloudWatch Logs (1)

Log groups should have encryption at rest enabledcompliance.tf module

Amazon DynamoDB (3)

DynamoDB tables should have AWS KMS encryption enabledcompliance.tf moduleDynamoDB tables should have encryption enabledcompliance.tf moduleDynamoDB tables should have point-in-time recovery enabledcompliance.tf module

Amazon DynamoDB Accelerator (1)

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

Amazon EBS (2)

Attached EBS volumes should have encryption enabledcompliance.tf moduleEBS volumes should have encryption at rest enabledcompliance.tf module

Amazon EC2 (10)

EC2 instances should have detailed monitoring enabledcompliance.tf moduleEC2 instances should have EBS optimization enabledcompliance.tf moduleEC2 instances should have IAM profile attachedcompliance.tf moduleEC2 instances should be in a VPCcompliance.tf moduleEC2 instances should not use key pairs in running statecompliance.tf moduleEC2 instances should not have a public IP addresscompliance.tf moduleEC2 instances should not use multiple ENIscompliance.tf moduleEC2 instances should use IMDSv2compliance.tf moduleEC2 instances should not use paravirtual instance typescompliance.tf moduleEC2 transit gateways should have auto accept shared attachments disabled

Amazon ECR (2)

ECR repositories should have image scan on push enabledcompliance.tf moduleECR private repositories should have tag immutability configuredcompliance.tf module

Amazon ECS (3)

ECS clusters should have container insights enabledcompliance.tf moduleECS fargate services should run on the latest fargate platform versioncompliance.tf moduleECS task definitions should not share the host's process namespacecompliance.tf module

Amazon EFS (4)

EFS access points should enforce a root directoryEFS access points should enforce a user identityEFS file systems should have encryption at rest enabledcompliance.tf moduleEFS file systems should be encrypted with CMKcompliance.tf module

Amazon EKS (3)

EKS clusters endpoint public access should be restrictedcompliance.tf moduleEKS clusters endpoint should restrict public accesscompliance.tf moduleEKS clusters should be configured to have kubernetes secrets encrypted using KMScompliance.tf module

Amazon EMR (1)

EMR cluster Kerberos should be enabledcompliance.tf module

Amazon ElastiCache (1)

ElastiCache Redis clusters should have automatic backups enabled with a retention period of 15 days or greatercompliance.tf module

Amazon Kinesis (1)

Kinesis streams should have server side encryption enabled

Amazon OpenSearch Service (7)

OpenSearch domains should have audit logging enabledcompliance.tf moduleOpenSearch domains should have encryption at rest enabledcompliance.tf moduleOpenSearch domains should have fine-grained access control enabledcompliance.tf moduleOpenSearch domains should use HTTPScompliance.tf moduleOpenSearch domains should be in a VPCcompliance.tf moduleOpenSearch domains should have logging to CloudWatch Logs enabledcompliance.tf moduleOpenSearch domains node-to-node encryption should be enabledcompliance.tf module

Amazon RDS (17)

RDS Aurora clusters should have backtracking enabledcompliance.tf moduleRDS clusters should have deletion protection enabledcompliance.tf moduleRDS DB clusters should have IAM authentication configuredcompliance.tf moduleRDS DB clusters should be configured for multiple Availability Zonescompliance.tf moduleRDS database clusters should use a custom administrator usernamecompliance.tf moduleRDS DB instances and clusters should have enhanced monitoring enabledcompliance.tf moduleRDS DB instance automatic minor version upgrade should be enabledcompliance.tf moduleRDS DB instance backup should be enabledcompliance.tf moduleRDS DB instances backup retention period should be greater than or equal to 7compliance.tf moduleRDS DB instances should have deletion protection enabledcompliance.tf moduleRDS DB instance encryption at rest should be enabledcompliance.tf moduleRDS DB instances should have iam authentication enabledcompliance.tf moduleRDS DB instances should have logging enabledcompliance.tf moduleRDS DB instances should have multiple AZ enabledcompliance.tf moduleRDS database instances should use a custom administrator usernamecompliance.tf moduleRDS DB instances should not use public subnetcompliance.tf moduleRDS DB instances should prohibit public accesscompliance.tf module

Amazon Redshift (10)

Redshift clusters should have audit logging enabledcompliance.tf moduleRedshift clusters should have automatic snapshots enabledcompliance.tf moduleRedshift cluster encryption in transit should be enabledcompliance.tf moduleRedshift clusters should have audit logging and encryption enabledcompliance.tf moduleRedshift clusters should have enhanced VPC routing enabledcompliance.tf moduleRedshift clusters should have KMS encryption enabledcompliance.tf moduleRedshift clusters should have required maintenance settingscompliance.tf moduleRedshift clusters should not use the default admin usernamecompliance.tf moduleRedshift clusters should not use the default database namecompliance.tf moduleRedshift clusters should prohibit public accesscompliance.tf module

Amazon S3 (19)

S3 buckets should not use ACLs for user access controlcompliance.tf moduleS3 buckets should have cross-region replication enabledcompliance.tf moduleS3 buckets should have default encryption enabledcompliance.tf moduleS3 buckets should have default encryption enabled using KMScompliance.tf moduleS3 buckets should have event notifications enabledcompliance.tf moduleS3 buckets should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have logging enabledcompliance.tf moduleS3 buckets should have MFA delete enabledcompliance.tf moduleS3 buckets should not be accessible to all authenticated userscompliance.tf moduleS3 buckets should have object lock enabledcompliance.tf moduleS3 buckets should have object logging enabledS3 buckets should have policies that prohibit public accesscompliance.tf moduleS3 buckets should restrict cross-account permissionscompliance.tf moduleS3 buckets should prohibit public read accesscompliance.tf moduleS3 buckets should prohibit public write accesscompliance.tf moduleS3 buckets with versioning enabled should have lifecycle policies configuredcompliance.tf moduleS3 buckets should have versioning enabledcompliance.tf moduleS3 public access should be blocked at account levelcompliance.tf moduleS3 public access should be blocked at bucket levelcompliance.tf module

Amazon SNS (1)

SNS topics should be encrypted at restcompliance.tf module

Amazon SageMaker (4)

SageMaker endpoint configuration encryption should be enabledSageMaker notebook instances should not have direct internet accessSageMaker notebook instances should be encrypted using CMKSageMaker notebook instance encryption should be enabled

Amazon VPC (1)

VPC subnet auto assign public IP should be disabledcompliance.tf module

Elastic Load Balancing (9)

ELB application and classic load balancer logging should be enabledcompliance.tf moduleELB application load balancer deletion protection should be enabledcompliance.tf moduleELB application load balancers should be configured with defensive or strictest desync mitigation modecompliance.tf moduleELB application load balancers should be configured to drop HTTP headerscompliance.tf moduleELB application load balancers should drop invalid HTTP headerscompliance.tf moduleELB application and network load balancers should only use SSL or HTTPS listenerscompliance.tf moduleELB application and network load balancer listeners should use secure protocolscompliance.tf moduleELB classic load balancers should have cross-zone load balancing enabledcompliance.tf moduleELB classic load balancers should span multiple availability zonescompliance.tf module

Other (6)

ES domain encryption at rest should be enabledES domains should be in a VPCElasticsearch domain should send logs to CloudWatchElasticsearch domain node-to-node encryption should be enabledNetwork Firewall policies should have default stateless action set to drop or forward for fragmented packetscompliance.tf moduleNetwork Firewall policies should have default stateless action set to drop or forward for full packetscompliance.tf module

Related Frameworks

NIST CSF v2.0 โ€” ๐ŸŸข High overlap (85%)

NIST CSF v2.0 is the direct successor. It adds a sixth function (Govern) and expands supply chain risk management. Most v1.1 subcategories carry forward with revised identifiers, so control mappings translate closely, but v2.0 introduces requirements around organizational context and cybersecurity governance that have no v1.1 equivalent.

NIST 800-53 Rev 5 โ€” ๐ŸŸข High overlap (70%)

NIST CSF v1.1 was designed as an abstraction layer above 800-53 controls. NIST publishes an explicit mapping between CSF subcategories and 800-53 Rev 5 control families. The CSF is outcome-focused, while 800-53 prescribes specific control implementations. Organizations using the CSF for risk framing often adopt 800-53 controls as their implementation detail.

ISO/IEC 27001:2022 โ€” ๐ŸŸก Medium overlap (55%)

NIST provides an official informative reference mapping between CSF subcategories and ISO 27001 Annex A controls. The overlap is strongest in the Protect and Detect functions. ISO 27001 requires a formal ISMS with certification audits, while the CSF is a voluntary risk framework with no certification body.

Frequently Asked Questions

Is NIST CSF v1.1 mandatory for my organization?
For most private-sector organizations, no. The CSF is voluntary. It becomes effectively mandatory in specific contexts: federal agencies and contractors subject to Executive Order 13800, organizations in critical infrastructure sectors where regulators reference the CSF (e.g., FFIEC, NERC CIP crosswalks), and companies whose customers or partners require CSF alignment in contract language. If none of those apply, the CSF is still widely used as a common language for communicating cybersecurity risk to boards and executives.
Should I adopt CSF v1.1 or migrate to v2.0?
If you are starting fresh, use v2.0. It was published in February 2024 and adds the Govern function, which addresses organizational governance gaps that v1.1 left implicit. If you have an existing v1.1 program, plan a transition within 12 to 18 months. NIST provides a subcategory mapping to ease migration, and most v1.1 work carries forward. The gap is primarily in governance and supply chain controls.
How long does a CSF assessment take?
For a mid-size organization doing this for the first time, expect 4 to 8 weeks, depending on how many systems are in scope and whether you have an existing control inventory. The process means defining your Current Profile (where you are), your Target Profile (where you need to be), and a gap analysis between the two. There is no formal certification. Organizations doing this for regulatory reporting or board presentations often bring in a third-party assessor, which adds roughly 2 to 4 weeks.
How do CSF 'Tiers' differ from 'Profiles'?
Tiers (1 through 4) describe the maturity of your risk management practices, from Partial (Tier 1) to Adaptive (Tier 4). They are not levels to climb sequentially. Profiles describe the alignment of your cybersecurity activities to business requirements, risk tolerance, and available resources for specific CSF subcategories. Use Profiles to capture current state and target state. Tiers characterize how your organization manages risk overall. An assessor will ask for both, but Profiles are the operational artifact you will maintain and update.
What evidence do I need to demonstrate CSF alignment in AWS?
At minimum: AWS Config rule evaluation results or equivalent policy-as-code scan outputs covering each subcategory, CloudTrail logs demonstrating continuous monitoring (DE.CM), IAM policies and access reviews for PR.AC, backup configuration and restore test records for RC.RP, and an incident response plan with tabletop exercise results for RS.RP. Running the compliance.tf NIST CSF v1.1 benchmark produces a control-level report that maps directly to subcategories, which most assessors accept as technical evidence alongside your policy documentation.

ISO/IEC 27001:2013

Previous Page

NIST SP 800-53 Rev 4

Next Page

On this page

Get StartedWhat Compliance.tf Covers vs. What You HandleControls by CategoryDetect: Security Continuous Monitoring (DE.CM) (3)Protect: Data Security (PR.DS) (2)Recover: Recovery Planning (RC.RP) (1)Related FrameworksFrequently Asked Questions

Ask AI about this

Help improve this page